Two new families were added to the Microsoft Malicious Software Removal Tool (MSRT) this month: Win32/Filcout and Win32/Miuref.
We first detected Filcout in April 2014 after we observed it installing variants of Win32/Sefnit. We first detected Miuref in December 2013. This blog will discuss Miuref, a browser hijacker that can perform click fraud and hijack search results.
The family has a number of means of getting itself onto a user’s computer. It can be installed via an exploit such as JS/Fiexp, distributed via spam emails, use social engineering in an attempt to trick users into running its installer, or be downloaded and run by other malware such as Win32/Fareit and Win32/Onkods.
It is generally distributed as a Nullsoft installer package; Nullsoft is a commercially available scripted installer that is normally used to install legitimate software. In this case, the installer extracts and runs an executable file with a variable file name. It also extracts one or two data files. One of these data files is named setup.dat. The other data file, if it is present, can have one of the following file names:
Setup.dat contains a DLL that has been compressed with aPLib and encrypted with RC4. The main function of the executable file is to decrypt and decompress the DLL and manually load it into memory. This requires the following steps to ensure the DLL code executes correctly:
These steps are normally performed by calling the kernel32.dll LoadLibrary function, which, when given the filename of a DLL, will load it into memory. By loading the DLL into memory manually, instead of using a LoadLibrary call, the malware is able to execute the DLL’s payload without needing to write a decrypted copy to disk. This might be an attempt to avoid detection by antimalware products.
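As an added illustration of the unpacking chain described above (this is not code from the post or from Microsoft), the following Python decoder handles the aPLib layer of Setup.dat: once the RC4 layer has been stripped (RC4 itself is not shown), the raw aPLib stream can be decoded offline to recover the DLL and check for its MZ/PE header without ever loading it. The decoder follows the control flow of the publicly documented aPLib reference depacker, and the two sample streams are constructed by hand for the test.

```python
def aplib_depack(src: bytes) -> bytes:
    """Decode a raw aPLib stream (same tag/gamma scheme as the reference depack.c)."""
    pos, tag, nbits = 0, 0, 0
    out = bytearray()

    def getbit():
        nonlocal pos, tag, nbits
        if nbits == 0:                       # refill the 8-bit tag from the stream
            tag, pos, nbits = src[pos], pos + 1, 8
        nbits -= 1
        bit, tag = (tag >> 7) & 1, (tag << 1) & 0xFF
        return bit

    def getgamma():                          # gamma code: value bits interleaved with continue bits
        n = 1
        while True:
            n = (n << 1) + getbit()
            if not getbit():
                return n

    def copy(offs, n):                       # LZ back-reference, byte by byte so overlaps work
        for _ in range(n):
            out.append(out[-offs])

    out.append(src[pos]); pos += 1           # first byte is always stored verbatim
    r0, lwm = 0, 0                           # last match offset, "last was match" flag
    while True:
        if not getbit():                     # 0   -> literal byte
            out.append(src[pos]); pos += 1; lwm = 0
        elif not getbit():                   # 10  -> gamma-coded offset and length
            offs = getgamma()
            if lwm == 0 and offs == 2:       # code 2 right after a literal: reuse last offset
                copy(r0, getgamma())
            else:
                offs = ((offs - (3 if lwm == 0 else 2)) << 8) + src[pos]; pos += 1
                n = getgamma() + (offs >= 32000) + (offs >= 1280) + 2 * (offs < 128)
                copy(offs, n); r0 = offs
            lwm = 1
        elif not getbit():                   # 110 -> short match; offset 0 is the end marker
            b = src[pos]; pos += 1
            offs, n = b >> 1, 2 + (b & 1)
            if offs == 0:
                return bytes(out)
            copy(offs, n); r0, lwm = offs, 1
        else:                                # 111 -> one byte from a 4-bit offset (0 = NUL)
            offs = 0
            for _ in range(4):
                offs = (offs << 1) + getbit()
            out.append(out[-offs] if offs else 0); lwm = 0

# Constructed sample streams (not real Miuref data): literal + short match, and a
# gamma-coded match followed by a 4-bit-offset NUL, each closed by the end marker.
SAMPLE_SHORT = bytes([0x41, 0x6C, 0x42, 0x03, 0x00])
SAMPLE_GAMMA = bytes([0x41, 0x29, 0x42, 0x43, 0x03, 0x38, 0x60, 0x00])
```

On a real decrypted Setup.dat, a successful decode should start with the bytes `MZ`; anything else means the RC4 key or the data boundaries are wrong.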
The DLL component sends details of the affected system to a remote server, including the computer name, machine GUID, and hard disk serial number. If Chrome or Firefox is present, it can install extensions for these browsers. These extensions, which we detect as Trojan:JS/Miuref.A for the Firefox extension and Trojan:JS/Miuref.B for the Chrome extension, can redirect web searches to pages controlled by the attacker. For Internet Explorer, the redirection is done by injecting code into the Internet Explorer process and obtaining the redirection URLs from a remote server. The malware can also perform click fraud by running additional hidden Internet Explorer processes and sending clicks to online advertisements that appear to come from the pages controlled by the attacker.
Miuref also appears to have mechanisms to allow it to update itself, or to download and run other malware.
As usual, there are a number of steps you can take to help protect your computer from Miuref and other malware and potentially unwanted software: