The Sefnit Trojan is back using advanced infection and click-fraud techniques, Microsoft researchers said.
Microsoft antivirus researcher Geoff McDonald reported discovering an evolved version of the Sefnit Trojan, which makes money by defrauding advertisers such as Groupon with fake advertisement clicks.
“The Sefnit click-fraud component is now structured as a proxy service based on the open-source 3proxy project,” McDonald said on the company’s blog. “The botnet of Sefnit-hosted proxies is used to relay HTTP traffic to pretend to click on advertisements. In this way, the new version of Sefnit exhibits no clear visible user symptoms to bring attention to the botnet. This allowed them to evade attention from anti-malware researchers for a couple of years.
“The Sefnit botnet uses the hosted 3proxy servers to redirect Internet traffic and perform fake advertisement clicks.”
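The relay design described above has a network-level footprint even though it has no user-visible one: an infected workstation accepts inbound connections from the operators and then fans out HTTP requests to many unrelated external destinations, which ordinary workstations do not do. The following is an added illustration of that detection idea, not code from Microsoft’s analysis or from Sefnit itself; the connection records are constructed, and the field names, the internal address ranges and the thresholds are assumptions chosen for the example.

```python
"""Heuristic relay detection over constructed connection records (added example).

A proxy-based click-fraud component turns an infected host into an HTTP relay:
external peers connect *inbound* to the bot, and the bot then initiates
*outbound* HTTP/HTTPS sessions to many different external destinations.
Workstations normally do the second, not the first, so the combination is a
useful hunting signal. Thresholds and address ranges below are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed internal ranges (RFC 1918); adjust to the monitored network.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since start of capture
    src: str
    sport: int
    dst: str
    dport: int


# Constructed sample flows (documentation addresses, not real traffic).
FLOWS = [
    # 10.0.0.5 behaves like a relay: external peers connect to it, then it fans out over HTTP.
    Flow(100, "203.0.113.9", 51000, "10.0.0.5", 8080),
    Flow(102, "203.0.113.17", 52000, "10.0.0.5", 8080),
    Flow(103, "198.51.100.77", 53000, "10.0.0.5", 8080),
    Flow(101, "10.0.0.5", 40001, "198.51.100.10", 80),
    Flow(104, "10.0.0.5", 40002, "198.51.100.11", 80),
    Flow(105, "10.0.0.5", 40003, "198.51.100.12", 443),
    Flow(106, "10.0.0.5", 40004, "198.51.100.13", 80),
    Flow(107, "10.0.0.5", 40005, "198.51.100.14", 80),
    # 10.0.0.7 is a normal workstation: outbound browsing only, nothing inbound from outside.
    Flow(100, "10.0.0.7", 41001, "198.51.100.20", 443),
    Flow(101, "10.0.0.7", 41002, "198.51.100.21", 443),
    Flow(102, "10.0.0.7", 41003, "198.51.100.22", 443),
    Flow(103, "10.0.0.7", 41004, "198.51.100.23", 443),
    Flow(104, "10.0.0.7", 41005, "198.51.100.24", 443),
    # 10.0.0.9 is a web server: accepts inbound but does not fan out.
    Flow(100, "203.0.113.5", 50001, "10.0.0.9", 443),
    Flow(101, "203.0.113.6", 50002, "10.0.0.9", 443),
    Flow(102, "203.0.113.7", 50003, "10.0.0.9", 443),
]


def find_relays(flows, window=60, min_inbound=3, min_fanout=5):
    """Return {host: evidence} for internal hosts that look like HTTP relays.

    A host is flagged when at least `min_inbound` external peers connect to it
    and, within `window` seconds of the first such connection, it opens
    HTTP/HTTPS sessions to at least `min_fanout` distinct external destinations.
    """
    inbound = defaultdict(list)   # host -> timestamps of external -> host connections
    outbound = defaultdict(list)  # host -> (ts, dst) of host -> external web sessions
    for f in flows:
        if is_internal(f.dst) and not is_internal(f.src):
            inbound[f.dst].append(f.ts)
        elif is_internal(f.src) and not is_internal(f.dst) and f.dport in (80, 443):
            outbound[f.src].append((f.ts, f.dst))

    hits = {}
    for host, ins in inbound.items():
        if len(ins) < min_inbound:
            continue
        start = min(ins)
        fanout = {dst for ts, dst in outbound.get(host, []) if start <= ts <= start + window}
        if len(fanout) >= min_fanout:
            hits[host] = {"inbound": len(ins), "fanout": len(fanout)}
    return hits


if __name__ == "__main__":
    for host, evidence in find_relays(FLOWS).items():
        print(f"possible relay {host}: {evidence}")
```

On the constructed data only 10.0.0.5 is flagged; the web server is excluded because it never fans out, and the workstation because nothing connects to it from outside. In a real environment the same logic would be run over NetFlow or Zeek `conn` records, and the thresholds tuned against known servers and NAT devices, which legitimately show both patterns.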
The proxy-based click fraud let the malware’s operators increase their revenue, McDonald said.
“The end result is Groupon paying a small amount of money for this fake advertisement ‘click’ to Google,” he said. “Google takes a portion of the money and pays the rest out to the website hosting the advertisement – Mywebsearch. The Sefnit authors likely signed up as an affiliate for Mywebsearch, resulting in the Sefnit criminals then receiving a commission on the click.”
A Groupon spokesperson said the company actively monitors its network for any illicit activity. “We actively monitor our thousands of global affiliate marketers, and those who violate the rules are removed from the program.”
McDonald said Microsoft uncovered evidence linking Sefnit to the Mevade malware used in the world’s first large-scale Tor botnet.
“Recently Trojan:Win32/Mevade made news for being the first large botnet to use Tor to anonymize and hide its network traffic. Within a few weeks, starting mid-August, the number of directly connecting Tor users increased by almost 600 percent – from about 500,000 users per day to more than three million,” he said.
“Last week we concluded, after further review, that Mevade and Sefnit are the same family and our detections for Mevade have now been moved to join the Sefnit family.”
As well as its links to Mevade, McDonald said Sefnit’s operators are using a series of custom-built components to improve its infection rate.
“This latest version of Sefnit shows they are using multiple attack vectors, even going as far as writing their own bundler installers to achieve the maximum number of infections that make this type of click fraud a financially viable exercise,” he said in his blog.