The sharp rise in clients connecting to the Tor anonymity network revealed how many computers were infected with the Sefnit Trojan: over four million.
Since this past August, when the number of clients connecting to Tor hit new highs, Microsoft has been working to bring that number down. That was when Mevade bots, which Microsoft identified as new Sefnit versions, were found to carry a component that used Tor for command-and-control (C&C) communication.
Microsoft then added signatures to its security products to detect and remove these new Sefnit versions from Windows computers.
But that removal initially left the Tor component in place, which kept those computers exposed to attack.
“The Tor client service left behind on a previously-infected machine may seem harmless at first glance — Tor is a good application used to anonymize traffic and usually poses no threat,” said Microsoft antivirus researcher Geoff McDonald in a blog post. “Unfortunately, the version installed by Sefnit is v0.2.3.25 – and does not self-update.”
While no high-severity vulnerability affecting this version was known at the time, Tor has a history of such flaws, and a number of them allowed attackers to execute code on the affected computers.
“This Tor service is a security risk to the machines even after Sefnit has been removed, since it is probable that a serious security vulnerability will be identified in the future. In summary, this means that a malicious actor may be able to infect millions of machines with any malware at some point in the future,” McDonald said.
Microsoft decided to retroactively remove the Sefnit-added Tor service from machines that still had it, and cleaned roughly half of them, around two million, in two months.
But while two million cleaned computers is better than none, two million more remain at risk.
Most of those computers are probably not running Microsoft security software, so the remaining options are to install and use one of those products or to remove the Tor component manually.
To help those users, Microsoft compiled a guide on what to do.
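Before removing anything by hand, it helps to confirm whether a Tor service is actually present and which version it runs. The following PowerShell script is an added example, not part of the article or of Microsoft's guide: it enumerates Windows services whose binary is tor.exe and reports the version by running the binary with `--version`. The service name is not assumed in advance; whatever name the script finds is the one to use in the removal commands shown in the trailing comment.

```powershell
# Added example (not from the article or from Microsoft's guide): find any
# Windows service that runs tor.exe and report its state and Tor version, so a
# leftover Sefnit-installed client (the article cites v0.2.3.25) can be spotted.
$svcs = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match 'tor\.exe' }

if (-not $svcs) {
    Write-Output "No Windows service runs tor.exe on this machine."
    return
}

foreach ($svc in $svcs) {
    # PathName may be quoted and may carry arguments; extract just the executable.
    $exe = if ($svc.PathName -match '^"([^"]+)"') {
        $Matches[1]
    } else {
        ($svc.PathName -split ' ')[0]
    }

    # Ask the binary for its version ("tor --version" prints e.g. "Tor version 0.2.3.25.").
    $version = if (Test-Path -LiteralPath $exe) {
        (& $exe --version 2>&1 | Select-Object -First 1)
    } else {
        'binary missing'
    }

    [pscustomobject]@{
        Name      = $svc.Name
        State     = $svc.State
        StartMode = $svc.StartMode
        Path      = $exe
        Version   = $version
    }
}

# To remove a service found above (run from an elevated PowerShell; <Name> is
# whatever the script reported, not a name assumed here):
#   Stop-Service -Name <Name> -Force
#   sc.exe delete <Name>
# Then delete the reported binary directory once the service is gone.
```

A legitimate, user-installed Tor client that does self-update will also show up here; the point of the check is the version string and whether you remember installing it, not the mere presence of tor.exe.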