Two new families were added to the Microsoft Malicious Software Removal Tool (MSRT) this month: Win32/Filcout and Win32/Miuref.

We first detected Filcout in April 2014, after we observed it installing variants of Win32/Sefnit. We first detected Miuref in December 2013. This blog post discusses Miuref, a browser hijacker that can perform click fraud and hijack search results.

The family reaches a user’s computer in a number of ways. It can be installed by an exploit such as JS/Fiexp, distributed via spam emails, rely on social engineering to trick users into running its installer, or be downloaded and run by other malware such as Win32/Fareit and Win32/Onkods.

It is generally distributed packaged in a Nullsoft installer, which is a commercially available scripted installer that is normally used to install legitimate software. In this case, the installer extracts and runs an executable file whose file name varies between samples. It also extracts one or two data files. One of these data files is named setup.dat. The other data file, if it is present, can have one of the following file names:

  • a
  • a.dat
  • b
  • c
  • d
  • data.dat
  • nk
  • ns21.dat
  • padding.txt
  • rs.dat

Setup.dat contains a DLL that has been compressed with aPLib and then encrypted with RC4. The main function of the executable file is to decrypt and decompress the DLL and load it into memory manually. Doing so requires the following steps to ensure that the DLL code executes correctly:

  • Patching the targets of jump and call instructions (and other absolute addresses) within the DLL so that they are correct for the address at which the DLL has been placed in memory.
  • Loading each section of the DLL into memory.
  • Changing the read, write, and execute permissions of the memory holding the DLL copy so that each region matches the permissions of the corresponding section of the DLL.
  • Parsing the DLL’s import table and using LoadLibrary and GetProcAddress calls to dynamically import the functions that the DLL would normally import statically.
  • Calling the DLL’s DllMain routine, followed by a call to the DllRegisterServer function that it exports.

These steps are normally performed by the kernel32.dll LoadLibrary function, which, when given the file name of a DLL, loads it into memory. By loading the DLL manually instead of calling LoadLibrary, the malware can execute the DLL’s payload without ever writing a decrypted copy to disk. This might be an attempt to avoid detection by antimalware products.

The DLL component sends details of the affected system to a remote server, including the computer name, machine GUID, and hard disk serial number. If Chrome or Firefox is present, it can install extensions for these browsers. These extensions, which we detect as Trojan:JS/Miuref.A (the Firefox extension) and Trojan:JS/Miuref.B (the Chrome extension), can redirect web searches to pages controlled by the attacker. For Internet Explorer, the redirection is done by injecting code into the Internet Explorer process and obtaining the redirection URLs from a remote server. The malware can also perform click fraud by running additional hidden Internet Explorer processes and sending clicks to online advertisements so that the clicks appear to come from the pages controlled by the attacker.

Miuref also appears to have mechanisms for updating itself and for downloading and running other malware.

As usual, there are a number of steps you can take to help protect your computer from Miuref and other malware and potentially unwanted software:

  • Keep your software up to date, especially Java, Adobe Reader and Flash, and Windows and other Microsoft products.
  • Use caution when opening attachments or links in emails or instant messages, especially if they are suspicious or unexpected.
  • Run an up-to-date real-time antimalware product, such as Microsoft Security Essentials, or, if you are running Windows 8, ensure that Windows Defender is active.

David Wood

MMPC