Trojan:Win32/Sefnit.AS
First posted on 29 October 2013.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Sefnit.AS.
Explanation:
Threat behavior
Installation
Variants of this family can be installed by other malware or potentially unwanted software.
We have seen it included in software bundlers that install clean applications. The following is an example of a software bundler that silently installs Sefnit:
This variant copies itself to the following location:
- <system folder>\TrustedInstaller.exe
- <system folder>\uti.exe
- <system folder>\wncs.dll
- <system folder>\wnetprof.exe
- <system folder>\wnetprofmon.exe
Note:
In some cases this file path may correspond to a legitimate clean file as well.
The trojan registers itself as a service in the registry. We have seen it use the names:
- Windows Internet Name Service
- Bluetooth LE Services Control Protocol
- Network connection monitor
- Windows Network Connection Service
Note:
In some cases these names may correspond to legitimate clean services.
It may add two scheduled jobs so it runs on a regular basis:
- %windir%\Tasks\<job name>.job
- %windir%\Tasks\<job name>2.job
Where <job name> changes depending on the variant, for example TrustedInstaller Update.job and TrustedInstaller Update 2.job.
Payload
Uses your PC for click fraud
This threat acts as a network proxy to perform click fraud.
A hacker can use your PC to relay Internet traffic that simulates a user browsing the Internet and clicking on ads. We have seen this threat using the open-source 3proxy service to do this. It does this in the background, so you are unlikely to notice anything unusual.
For more information about how Sefnit performs click fraud, see our blog Mevade and Sefnit: Stealthy click fraud, and to read about what click fraud is and how malware can use your PC to do it, see Another way Microsoft is disrupting the malware ecosystem.
Downloads other malware
The trojan connects to remote servers, known as C&C servers. When connected, it tries to download data that tells it what files to download or actions to take.
Some of the C&C domains known to be used by this trojan include:
Additional information
This threat uses a C&C infrastructure that mixes HTTP and SSH. Standard HTTP is used to download and read an encrypted XML file that specifies download-and-run commands as well as the C&C server to be used for SSH. Clean library code from the PuTTY project is used to implement the SSH client.
This threat is only one component of Sefnit. Typically, up to three known components are installed around the same time on an infected PC. For details on these other components, please refer to the Win32/Sefnit family description.
You can also read more about the family in our blog Mevade and Sefnit: Stealthy click fraud.
Since August 2013, there has been a considerable increase in the number of users connecting to the Tor network; this is believed to be the result of the Sefnit family using Tor for its C&C communication. This is shown in the following graph from the Tor metrics portal:
Running files downloaded from peer-to-peer networks such as eMule, µTorrent, and Shareaza puts you at a high risk of being infected by trojans and other malware.
Analysis by Geoff McDonald
Symptoms
The following could indicate that you have this threat on your PC:
- You have these files:
- <system folder>\TrustedInstaller.exe
- <system folder>\uti.exe
- <system folder>\wncs.dll
- <system folder>\wnetprof.exe
- <system folder>\wnetprofmon.exe
- You may see an outgoing SSH connection from your PC to an untrusted remote PC
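A host-triage check built from the installation indicators and the symptoms above, as an added example that is not part of the Microsoft write-up: it scores co-occurring indicators rather than alerting on any single file or service name, because the notes above say those can also belong to clean software. The inventory dict format, the point values, the threshold and the two sample hosts are assumptions made for this example.

```python
import re

SYSTEM_FOLDER = r"c:\windows\system32"  # assumption: the usual <system folder>
TASKS_FOLDER = r"c:\windows\tasks"      # %windir%\Tasks
INDICATOR_FILES = {"trustedinstaller.exe", "uti.exe", "wncs.dll", "wnetprof.exe", "wnetprofmon.exe"}
INDICATOR_SERVICES = {"windows internet name service", "bluetooth le services control protocol",
                      "network connection monitor", "windows network connection service"}
SECOND_JOB = re.compile(r"^(.+?) ?2\.job$")  # "<job name> 2.job" or "<job name>2.job"
THRESHOLD = 4  # chosen here so a lone file or service name never triggers on its own

def _split(path):
    folder, _, name = path.lower().rpartition("\\")  # lower-cased (folder, basename)
    return folder, name

def triage(inv):
    """Score one host inventory dict; returns (score, list of findings)."""
    hits = []
    # 1 point per indicator file in the system folder (weak alone: the page notes it may be clean)
    for path in inv.get("files", []):
        folder, name = _split(path)
        if folder == SYSTEM_FOLDER and name in INDICATOR_FILES:
            hits.append((1, f"file {path}"))
    # 2 points per service registered under one of the observed display names
    for svc in inv.get("services", []):
        if svc.lower() in INDICATOR_SERVICES:
            hits.append((2, f"service '{svc}'"))
    # 2 points for the paired "<job name>.job" / "<job name> 2.job" scheduled jobs
    jobs = {_split(p)[1] for p in inv.get("tasks", []) if _split(p)[0] == TASKS_FOLDER}
    for job in jobs:
        m = SECOND_JOB.match(job)
        if m and f"{m.group(1)}.job" in jobs:
            hits.append((2, f"job pair {m.group(1)}.job / {job}"))
    # 3 points for an outbound SSH (tcp/22) connection made by one of the indicator binaries
    for conn in inv.get("connections", []):
        if conn.get("dst_port") == 22 and _split(conn.get("process", ""))[1] in INDICATOR_FILES:
            hits.append((3, f"ssh from {conn['process']} to {conn.get('dst_ip', '?')}"))
    return sum(p for p, _ in hits), [text for _, text in hits]

def is_suspect(inv):
    return triage(inv)[0] >= THRESHOLD

# Constructed sample inventories (not real telemetry); 203.0.113.7 is a documentation address
CLEAN_HOST = {"files": [r"C:\Windows\System32\TrustedInstaller.exe"], "services": ["Windows Update"]}
INFECTED_HOST = {
    "files": [r"C:\Windows\System32\wnetprof.exe", r"C:\Windows\System32\wncs.dll"],
    "services": ["Network connection monitor"],
    "tasks": [r"C:\Windows\Tasks\TrustedInstaller Update.job", r"C:\Windows\Tasks\TrustedInstaller Update 2.job"],
    "connections": [{"process": r"C:\Windows\System32\wnetprof.exe", "dst_ip": "203.0.113.7", "dst_port": 22}],
}
```

The check does not judge whether the SSH peer is untrusted; it only weights port-22 traffic that originates from one of the listed binaries, which is the combination the Symptoms section describes.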
Last update 29 October 2013