Archive for the ‘Sefnit’ Category

Tackling the Sefnit botnet Tor hazard

January 10th, 2014

Sefnit, a prevailing malware known for using infected computers for click fraud and bitcoin mining, has left millions of machines potentially vulnerable to future attacks. We recently blogged about Sefnit performing click fraud and how we added detection on the upstream Sefnit installer. In this blog we explain how the Tor client service, added by Sefnit, is posing a risk to millions of machines, and how we are working to address the problem.

Win32/Sefnit made headlines last August as it took the Tor Network by storm. Tor is an open source project for online anonymity and is commonly used to browse the Internet anonymously. Around August 19, 2013, millions of infected computers running Win32/Sefnit installers are believed to have been woken up and given instructions en masse, to download and install a Sefnit component using the Tor Network for C&C communication. Based on the Tor Network’s connecting-user estimates, evidence suggests this resulted in more than four million Sefnit-installed Tor client services pushed in just over two weeks, as shown in Figure 1.

Figure 1: The effect of Win32/Sefnit on the Tor Network connecting-user base

The security problem lies in the fact that during a Sefnit component infection, the Tor client service is also silently installed in the background. Even after Sefnit is removed, unless specific care is taken, the Tor service will be left and still regularly connect to the Tor Network. This is a problem not only for the workload it applies to the Tor Network, but also for the security of these computers.

The Tor client

The Tor client service left behind on a previously-infected machine may seem harmless at first glance – Tor is a good application used to anonymize traffic and usually poses no threat. Unfortunately, the version installed by Sefnit is v0.2.3.25 – and does not self-update. The latest Tor release build at the time of writing is v0.2.4.20. While no high-severity security bulletins have been issued affecting Tor v0.2.3.25, Tor has a history of high-severity vulnerabilities – as illustrated in Figure 2.


CVE | Versions affected | Description
    | v0.2.2.35 and earlier | Multiple heap-based buffer overflows.
    | v0.2.2.20-alpha and earlier, and v0.2.1.28 and earlier | Heap-based buffer overflow.
    | v0.2.0.34 and earlier | Treats incomplete IPv4 addresses as valid, causing unknown impact.
    | v0.2.0.33 and earlier | Unspecified heap corruption.

Figure 2: History of vulnerabilities affecting Tor with potential for remote-code execution

Some of these vulnerabilities can be exploited for the remote execution of arbitrary code without authentication – essentially giving an attacker access to take over the machine remotely. This Tor service is a security risk to the machines even after Sefnit has been removed, since it is probable that a serious security vulnerability will be identified in the future. In summary, this means that a malicious actor may be able to infect millions of machines with any malware at some point in the future.

Cleanup efforts

Since the Sefnit-caused Tor eruption in August, we have worked to curb this risk. In this process, we consulted with Tor project developers to help plan the cleanup. We retroactively remediated machines that had previously been cleaned of Sefnit but still had a Sefnit-added Tor service.

These actions and their effect on the Tor Network’s estimated connecting users are illustrated in Figure 3.

Figure 3: Tor Network connecting-user estimate timeline with marked events.

Our actions so far have put a dent in the number of users at risk, but more work is needed to address an estimated two million machines that have yet to be reached. Many of the unreached machines are likely not running Microsoft security software, and we need your help to reduce this risk further.

Home users:

Download and run our free Microsoft Safety Scanner to scan and clean your PC.

Network administrators and advanced users:

Download and run our free Microsoft Safety Scanner to scan and clean workstations.

Your anti-virus solution may have removed Sefnit from your workstations while leaving the Sefnit-added Tor service running, because remediation of the Tor service depends on how complete the removal performed by other AV scanners was. For this reason, we recommend you check your workstations for Tor client services added by Sefnit. You can use the following commands, from a Command Prompt run as Administrator, to check for and stop the Tor client service:

    1. Query the basic information about the Tor service with the command “sc query tor”. If the service is found, the output should look something like the following:

    (Screenshot: Tor service is found)

    2. If a Tor service is found and you weren't expecting it, it is highly likely to be a Sefnit-installed service. Query its configuration with the command “sc qc tor”, which should give a result like the one shown below:

    (Screenshot: Tor service configuration)

    3. If the “BINARY_PATH_NAME” in that output matches, stop the Sefnit-added Tor client service with the command “sc stop tor”:

    (Screenshot: Stopping the Tor service)

    4. Delete the service with the command “sc delete tor”:

    (Screenshot: Correct Tor service removal)

    5. Verify that the service is no longer present by running “sc query tor” again. If it was removed correctly, this should display the following error:

    (Screenshot: The service is no longer running)
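The five sc steps above, as a single PowerShell script that can be pushed to many workstations. This is an added example, not code from the original post or from any Microsoft tool. It assumes the service is registered under the name “tor” (as in the post) and that the operator supplies the expected BINARY_PATH_NAME as a wildcard pattern in $ExpectedBinaryPathPattern, since the screenshot showing that path is not reproduced here; the default pattern is a placeholder. BINARY_PATH_NAME from “sc qc” is the PathName property of the Win32_Service CIM class.

```powershell
# Added example (not from the original MMPC post): audit a workstation for a
# Tor service left behind by Sefnit and, only when asked, stop and delete it.
# Run from an elevated PowerShell prompt. Supports -WhatIf for a dry run.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ServiceName = 'tor',
    # Placeholder (assumption): replace with the BINARY_PATH_NAME observed on
    # a confirmed Sefnit-infected machine in your environment.
    [string]$ExpectedBinaryPathPattern = '*\tor.exe*',
    [switch]$Remove
)

# Step 1: equivalent of "sc query tor".
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output "No service named '$ServiceName' is installed. Nothing to do."
    return
}

# Step 2: equivalent of "sc qc tor"; PathName is what sc reports as BINARY_PATH_NAME.
$cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
Write-Output ("Service '{0}': state={1} startmode={2}" -f $cim.Name, $cim.State, $cim.StartMode)
Write-Output ("BINARY_PATH_NAME: {0}" -f $cim.PathName)

# Only act on a service whose binary path matches what Sefnit is known to install;
# a Tor service installed deliberately by the user is left alone for manual review.
if ($cim.PathName -notlike $ExpectedBinaryPathPattern) {
    Write-Warning "Binary path does not match the expected pattern; review manually before removing."
    return
}

if (-not $Remove) {
    Write-Output "Service matches the expected pattern. Re-run with -Remove to stop and delete it."
    return
}

# Steps 3 and 4: equivalent of "sc stop tor" followed by "sc delete tor".
if ($PSCmdlet.ShouldProcess("$ServiceName service", 'Stop and delete')) {
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $ServiceName -Force
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
    }
    # sc.exe is used for deletion because Remove-Service only exists in PowerShell 6 and later.
    & sc.exe delete $ServiceName | Out-Null
}

# Step 5: equivalent of running "sc query tor" again; the service should be gone.
if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) {
    Write-Warning "Service '$ServiceName' is still registered (deletion is deferred while a handle to it is open)."
} else {
    Write-Output "Service '$ServiceName' removed."
}
```

Without -Remove the script is read-only and can be run broadly as an inventory pass; the binary-path check is what distinguishes the Sefnit-added service from a Tor client a user installed on purpose, which is why the script refuses to delete anything whose path does not match the pattern you supply.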

We also shared this information with our Microsoft Virus Initiative and Virus Information Alliance partners so that they, too, can help in the clean-up.

Geoff McDonald
MMPC

* January 22, 2014: To clarify, this protection removes the services started by the Sefnit malware, but it does not uninstall Tor, remove any Tor binaries, or prevent users from using Tor.

Categories: MSRT, Sefnit, Tor Tags:

Protection metrics – November results

December 24th, 2013

In our October results, we talked about a trio of families related to Win32/Sefnit. Our November results showed progress against Sefnit and the installers and downloaders of Sefnit (Win32/Rotbrow and Win32/Brantall). In comparison to September, active Sefnit infections have been reduced by 82 percent. As with prior months, our rate of incorrect detections also remained low and performance stayed consistent.

(If you want a refresh on the definition of the metrics we use in our monthly results, see our initial post: Our protection metrics – September results.)

For Rotbrow, (which, by the way, was also added to the MSRT in December), we saw half the number of active infections in November in comparison to the previous month. Active Brantall infections were reduced by about a fifth, month over month.

A relatively new family, Win32/Wysotot, which was added to our real-time protection products at the end of October, impacted 0.002 percent of our customer base in November. This was a moderate impact (although much smaller in comparison to the Sefnit trio), and it went into decline later in the month. Wysotot is typically installed on your computer through software bundlers that advertise free software or games. It redirects you to another website when you open certain browsers through a shortcut file. It can also download other software, run and kill processes on your computer, and send the status of your security software to a command and control (C&C) server.

The VBS/Jenxcus family had a similar impact but, unlike Wysotot, hasn't declined. This worm uses shortcut links to propagate, but is also often downloaded online or through torrents. It also has the capability to spread through removable drives, so if your computer's infected with Jenxcus, make sure you also scan any removable drives you've used recently with an antivirus product. More on Jenxcus next month.

Also, considering the recent action against the Sirefef family, we will have a few interesting trends to report next month. Stay tuned for that update in the new year.

In the meantime, make sure your antivirus solution is up to date. If you're running Windows 8, Windows Defender helps protect you against malware; if you're running Windows 7 and earlier, you can install Microsoft Security Essentials.

Holly Stewart

MMPC

Categories: Protection metrics, Rotbrow, Sefnit Tags: