Sefnit Trojan endangers users even after removal

Remember when in late August 2013 the Tor anonymity network was hit with a sudden and massive influx of active clients connecting to it?

It was later discovered that the spike happened due to Mevade bots getting equipped with a component that used Tor for C&C communication. Also, that the Mevade threat is an old one: the Sefnit click-fraud Trojan that has been around since 2009.

This rapid rise in Tor connections has served to see just how many computers were infected with the malware, and the number was staggering: over four million.

Since then, Microsoft has been working to diminish that number. The company started by adding signatures to its security solutions for detecting and removing these new Sefnit versions from computers running Windows.

But the Tor component was not initially removed, and put users in danger of having their computers compromised by those and other attackers.

“The Tor client service left behind on a previously-infected machine may seem harmless at first glance – Tor is a good application used to anonymize traffic and usually poses no threat,” shared Microsoft antivirus researcher Geoff McDonald in a blog post. “Unfortunately, the version installed by Sefnit is v0.2.3.25 – and does not self-update.”

While there are no current high-severity vulnerabilities affecting this version, Tor has a history of such vulnerabilities being discovered, and many of them allow attackers to execute malicious code on the targets’ computers.

“This Tor service is a security risk to the machines even after Sefnit has been removed, since it is probable that a serious security vulnerability will be identified in the future. In summary, this means that a malicious actor may be able to infect millions of machines with any malware at some point in the future,” writes McDonald.

So, Microsoft has decided to retroactively clean the machines that still had the Sefnit-added Tor service, and practically managed to do so for half of them – around 2 million – in just two months (click on the screenshot to enlarge it):


But while two million cleaned computer is better than none, two million more remain at risk.

Many of these unreached machines probably not running Microsoft security software, so the only thing left to do is to either install and use one of those solutions, or remove the Tor component manually.

In order to help these users, Microsoft has compiled a short step-by-step guide on how to do it.

Don't miss