Sirefef infections explode due to new infection technique

The Sirefef/Zaccess family of Trojans – designed to download other malware, disable the machine’s security features, and often make lasting changes to the computer – is usually distributed to unsuspecting victims via email spam campaigns.

But its peddlers have lately changed tack, and have begun bundling the malware with codecs, game installers and crack/keygen applications, Trend Micro warns.

“During the last weeks of July, we received reports from customers that their services.exe files were being patched by an unknown malware,” the researchers shared.

As it turned out, the patched file was component of the Sirefef/Zaccess malware family, and was used to run the malware’s other malicious components upon reboot.

“This proved to be a new variant of Sirefef/Zaccess, which now uses user-mode technique to stealthily load its malicious code, instead of using regular rootkit techniques,” they said.

This infection with this new variant was traced back to the execution of K-Lite Codec Pack.exe, and it has more than likely been downloaded by the users themselves from the Internet in order to play movies downloaded via P2P applications.

To keep up the illusion that the offered codec is legitimate and to up the likelihood of it being used, the file names are also often modified to include the titles of popular movies.

According to Trend Micro numbers, Sirefef/Zaccess infections have hugely increased in July, going from some 1,000 infected computers on the first of the month to over 11,000 on the 27th.

The great majority of infected computers is located in the US. Nevertheless, all users are advised to be cautious when downloading files from untrusted sources such as P2P networks.