Sefnit, a prevalent malware family known for using infected computers for click fraud and bitcoin mining, has left millions of machines potentially vulnerable to future attacks. We recently blogged about Sefnit performing click fraud and how we added detection on the upstream Sefnit installer. In this blog we explain how the Tor client service, added by Sefnit, is posing a risk to millions of machines, and how we are working to address the problem.

Win32/Sefnit made headlines last August as it took the Tor Network by storm. Tor is an open source project for online anonymity and is commonly used to browse the Internet anonymously. Around August 19, 2013, millions of infected computers running Win32/Sefnit installers are believed to have been woken up and given instructions en masse to download and install a Sefnit component using the Tor Network for C&C communication. Based on the Tor Network’s connecting-user estimates, evidence suggests this resulted in more than four million Sefnit-installed Tor client services pushed in just over two weeks, as shown in Figure 1.


Figure 1: The effect of Win32/Sefnit on the Tor Network connecting-user base

The security problem lies in the fact that during a Sefnit component infection, the Tor client service is also silently installed in the background. Even after Sefnit is removed, unless specific care is taken, the Tor service will be left and still regularly connect to the Tor Network. This is a problem not only for the workload it applies to the Tor Network, but also for the security of these computers.

The Tor client

The Tor client service left behind on a previously-infected machine may seem harmless at first glance - Tor is a good application used to anonymize traffic and usually poses no threat. Unfortunately, the version installed by Sefnit is v0.2.3.25 – and does not self-update. The latest Tor release build at the time of writing is v0.2.4.20. While no high-severity security bulletins have been issued affecting Tor v0.2.3.25, Tor has a history of high-severity vulnerabilities - as illustrated in Figure 2.


CVE | Versions Affected | Description
    | v0.2.2.35 and earlier | Multiple heap-based buffer overflows.
    | 0.2.2.20-alpha and earlier and v0.2.1.28 and earlier | Heap-based buffer overflow.
    | v0.2.0.34 and earlier | Treats incomplete IPv4 addresses as valid, causing unknown impact.
    | v0.2.0.33 and earlier | Unspecified heap corruption.

Figure 2: History of vulnerabilities affecting Tor with potential for remote-code execution

Some of these vulnerabilities can be exploited for the remote execution of arbitrary code without authentication – essentially giving an attacker access to take over the machine remotely. This Tor service is a security risk to the machines even after Sefnit has been removed, since it is probable that a serious security vulnerability will be identified in the future. In summary, this means that a malicious actor may be able to infect millions of machines with any malware at some point in the future.

Cleanup efforts

Since the Sefnit-caused Tor eruption in August, we have worked to curb this risk. In this process, we consulted with Tor project developers to help plan the cleanup. We retroactively remediated machines that had previously been cleaned of Sefnit but still had a Sefnit-added Tor service:

These actions and their effect on the Tor Network’s estimated connecting-users is illustrated in Figure 3.


Figure 3: Tor Network connecting-user estimate timeline with marked events.

Our actions so far have put a dent in the number of users at risk, but more work is needed to address an estimated two million machines that have yet to be reached. Many of the unreached machines are likely not running Microsoft security software, and we need your help to reduce this risk further.

Home users:

Download and run our free Microsoft Safety Scanner to scan and clean your PC.

Network administrators and advanced users:

Download and run our free Microsoft Safety Scanner to scan and clean workstations.

Your anti-virus solution may have removed Sefnit from your workstations while leaving the Sefnit-added Tor service running. The remediation of the Tor service is dependent on the completeness of the removal by other AV scanners. For this reason, we recommend you check your workstations for Tor client services added by Sefnit. You can use the following commands to check and stop the Tor client service using Command Prompt as Administrator:

    1. Query the basic information about the Tor service by issuing the command “sc query tor”. If the service is found, it should result in something like the following:

[Screenshot: Tor service is found]

    2. If the Tor service is found, and you weren't expecting it, it’s highly likely that it is a Sefnit-installed service. The configuration should be queried by issuing the command “sc qc tor”, which should give you a result like that shown below:

[Screenshot: Tor service configuration]

    3. If the “BINARY_PATH_NAME” above matches, the Sefnit-added Tor client service can be stopped by the command “sc stop tor”:

[Screenshot: Stopping the Tor service]

    4. You can then delete the service with the command “sc delete tor”:

[Screenshot: Correct Tor service removal]

    5. Verify that the service is no longer running by issuing “sc query tor” again. If removed correctly, this should display the following error:

[Screenshot: The service is no longer running]
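As an added example (not part of the original post or Microsoft's tooling), the same five steps scripted for an elevated PowerShell session: it reports the service state and binary path, compares the path against an expected value you must supply, and only stops and deletes the service when run with -Remove. The $ExpectedBinaryPath default is a placeholder, since the post shows the real BINARY_PATH_NAME only in a screenshot.

```powershell
# Added example (not from the MMPC post): audit a workstation for the Sefnit-added
# Tor client service, mirroring the manual "sc query / sc qc / sc stop / sc delete" steps.
# Run from an elevated PowerShell prompt. $ExpectedBinaryPath is an assumed placeholder;
# replace it with the BINARY_PATH_NAME shown in the post's "sc qc tor" screenshot.
param(
    [string]$ExpectedBinaryPath = 'C:\PLACEHOLDER\tor.exe',  # assumption, not from the post
    [switch]$Remove                                          # default is report-only
)

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='tor'"
if (-not $svc) {
    Write-Output 'No service named "tor" is registered on this machine.'
    return
}

# Equivalent of "sc query tor" / "sc qc tor": state, start mode and binary path.
Write-Output ("Service : {0} ({1})" -f $svc.Name, $svc.DisplayName)
Write-Output ("State   : {0}, start mode {1}" -f $svc.State, $svc.StartMode)
Write-Output ("Binary  : {0}" -f $svc.PathName)

# Strip surrounding quotes and any arguments so the executable can be compared and hashed.
$exe = ($svc.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
if (Test-Path -LiteralPath $exe) {
    $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
    Write-Output ("SHA256  : {0}" -f $hash)   # record for your own triage notes
}

if ($exe -ne $ExpectedBinaryPath) {
    Write-Output 'Binary path does not match the expected Sefnit-added path; leaving the service alone.'
    return
}
if (-not $Remove) {
    Write-Output 'Path matches. Re-run with -Remove to stop and delete the service.'
    return
}

# Same actions as "sc stop tor" followed by "sc delete tor".
if ($svc.State -eq 'Running') {
    Stop-Service -Name tor -Force -ErrorAction Stop
}
sc.exe delete tor | Out-Null

# Final check, as in the last "sc query tor" step: the service should no longer exist.
if (Get-CimInstance -ClassName Win32_Service -Filter "Name='tor'") {
    Write-Warning 'Service "tor" is still registered; deletion may be pending until reboot.'
} else {
    Write-Output 'Service "tor" removed. This does not delete the Tor binaries themselves.'
}
```

Because the script refuses to act unless the binary path matches, a legitimately installed Tor service with a different path is reported but left untouched.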

We also shared this information with our Microsoft Virus Initiative and Virus Information Alliance partners so that they, too, can help in the clean-up.

Geoff McDonald
MMPC

* January 22, 2014: To clarify, this protection removes the services started by the Sefnit malware, but it does not uninstall Tor, remove any Tor binaries, or prevent users from using Tor.