Attacks/Breaches
4/30/2014
06:25 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Sefnit Botnet Swaps Tor for SSH

Facebook security researchers spot a Sefnit/Mevade click-fraud and Bitcoin-mining botnet returning to its previous SSH command-and-control communications infrastructure.

A botnet that had confounded researchers by using the Tor anonymizing network has been spotted rearing its ugly head again -- no longer under the cover of Tor, but now back with its original encrypted SSH model.

Facebook's security team posted technical details this week of the throwback SSH version of Sefnit, a.k.a. Mevade, a botnet mainly associated with click fraud and Bitcoin mining.

Millions of machines were spotted in August running Win32/Sefnit installer programs, leading to 4 million Sefnit-based Tor clients appearing on the anonymized network within a two-week period. A spike in Tor traffic at that time initially was thought to be a result of the privacy concerns after the Snowden revelations about the NSA's spying operations, but security researchers later identified it as a botnet with Russian-speaking connections.

The botnet used Tor as a way to obfuscate its C&C traffic, and it allowed the operators to drop larger files on to victim machines, especially in pay-per-install schemes, security experts say.

But Sefnit now appears to have returned to its roots with an SSH-encrypted C&C infrastructure, according to Facebook's findings.

"Facebook has dissected a new variant of Sefnit that appears to no longer utilize Tor. Details and indicators are provided to help security teams audit their hosts for signs of infection," Facebook's security team said in the post.

SSH can be a powerful tool for botnet operators to mask the traffic between their command and control servers and infected bots. It can easily camouflage botnet traffic, too, because SSH is commonly found in enterprise networks and used in outbound traffic. SSH encryption also is immune to various traffic analysis tools and offline decryption.

As of early January, Microsoft had counted 2 million machines still infected with Sefnit. "Our actions so far have put a dent in the number of users at risk, but more work is needed to address an estimated two million machines that have yet to be reached," blogged MMPC's Geoff McDonald. "Many of the unreached machines are likely not running Microsoft security software, and we need your help to reduce this risk further."

Facebook's security team also has found at least two update mechanisms to Sefnit that don't employ SSH and use different C&C servers, according to a Facebook spokesperson. "SSH is commonly used for remote administration, so it will be important to continue assessing the actions of this malware."

Sefnit/Mevade has traditionally been a large botnet, with 1.4 million to 5 million bots even before the Tor transformation last year. Damballa Security, which initially dubbed the botnet "LazyAlienBikers," said recently that it saw infected machines in more than 80% of the enterprises it monitors.

The Tor move actually backfired on the botnet. The spike in Tor adoption attracted unwanted attention that ultimately exposed the botnet's movements there, experts say. "In the security arms race, sometimes the bad guys screw up too. But you can be sure they've taken the lessons learned from this progression, and will continue to find new ways to remain more elusive," Mark Gilbert, a security researcher at Damballa, posted last fall.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
5/1/2014 | 10:47:56 AM
Re: Business and Safeguard standpoint
Facebook's Security Team identified some key files, domains and artifacts and other indictators of compromise for enterprises to be on the lookout for, but these are just a sampling:

https://www.facebook.com/notes/protect-the-graph/sefnit-is-back/1448087102098103
Anthony Schimizzi
50%
50%
Anthony Schimizzi,
User Rank: Apprentice
5/1/2014 | 8:49:42 AM
Re: Business and Safeguard standpoint
User action is required in some way to become infected, whether clicking a link in an email to run the malicious code or more sophisticate like downloading a legitimate video which states you need an updated codec (which is actually the bot code) to view it.  User access control will be one of the first places to look.

Another thing to help the posture of your enterprise network in this scenario would be to granularly inspect traffic outbound at your SDP.  A lot of people really focus on how to prevent and outside attack from emanating and don't put as much attention to what traffic is leaving your network.  A good baseline of operational traffic that will traverse outside the SDP will make your life a lot easier when trying to spot a bump in the wire.  In this case, SSH connections back to a Russian entity.  If a baseline is not in place due to a large amount of public Internet traffic, then alerts and suspicious traffic need to be investigated.  With SSH it can be hard to find that right signal-to-noise ratio for your company.  For example, if you know your company does not have any affiliation with Russia, alerts and notifications from your SIEM should be on your IR/ID team's monitors for SSH traffic or any type of traffic, sourced from inside your network and destined to a Russian ip.

 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/30/2014 | 7:14:38 PM
Business and Safeguard standpoint
Now that Sefnit is using the SSH protocol what are some things to look out for? What I can see from the article is that it hits home for Remote Adminstation that uses SSH. Meaning what are some methods to protect from this and is user action required to become vulnerable or just an SSH protocol? I just want to see if from an Enterprise perspective how this affects, so that plans can be made. 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3580
Published: 2014-12-18
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-6076
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allow remote attackers to conduct clickjacking attacks via a crafted web site.

CVE-2014-6077
Published: 2014-12-18
Cross-site request forgery (CSRF) vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

CVE-2014-6078
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not have a lockout period after invalid login attempts, which makes it easier for remote attackers to obtain admin access via a brute-force attack.

CVE-2014-6080
Published: 2014-12-18
SQL injection vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.