Your one-stop web resource providing safety and security information to manufacturers

The Sefnit Trojan is back using advanced infection and click-fraud techniques, Microsoft researchers said.

Microsoft antivirus researcher Geoff McDonald reported discovering an evolved version of the Sefnit Trojan, which takes money by targeting popular websites, such as Groupon.

Marketing Push for Versatile Malware
New Virus Hits Freezing Point
FBI Warning over Smart Trojan
Aug. Spam Report: Zeus Remains King

“The Sefnit click-fraud component is now structured as a proxy service based on the open-source 3proxy project,” McDonald said on the company’s blog. “The botnet of Sefnit-hosted proxies are used to relay HTTP traffic to pretend to click on advertisements. In this way, the new version of Sefnit exhibits no clear visible user symptoms to bring attention to the botnet. This allowed them to evade attention from anti-malware researchers for a couple years.

“The Sefnit botnet uses the hosted 3proxy servers to redirect Internet traffic and perform fake advertisement clicks.”

Schneider Bold

The Trojan allowed malware developers to increase their revenue by using the technique, McDonald said.

“The end result is Groupon paying a small amount of money for this fake advertisement ‘click’ to Google,” he said. “Google takes a portion of the money and pays the rest out to the website hosting the advertisement – Mywebsearch. The Sefnit authors likely signed up as an affiliate for Mywebsearch, resulting in the Sefnit criminals then receiving a commission on the click.”

A Groupon spokesperson said the company actively monitors its network for any illicit activity. “We actively monitor our thousands of global affiliate marketers, and those who violate the rules are removed from the program.”

McDonald said Microsoft uncovered evidence linking Sefnit to the Mevade malware used in the world’s first large-scale Tor botnet.

“Recently Trojan:Win32/Mevade made news for being the first large botnet to use Tor to anonymize and hide its network traffic. Within a few weeks, starting mid-August, the number of directly connecting Tor users increased by almost 600 percent – from about 500,000 users per day to more than three million,” he said.

“Last week we concluded, after further review, that Mevade and Sefnit are the same family and our detections for Mevade have now been moved to join the Sefnit family.”

As well as its links to Mevade, McDonald said the attack is also using a series of custom-built components to improve its infection rate.

“This latest version of Sefnit shows they are using multiple attack vectors, even going as far as writing their own bundler installers to achieve the maximum number of infections that make this type of click fraud a financially viable exercise,” he said in his blog.

Pin It on Pinterest

Share This