U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Malware

Sefnit botnet-Microsoft has silently uprooted Tor Browser from more than 2 Million PC

Microsoft has uprooted Tor Browser from more than 2 Million Systems to eradicate Sefnit botnet. It has done it silently without user agreement. It was August 2013 when security experts noted a spike in Tor traffic network caused by cybercriminals activities, the malware specialists discovered a botnet based on Mevade malware, in mid-August the number […]

Sefnit botnet-Microsoft has silently uprooted Tor Browser from more than 2 Million PC

Microsoft has uprooted Tor Browser from more than 2 Million Systems to eradicate Sefnit botnet. It has done it silently without user agreement.

It was August 2013 when security experts noted a spike in Tor traffic network caused by cybercriminals activities, the malware specialists discovered a botnet based on Mevade malware, in mid-August the number of Tor users had skyrocketed from 500,000 to close to 3 million. The security expert speculated that traffic was generated by communication of bots with C&C servers hidden in the Tor network. Bot agent for the Mevade malware family used “Sefnit” code dated 2009 that included Tor connectivity. The malware implemented a backup mechanism for its C&C communications with a Tor component.

“The botnet of Sefnit hosted proxies are used to relay HTTP traffic to pretend to click on advertisements,” said Microsoft Malware Protection Center researcher Geoff McDonald.

The botnet was infecting millions of computers for click fraud and bitcoin mining, so in October 2013, Microsoft decided decided to go on the attack with a stealth offensive to decapitate the Tot-botnet based on the Sefnit malware, an agent belonging to the same click-fraud scam family malicious code of Mevade  .

Microsoft decided to silently remotely remove older versions Tor Browser software from nearly 2 Million systems, the operation was conducted without informing both Microsoft customers neither the Tor developers.

Sefnit caused Tor traffic spike

Microsoft experts remarked that Sefnit malware silently installed a Tor client on infected machines, even if it  is removed the Tor service will be left and still regularly connect to the Tor Network. The Sefnit removal according Microsoft requests the execution of a specific procedures hard to explain to its customers, that’s why Microsoft decided to remotely erase every component belonging to the botnet.

“’The security problem lies in the fact that during a Sefnit component infection, the Tor client service is also silently installed in the background. Even after Sefnit is removed, unless specific care is taken, the Tor service will be left and still regularly connect to the Tor Network.‘” States the official blog post.

Sefnit caused Tor traffic spike TIMELINE

To sanitize the infected machines, Microsoft has updated all its security products including information and instructions to detect the presence of malicious Tor client service and remove it.

We modified our signatures to remove the Sefnit-added Tor client service. Signature and remediation are included in all Microsoft security software, including Microsoft Security Essentials, Windows Defender on Windows 8, Microsoft Safety Scanner, Microsoft System Center Endpoint Protection, and Windows Defender Offline.” Reports Microsoft.

Microsoft points out several vulnerabilities in the Tor version v0.2.3.25  used by Sefnit, unfortunately the bundle is not upgradeable to the successive version, so the company decided to close loophole uninstalling the browser instead to simply delete the Sefnit code.

Tor is a good application used to anonymize traffic and usually poses no threat. Unfortunately, the version installed by Sefnit is v0.2.3.25 – and does not self-update. The latest Tor release builds at the time of writing is v0.2.4.20.

Sefnit caused Tor browser flaws

The side effect was that the decision of Microsoft impacted also all the Tor users that intentionally have installed the anonymizing browser, 2 Million systems were cleaned with this technique.

It is very concerning the fact that the company could arbitrary decide to remove a software on any system based on its OS.

The Internet community has considered the decision of Microsoft to remove Tor browsers without any alert, too arrogant. Many experts are questioning about why Microsoft has not followed the same policy for its IE browser which is known to be suffering from hundreds of vulnerabilities, many of which are critical and which expose the safety of customers at serious risk.

Pierluigi Paganini

(Security Affairs –  Microsoft, Sefnit)