Sefnit Botnet Swaps Tor for SSH
Thu, 05/01/2014 - 11:09am
A botnet that had confounded researchers by using the Tor anonymizing network has been spotted rearing its ugly head again — no longer under the cover of Tor, but now back with its original encrypted SSH model.
Facebook's security team posted technical details this week of the throwback SSH version of Sefnit, a.k.a. Mevade, a botnet mainly associated with click fraud and Bitcoin mining.
Millions of machines were spotted in August running Win32/Sefnit installer programs, leading to 4 million Sefnit-based Tor clients appearing on the anonymizing network within a two-week period. A spike in Tor traffic at that time was initially thought to be a result of privacy concerns after the Snowden revelations about the NSA's spying operations, but security researchers later identified it as a botnet with Russian-speaking connections.
The botnet used Tor as a way to obfuscate its C&C traffic, and it allowed the operators to drop larger files onto victim machines, especially in pay-per-install schemes, security experts say.
But Sefnit now appears to have returned to its roots with an SSH-encrypted C&C infrastructure, according to Facebook's findings.
Source: Dark Reading