Sefnit, a prevalent malware family known for using infected computers for click fraud and bitcoin mining, has left millions of machines potentially vulnerable to future attacks. We recently blogged about Sefnit performing click fraud and about how we added detection for the upstream Sefnit installer. In this blog we explain how the Tor client service installed by Sefnit is posing a risk to millions of machines, and how we are working to address the problem.
Win32/Sefnit made headlines last August when it took the Tor Network by storm. Tor is an open source project for online anonymity and is commonly used to browse the Internet anonymously. Around August 19, 2013, millions of infected computers running Win32/Sefnit installers are believed to have been woken up and instructed en masse to download and install a Sefnit component that uses the Tor Network for C&C communication. Based on the Tor Network's connecting-user estimates, the evidence suggests this resulted in more than four million Sefnit-installed Tor client services being pushed out in just over two weeks, as shown in Figure 1.