Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

4/30/2014
06:25 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Sefnit Botnet Swaps Tor for SSH

Facebook security researchers spot a Sefnit/Mevade click-fraud and Bitcoin-mining botnet returning to its previous SSH command-and-control communications infrastructure.

A botnet that had confounded researchers by using the Tor anonymizing network has been spotted rearing its ugly head again -- no longer under the cover of Tor, but now back with its original encrypted SSH model.

Facebook's security team posted technical details this week of the throwback SSH version of Sefnit, a.k.a. Mevade, a botnet mainly associated with click fraud and Bitcoin mining.

Millions of machines were spotted in August running Win32/Sefnit installer programs, leading to 4 million Sefnit-based Tor clients appearing on the anonymized network within a two-week period. A spike in Tor traffic at that time initially was thought to be a result of the privacy concerns after the Snowden revelations about the NSA's spying operations, but security researchers later identified it as a botnet with Russian-speaking connections.

The botnet used Tor as a way to obfuscate its C&C traffic, and it allowed the operators to drop larger files on to victim machines, especially in pay-per-install schemes, security experts say.

But Sefnit now appears to have returned to its roots with an SSH-encrypted C&C infrastructure, according to Facebook's findings.

"Facebook has dissected a new variant of Sefnit that appears to no longer utilize Tor. Details and indicators are provided to help security teams audit their hosts for signs of infection," Facebook's security team said in the post.

SSH can be a powerful tool for botnet operators to mask the traffic between their command and control servers and infected bots. It can easily camouflage botnet traffic, too, because SSH is commonly found in enterprise networks and used in outbound traffic. SSH encryption also is immune to various traffic analysis tools and offline decryption.

As of early January, Microsoft had counted 2 million machines still infected with Sefnit. "Our actions so far have put a dent in the number of users at risk, but more work is needed to address an estimated two million machines that have yet to be reached," blogged MMPC's Geoff McDonald. "Many of the unreached machines are likely not running Microsoft security software, and we need your help to reduce this risk further."

Facebook's security team also has found at least two update mechanisms to Sefnit that don't employ SSH and use different C&C servers, according to a Facebook spokesperson. "SSH is commonly used for remote administration, so it will be important to continue assessing the actions of this malware."

Sefnit/Mevade has traditionally been a large botnet, with 1.4 million to 5 million bots even before the Tor transformation last year. Damballa Security, which initially dubbed the botnet "LazyAlienBikers," said recently that it saw infected machines in more than 80% of the enterprises it monitors.

The Tor move actually backfired on the botnet. The spike in Tor adoption attracted unwanted attention that ultimately exposed the botnet's movements there, experts say. "In the security arms race, sometimes the bad guys screw up too. But you can be sure they've taken the lessons learned from this progression, and will continue to find new ways to remain more elusive," Mark Gilbert, a security researcher at Damballa, posted last fall.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
5/1/2014 | 10:47:56 AM
Re: Business and Safeguard standpoint
Facebook's Security Team identified some key files, domains and artifacts and other indictators of compromise for enterprises to be on the lookout for, but these are just a sampling:

https://www.facebook.com/notes/protect-the-graph/sefnit-is-back/1448087102098103
Anthony Schimizzi
50%
50%
Anthony Schimizzi,
User Rank: Apprentice
5/1/2014 | 8:49:42 AM
Re: Business and Safeguard standpoint
User action is required in some way to become infected, whether clicking a link in an email to run the malicious code or more sophisticate like downloading a legitimate video which states you need an updated codec (which is actually the bot code) to view it.  User access control will be one of the first places to look.

Another thing to help the posture of your enterprise network in this scenario would be to granularly inspect traffic outbound at your SDP.  A lot of people really focus on how to prevent and outside attack from emanating and don't put as much attention to what traffic is leaving your network.  A good baseline of operational traffic that will traverse outside the SDP will make your life a lot easier when trying to spot a bump in the wire.  In this case, SSH connections back to a Russian entity.  If a baseline is not in place due to a large amount of public Internet traffic, then alerts and suspicious traffic need to be investigated.  With SSH it can be hard to find that right signal-to-noise ratio for your company.  For example, if you know your company does not have any affiliation with Russia, alerts and notifications from your SIEM should be on your IR/ID team's monitors for SSH traffic or any type of traffic, sourced from inside your network and destined to a Russian ip.

 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/30/2014 | 7:14:38 PM
Business and Safeguard standpoint
Now that Sefnit is using the SSH protocol what are some things to look out for? What I can see from the article is that it hits home for Remote Adminstation that uses SSH. Meaning what are some methods to protect from this and is user action required to become vulnerable or just an SSH protocol? I just want to see if from an Enterprise perspective how this affects, so that plans can be made. 
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
New Attack Campaigns Suggest Emotet Threat Is Far From Over
Jai Vijayan, Contributing Writer,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5216
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.9.0, 5.2.0, and 6.3.0. If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seei...
CVE-2020-5217
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.8.0, 5.1.0, and 6.2.0. If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be injected leading to directive injection. This could b...
CVE-2020-5223
PUBLISHED: 2020-01-23
In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3...
CVE-2019-20399
PUBLISHED: 2020-01-23
A timing vulnerability in the Scalar::check_overflow function in Parity libsecp256k1-rs before 0.3.1 potentially allows an attacker to leak information via a side-channel attack.
CVE-2020-7915
PUBLISHED: 2020-01-22
An issue was discovered on Eaton 5P 850 devices. The Ubicacion SAI field allows XSS attacks by an administrator.