Attacks/Breaches
4/30/2014
06:25 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Sefnit Botnet Swaps Tor for SSH

Facebook security researchers spot a Sefnit/Mevade click-fraud and Bitcoin-mining botnet returning to its previous SSH command-and-control communications infrastructure.

A botnet that had confounded researchers by using the Tor anonymizing network has been spotted rearing its ugly head again -- no longer under the cover of Tor, but now back with its original encrypted SSH model.

Facebook's security team posted technical details this week of the throwback SSH version of Sefnit, a.k.a. Mevade, a botnet mainly associated with click fraud and Bitcoin mining.

Millions of machines were spotted in August running Win32/Sefnit installer programs, leading to 4 million Sefnit-based Tor clients appearing on the anonymized network within a two-week period. A spike in Tor traffic at that time initially was thought to be a result of the privacy concerns after the Snowden revelations about the NSA's spying operations, but security researchers later identified it as a botnet with Russian-speaking connections.

The botnet used Tor as a way to obfuscate its C&C traffic, and it allowed the operators to drop larger files on to victim machines, especially in pay-per-install schemes, security experts say.

But Sefnit now appears to have returned to its roots with an SSH-encrypted C&C infrastructure, according to Facebook's findings.

"Facebook has dissected a new variant of Sefnit that appears to no longer utilize Tor. Details and indicators are provided to help security teams audit their hosts for signs of infection," Facebook's security team said in the post.

SSH can be a powerful tool for botnet operators to mask the traffic between their command and control servers and infected bots. It can easily camouflage botnet traffic, too, because SSH is commonly found in enterprise networks and used in outbound traffic. SSH encryption also is immune to various traffic analysis tools and offline decryption.

As of early January, Microsoft had counted 2 million machines still infected with Sefnit. "Our actions so far have put a dent in the number of users at risk, but more work is needed to address an estimated two million machines that have yet to be reached," blogged MMPC's Geoff McDonald. "Many of the unreached machines are likely not running Microsoft security software, and we need your help to reduce this risk further."

Facebook's security team also has found at least two update mechanisms to Sefnit that don't employ SSH and use different C&C servers, according to a Facebook spokesperson. "SSH is commonly used for remote administration, so it will be important to continue assessing the actions of this malware."

Sefnit/Mevade has traditionally been a large botnet, with 1.4 million to 5 million bots even before the Tor transformation last year. Damballa Security, which initially dubbed the botnet "LazyAlienBikers," said recently that it saw infected machines in more than 80% of the enterprises it monitors.

The Tor move actually backfired on the botnet. The spike in Tor adoption attracted unwanted attention that ultimately exposed the botnet's movements there, experts say. "In the security arms race, sometimes the bad guys screw up too. But you can be sure they've taken the lessons learned from this progression, and will continue to find new ways to remain more elusive," Mark Gilbert, a security researcher at Damballa, posted last fall.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
5/1/2014 | 10:47:56 AM
Re: Business and Safeguard standpoint
Facebook's Security Team identified some key files, domains and artifacts and other indictators of compromise for enterprises to be on the lookout for, but these are just a sampling:

https://www.facebook.com/notes/protect-the-graph/sefnit-is-back/1448087102098103
Anthony Schimizzi
50%
50%
Anthony Schimizzi,
User Rank: Apprentice
5/1/2014 | 8:49:42 AM
Re: Business and Safeguard standpoint
User action is required in some way to become infected, whether clicking a link in an email to run the malicious code or more sophisticate like downloading a legitimate video which states you need an updated codec (which is actually the bot code) to view it.  User access control will be one of the first places to look.

Another thing to help the posture of your enterprise network in this scenario would be to granularly inspect traffic outbound at your SDP.  A lot of people really focus on how to prevent and outside attack from emanating and don't put as much attention to what traffic is leaving your network.  A good baseline of operational traffic that will traverse outside the SDP will make your life a lot easier when trying to spot a bump in the wire.  In this case, SSH connections back to a Russian entity.  If a baseline is not in place due to a large amount of public Internet traffic, then alerts and suspicious traffic need to be investigated.  With SSH it can be hard to find that right signal-to-noise ratio for your company.  For example, if you know your company does not have any affiliation with Russia, alerts and notifications from your SIEM should be on your IR/ID team's monitors for SSH traffic or any type of traffic, sourced from inside your network and destined to a Russian ip.

 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/30/2014 | 7:14:38 PM
Business and Safeguard standpoint
Now that Sefnit is using the SSH protocol what are some things to look out for? What I can see from the article is that it hits home for Remote Adminstation that uses SSH. Meaning what are some methods to protect from this and is user action required to become vulnerable or just an SSH protocol? I just want to see if from an Enterprise perspective how this affects, so that plans can be made. 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2595
Published: 2014-08-31
The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which all...

CVE-2013-2597
Published: 2014-08-31
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that lever...

CVE-2013-2598
Published: 2014-08-31
app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory ...

CVE-2013-2599
Published: 2014-08-31
A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonConnector class in services/java/com/android/server/NativeDaemonConnector.java in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.3.x enables debug logging, which allows attackers to obtain sensitive disk-encryption pas...

CVE-2013-6124
Published: 2014-08-31
The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary fil...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.