Home / malwarePDF  

Trojan:Win32/Sefnit.gen!D


First posted on 04 October 2013.
Source: Microsoft

Aliases :

There are no other names known for Trojan:Win32/Sefnit.gen!D.

Explanation :

Threat behavior

Installation

Variants of this family can be installed by other malware or potentially unwanted software.

You might also download it through peer-to-peer file sharing, thinking it is a legitimate program. For example, we have seen this variant spreading through the eMule sharing program, using the following file names:

  • 25 Pokemon Roms for GBC, GBA, and NDS + Emulators.exe
  • Alicia Keys -- Girl On Fire (JapaneseVersion) 2013.zip
  • Minecraft (1.5.2) with 50 mods + more UPDATED Fixed.exe
  • moredoreen virtue collection chakra clearing,angel therapy and more.exe
  • Naughty Boy - La La La feat. Sam Smith [2013 - single].zip


We have seen Sefnit included in software bundlers that install clean applications. The following is an example of a software bundler that silently installs Sefnit:



This variant copies itself to the following location:

  • <system folder>\config\systemprofile\Local Settings\Application Data\Windows Internet Name Service\wins.exe


Note:
In some cases this file path may correspond to a legitimate clean file as well.

The trojan registers itself as a service in the registry. We have seen it use the name "Windows Internet Name Service". This name is also used by a legitimate service.

It installs a clean Tor service by creating the file tor.exe in the directory %ProgramFiles%\Tor. It adds this as a service under the display name "Tor Win32 Service".

This added Tor service is used by Sefnit to relay HTTP traffic for communication with its command and control (C&C) servers. The Tor service is likely used in this way to avoid network-based intrusion detection systems €“ since this process hides both the data as well as the intended destination of the communication.

Spreads via

eMule
peer-to-peer sharing

This threat spreads by pretending to be a desirable download. It tries to lure you into downloading it, thinking it is something else.

We have seen it use the following file names, among others:

  • 25 Pokemon Roms for GBC, GBA, and NDS + Emulators.exe
  • Alicia Keys -- Girl On Fire (JapaneseVersion) 2013.zip
  • Minecraft (1.5.2) with 50 mods + more UPDATED Fixed.exe
  • moredoreen virtue collection chakra clearing,angel therapy and more.exe
  • Naughty Boy - La La La feat. Sam Smith [2013 - single].zip


Payload

Downloads other malware

The trojan connects to remote servers, known as C&C servers. When connected, it tries to download data that tells it what files to download or actions to take.
Some of the C&C domains known to be used by this trojan include:

  • 6lokc3ut.no
  • 7cxnrxku.no
  • 7yp6xheu.no
  • iqxdx4bc.no
  • l7kitc2s.no
  • lqhggo2s.no
  • lqiw5zec.no
  • lrzxxcmc.no
  • mycg4if7.no
  • ohifq4cv.no
  • pmesnt54.no
  • qcm2m742.no
  • wys2mk65.no
  • y6pqn6ca.no


The trojan connects to these servers by using HTTP over Tor.

Additional information

This threat is only one component of Sefnit. Typically, up to three known components are installed around the same time on an infected PC. For details on these other components, please refer to the Win32/Sefnit family description.

You can also read more about the family in our blog Mevade and Sefnit: Stealthy click fraud.

The Sefnit family is known to use Tor or SSH provided by PuTTY as its C&C communication channel.

Since August 2013, there has been a considerable increase in the Tor network's incoming connecting users - this is believed to be as result of the Sefnit family using Tor for its C&C communication. This is shown in the following graph from the Tor metrics portal:




Running files downloaded from peer-to-peer networks such as eMule, µTorrent, and Shareaza puts you at a high risk of being infected by trojans and other malware.



Analysis by Geoff McDonald

Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:
    • <system folder>\config\systemprofile\Local Settings\Application Data\Windows Internet Name Service\wins.exe
    • %ProgramFiles%\Tor\tor.exe
  • You may see services named "Windows Internet Name Service" and "Tor Win32 Service"
  • Your PC will be listening on port 9051 to accept only localhost connections

Last update 04 October 2013

 

TOP

Malware :

Family: