Attacks/Breaches
4/30/2014
06:25 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Sefnit Botnet Swaps Tor for SSH

Facebook security researchers spot a Sefnit/Mevade click-fraud and Bitcoin-mining botnet returning to its previous SSH command-and-control communications infrastructure.

A botnet that had confounded researchers by using the Tor anonymizing network has been spotted rearing its ugly head again -- no longer under the cover of Tor, but now back with its original encrypted SSH model.

Facebook's security team posted technical details this week of the throwback SSH version of Sefnit, a.k.a. Mevade, a botnet mainly associated with click fraud and Bitcoin mining.

Millions of machines were spotted in August running Win32/Sefnit installer programs, leading to 4 million Sefnit-based Tor clients appearing on the anonymized network within a two-week period. A spike in Tor traffic at that time initially was thought to be a result of the privacy concerns after the Snowden revelations about the NSA's spying operations, but security researchers later identified it as a botnet with Russian-speaking connections.

The botnet used Tor as a way to obfuscate its C&C traffic, and it allowed the operators to drop larger files on to victim machines, especially in pay-per-install schemes, security experts say.

But Sefnit now appears to have returned to its roots with an SSH-encrypted C&C infrastructure, according to Facebook's findings.

"Facebook has dissected a new variant of Sefnit that appears to no longer utilize Tor. Details and indicators are provided to help security teams audit their hosts for signs of infection," Facebook's security team said in the post.

SSH can be a powerful tool for botnet operators to mask the traffic between their command and control servers and infected bots. It can easily camouflage botnet traffic, too, because SSH is commonly found in enterprise networks and used in outbound traffic. SSH encryption also is immune to various traffic analysis tools and offline decryption.

As of early January, Microsoft had counted 2 million machines still infected with Sefnit. "Our actions so far have put a dent in the number of users at risk, but more work is needed to address an estimated two million machines that have yet to be reached," blogged MMPC's Geoff McDonald. "Many of the unreached machines are likely not running Microsoft security software, and we need your help to reduce this risk further."

Facebook's security team also has found at least two update mechanisms to Sefnit that don't employ SSH and use different C&C servers, according to a Facebook spokesperson. "SSH is commonly used for remote administration, so it will be important to continue assessing the actions of this malware."

Sefnit/Mevade has traditionally been a large botnet, with 1.4 million to 5 million bots even before the Tor transformation last year. Damballa Security, which initially dubbed the botnet "LazyAlienBikers," said recently that it saw infected machines in more than 80% of the enterprises it monitors.

The Tor move actually backfired on the botnet. The spike in Tor adoption attracted unwanted attention that ultimately exposed the botnet's movements there, experts say. "In the security arms race, sometimes the bad guys screw up too. But you can be sure they've taken the lessons learned from this progression, and will continue to find new ways to remain more elusive," Mark Gilbert, a security researcher at Damballa, posted last fall.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
5/1/2014 | 10:47:56 AM
Re: Business and Safeguard standpoint
Facebook's Security Team identified some key files, domains and artifacts and other indictators of compromise for enterprises to be on the lookout for, but these are just a sampling:

https://www.facebook.com/notes/protect-the-graph/sefnit-is-back/1448087102098103
Anthony Schimizzi
50%
50%
Anthony Schimizzi,
User Rank: Apprentice
5/1/2014 | 8:49:42 AM
Re: Business and Safeguard standpoint
User action is required in some way to become infected, whether clicking a link in an email to run the malicious code or more sophisticate like downloading a legitimate video which states you need an updated codec (which is actually the bot code) to view it.  User access control will be one of the first places to look.

Another thing to help the posture of your enterprise network in this scenario would be to granularly inspect traffic outbound at your SDP.  A lot of people really focus on how to prevent and outside attack from emanating and don't put as much attention to what traffic is leaving your network.  A good baseline of operational traffic that will traverse outside the SDP will make your life a lot easier when trying to spot a bump in the wire.  In this case, SSH connections back to a Russian entity.  If a baseline is not in place due to a large amount of public Internet traffic, then alerts and suspicious traffic need to be investigated.  With SSH it can be hard to find that right signal-to-noise ratio for your company.  For example, if you know your company does not have any affiliation with Russia, alerts and notifications from your SIEM should be on your IR/ID team's monitors for SSH traffic or any type of traffic, sourced from inside your network and destined to a Russian ip.

 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/30/2014 | 7:14:38 PM
Business and Safeguard standpoint
Now that Sefnit is using the SSH protocol what are some things to look out for? What I can see from the article is that it hits home for Remote Adminstation that uses SSH. Meaning what are some methods to protect from this and is user action required to become vulnerable or just an SSH protocol? I just want to see if from an Enterprise perspective how this affects, so that plans can be made. 
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-6651
Published: 2014-07-31
Multiple directory traversal vulnerabilities in the Vitamin plugin before 1.1.0 for WordPress allow remote attackers to access arbitrary files via a .. (dot dot) in the path parameter to (1) add_headers.php or (2) minify.php.

CVE-2014-2970
Published: 2014-07-31
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-5139. Reason: This candidate is a duplicate of CVE-2014-5139, and has also been used to refer to an unrelated topic that is currently outside the scope of CVE. This unrelated topic is a LibreSSL code change adding functionality ...

CVE-2014-3488
Published: 2014-07-31
The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.

CVE-2014-3554
Published: 2014-07-31
Buffer overflow in the ndp_msg_opt_dnssl_domain function in libndp allows remote routers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS Search List (DNSSL) in an IPv6 router advertisement.

CVE-2014-5171
Published: 2014-07-31
SAP HANA Extend Application Services (XS) does not encrypt transmissions for applications that enable form based authentication using SSL, which allows remote attackers to obtain credentials and other sensitive information by sniffing the network.

Best of the Web
Dark Reading Radio