Threat Research & Response Blog
Recently Trojan:Win32/Mevade made news for being the first large botnet to use Tor to anonymize and hide its network traffic. Within a few weeks, starting mid-August, the number of directly connecting Tor users increased by almost 600 percent - from about 500,000 users per day to more than 3,000,000.
Last week we concluded, after further review, that Mevade and Sefnit are the same family and our detections for Mevade have now been moved to join the Sefnit family.
Win32/Sefnit is a well-known family which includes a component capable of performing click fraud. From our observations in the wild, this particular component disappeared near the end of 2011. In June 2013 we discovered a new click fraud component which we originally classified as Mevade.
Despite its recent notoriety due to the Tor activity, there is still a bit of mystery around how the latest version of Sefnit is spreading and the monetization techniques it uses.
In this blog I’ll be going into a bit more detail on the new stealthy click fraud technique used and how it has contributed to Sefnit being largely undetected by AV vendors for the last couple of years. Additionally, we will discuss a few of the attack vectors used by the Sefnit authors to deliver the latest version of the malware.
Interestingly, TrendLabs now believe they have identified the online identities of the actors behind the threat.
An interconnected threat
The Sefnit threat is composed of multiple components dedicated to different tasks. Among the observed samples, we have identified three distinct components. Figure 1 illustrates what is known currently about how these components interconnect as well as their intended purpose. Figure 2 provides sample references.
Figure 1: The Sefnit malware structure
Sefnit’s stealthy new click fraud methodology
The new Sefnit click fraud method is a departure from the method previously used back in 2011. This new, stealthier methodology is believed to be largely responsible for Sefnit being able to evade AV vendor detection during the last couple of years.
The old version of Sefnit relied on click hijacking to perform click fraud. When an infected user was browsing the internet and clicked on a search engine result (such as from Google), the click would sometimes be hijacked and routed through advertising agencies to a webpage similar to the intended destination. These clicks are generally considered quite high-value and are hard to detect from an anti-fraud perspective.
Although this is very stealthy from an advertising agency anti-fraud data analytics perspective, it is not stealthy for the user whose click was hijacked. If detection was missing, some observant users would realize they did not land at the intended website, investigate the cause, and submit samples to antimalware researchers for detection. As a result this always brought attention to the malware.
In 2011, the Sefnit authors were observed to have stopped releasing new versions of the component responsible for this click hijacking and consequently were later believed to no longer be active in the wild. At the end of June 2013, we rediscovered Sefnit using a new click fraud strategy.
The Sefnit click fraud component is now structured as a proxy service based on the open-source 3proxy project. The botnet of Sefnit-hosted proxies is used to relay HTTP traffic that pretends to click on advertisements.
In this way, the new version of Sefnit exhibits no clear visible user symptoms to bring attention to the botnet. This allowed the authors to evade attention from antimalware researchers for a couple of years. The figure below illustrates how the hosted 3proxy servers are used to relay Internet traffic through the botnet clients to perform a fake advertisement click.
Figure 3: The Sefnit botnet uses the hosted 3proxy servers to redirect internet traffic and perform fake advertisement clicks
A recorded example of this click fraud path is shown below. It uses the legitimate affiliate search engine mywebsearch.com to simulate a search for "cat" and fake a click on an advertisement provided by Google to defraud the advertiser Groupon.
Figure 4: The landing page for a click fraud instance
The end result is Groupon paying a small amount of money for this fake advertisement "click" to Google. Google takes a portion of the money and pays the rest out to the website hosting the advertisement – mywebsearch. The Sefnit authors likely signed up as an affiliate for mywebsearch, resulting in the Sefnit criminals then receiving a commission on the click.
Sefnit authors avoid raising red flags on their advertisement affiliate accounts by preceding each click fraud incident with a large time gap and simulated normal user Internet browsing behaviour.
From experience, click fraud incidents occur no more often than once per multiple-day period. If the trojan simulated fake advertisement clicks too quickly, the anti-fraud team within the advertising agency would be able to detect the fraud, cancel the payout to the affiliate, and return the money to the defrauded advertisers.
Delivery by File Scout
We have been able to identify some of the infection vectors for the new version of Sefnit. One of the prominent methods is an installer for an application called "File Scout." When this application is installed, it will also install Trojan:Win32/Sefnit silently in the background:
Figure 5: File Scout installer that silently installs Trojan:Win32/Sefnit at the same time
The installed File Scout application is a tool that replaces the standard "Open with" dialog for unrecognized files with a new dialog:
Figure 6: File Scout replacement for the "Open with" dialog
There is evidence suggesting that this File Scout application is developed by the Trojan:Win32/Sefnit developers. Specifically, it expects a similarly formatted XML structure for the C&C download-and-execute commands, both applications are distributed together, and the two applications were compiled 15 minutes apart with the same compiler.
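The compile-time comparison mentioned above can be reproduced from PE headers alone. The following Python is an added example, not code from the original post or from the analysis it describes: it reads the COFF link timestamp and linker version from two images and compares them. The two headers, their timestamps, the function names and the one-hour window are constructed or hypothetical.

```python
import struct
from datetime import datetime, timezone

def pe_build_info(data: bytes) -> dict:
    """Extract the COFF link timestamp and linker version from a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if pe_off + 28 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing or truncated PE header")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, ...
    _, _, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    if opt_size < 4:
        raise ValueError("no optional header")
    # Optional header starts with Magic, MajorLinkerVersion, MinorLinkerVersion
    magic, major, minor = struct.unpack_from("<HBB", data, pe_off + 24)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    return {"linked_at": datetime.fromtimestamp(stamp, tz=timezone.utc),
            "linker": (major, minor)}

def compare_builds(a: bytes, b: bytes, window_s: int = 3600) -> dict:
    """Compare two images; window_s is a hypothetical 'same build session' bound."""
    ia, ib = pe_build_info(a), pe_build_info(b)
    delta = int(abs((ia["linked_at"] - ib["linked_at"]).total_seconds()))
    return {"delta_seconds": delta,
            "same_linker": ia["linker"] == ib["linker"],
            "close_in_time": delta <= window_s}

def constructed_header(stamp: int, linker=(10, 0)) -> bytes:
    """Build a minimal PE header for the demo (not a real sample)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, stamp, 0, 0, 0xE0, 0x0102)
    return dos + b"PE\0\0" + coff + struct.pack("<HBB", 0x10B, *linker)

# Constructed values: two headers stamped 15 minutes (900 s) apart.
SAMPLE_A = constructed_header(1370000000)
SAMPLE_B = constructed_header(1370000000 + 900)

if __name__ == "__main__":
    print(compare_builds(SAMPLE_A, SAMPLE_B))
```

The COFF timestamp is written by the linker and can be zeroed or forged, so a close match is one corroborating signal to weigh alongside the shared command format and distribution noted above.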
Similarly, Trojan:Win32/Sefnit bears code similarity to some InstallBrain software bundler installers, such as the same string encryption algorithm and the same packer.
We have also seen Trojan:Win32/Sefnit spread through the eMule peer-to-peer file network.
Downloading and running files from any peer-to-peer network as well as downloading applications from untrusted sources puts you at a high risk of being infected by malware.
This latest version of Sefnit shows its authors are using multiple attack vectors, even going as far as writing their own bundler installers, to achieve the maximum number of infections that make this type of click fraud a financially viable exercise.
The authors have adapted their click fraud mechanisms in a way that takes user interaction out of the picture while maintaining their effectiveness. Removing the reliance on user interaction from the click fraud methodology was a large factor in the Sefnit authors being able to stay off security researchers' radars over the last couple of years.
Microsoft is working towards thwarting this type of crime as we describe in another blog, "Another way Microsoft is disrupting the malware ecosystem." The more computers we can protect, the less financially viable this type of malware becomes.
We will continue to monitor the family and keep detection in place to limit further fraud by the criminals.