Over the past few days we have seen an increase in Cefyns showing its nasty face on the network mirror port. Anytime this happens, I feel that it is helpful to provide a closer look into what this malware can actually do in order to raise awareness. First and foremost, before we get into the analysis, UPDATE YOUR ANTIVIRUS DEFINITIONS!!! While that is humming along, follow me as we descend from 40,000 feet into Cefyns’ dark and deceitful world.
This trojan is nothing new. Cefyns seems to have first appeared in late 2008, though variants have shown up throughout its lifetime. I obtained a copy from http://offensivecomputing.net. If you are not yet a member, I highly recommend this site, as it is a great resource for malware samples (if that’s your thing) as well as news on malware analysis and software. Before I uploaded this gem to my sandbox, I ran it through VirusTotal, which labeled it malware with a smooth 83% confidence.
So what does this malware do? Well, for starters, it creates the following files:
C:\Program Files\altcmd
C:\Users\Public\Start Menu\Programs\StartUp\autorun.exe
C:\Users\malware\Application Data\printer.exe
C:\Users\malware\Start Menu\Programs\StartUp\findfast.exe
C:\Users\malware\Temp\3a37.bat
C:\Users\malware\Temp\3a37.tmp
C:\Users\malware\Temp\3cf0.bat
C:\Users\malware\Temp\3cf0.tmp
C:\Windows\shell.exe
C:\Windows\system32\ONf.exe
C:\Windows\system32\append.dll
C:\windows\system32\drivers/etc/hosts
C:\Windows\system32\drivers/etc/st.im
C:\Windows\system32\npad.exe
C:\Windows\system32\printer.exe
C:\Windows\system32\spoolvs.exe
C:\Windows\system32\wowfx.dll
C:\Windows\system32\xlib254.dll
Starting from the top, the altcmd folder contains altcmd32.dll, altcmd.inf, and uninstall.bat. All of these belong to the Cefyns infection; however, it is interesting to note that uninstall.bat does appear to attempt to remove INI files, C:\Program Files\altmcd, and the registry changes that were made pertaining only to Altcmd.
Another noteworthy file is autorun.exe. Incidentally, autorun.exe, printer.exe, findfast.exe, shell.exe, and spoolvs.exe all have the same md5sum, and all are tagged by anti-virus software as Cefyns (http://hlurl.com/8ax). It seems that Cefyns tries to ensure it starts up in several ways, making different registry and Startup folder changes in the hope that a user cleaning the machine will overlook one of its startup paths. Npad.exe (http://hlurl.com/8ay) and ONf.exe (http://hlurl.com/8az) were also tagged by A/V as containing Cefyns.
The pot of gold at the end of the rainbow, though, is what is contained in st.im, which gets copied over C:\Windows\system32\drivers\etc\hosts:
10.18.250.4 ad.doubleclick.net
10.18.250.4 ad.fastclick.net
10.18.250.4 ads.fastclick.net
10.18.250.4 ar.atwola.com
10.18.250.4 atdmt.com
10.18.250.4 avp.ch
10.18.250.4 avp.com
10.18.250.4 avp.ru
10.18.250.4 awaps.net
10.18.250.4 banner.fastclick.net
10.18.250.4 banners.fastclick.net
10.18.250.4 ca.com
10.18.250.4 click.atdmt.com
10.18.250.4 clicks.atdmt.com
10.18.250.4 customer.symantec.com
10.18.250.4 dispatch.mcafee.com
10.18.250.4 download.mcafee.com
10.18.250.4 download.microsoft.com
10.18.250.4 downloads-us1.kaspersky-labs.com
10.18.250.4 downloads-us2.kaspersky-labs.com
10.18.250.4 downloads-us3.kaspersky-labs.com
10.18.250.4 downloads.microsoft.com
10.18.250.4 downloads1.kaspersky-labs.com
10.18.250.4 downloads2.kaspersky-labs.com
10.18.250.4 downloads3.kaspersky-labs.com
10.18.250.4 downloads4.kaspersky-labs.com
10.18.250.4 engine.awaps.net
10.18.250.4 f-secure.com
10.18.250.4 fastclick.net
10.18.250.4 ftp.avp.ch
10.18.250.4 ftp.downloads1.kaspersky-labs.com
10.18.250.4 ftp.downloads2.kaspersky-labs.com
10.18.250.4 ftp.downloads3.kaspersky-labs.com
10.18.250.4 ftp.f-secure.com
10.18.250.4 ftp.kasperskylab.ru
10.18.250.4 ftp.sophos.com
10.18.250.4 go.microsoft.com
10.18.250.4 ids.kaspersky-labs.com
10.18.250.4 kaspersky-labs.com
10.18.250.4 kaspersky.com
10.18.250.4 liveupdate.symantec.com
10.18.250.4 liveupdate.symantecliveupdate.com
10.18.250.4 mast.mcafee.com
10.18.250.4 mcafee.com
10.18.250.4 media.fastclick.net
10.18.250.4 microsoft.com
10.18.250.4 msdn.microsoft.com
10.18.250.4 my-etrust.com
10.18.250.4 nai.com
10.18.250.4 networkassociates.com
10.18.250.4 norton.com
10.18.250.4 office.microsoft.com
10.18.250.4 pandasoftware.com
10.18.250.4 phx.corporate-ir.net
10.18.250.4 rads.mcafee.com
10.18.250.4 secure.nai.com
10.18.250.4 securityresponse.symantec.com
10.18.250.4 service1.symantec.com
10.18.250.4 sophos.com
10.18.250.4 spd.atdmt.com
10.18.250.4 support.microsoft.com
10.18.250.4 symantec.com
10.18.250.4 trendmicro.com
10.18.250.4 update.symantec.com
10.18.250.4 updates.symantec.com
10.18.250.4 updates1.kaspersky-labs.com
10.18.250.4 updates2.kaspersky-labs.com
10.18.250.4 updates3.kaspersky-labs.com
10.18.250.4 updates4.kaspersky-labs.com
10.18.250.4 updates5.kaspersky-labs.com
10.18.250.4 us.mcafee.com
10.18.250.4 vil.nai.com
10.18.250.4 viruslist.com
10.18.250.4 viruslist.ru
10.18.250.4 virusscan.jotti.org
10.18.250.4 virustotal.com
10.18.250.4 windowsupdate.microsoft.com
10.18.250.4 www.avp.ch
10.18.250.4 www.avp.com
10.18.250.4 www.avp.ru
10.18.250.4 www.awaps.net
10.18.250.4 www.ca.com
10.18.250.4 www.f-secure.com
10.18.250.4 www.fastclick.net
10.18.250.4 www.grisoft.com
10.18.250.4 www.kaspersky-labs.com
10.18.250.4 www.kaspersky.com
10.18.250.4 www.kaspersky.ru
10.18.250.4 www.mcafee.com
10.18.250.4 www.microsoft.com
10.18.250.4 www.my-etrust.com
10.18.250.4 www.nai.com
10.18.250.4 www.networkassociates.com
10.18.250.4 www.pandasoftware.com
10.18.250.4 www.sophos.com
10.18.250.4 www.symantec.com
10.18.250.4 www.trendmicro.com
10.18.250.4 www.viruslist.com
10.18.250.4 www.viruslist.ru
10.18.250.4 www.virustotal.com
I consider it a “who’s who” of anti-virus vendors, but don’t feel bad if you were left out (*cough* ClamAV). This does present an interesting poor man’s IDS technique, though: if you see hosts on your network talking to 10.18.250.4 (assuming that is not legitimate traffic for you), chances are high that you need to scan them right away.
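As an added example (not code from the original post), here is a small Python checker for the two things the hosts file above suggests watching for: a hosts file in which one non-loopback address sinks many vendor and update domains, and flow records showing internal machines talking to that sink address. The sample hosts lines and flow records are constructed, and the vendor watchlist is my own assumption drawn from the names in the st.im listing.

```python
import ipaddress
from collections import Counter

# Constructed sample hosts file: a few st.im-style entries from the post plus two legitimate lines.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
192.168.1.20 build-server.corp.example   # constructed, legitimate
10.18.250.4 liveupdate.symantec.com
10.18.250.4 windowsupdate.microsoft.com
10.18.250.4 www.virustotal.com
10.18.250.4 download.mcafee.com
"""

# Constructed flow records (src dst dport), the kind a mirror-port sensor would log.
SAMPLE_FLOWS = [
    "10.0.2.15 10.18.250.4 80",
    "10.0.2.40 93.184.216.34 443",
    "10.0.2.77 10.18.250.4 80",
    "10.0.2.15 10.18.250.4 443",
]

LOCAL = {"127.0.0.1", "::1", "0.0.0.0"}
# Assumed watchlist: vendor names the post's hosts file sinks; a non-local mapping for them is suspect.
WATCHLIST = ("symantec", "microsoft", "virustotal", "mcafee", "kaspersky", "sophos")

def parse_hosts(text):
    """Return (ip, hostname) pairs, dropping comments, blanks and malformed lines."""
    pairs = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first token is not an address; skip the line
        pairs.extend((fields[0], name.lower()) for name in fields[1:])
    return pairs

def find_hijack(text, min_entries=3):
    """Flag non-local IPs that sink several names, and watchlist names redirected anywhere."""
    pairs = parse_hosts(text)
    sinks = Counter(ip for ip, _ in pairs if ip not in LOCAL)
    sink_ips = sorted(ip for ip, n in sinks.items() if n >= min_entries)
    redirected = sorted(name for ip, name in pairs
                        if ip not in LOCAL and any(w in name for w in WATCHLIST))
    return {"sink_ips": sink_ips, "redirected": redirected}

def hosts_hitting_sink(flow_lines, sink_ip):
    """Poor man's IDS: distinct sources seen talking to the sinkhole address."""
    return sorted({src for src, dst, _ in (l.split() for l in flow_lines) if dst == sink_ip})
```

Run `find_hijack` over a suspect machine's hosts file and `hosts_hitting_sink` over your flow logs with the sink address it reports; either hit is a reason to scan the host.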
So what does this do once it is installed? From what I saw, it contacted lntoplive.com and tried a GET request for what looked like some sort of configuration:
2011-07-06 18:15:47.654280 IP (tos 0x0, ttl 64, id 1775, offset 0, flags [DF], proto UDP (17), length 59)
    10.0.2.15.40119 > 10.0.2.3.53: [udp sum ok] 37299+ A? lntoplive.com. (31)
2011-07-06 18:15:47.727419 IP (tos 0x0, ttl 64, id 10738, offset 0, flags [DF], proto TCP (6), length 260)
    10.0.2.15.33025 > 208.73.210.29.80: Flags [P.], cksum 0x35e4 (correct), seq 1:221, ack 1, win 5840, length 220
E...).@.@.a. ....I.....P.`/.....P...5...GET /l3/?q=counter&id=495&cid=f643ad11d487be7624feed8b42414666 HTTP/1.1
Unfortunately for us, lntoplive.com is currently parked, so the request did not return anything useful. It has been documented that Cefyns will also try to contact a few other domains (http://hlurl.com/8b0), although I did not see that in my testing. From what I have been able to gather online, this trojan does include backdoor functionality so that an attacker can install some “friends,” but I did not get a chance to play with this feature.
To sum everything up, this trojan can easily be avoided by keeping your A/V definitions up to date and training your users to contact your support staff when they receive notifications that their A/V has not updated in a week. Some of the software used in this post (aside from built-in Linux binaries such as “strings”) was Zero Wine Tryouts and Galleta. The former is a malware analysis sandbox; the latter can be used to parse Internet Explorer index.dat files on a Linux system.

