The January 2012 edition of the Microsoft Malicious Software Removal Tool (MSRT) includes detection and removal of the Win32/Sefnit family of trojans. This trojan family moderates and redirects web browser search engine results for Bing, Yahoo! and Google.
The earliest reported variant in this family can be traced back to August 2010. The installation mechanism employed by early samples remains very similar to samples we observe in the wild today. Variants of Sefnit employ the use of a Nullsoft Scriptable Install System (NSIS) dropper to install an obfuscated a dynamic link library (DLL) component. The component is executed by the dropper by using “rundll32.exe” and also will execute during Windows logon.
The obfuscation technique used has changed from the “spaghetti-style” of numerous unconditional branches between small islands of code to one that is “in plain sight”. In the following example, we can see the immediate value of 1Bh move via the local variable ‘var_1’ to the cl register, rather than being moved directly.
Figure 1. Example of simply obfuscated subroutine from a recent Sefnit variant
Once this component of Sefnit is installed, it attempts to perform browser search result redirection for Bing, Yahoo and Google search engines. Win32/Sefnit is often installed by different exploit kits including such as “Blackhole” (detected as Blacole), or distributed on file sharing networks with enticing “keygen” or “crack” styled file names.
If we examine the reports during December 2011 from a total of 81,147 unique customer machines which reported a Sefnit infection to MMPC, we observed the following:
Consider this month’s release of the MSRT like a digital beagle, sniffing out Sefnit as if it were a doggy biscuit and disposing of it properly. Thank you for reading!