Alert level: Severe
Detected with Windows Defender Antivirus
Also detected as: No associated aliases
Microsoft security software detects and removes this family of threats.
Some Sefnit versions can monitor Internet Explorer or Mozilla Firefox to hijack search results when you use search engines such as Bing, Yahoo!, and Google.
They can be downloaded by other malware, or bundled with other software and downloaded through peer-to-peer file sharing networks.
Use the following free Microsoft software to detect and remove this threat:
- Windows Defender Antivirus for Windows 10 and Windows 8.1, or Microsoft Security Essentials for Windows 7 and Windows Vista
- Microsoft Safety Scanner
- Microsoft Windows Malicious Software Removal Tool
You should also run a full scan. A full scan might find other, hidden malware.
Get more help
If you’re using Windows XP, see our Windows XP end of support page
Sefnit is installed by a malicious installer for an application called File Scout. We detect File Scout as Win32/Filcout. An example of a software bundler that silently installs Sefnit during installation:
Sefnit can be downloaded and installed by a software bundler called InstallBrain. We detect versions of InstallBrain that install Sefnit as Win32/Brantall. The installer for it might look like:
Win32/Rotbrow might have the program names BrowserProtect, BProtect, or BitGuard. Versions of these programs that install Sefnit are the ones that we detect as Win32/Rotbrow. They are often installed along with legitimate programs like the Babylon toolbar.
You might also have downloaded it through peer-to-peer file sharing networks, thinking it is a legitimate application. For example, we have seen Trojan:Win32/Sefnit.AT and Trojan:Win32/Sefnit.gen!D spread through the eMule sharing program, pretending to be legitimate programs.
The Sefnit family has the following components:
- An updater and installer service, like Trojan:Win32/Sefnit.AU
- A click-fraud component, like Trojan:Win32/Sefnit.AS and Trojan:Win32/Sefnit.BM
- A peer-to-peer file-sharing service, like Trojan:Win32/Sefnit.AT and Trojan:Win32/Sefnit.gen!D
- A bitcoin mining component, like Trojan:Win32/Sefnit.BF
The updater and installer service uses these file names:
- <system folder>\FlashPlayerUpdateService.exe - Adobe Flash Player Update Service
- BleServicesCtrl.exe - Bluetooth LE Services Control Protocol
- Wins.exe - Windows Internet Name Service
- TrustedInstaller.exe - Windows Modules Installer
- winthemes_service.dll - Windows Themes
- themes.dll - Windows Themes
- winthemes.dll - Windows Themes
- %APPDATA%\updater\updater.dll - Update Service
- wnetprof.exe - Windows Network List Service
- wncs.dll - Windows Network Connection Service
Note: Some of these file names and service names might be used by legitimate processes.
The click-fraud component uses these file names:
- <system folder>\wncs.exe
- <system folder>\wnetprof.exe
- <system folder>\themes.dll
- <system folder>\winthemes.dll
- <system folder>\winthemes_service.dll
- <system folder>\Drivers\BleServicesCtrl.exe
- <system folder>\Drivers\blds.exe
- <system folder>\TrustedInstaller.exe
- <system folder>\uti.exe
The peer-to-peer file-sharing component uses the file name <system folder>\config\systemprofile\Local Settings\Application Data\Windows Internet Name Service\wins.exe.
The bitcoin mining component uses these file names:
- <system folder>\dfrg\mst.exe
- <system folder>\dfrg\cda.gz
- <system folder>\dfrg\upd.exe
- <system folder>\dfrg\runner.exe
- <system folder>\dfrg\task_registrar.exe
- <system folder>\dfrg\ssleay32.dll
- <system folder>\dfrg\cpu\cpu.exe
- <system folder>\dfrg\cpu\libwinpthread-1.dll
- <system folder>\dfrg\cda\pthreadvc2.dll
- <system folder>\dfrg\cda\cudart32_50_35.dll
Sefnit might use any of these methods to automatically start on your PC, depending on the sample:
- Create scheduled jobs so that it automatically runs on a regular basis on your PC
- Change your registry settings so that it automatically runs its DLL component when you start Windows (some samples have both an EXE and a DLL component)
- Register itself as a service that automatically runs when Windows starts
If it creates a job, the job might be called:
- TrustedInstaller Update
- CPU Grid Computing
- Grid Computing Updater
- The network connection monitor
If it installs a DLL component, the DLL component might have these file names:
Downloads other malware
Sefnit connects to remote servers, known as command and control (C&C) servers. When connected, it tries to download data that controls what files to download, or which actions to take.
Some of the C&C servers used by this trojan are:
The trojan uses different methods to contact the servers, depending on the variant. It uses these protocols:
- HTTP over Tor
- SSH by using the legitimate application PuTTY
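The file names, job names and service names listed in this entry can be checked on a single host. The following PowerShell script is an added example, not part of the Microsoft encyclopedia entry: every indicator string in it is taken from the lists above (the component file names, the job names, the service display names of the updater component, and the Tor Win32 Service named in the click-fraud section below); the function names, the output layout and the use of Authenticode signature status for triage are my own. It assumes PowerShell 3 or later (for Get-CimInstance) and that <system folder> is %WINDIR%\System32.

```powershell
# Added host-check script for the Win32/Sefnit indicators listed in this entry.
# Not Microsoft's code. A hit is not proof of infection: the entry notes that
# several of these names are also used by legitimate processes, so each file
# hit is reported with its Authenticode status and each service with its path.

$SystemFolder = Join-Path $env:WINDIR 'System32'   # assumed <system folder>

# Paths relative to <system folder>, from the component file-name lists
$SefnitSystemFiles = @(
    'FlashPlayerUpdateService.exe', 'BleServicesCtrl.exe', 'Wins.exe',
    'TrustedInstaller.exe', 'winthemes_service.dll', 'themes.dll',
    'winthemes.dll', 'wnetprof.exe', 'wncs.dll', 'wncs.exe', 'uti.exe',
    'Drivers\BleServicesCtrl.exe', 'Drivers\blds.exe',
    'config\systemprofile\Local Settings\Application Data\Windows Internet Name Service\wins.exe',
    'dfrg\mst.exe', 'dfrg\cda.gz', 'dfrg\upd.exe', 'dfrg\runner.exe',
    'dfrg\task_registrar.exe', 'dfrg\ssleay32.dll', 'dfrg\cpu\cpu.exe',
    'dfrg\cpu\libwinpthread-1.dll', 'dfrg\cda\pthreadvc2.dll',
    'dfrg\cda\cudart32_50_35.dll'
)
# The one indicator that lives under %APPDATA% instead of the system folder
$SefnitAppDataFiles = @('updater\updater.dll')

# Scheduled job names from the autostart section
$SefnitJobNames = @('TrustedInstaller Update', 'CPU Grid Computing',
                    'Grid Computing Updater', 'The network connection monitor')

# Service display names from the updater/installer list, plus the Tor service
$SefnitServiceNames = @('Adobe Flash Player Update Service',
    'Bluetooth LE Services Control Protocol', 'Windows Internet Name Service',
    'Windows Modules Installer', 'Windows Themes', 'Update Service',
    'Windows Network List Service', 'Windows Network Connection Service',
    'Tor Win32 Service')

function Find-SefnitFiles {
    $paths = @($SefnitSystemFiles  | ForEach-Object { Join-Path $SystemFolder $_ }) +
             @($SefnitAppDataFiles | ForEach-Object { Join-Path $env:APPDATA $_ })
    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $detail = 'not a PE file'
        if ($p -match '\.(exe|dll)$') {
            # Signature status separates a vendor-signed binary from an unsigned drop
            $sig = Get-AuthenticodeSignature -FilePath $p
            $detail = "Signature: $($sig.Status); Signer: $($sig.SignerCertificate.Subject)"
        }
        [pscustomobject]@{ Indicator = 'File'; Value = $p; Detail = $detail }
    }
}

function Find-SefnitJobs {
    # schtasks is used instead of Get-ScheduledTask so the check also runs on Windows 7
    $rows = schtasks /query /fo CSV /nh 2>$null |
            ConvertFrom-Csv -Header 'TaskName', 'NextRunTime', 'Status'
    foreach ($r in $rows) {
        $leaf = Split-Path -Leaf $r.TaskName      # '\CPU Grid Computing' -> 'CPU Grid Computing'
        if ($SefnitJobNames -contains $leaf) {
            [pscustomobject]@{ Indicator = 'Job'; Value = $r.TaskName; Detail = "Status: $($r.Status)" }
        }
    }
}

function Find-SefnitServices {
    foreach ($s in Get-CimInstance -ClassName Win32_Service) {
        if (($SefnitServiceNames -contains $s.DisplayName) -or ($SefnitServiceNames -contains $s.Name)) {
            # PathName shows which binary the service actually points at
            [pscustomobject]@{
                Indicator = 'Service'
                Value     = $s.DisplayName
                Detail    = "Name: $($s.Name); State: $($s.State); Path: $($s.PathName)"
            }
        }
    }
}

$hits = @(Find-SefnitFiles) + @(Find-SefnitJobs) + @(Find-SefnitServices)
if ($hits.Count -eq 0) {
    'No Win32/Sefnit indicators from this entry were found on this host.'
} else {
    $hits | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated prompt so the System32\config\systemprofile path and all services are readable. Expect at least one service hit on every Windows machine: "Windows Modules Installer" is the display name of the legitimate TrustedInstaller service, which is exactly why the script prints the service path and the file signature rather than just the name; the legitimate Windows Modules Installer binary does not sit directly in the System32 root, so a TrustedInstaller.exe found there with no valid signature is the finding worth escalating.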
Uses your PC for click fraud
Sefnit uses the 3proxy service to proxy HTTP traffic and imitate a user browsing the Internet and clicking on advertisements.
Other versions of Sefnit can monitor Internet Explorer and Firefox to hijack the search results for various search engines like Bing, Yahoo!, and Google.
Some variants install a Tor service on your PC with the name Tor Win32 Service. This is a legitimate service that the trojan uses to pass its traffic off as anonymous. The number of users connecting to the Tor network increased considerably starting in August 2013. This increase is believed to be a result of the Sefnit family using Tor for its C&C communication. The following graph shows the network traffic increase from the Tor metrics portal:
Running files downloaded from peer-to-peer file sharing programs like eMule, µTorrent, and Shareaza puts you at a high risk of being infected by trojans and other malware.
- Another way Microsoft is disrupting the malware ecosystem explains click-fraud in greater detail
- Mevade and Sefnit: Stealthy click fraud talks about how Mevade and Sefnit are the same family
- Rotbrow: the Sefnit distributor talks about how Rotbrow distributes Sefnit
- Tackling the Sefnit botnet Tor hazard discusses how Sefnit is affecting the Tor network
- Sefnit's Tor botnet C&C details explains how Sefnit's Tor botnet works
Analysis by Geoff McDonald
The following could indicate that you have this threat on your PC:
- You installed a file from a peer-to-peer sharing network and shortly after you see an installer like either of these: