Installation
Variants of the Win32/Sefnit family can be installed by other malware or unwanted software, like Win32/Filcout, Win32/Brantall, and Win32/Rotbrow.
Sefnit is installed by a malicious installer for an application called File Scout. We detect File Scout as Win32/Filcout. An example of a software bundler that silently installs Sefnit during installation:

Sefnit can be downloaded and installed by a software bundler called InstallBrain. We detect versions of InstallBrain that install Sefnit as Win32/Brantall. The installer for it might look like:

Win32/Rotbrow might have the program names BrowserProtect, BProtect, or BitGuard. Versions of these programs that install Sefnit are the ones that we detect as Win32/Rotbrow. They are often installed along with legitimate programs like the Babylon toolbar.
You might also have downloaded it through peer-to-peer file sharing networks, thinking it is a legitimate application. For example, we have seen Trojan:Win32/Sefnit.AT and Trojan:Win32/Sefnit.gen!D spread through the eMule sharing program, pretending to be legitimate programs.
The Sefnit family has the following components:
The updater and installer service uses these file names:
- <system folder>\FlashPlayerUpdateService.exe - Adobe Flash Player Update Service
- BleServicesCtrl.exe - Bluetooth LE Services Control Protocol
- Wins.exe - Windows Internet Name Service
- TrustedInstaller.exe - Windows Modules Installer
- winthemes_service.dll - Windows Themes
- themes.dll - Windows Themes
- winthemes.dll - Windows Themes
- %APPDATA%\updater\updater.dll - Update Service
- wnetprof.exe - Windows Network List Service
- wncs.dll - Windows Network Connection Service
Note: Some of these file names and service names might be used by legitimate processes.
The click-fraud component uses these file names:
The peer-to-peer file-sharing component uses the file name <system folder>\config\systemprofile\Local Settings\Application Data\Windows Internet Name Service\wins.exe.
The bitcoin mining component uses these file names:
Sefnit might use any of these methods to automatically start on your PC, depending on the sample:
- Create jobs to ensure that it automatically runs on a regular basis on your PC
- Change your registry settings so that it automatically runs its DLL component when you start Windows (some samples have both an EXE and a DLL component)
- Register itself as a service that automatically runs when Windows starts
If it creates a job, the job might be called:
- AdobeFlashPlayerUpdate
- TrustedInstaller Update
- CPU Grid Computing
- Grid Computing Updater
- The network connection monitor
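The persistence methods and names above can be checked on a host with a PowerShell hunting script like the one below. This is an added example, not code from the original advisory: the task, service and file names come from this page, while the folders searched, the helper function name and the Authenticode check (which separates the legitimate processes mentioned in the note above from look-alikes) are assumptions.

```powershell
# Added hunting script, not part of the original advisory. Task, service and file
# names are taken from the page; the Run keys inspected, the helper name and the
# signature check are assumptions. Run elevated (Get-ScheduledTask needs Windows 8+).
$taskNames = 'AdobeFlashPlayerUpdate', 'TrustedInstaller Update', 'CPU Grid Computing',
             'Grid Computing Updater', 'The network connection monitor'
$fileNames = 'FlashPlayerUpdateService.exe', 'BleServicesCtrl.exe', 'Wins.exe',
             'TrustedInstaller.exe', 'winthemes_service.dll', 'themes.dll',
             'winthemes.dll', 'updater.dll', 'wnetprof.exe', 'wncs.dll'
$findings = New-Object System.Collections.Generic.List[string]

# Hypothetical helper: strip quotes and arguments from a service command line
function Get-CommandBinary([string]$cmd) {
    if ($cmd -match '^"?([^"]+?\.(?:exe|dll))"?') { return $Matches[1] }
    return $cmd
}

# 1. Scheduled tasks whose names match the jobs the advisory lists
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $taskNames -contains $_.TaskName } |
    ForEach-Object {
        $act = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings.Add("Task '$($_.TaskName)' -> $act")
    }

# 2. Services: the Tor service name from the page, or a listed file name whose
#    binary is not validly signed (the genuine Windows/Adobe components are signed)
foreach ($s in Get-CimInstance Win32_Service) {
    $bin = Get-CommandBinary $s.PathName; if (-not $bin) { continue }
    if ($s.Name -eq 'Tor Win32 Service' -or $s.DisplayName -eq 'Tor Win32 Service') {
        $findings.Add("Service '$($s.Name)' -> $bin"); continue
    }
    if ($fileNames -contains (Split-Path -Leaf $bin) -and (Test-Path $bin)) {
        $status = (Get-AuthenticodeSignature $bin).Status
        if ($status -ne 'Valid') { $findings.Add("Service '$($s.Name)' -> $bin [$status]") }
    }
}

# 3. Run keys that reference one of the listed files (covers the DLL-component variant)
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty $key -ErrorAction SilentlyContinue; if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $hit = $fileNames | Where-Object { "$($p.Value)" -match [regex]::Escape($_) }
        if ($hit) { $findings.Add("Run value '$($p.Name)' in $key -> $($p.Value)") }
    }
}
if ($findings.Count -eq 0) { 'No Sefnit-style persistence artifacts found.' } else { $findings }
```

A hit on a file name alone is not a verdict, since the note above says legitimate processes share some of these names; treat an unsigned binary, an unexpected path, or the Tor service name as the signal worth escalating.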
If it installs a DLL component, the DLL component might have these file names:
Payload
Downloads other malware
Sefnit connects to remote servers, known as command and control (C&C) servers. When connected, it tries to download data that controls what files to download, or which actions to take.
Some of the C&C servers used by this trojan are:
The trojan uses different methods to contact the servers, depending on the variant. It uses these protocols:
- HTTP
- HTTP over Tor
- SSH by using the legitimate application PuTTY
Uses your PC for click fraud
Some variants of the family, such as Trojan:Win32/Sefnit.AS, use your PC's Internet connection to do click fraud.
Sefnit uses the 3proxy service to proxy HTTP traffic and imitate a user browsing the Internet and clicking on advertisements.
Other versions of Sefnit can monitor Internet Explorer and Firefox to hijack the search results for various search engines like Bing, Yahoo!, and Google.
Additional information
Some variants install a Tor service on your PC with the name Tor Win32 Service. This is a legitimate service that is used by the trojan to pass its traffic off as anonymous. The number of users connecting to the Tor network increased considerably starting in August 2013. This increase is believed to be a result of the Sefnit family using Tor for its C&C communication. The following graph shows the network traffic increase from the Tor metrics portal:

Running files downloaded from peer-to-peer file sharing programs like eMule, µTorrent, and Shareaza puts you at a high risk of being infected by trojans and other malware.
Recommended reading
Analysis by Geoff McDonald