A botnet that had confounded researchers by using the Tor anonymizing network has been spotted rearing its ugly head again -- no longer under the cover of Tor, but now back with its original encrypted SSH model.
Facebook's security team posted technical details this week of the throwback SSH version of Sefnit, a.k.a. Mevade, a botnet mainly associated with click fraud and Bitcoin mining.
Millions of machines were spotted in August running Win32/Sefnit installer programs, leading to 4 million Sefnit-based Tor clients appearing on the anonymized network within a two-week period. A spike in Tor traffic at that time was initially thought to be a result of the privacy concerns after the Snowden revelations about the NSA's spying operations, but security researchers later identified it as a botnet with Russian-speaking connections.
The botnet used Tor as a way to obfuscate its C&C traffic, and it allowed the operators to drop larger files onto victim machines, especially in pay-per-install schemes, security experts say.
But Sefnit now appears to have returned to its roots with an SSH-encrypted C&C infrastructure, according to Facebook's findings.
"Facebook has dissected a new variant of Sefnit that appears to no longer utilize Tor. Details and indicators are provided to help security teams audit their hosts for signs of infection," Facebook's security team said in the post.
SSH can be a powerful tool for botnet operators to mask the traffic between their command and control servers and infected bots. It can easily camouflage botnet traffic, too, because SSH is commonly found in enterprise networks and routinely appears in outbound traffic. SSH encryption also defeats payload-inspection tools and offline decryption of captured traffic.
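Because the malware's SSH sessions look like any other SSH session on the wire, defenders have to lean on context rather than content. As an added example (not from the article or Facebook's post), the heuristic below flags outbound SSH that does not fit the administrative pattern: a non-admin workstation connecting at regular intervals to an external address. The admin host set, internal prefix and flow records are constructed assumptions.

```python
# Added example: surface SSH-encrypted C&C hiding among ordinary enterprise SSH.
# All flow records, host names and address ranges below are constructed sample data.
from collections import defaultdict
from statistics import pstdev

# Constructed flow records: (timestamp_seconds, src_host, dst_ip, dst_port)
FLOWS = [
    (0,   "jumphost01", "10.0.5.20",    22),  # admin host to internal server: expected
    (60,  "jumphost01", "10.0.5.21",    22),
    (0,   "ws-0042",    "203.0.113.9",  22),  # workstation to external host, every 300s
    (300, "ws-0042",    "203.0.113.9",  22),
    (600, "ws-0042",    "203.0.113.9",  22),
    (900, "ws-0042",    "203.0.113.9",  22),
    (10,  "ws-0077",    "198.51.100.4", 22),  # single external SSH: flagged, no beacon
]

ADMIN_HOSTS = {"jumphost01"}  # assumed: hosts expected to originate SSH sessions
INTERNAL_PREFIX = "10."       # assumed: internal address range


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def suspicious_ssh(flows, min_count=3, max_jitter=30.0):
    """Return {(src, dst): [reasons]} for SSH flows that break the admin pattern.

    A pair is reported when a non-admin host reaches an external SSH server;
    a 'beacon' reason is added when at least min_count sessions recur with
    near-constant spacing (population stddev of the gaps <= max_jitter seconds).
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 22 and src not in ADMIN_HOSTS and not is_internal(dst):
            by_pair[(src, dst)].append(ts)
    findings = {}
    for pair, stamps in by_pair.items():
        reasons = ["non-admin source", "external destination"]
        stamps.sort()
        if len(stamps) >= min_count:
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            if pstdev(gaps) <= max_jitter:
                reasons.append(f"regular beacon every ~{sum(gaps) / len(gaps):.0f}s")
        findings[pair] = reasons
    return findings
```

The beacon check is deliberately crude; in practice you would also compare against an allowlist of sanctioned external SSH endpoints and weight by session volume.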
As of early January, Microsoft had counted 2 million machines still infected with Sefnit. "Our actions so far have put a dent in the number of users at risk, but more work is needed to address an estimated two million machines that have yet to be reached," blogged MMPC's Geoff McDonald. "Many of the unreached machines are likely not running Microsoft security software, and we need your help to reduce this risk further."
Facebook's security team also has found at least two update mechanisms for Sefnit that don't employ SSH and use different C&C servers, according to a Facebook spokesperson. "SSH is commonly used for remote administration, so it will be important to continue assessing the actions of this malware."
Sefnit/Mevade has traditionally been a large botnet, with 1.4 million to 5 million bots even before the Tor transformation last year. Damballa Security, which initially dubbed the botnet "LazyAlienBikers," said recently that it saw infected machines in more than 80% of the enterprises it monitors.
The Tor move actually backfired on the botnet. The spike in Tor adoption attracted unwanted attention that ultimately exposed the botnet's movements there, experts say. "In the security arms race, sometimes the bad guys screw up too. But you can be sure they've taken the lessons learned from this progression, and will continue to find new ways to remain more elusive," Mark Gilbert, a security researcher at Damballa, posted last fall.