New Sefnit Variant Adopts SSH to Commit Click Fraud

blog_selfnit

There’s a new variant of Sefnit in town, which has ditched the Tor anonymity network in favor of Secure Shell (SSH) network protocol to establish communication with a command and control server. What does this mean for end users? Basically, a new malware that can hijack your computer and turn it into a zombie that makes money for its master, by clicking on ads and mining for cryptocurrency gold.

Fortunately if you’re running Emsisoft, we’ve got your back.

A Brief History of Sefnit

Malware from the Sefnit family typically acts as a Trojan, or a program that disguises itself as something useful in order to hide malicious functionality in the background. Sefnit can come bundled with other programs that you actually want to download, or it can come as a standalone Trojan. Sefnit is typically used to perform a number of malicious actions, and in addition to connecting your computer to a click fraud or cryptocurrency mining botnet, it can also grant attackers remote control of your machine and the ability to download more malware onto it.

One of the most fundamental concepts of malware is the command and control server, or the CnC. When your computer gets infected by botnet malware, it is essentially turned into a zombie that takes commands from a CnC server. In many cases, commands can be to send sensitive information that will help attackers commit identity theft. With Sefnit, commands are to click on ads or to mine for cryptocurrency – both actions designed to, you guessed it, Make Money with Malware.

Of course, connecting a victim’s computer to a CnC server is highly illegal, so for malware authors looking to score one of the biggest challenges is finding a server and a communication channel on which and through which to commit their nasty deeds. Attackers who propagated Sefnit from 2011-2013 eventually figured out that the best way to do this was to create a variant of the malware that could run through Tor –  the anonymity network of anonymity networks, and a subsection of the deep web. This new variant was known as Mevade, and by September 2013 Mevade was found to be responsible for a 600% increase in the Tor user base – all of which were actually zombie computers.

Eventually, administrators of Tor and Microsoft issued patches that resolved the Tor vulnerability responsible for this massive botnet, and soon the network’s user base decreased to its normal, human size. But, as this new SSH capable Sefnit variant indicates, malware authors are not so easily discouraged.

Sefnit Through SSH

Sefnit through SSH was discovered by security researchers at Facebook, with the help of Geoff McDonald, a Microsoft security researcher who helped mitigate Sefnit on Tor. Readers interested in a technical analysis of the malware can find reports here and here.

In essence, Secure Shell protocol is simply a communication channel, through which one computer can communicate or – in the case of Sefnit – control another. This new Sefnit variant utilizes SSH over port 443, to initiate a series of malicious downloads. For more on ports, check out the Emsisoft Security Knowledgebase article, What is a Port?.

Protecting Yourself from Sefnit

Users running Emsisoft Anti-Malware are automatically protected from this new Sefnit variant in many ways.

  • Facebook’s analysis indicates that the SSH Sefnit is being dropped by Filescout, which is itself a potentially unwanted program, or a PUP. PUPs are not technically legally malware, but Emsisoft Anti-Malware is specifically designed to protect you from them, as they can be quite annoying, can drain your machine’s resources, and – as is the case with this new form of Sefnit – can also spread malware.
  • The malware that Filescout is dropping is a “Nullsoft Installer.” Emsisoft Anti-Malware’s dual engine scanner detects this malware as Dropped:Trojan.Generic.11179864 (B) (SHA-1 099fa59839c0da006d1ebab53bbfaeb94f63a27c).
  • If installed, the “Nullsoft Installer” will then initiate installation of a malicious executable, which has been rather un-creatively named file1.exe. This is the malware that allows Sefnit to function through SSH protocol, and Emsisoft Anti-Malware detects it as Gen:Variant.Zusy.88587 (B) (SHA-1 51e16c2729df79e91863b0fccc1af9349fc65270).

Users who aren’t yet running Emsisoft can diagnose an SSH Sefnit infection in two ways. The first indicator is the use of SSH protocol on port 443; the second is a general decrease in system performance, due to the fact that the malware makes infected computers mine for cryptocurrency.

As always, anyone who is not yet running Emsisoft Anti-Malware and who suspects they may be infected by this latest threat is more than welcome to request assistance from our Malware Removal Experts at the Help My PC is Infected! support forum. Diagnosis and removal is free for anyone who needs it, and if you are pleased with our service you can even try our software for 30-days at no cost.

Have a Great (Malware-Free) Day!