Installation
Variants of this family can be installed by other malware or unwanted software.
We have seen it included in software bundlers that install clean applications. The following is an example of a software bundler that silently installs Sefnit:
This variant copies itself to the following location:
Note: In some cases this file path may correspond to a legitimate clean file as well.
The trojan registers itself as a service in the registry. We have seen it use these names:
- Windows Internet Name Service
- Bluetooth LE Services Control Protocol
- Network connection monitor
- Windows Network Connection Service
Note: In some cases these names may correspond to legitimate clean services as well.
It may add two scheduled jobs so it runs on a regular basis:
Where <job name> varies by variant, for example TrustedInstaller Update.job and TrustedInstaller Update 2.job.
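As an added triage example (not part of this Microsoft description), the following PowerShell lists any service using one of the four names above and any scheduled job named like the ones this variant creates, together with the binary path and Authenticode status, so that a clean Windows service (the same names are also used by legitimate ones) can be told from an impostor. It assumes Windows PowerShell 5.1 or later run with administrative rights and that legacy .job files live under %SystemRoot%\Tasks; the function names are this example's own.

```powershell
# Added example, not code from the Microsoft page. Triage the persistence points
# described above: services hiding behind legitimate-looking display names and
# the "TrustedInstaller Update*" scheduled jobs. Assumes Windows PowerShell 5.1+
# running elevated; function names are this example's own.

$SuspectServiceNames = @(
    'Windows Internet Name Service',
    'Bluetooth LE Services Control Protocol',
    'Network connection monitor',
    'Windows Network Connection Service'
)

# Pull the executable out of a service command line, whether quoted
# ("C:\x y\z.exe" -arg) or unquoted (C:\Windows\System32\svchost.exe -k netsvcs).
function Get-ServiceBinary {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName -match '^"([^"]+)"')        { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $PathName.Trim()
}

# Every service whose name or display name is on the list, with the evidence an
# analyst needs: where the binary lives and whether it carries a valid signature.
function Get-SuspectServices {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { ($SuspectServiceNames -contains $_.DisplayName) -or
                       ($SuspectServiceNames -contains $_.Name) } |
        ForEach-Object {
            $bin = Get-ServiceBinary $_.PathName
            $sig = 'FileMissing'
            if ($bin -and (Test-Path -LiteralPath $bin)) {
                $sig = (Get-AuthenticodeSignature -FilePath $bin).Status
            }
            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                StartMode   = $_.StartMode
                State       = $_.State
                Binary      = $bin
                Signature   = $sig
                InSystem32  = [bool]($bin -and ($bin -like "$env:SystemRoot\System32\*"))
            }
        }
}

# Legacy *.job files live under %SystemRoot%\Tasks; newer systems also expose
# them through the Task Scheduler cmdlets, so check both.
function Get-SuspectJobs {
    $jobDir = Join-Path $env:SystemRoot 'Tasks'
    if (Test-Path -LiteralPath $jobDir) {
        Get-ChildItem -LiteralPath $jobDir -Filter '*.job' -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like 'TrustedInstaller Update*' } |
            Select-Object FullName, CreationTime, LastWriteTime, Length
    }
    if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
        Get-ScheduledTask -TaskName 'TrustedInstaller Update*' -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    TaskName = $_.TaskName
                    TaskPath = $_.TaskPath
                    State    = $_.State
                    Actions  = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
                }
            }
    }
}

Get-SuspectServices | Format-Table -AutoSize
Get-SuspectJobs     | Format-List
```

A name match on its own proves nothing, which is why the output carries the binary path, whether it sits under System32, and the signature status: the legitimate services that share these names are Microsoft-signed system binaries, whereas a copy of the trojan will usually sit elsewhere and be unsigned or missing. Treat a hit with Signature other than Valid, or a job action pointing outside the Windows directory, as the thing to pull for analysis.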
Payload
Uses your PC for click fraud
This threat acts as a network proxy to do click fraud.
A hacker can use your PC to relay Internet traffic that simulates a user browsing the Internet and clicking on ads. We have seen this threat using the open-source 3proxy service to do this. It does this in the background, so you are unlikely to notice anything unusual.
For more information about how Sefnit does click fraud, see our blog Mevade and Sefnit: Stealthy click fraud, and to read about what click fraud is and how malware can use your PC to do it, see Another way Microsoft is disrupting the malware ecosystem.
Downloads other malware
The trojan connects to remote servers, known as command-and-control (C&C) servers. Once connected, it tries to download data that tells it which files to download or which actions to take.
Some of the C&C domains known to be used by this trojan include:
- assetsstatistic.com
- fullstatistic.com
- full-statistic.com
- reserve-statistic.com
- reservestatistic.net
- securitystatistic.com
- service-stat.com
- service-statistic.com
- service-update.net
- stockstatistic.com
- storestatistic.com
- updservice.net
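As an added example (not from the Microsoft page), the following PowerShell matches the C&C domains listed above against DNS query records and against the local resolver cache. The domain list is the page's; the log lines are constructed for this example and their format (time, client, queried name) is an assumption, as are the function names.

```powershell
# Added example, not code from the Microsoft page. Hunt for lookups of the
# Sefnit C&C domains listed above in a DNS log and in the local DNS cache.
# The domain list is the page's; the log lines below are constructed and
# their "<time> <client-ip> <queried-name>" layout is an assumed format.

$SefnitDomains = @(
    'assetsstatistic.com', 'fullstatistic.com', 'full-statistic.com',
    'reserve-statistic.com', 'reservestatistic.net', 'securitystatistic.com',
    'service-stat.com', 'service-statistic.com', 'service-update.net',
    'stockstatistic.com', 'storestatistic.com', 'updservice.net'
)

# True when $Name is one of the listed domains or a host beneath one
# (api.full-statistic.com), ignoring case and a trailing dot. A plain
# substring test would also flag unrelated names such as notfull-statistic.com.
function Test-SefnitDomain {
    param([Parameter(Mandatory)][string]$Name)
    $n = $Name.ToLowerInvariant().TrimEnd('.')
    foreach ($d in $SefnitDomains) {
        if ($n -eq $d -or $n.EndsWith(".$d")) { return $true }
    }
    return $false
}

# Constructed sample log (assumed format): time, client address, queried name.
$SampleLog = @'
2013-09-02T10:14:03Z 10.0.0.21 www.bing.com
2013-09-02T10:14:09Z 10.0.0.21 full-statistic.com
2013-09-02T10:14:10Z 10.0.0.37 api.service-update.net.
2013-09-02T10:15:44Z 10.0.0.21 notfull-statistic.com
2013-09-02T10:16:02Z 10.0.0.52 UPDSERVICE.NET
'@ -split "`r?`n"

# Emit one record per log line whose queried name is a Sefnit C&C domain.
function Find-SefnitLookups {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $parts = $line.Trim() -split '\s+'
        if ($parts.Count -lt 3) { continue }
        if (Test-SefnitDomain $parts[2]) {
            [pscustomobject]@{ Time = $parts[0]; Client = $parts[1]; Query = $parts[2] }
        }
    }
}

Find-SefnitLookups $SampleLog | Format-Table -AutoSize

# Live check on Windows 8 / Server 2012 and later: anything for these domains
# still sitting in the resolver cache of the host being examined.
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    Get-DnsClientCache |
        Where-Object { Test-SefnitDomain $_.Entry } |
        Select-Object Entry, Data, TimeToLive
}
```

The suffix test is deliberate: the sample includes a host beneath a listed domain, a name with a trailing dot, an upper-case name and a near-miss that merely shares a substring, so a naive -match on the bare domain would either miss hits or produce false ones. Get-DnsClientCache is guarded because it does not exist on Windows 7 and earlier; on those hosts ipconfig /displaydns is the equivalent source.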
Additional information
This threat uses a C&C infrastructure that mixes HTTP and SSH. Standard HTTP is used to download and read an encrypted XML file that specifies download-and-run commands as well as the C&C server to be used for SSH. Clean library code from the PuTTY project is used to implement the SSH client.
This threat is only one component of Sefnit. Typically, up to three known components are installed around the same time on an infected PC. For details on these other components, please refer to the Win32/Sefnit family description.
You can also read more about the family in our blog Mevade and Sefnit: Stealthy click fraud.
Since August 2013, there has been a considerable increase in the number of users connecting to the Tor network; this is believed to be a result of the Sefnit family using Tor for its C&C communication. This is shown in the following graph from the Tor metrics portal:
Running files downloaded from peer-to-peer networks like eMule, µTorrent, and Shareaza puts you at a high risk of being infected by trojans and other malware.
Analysis by Geoff McDonald