Win32/Sefnit


Microsoft security software detects and removes this family of threats.

This family of threats can allow backdoor access, download files, and use your PC and Internet connection for click fraud and bitcoin and Litecoin mining.

Some Sefnit versions can monitor Internet Explorer or Mozilla Firefox to hijack search results when you use search engines such as Bing, Yahoo!, and Google.

They can be downloaded by other malware, or bundled with other software and downloaded through peer-to-peer file sharing networks.



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Variants of the Win32/Sefnit family can be installed by other malware or potentially unwanted software, like Win32/Filcout, Win32/Brantall, and Win32/Rotbrow.

Sefnit is installed by a malicious installer for an application called File Scout. We detect File Scout as Win32/Filcout. An example of a software bundler that silently installs Sefnit during installation:

Sefnit can be downloaded and installed by a software bundler called InstallBrain. We detect versions of InstallBrain that install Sefnit as Win32/Brantall. The installer for it might look like:

Win32/Rotbrow might have the program names BrowserProtect, BProtect, or BitGuard. Versions of these programs that install Sefnit are the ones that we detect as Win32/Rotbrow. They are often installed along with legitimate programs like the Babylon toolbar.

You might also have downloaded it through peer-to-peer file sharing networks, thinking it is a legitimate application. For example, we have seen Trojan:Win32/Sefnit.AT and Trojan:Win32/Sefnit.gen!D spread through the eMule sharing program, pretending to be legitimate programs.

The Sefnit family has the following components:

The updater and installer service uses these file names:

  • <system folder>\FlashPlayerUpdateService.exe - Adobe Flash Player Update Service
  • BleServicesCtrl.exe - Bluetooth LE Services Control Protocol
  • Wins.exe - Windows Internet Name Service
  • TrustedInstaller.exe - Windows Modules Installer
  • winthemes_service.dll - Windows Themes
  • themes.dll - Windows Themes
  • winthemes.dll - Windows Themes
  • %APPDATA%\updater\updater.dll - Update Service
  • wnetprof.exe - Windows Network List Service
  • wncs.dll - Windows Network Connection Service

Note: Some of these file names and service names might be used by legitimate processes.

The click-fraud component uses these file names:

The peer-to-peer file-sharing component uses the file name <system folder>\config\systemprofile\Local Settings\Application Data\Windows Internet Name Service\wins.exe.

The bitcoin mining component uses these file names:

Sefnit might use any of these methods to automatically start in your PC, depending on the sample:

  • Create jobs to ensure that it automatically runs on a regular basis on your PC
  • Change your registry settings so that it automatically runs its DLL component when you start Windows (some samples have both an EXE and a DLL component)
  • Register itself as a service that automatically runs when Windows starts

If it creates a job, the job might be called:

  • AdobeFlashPlayerUpdate
  • TrustedInstaller Update
  • CPU Grid Computing
  • Grid Computing Updater
  • The network connection monitor
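
The file, service and job names above can be turned into a simple triage check. The following is an added example, not code from this entry: it matches a separately collected host inventory (scheduled task names, service display names with their binary or ServiceDll path, file paths) against those names, and, because the entry notes that some names are also used by legitimate processes, it only flags TrustedInstaller.exe, FlashPlayerUpdateService.exe and wins.exe when they sit outside the directory the legitimate binary normally uses (those directories are assumptions, as is the constructed sample inventory).

```python
"""Triage helper: match a host inventory against the names this entry gives for Sefnit.
Added example, not code from the Microsoft write-up; the inventory (task names, service
display names with binary/ServiceDll path, file paths) is collected separately."""
import ntpath

# Scheduled job names the entry attributes to Sefnit (matched case-insensitively).
JOB_NAMES = {"adobeflashplayerupdate", "trustedinstaller update", "cpu grid computing",
             "grid computing updater", "the network connection monitor"}
# Service display names from the entry, plus the Tor service some variants install.
SERVICE_NAMES = {"adobe flash player update service", "bluetooth le services control protocol",
                 "windows internet name service", "windows modules installer", "windows themes",
                 "update service", "windows network list service",
                 "windows network connection service", "tor win32 service"}
# File names from the entry -> parent directory where the same name is legitimate
# (None: no legitimate use expected). The legitimate directories are assumptions.
FILE_NAMES = {"flashplayerupdateservice.exe": "flash",   # ...\Macromed\Flash\
              "trustedinstaller.exe": "servicing",       # %SystemRoot%\servicing\
              "wins.exe": "system32",                     # WINS role on Windows Server
              "bleservicesctrl.exe": None, "winthemes_service.dll": None, "themes.dll": None,
              "winthemes.dll": None, "updater.dll": None, "wnetprof.exe": None, "wncs.dll": None}

def check_file(path):
    """Return a finding for a Sefnit file name outside its legitimate directory, else None."""
    directory, name = ntpath.split(path)
    if name.lower() not in FILE_NAMES:
        return None                     # name is not one the entry lists
    legit_parent = FILE_NAMES[name.lower()]
    if legit_parent and ntpath.basename(directory).lower() == legit_parent:
        return None                     # legitimate binary in its expected place
    return f"file: {path}"

def triage(tasks, services, files):
    """Return findings; a matching service name is ignored when its binary is the legitimate one."""
    findings = [f"job: {t}" for t in tasks if t.lower() in JOB_NAMES]
    for display, binary in services:
        if display.lower() not in SERVICE_NAMES:
            continue
        if ntpath.basename(binary).lower() in FILE_NAMES and check_file(binary) is None:
            continue                    # e.g. the real Windows Modules Installer
        findings.append(f"service: {display} -> {binary}")
    findings += [hit for hit in map(check_file, files) if hit]
    return findings

# Constructed sample inventory: one legitimate and one lookalike TrustedInstaller service.
SAMPLE_TASKS = ["CPU Grid Computing", "GoogleUpdateTaskMachineUA"]
SAMPLE_SERVICES = [("Windows Modules Installer", r"C:\Windows\servicing\TrustedInstaller.exe"),
                   ("Windows Modules Installer", r"C:\Windows\System32\TrustedInstaller.exe"),
                   ("Tor Win32 Service", r"C:\ProgramData\Tor\tor.exe")]
SAMPLE_FILES = [r"C:\Users\user\AppData\Roaming\updater\updater.dll", r"C:\Windows\System32\drivers\etc\hosts"]
```

Calling triage(SAMPLE_TASKS, SAMPLE_SERVICES, SAMPLE_FILES) on the sample yields four findings: the job, the lookalike TrustedInstaller service, the Tor service and updater.dll, while the legitimate TrustedInstaller service and the hosts file are left alone.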

If it installs a DLL component, the DLL component might have these file names:

Payload

Downloads other malware

Sefnit connects to remote servers, known as command and control (C&C) servers. When connected, it tries to download data that controls what files to download, or which actions to take.

Some of the C&C servers used by this trojan are:


The trojan uses different methods to contact the servers, depending on the variant. It uses these protocols:

  • HTTP
  • HTTP over Tor
  • SSH by using the legitimate application PuTTY

Uses your PC for click fraud

Some variants of the family, such as Trojan:Win32/Sefnit.AS, use your PC's Internet connection to do click fraud.

Sefnit uses the 3proxy service to proxy HTTP traffic and imitate a user browsing the Internet and clicking on advertisements.

Other versions of Sefnit can monitor Internet Explorer and Firefox to hijack the search results for various search engines like Bing, Yahoo!, and Google.

Additional information

Some variants install a Tor service on your PC with the name Tor Win32 Service. This is a legitimate service that is used by the trojan to pass its traffic off as anonymous. The number of users connecting to the Tor network increased considerably starting in August 2013. This increase is believed to be a result of the Sefnit family using Tor for its C&C communication. The following graph shows the network traffic increase from the Tor metrics portal:

Running files downloaded from peer-to-peer file sharing programs like eMule, µTorrent, and Shareaza puts you at a high risk of being infected by trojans and other malware.

Recommended reading

Analysis by Geoff McDonald


Symptoms

The following could indicate that you have this threat on your PC:

  • You installed a file from a peer-to-peer sharing network and shortly after you see an installer like either of these:



Prevention


Alert level: Severe
This entry was first published on: Jun 04, 2014
This entry was updated on: Aug 22, 2014

This threat is also detected as:
No known aliases