
Click-fraud malware employs new twist

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 27 Sept 2013
Researchers are unclear about how this latest version is spreading, or how it is monetising itself.

The notorious Sefnit malware family that has been out of commission for the last two years is being used in a new click-fraud scam.

Geoff McDonald, a researcher at Microsoft's Malware Protection Centre, has reported new click-fraud activity linked to the malware.

He added that the Mevade Trojan, which made headlines recently for being the first large botnet to use Tor to 'anonymise' and hide its network traffic, can be linked to Sefnit, and that Microsoft has concluded the two are from the same family.

In his blog, McDonald said Sefnit is a well-known threat, which includes a component capable of performing click-fraud.

"From our observations in the wild, this particular component disappeared near the end of 2011. In June 2013, we discovered a new click-fraud component, which we originally classified as Mevade."

He says despite its "recent notoriety due to the Tor activity", researchers are unclear as to how this latest version is spreading, or how it is monetising itself.

Old malware, new tricks

McDonald says Sefnit's new click-fraud method differs from the old one, and is believed to be the reason why it has evaded detection over the past two years.

The old version of Sefnit relied on click hijacking for performing click-fraud. "When an infected user was browsing the Internet and clicked on a search engine result, sometimes the clicks would be hijacked to travel through advertising agencies to a similar Web page as the intended destination. These clicks are generally considered quite high-value and are hard to detect from an anti-fraud perspective."

He says that although it is stealthy, the user whose click was hijacked might notice his click did not direct him to his intended Web site, and could possibly investigate the cause, and alert security researchers. This would put the malware under the spotlight.

However, in 2011 the Sefnit authors released no new versions of the component responsible for this click hijacking, and security researchers believed they were no longer active in the wild, until June this year, when Sefnit's new click-fraud strategy was exposed.

McDonald says the current click-fraud element is structured as a proxy service based on the open source 3proxy project. The botnet of Sefnit-hosted proxies is used to relay HTTP traffic that pretends to click on advertisements.

Because of this, the updated Sefnit version displays no clear visible user symptoms to draw attention to the botnet, which is why the malware has flown under the radar for several years.
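The two click-fraud patterns described above leave different traces in an organisation's web-proxy logs: the old click hijacking shows up as a user's search-result clicks being routed through ad-click domains, while the new relay-based fraud shows up as a host emitting ad-click requests with no browsing session around them. The script below, an added example that is not part of the ITWeb article nor code from Microsoft or Trend Micro, implements both triage heuristics over constructed log lines. The log format, the host names (`search.example`, `clicks.adnet.example`, `redir.adagency.example`), the client addresses and the watch-lists are all assumptions made for the example.

```python
"""Triage heuristics for the two Sefnit click-fraud patterns, run over a
constructed web-proxy log. Nothing here is real traffic or real infrastructure."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed watch-lists; a real deployment would feed these from threat intel.
SEARCH_DOMAINS = {"search.example", "www.search.example"}
AD_CLICK_DOMAINS = {"clicks.adnet.example", "redir.adagency.example"}

# Constructed log: "<ISO time> <client> <method> <url> <referrer or ->".
SAMPLE_LOG = """\
2013-09-27T10:00:00 10.0.0.5 GET http://www.search.example/?q=printers -
2013-09-27T10:00:03 10.0.0.5 GET http://clicks.adnet.example/c?id=1 http://www.search.example/?q=printers
2013-09-27T10:00:04 10.0.0.5 GET http://shop.example/printers http://clicks.adnet.example/c?id=1
2013-09-27T10:00:20 10.0.0.5 GET http://www.search.example/?q=paper -
2013-09-27T10:00:22 10.0.0.5 GET http://redir.adagency.example/go?x=2 http://www.search.example/?q=paper
2013-09-27T10:05:00 10.0.0.9 GET http://www.search.example/?q=news -
2013-09-27T10:05:02 10.0.0.9 GET http://news.example/ http://www.search.example/?q=news
2013-09-27T11:00:00 10.0.0.7 GET http://clicks.adnet.example/c?id=77 -
2013-09-27T11:00:01 10.0.0.7 GET http://clicks.adnet.example/c?id=78 -
2013-09-27T11:00:02 10.0.0.7 GET http://redir.adagency.example/go?x=79 -
"""


def parse_line(line):
    """Turn one constructed log line into a record dict."""
    ts, client, method, url, referrer = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "method": method,
        "url": url,
        "host": urlparse(url).hostname,
        "referrer": None if referrer == "-" else referrer,
    }


def load(text):
    """Parse all non-empty lines, oldest first."""
    records = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted(records, key=lambda r: r["ts"])


def hijack_ratio(records):
    """Old Sefnit pattern (click hijacking): per client, the fraction of
    search-referred requests that land on an ad-click domain. A user whose
    organic clicks are being rerouted through advertising agencies shows an
    unusually high ratio compared with peers."""
    total = defaultdict(int)
    via_ads = defaultdict(int)
    for r in records:
        ref_host = urlparse(r["referrer"]).hostname if r["referrer"] else None
        if ref_host in SEARCH_DOMAINS:
            total[r["client"]] += 1
            if r["host"] in AD_CLICK_DOMAINS:
                via_ads[r["client"]] += 1
    return {c: via_ads[c] / total[c] for c in total}


def find_headless_ad_clicks(records, window=timedelta(seconds=30)):
    """New Sefnit pattern (proxy relay): count, per client, ad-click requests
    that carry no referrer and are not preceded within `window` by any
    non-ad request from the same client. A browser click comes from a page the
    user loaded; a relayed 'click' arrives with no surrounding session."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)
    flagged = defaultdict(int)
    for client, recs in by_client.items():
        for i, r in enumerate(recs):
            if r["host"] not in AD_CLICK_DOMAINS or r["referrer"]:
                continue
            recent = [p for p in recs[:i] if r["ts"] - p["ts"] <= window]
            if not any(p["host"] not in AD_CLICK_DOMAINS for p in recent):
                flagged[client] += 1
    return dict(flagged)


if __name__ == "__main__":
    recs = load(SAMPLE_LOG)
    print("search clicks routed via ad domains:", hijack_ratio(recs))
    print("headless ad clicks per client:", find_headless_ad_clicks(recs))
```

Both functions are triage signals, not verdicts: a user who clicks a sponsored search result legitimately produces a search-referred request to an ad domain, so `hijack_ratio` only becomes meaningful with a minimum number of clicks and a comparison against the population baseline, and `find_headless_ad_clicks` should be paired with host-level evidence (an unexpected listening proxy service on the workstation) before anyone acts on it.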

The culprits

Earlier this month, Trend Micro reported in a blog that those responsible for Mevade and, therefore, Sefnit, have been "a bit less careful about hiding their identities".

It added that the culprits operate out of Kharkov, Ukraine, and Israel, and have been up to their tricks since at least 2010.

"One of the main actors is known as 'Scorpion'. Another actor uses the nickname 'Dekadent'. Together, they are part of a well-organised and probably well financed cyber crime gang."

Trend Micro said these threat actors can be "strongly associated" with installations of adware and hijacking search results, and that it suspects the Mevade botnet is monetised by installing adware and toolbars onto affected systems.

The blog added that although there is the perception that adware and toolbars are less dangerous than data-stealing malware, in reality there is a fortune to be made from fraudulent advertising.

"We would also like to point out that Mevade has a backdoor component and communicates over SSH to remote hosts. Therefore, the risk for data theft is still very high."
