A Complete Overview of the Sirefef Malware


The Sirefef malware (also known as ZeroAccess) can take on many forms. It is a multi-component family of malware: the initial infection may arrive as a rootkit, a file-infecting virus, or a Trojan horse, and that first component then downloads and installs the others.

Rootkit

As a rootkit, Sirefef gives attackers full control of your system while using stealth techniques to hide its presence on the infected device. It conceals itself by modifying the internals of the operating system so that its files, processes, and registry entries do not appear in normal listings, which is why antivirus and anti-spyware tools often fail to detect it. It also includes a self-defense mechanism that terminates security-related processes that attempt to open or scan its components.

Virus

As a virus, Sirefef attaches itself to an application. When you run the infected application, Sirefef is executed along with it and delivers its payload: capturing your sensitive information, deleting critical system files, or opening a backdoor that lets attackers reach your system over the Internet.

Trojan Horse

You may also become infected with Sirefef in the form of a Trojan horse. Sirefef can disguise itself as a legitimate application, such as a utility, game, or even a free antivirus program. Attackers use this technique to trick you into downloading the fake application, and once you allow the application to run on your computer, the hidden Sirefef malware is executed.

Pirated Software

There are many ways your system can become infected with this malware. Sirefef is often distributed through pirated software. Pirated software usually comes with key generators (keygens) and password crackers (cracks) used to bypass licensing, and these are a convenient place to hide the malware. When the trojanized keygen or crack is executed, Sirefef overwrites a legitimate system driver with a malicious copy under the same name, so that the operating system loads the malicious driver at every startup and the infection survives a reboot.
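The driver-replacement persistence described above leaves a checkable trace: a legitimate Windows driver carries a valid Authenticode (or catalog) signature, while a copy overwritten by malware does not. The following PowerShell function is an added example, not code from the original article or from any vendor, that lists boot-loaded kernel drivers whose signature no longer verifies or whose file is missing. It assumes a Windows 8 or later host with PowerShell 5, an elevated prompt, and that the function name `Get-SuspiciousBootDrivers` is our own; hits are leads for manual review, since an unsigned but legitimate third-party driver is possible.

```powershell
# Added example (not from the original article). Flags drivers that the
# service control manager loads automatically but whose Authenticode/catalog
# signature does not verify. A driver overwritten by malware, as described
# above, no longer carries the vendor's valid signature.
# Assumes: Windows 8+ / PowerShell 5, run from an elevated prompt.

function Get-SuspiciousBootDrivers {
    [CmdletBinding()]
    param()

    # Drivers that load without user action: Boot, System or Auto start.
    $autoDrivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.StartMode -in @('Boot', 'System', 'Auto') -and $_.PathName }

    foreach ($drv in $autoDrivers) {
        # PathName comes in several spellings (\SystemRoot\..., \??\C:\...,
        # system32\drivers\...); normalise to a plain file-system path.
        $path = $drv.PathName
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        $path = $path -replace '^system32\\', "$env:SystemRoot\system32\"

        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{
                Name      = $drv.Name
                Path      = $path
                Status    = 'MissingFile'
                Signer    = $null
                LastWrite = $null
            }
            continue
        }

        $sig  = Get-AuthenticodeSignature -FilePath $path
        $file = Get-Item -LiteralPath $path

        # Anything other than 'Valid' (NotSigned, HashMismatch, ...) is reported.
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Name      = $drv.Name
                Path      = $path
                Status    = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
                LastWrite = $file.LastWriteTime
            }
        }
    }
}

# Most recently modified drivers first: a replaced driver will have a
# LastWrite time that does not match the rest of the OS install.
Get-SuspiciousBootDrivers | Sort-Object LastWrite -Descending | Format-Table -AutoSize
```

Note that a rootkit that is already active can hide its driver from this very listing (see the rootkit section above), so a clean result on a live system is not conclusive; running the same check from offline media or a rescue environment is the stronger test.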

Infected Websites

Another way Sirefef can install on your machine is through infected websites. An attacker can compromise a legitimate website so that it delivers Sirefef to visitors, infecting your computer simply because you visited the page. An attacker can also lure you to a malicious site through phishing: email sent to many users with the aim of tricking them into revealing sensitive information or clicking a link. In this case, you would receive an email enticing you to click a link that leads to an infected website.


Sirefef communicates with remote hosts over a peer-to-peer (P2P) protocol, so there is no single command server to block. It uses this channel to download additional malware components, which it hides inside Windows system directories. Once installed, the components are capable of performing the following tasks:

  • Stops Windows Firewall - Sirefef attempts to turn off Windows Firewall to ensure that its own traffic is not interrupted.
  • Stops Windows Defender Service - By stopping Windows Defender, Sirefef can execute its malicious code without being detected.
  • Changes Your Internet Browser Settings - You may experience changes with your Internet browser, such as changes to your home page and modification of your search engine results.
  • Contacts Remote Hosts - Sirefef sends information about your infected computer to its peers and enrols the machine in a network of other infected computers (a botnet of zombie machines) that attackers can direct in a coordinated, much larger attack.
  • Creates a Folder to Store Other Malware - Sirefef downloads other malware and stores it in a hidden folder.
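
The list above describes symptoms that can be checked from the host itself. The following PowerShell function is an added example, not code from the original article or from any vendor, that collects the visible side effects the article names: disabled Windows Firewall profiles, a stopped or disabled Windows Defender service, the browser start page (so it can be compared with what the user expects), and hidden directories recently created under Windows system locations. It assumes Windows 8 or later with PowerShell 5 (for `Get-NetFirewallProfile` and the service `StartType` property); the function name `Invoke-PostInfectionTriage`, the scan roots and the 30-day window are our own choices, and any hit is a lead to investigate rather than proof of Sirefef.

```powershell
# Added example (not from the original article). Collects the host-visible
# symptoms the article lists so an analyst can review them in one pass.
# Assumes: Windows 8+ / PowerShell 5, elevated prompt. Hits are leads only.

function Invoke-PostInfectionTriage {
    [CmdletBinding()]
    param(
        # Locations where the article says components are hidden (our choice).
        [string[]]$ScanRoots  = @($env:SystemRoot, $env:ProgramData),
        # Only hidden folders created within this many days are reported.
        [int]$RecentDays      = 30
    )

    $findings = New-Object 'System.Collections.Generic.List[object]'
    $add = { param($check, $detail)
        $findings.Add([pscustomobject]@{ Check = $check; Detail = $detail }) }

    # 1. Windows Firewall: any profile turned off is a listed symptom.
    foreach ($profile in Get-NetFirewallProfile) {
        if (-not $profile.Enabled) {
            & $add 'Firewall' "Profile '$($profile.Name)' is disabled"
        }
    }

    # 2. Windows Defender service stopped or set to Disabled.
    $defender = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if ($null -eq $defender) {
        & $add 'Defender' 'WinDefend service is not present'
    } elseif ($defender.Status -ne 'Running') {
        & $add 'Defender' "WinDefend is $($defender.Status) (start type $($defender.StartType))"
    } elseif ($defender.StartType -eq 'Disabled') {
        & $add 'Defender' 'WinDefend is running but set to Disabled'
    }

    # 3. Browser start page. Internet Explorer stores it in the registry;
    #    the value is reported so the analyst can compare it with the
    #    user's expected home page.
    $ieMain = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' `
                               -ErrorAction SilentlyContinue
    if ($ieMain -and $ieMain.'Start Page') {
        & $add 'Browser' "IE start page is '$($ieMain.'Start Page')'"
    }

    # 4. Hidden directories created recently under system locations.
    $cutoff = (Get-Date).AddDays(-$RecentDays)
    foreach ($root in $ScanRoots) {
        Get-ChildItem -LiteralPath $root -Directory -Hidden -Recurse -Depth 3 `
                      -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -gt $cutoff } |
            ForEach-Object {
                & $add 'HiddenDir' "$($_.FullName) created $($_.CreationTime)"
            }
    }

    return $findings
}

Invoke-PostInfectionTriage | Format-Table -AutoSize
```

Because the rootkit component hides its own files and can kill processes that touch them, an empty result from a live system does not clear the machine; treat this as a first pass, and confirm on a suspicious host by booting from trusted offline media and repeating the file-system checks there.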

Sirefef is a severe piece of malware that can damage your computer in a variety of ways. Once installed, it makes lasting changes to your computer's security settings, hides its components from the operating system, and can be difficult to remove. Keeping your system and applications patched, avoiding pirated software and its keygens and cracks, and not following links in unsolicited email removes the most common ways this malware gets in.