Sefnit Accomplices Account for Spike in Malware Infections

Microsoft’s latest Security Intelligence Report identifies two malware families, Rotbrow and Brantall, previously thought to be benign that have been dropping the Sefnit botnet.

Plenty has been written about the Sefnit malware family and its favor with using Tor to mask communication, as well as the money it’s made for criminals via click-fraud schemes.

Sefnit, however, has had a pair of accomplices that until recently were regarded as harmless programs by most security companies.  The trio, which now includes two malware families Rotbrow and Brantall, are responsible for a startling jump in malware infections detected in the fourth quarter of last year, according to Microsoft.

In its latest Security Intelligence Report (SIR), Microsoft puts the blame on Sefnit et al for a 3x increase in worldwide infection rates at the end of last year. The SIR reports on malware and vulnerability trends based on data collected by various Microsoft security products including the Malicious Software Removal Tool (MSRT). Through the first three quarters, infection rates at around six computers cleaned per 1,000 scanned. In Q4, that number jumped 18 per 1,000.

Sefnit is the principal antagonist here, and it’s difficult to handle because it’s distributed through a number of non-traditional means, including peer-to-peer file sharing networks, and almost always it’s disguised as legitimate software, or bundled with something else.

Enter Rotbrow and Brantall.

Both of which have been re-classified as malware by Microsoft, and both present themselves to victims as legitimate software packages. Rotbrow, for example, pretends to be a safeguard against browser add-ons, while Brantall purports to be an installer for legitimate programs, Microsoft said.

Microsoft said that both have been seen installing Sefnit.

“Microsoft has been aware of this program since 2011, but it had never displayed malicious behavior until its association with Sefnit was discovered in 2013,” the SIR says. “Researchers discovered that some versions of the Browser Protector process, called BitGuard.exe, drop an installer for a harmless program called File Scout, and also secretly install Sefnit at the same time.”

The addition of Rotbrow signatures, Microsoft said, likely contributed to the jump in infection numbers.

“Detections of Rotbrow decreased considerably after December, and the MMPC expects the CCM infection rate to return to more typical levels in subsequent quarters as the MSRT and other security products resolve the remaining backlog of old Rotbrow infections,” the SIR says.

Sefnit, meanwhile, remains an evolving threat with a recent campaign shunning Tor as a command and control channel in favor SSH, a more traditional channel. In addition to click fraud, Sefnit is also used for Bitcoin mining and search result hijacking. A new click-fraud component discovered last year, Microsoft said, is used as a proxy service to relay HTTP traffic which is triggered to click on pay-per-click ads.

The SIR also covered vulnerability trends, noting that high severity vulnerability disclosures were down almost nine percent, while medium severity were up 19 percent and accounted for 59 percent of disclosures in the second half of the year. Industry wide, vulnerabilities in apps other than browsers and OS apps increased 34 percent. OS vulnerabilities climbed 48 percent, while OS application vulnerabilities dropped 46 percent. Browser vulnerability disclosures were also down 28 percent in the second half of 2013.

As for exploits, Microsoft reports that Java-based attacks are still king, followed by HTML/JavaScript attacks, though both dipped a bit in the fourth quarter, Microsoft said. The decline in both attacks could be traced to the disappearance of the Blackhole Exploit Kit upon the October arrest of its alleged author Paunch.

Suggested articles