Stealthy New Click-Fraud Malware Related to Tor Botnet

Microsoft reports having discovered a click-fraud component to the Sefnit malware, thought to have disappeared in 2011. It has also linked Sefnit to the Mevade Tor botnet.

A malware family, likely developed by the same authors who built a massive botnet recently discovered on the Tor network, has been revived with a stealthy new click-fraud scam.

Microsoft reports a rash of new click-fraud activity linked to the Sefnit malware, which was thought dead and buried as of 2011, Microsoft Malware Protection Center researcher Geoff McDonald wrote in a blog post this week.

McDonald said Microsoft discovered a new click-fraud component to the Sefnit malware in June, one that uses the open source 3proxy project. Originally, Microsoft said, it had classified the click-fraud portion of Sefnit as the Mevade malware; it now considers them to be of the same family.

“The botnet of Sefnit-hosted proxies are used to relay HTTP traffic to pretend to click on advertisements,” McDonald said.

Using the proxies keeps the noise level down on Sefnit activity, unlike previous versions of the malware which would hijack clicks from search engine results, sending those clicks through an agency to a webpage resembling the user’s destination.

“These clicks are generally considered quite high value and are hard to detect from an antifraud perspective,” McDonald said.

There was nothing stopping observant users, however, from noticing that they had not landed on the site they were looking for and submitting the issue to a security researcher, Microsoft said. The unwanted attention, experts thought, caused the Sefnit gang to close up shop.

In June, the malware was found again, this time operating as a proxy service built on 3proxy.

“The new version of Sefnit exhibits no clear visible user symptoms to bring attention to the botnet,” McDonald said. “This allowed them to evade attention from antimalware researchers for a couple years.”

The botnet of proxies now sends requests, or phony ad clicks, through a network of affiliate search programs such as mywebsearch[.]com and legitimate ad agencies to eventually defraud a legitimate advertiser.

Microsoft provides an example using Groupon. The Sefnit authors are likely a mywebsearch affiliate, and use the proxy service to redirect traffic to the affiliate to “fake a click” on a Google ad on the Groupon site, defrauding Groupon in the process. The retailer must pay Google for the phony click; Google takes its share and in turn pays out the rest to the mywebsearch affiliate.

To keep the scam running undetected, the malware authors have built time lags into the scheme so that the malware does not click on the ads too often, which would alert antifraud services.

Microsoft said the Sefnit Trojan is being spread alongside legitimate installations of the File Scout application, also developed by the Sefnit gang.

“Specifically, it expects a similar format xml structure for the C&C-download and execute commands, both applications are distributed together, and the two applications were compiled 15 minutes apart with the same compiler,” McDonald said.

Sefnit is also spreading on some InstallBrain software bundler installers and through the eMule peer-to-peer network.

“The authors have adapted their click fraud mechanisms in a way that takes user interaction out of the picture while maintaining the effectiveness,” McDonald said. “This removal of the user-interaction reliance in the click fraud methodology was a large factor in the Sefnit authors being able to stay out of the security-researchers’ radars over the last couple of years.”
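The two behaviours described above, clicks that arrive with no user interaction behind them and clicks paced by deliberate time lags, are also what a defender can look for. The following is an added example, not code from the article or from Microsoft; it assumes a constructed, simplified ad-server log format and flags clients whose ad clicks are never preceded by an ad impression and whose click cadence is machine-regular.

```python
# Heuristic detector for proxy-relayed, user-less ad clicks: an added example,
# not code from the article or from Microsoft. Assumes a constructed, simplified
# ad-server log "<epoch> <client_ip> <event> <url>" with event "impression"
# (ad rendered in a page) or "click". Signals: clicks with no preceding
# impression from the same client, and machine-regular click intervals.
import statistics
from collections import defaultdict

SAMPLE_LOG = """\
1000 10.0.0.5 impression http://retailer.example/deals
1003 10.0.0.5 click http://ads.example/click?cid=42
2000 10.0.0.5 impression http://retailer.example/deals
2140 10.0.0.5 click http://ads.example/click?cid=42
1200 192.0.2.77 click http://ads.example/click?cid=42
1800 192.0.2.77 click http://ads.example/click?cid=42
2400 192.0.2.77 click http://ads.example/click?cid=42
3000 192.0.2.77 click http://ads.example/click?cid=42
"""  # constructed sample, not real traffic

def parse_log(text):
    """Group events per client IP, sorted by timestamp."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, ip, event, url = line.split(maxsplit=3)
        events[ip].append((int(ts), event, url))
    return {ip: sorted(ev) for ip, ev in events.items()}

def score_client(evts, window=60, min_clicks=3, max_cv=0.1):
    """Return (orphan_clicks, interval_cv, suspicious) for one client's events.
    orphan: click with no same-client impression within `window` seconds;
    interval_cv: coefficient of variation of inter-click gaps (None if too few)."""
    orphans, clicks, last_impression = 0, [], None
    for ts, event, _ in evts:
        if event == "impression":
            last_impression = ts
        elif event == "click":
            clicks.append(ts)
            if last_impression is None or ts - last_impression > window:
                orphans += 1
    cv = None
    if len(clicks) >= min_clicks:
        gaps = [b - a for a, b in zip(clicks, clicks[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
    # Flag only when every click is orphan AND the cadence is regular.
    suspicious = orphans == len(clicks) and cv is not None and cv <= max_cv
    return orphans, cv, suspicious

def flag_clients(text=SAMPLE_LOG):
    """Map client IP -> score tuple for every client in the log."""
    return {ip: score_client(ev) for ip, ev in parse_log(text).items()}
```

On the constructed sample, 192.0.2.77 is flagged (four orphan clicks exactly 600 seconds apart) while 10.0.0.5, whose clicks follow page impressions, is not.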

Mevade, meanwhile, caused a stir in mid-August when experts realized the number of Tor users had skyrocketed from 500,000 to close to 3 million and speculated that a botnet had set up shop on the network and the botmaster was using it to communicate with compromised hosts and to avoid potential takedown attempts.

The decision to move to Tor, however, was its undoing. Experts at Damballa Labs said the influx of Tor users drew unwanted attention to the botnet, leading to its detection. Researcher Mark Gilbert told Threatpost that the botmaster was likely renting out portions of the Mevade botnet for click fraud, adware scams and even data exfiltration.
