Click-Fraud Sefnit Variant Shuns Tor for SSH

Facebook security researchers discovered a new variant of the Sefnit click-fraud malware. Unlike previous versions that used Tor for communication, this one uses SSH over port 443.

Sefnit was the first malware family to shed light on the problem of botnets and other malicious code using the Tor anonymity network as a communication protocol. While others before and since have done the same, Sefnit made the biggest splash at the end of last summer, when the botnet caused a 600 percent increase in Tor usage, setting off alarm bells that a large botnet was afoot.

Sefnit over Tor was slowly squashed as administrators took steps to push users to upgrade to a newer version of the Tor client that included a new handshake feature that replaced the one being used by the malware. Microsoft updated a number of its security products by November, including Microsoft Security Essentials, Windows Defender and the Malicious Software Removal Tool, to mitigate Sefnit and remediate machines infected with the Sefnit-related Tor service.

At its peak, more than five million machines on average were connecting to the Tor network, up from an average of fewer than one million. By the end of 2013, Tor metrics showed that number dropping to around 2 million.

The Sefnit authors have now countered, re-launching another version that has shunned Tor as a communication protocol and spreads via more traditional means. Researchers at Facebook found the variant and, along with researchers at Microsoft, have dug under the covers of Sefnit.BW and learned that this version is also being used for click-fraud as well as Litecoin mining. The malware opens a backdoor connection to a number of malicious domains where more malware can be uploaded to infected machines.

The original malware, also known as Mevade, was ultimately found to be a click-fraud and Bitcoin mining scheme.

The new variant, like the previous one, is delivered by a phony application called File Scout developed by the malware authors.

Facebook said yesterday that in March and April FileScout was dropping a NullSoft installer on infected machines. The installer dropped two executable files that ultimately use SSH as a communication protocol.

The first file drops two dlls called winthemes and themes respectively. Both attach themselves to the Windows registry, then ping out and attempt to connect to one of eight command and control servers, all of which were registered on March 27.

The first file then creates a directory in which it drops three more dlls called startup, run and channel; the SSH capabilities for C&C communication are built into the channel dll, which connects to sbc at kitiapgub[.]net over port 443. Facebook said this connection uses the same embedded keyfile that was used in the initial Sefnit infections over Tor in September.

“Using static details about channel.dll, such as its exported function name of check_update and its imphash, we were able to identify 7 additional channel.dll variants in the wild,” Facebook said.

The second file drops an updater dll that calls out to a domain, axnize[.]net; the email used to register this malicious domain was also used to register 10 other domains, Facebook said, some of which are the same domains used by the themes dll.

Microsoft’s Geoff McDonald, who did some of the early research on Sefnit, said that the malware can be spread by other malware, or bundled with software available on peer-to-peer networks. The primary monetization method is click fraud, McDonald said, adding that the primary indicators of compromise are the SSH connection over 443, in addition to performance downgrades because of the Litecoin mining.

“We have seen Sefnit using the 3proxy service to proxy HTTP traffic to emulate a user browsing the Internet and clicking on advertisements,” McDonald said.
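The SSH-over-443 indicator McDonald describes can be checked from the first bytes of a flow: a TLS session opens with a handshake record, while SSH opens with a plaintext identification string. The following is an added example, not code from Facebook, Microsoft or the original article; the flow record fields (`dst`, `dport`, `payload`) and all sample data are assumptions constructed for illustration.

```python
import re

# RFC 4253 sec. 4.2: an SSH peer opens with "SSH-<protoversion>-<softwareversion>".
SSH_IDENT = re.compile(rb"^SSH-[12]\.[0-9]+-[\x21-\x7e]+", re.MULTILINE)

def classify_first_bytes(payload: bytes) -> str:
    """Label the first bytes of a TCP stream as 'tls', 'ssh' or 'other'."""
    # TLS record header: type 0x16 (handshake), version bytes 0x03 0x00..0x04.
    if (len(payload) >= 3 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[2] <= 0x04):
        return "tls"
    # A server may send free-text lines before its banner, so check every
    # line start in the first 512 bytes rather than only offset 0.
    if SSH_IDENT.search(payload[:512]):
        return "ssh"
    return "other"

def flag_ssh_on_443(flows):
    """Return the flows to TCP/443 whose opening bytes are an SSH banner."""
    return [f for f in flows
            if f["dport"] == 443 and classify_first_bytes(f["payload"]) == "ssh"]

# Constructed sample flows: documentation addresses and made-up banners.
SAMPLE_FLOWS = [
    # SSH client banner sent to port 443: the indicator.
    {"dst": "198.51.100.7", "dport": 443,
     "payload": b"SSH-2.0-ExampleClient_1.0\r\n"},
    # Ordinary HTTPS: start of a TLS ClientHello record.
    {"dst": "203.0.113.9", "dport": 443,
     "payload": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"},
    # SSH on its usual port: not flagged.
    {"dst": "192.0.2.10", "dport": 22,
     "payload": b"SSH-2.0-ExampleServer_2.3\r\n"},
    # Server that prints a text line before its banner on port 443.
    {"dst": "198.51.100.8", "dport": 443,
     "payload": b"welcome\r\nSSH-2.0-ExampleServer_2.3\r\n"},
]

if __name__ == "__main__":
    for flow in flag_ssh_on_443(SAMPLE_FLOWS):
        print("SSH banner on TCP/443 ->", flow["dst"])
```

In practice the payload field would come from whatever captures the first packet of each flow, such as a network sensor or proxy log.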
