Microsoft Destroys Bitcoin Mining Botnet Sefnit

Microsoft has gone on the offensive against Sefnit: remotely removing an old version of Tor from two million computers.

Jan 22, 2014 at 4:31 p.m. UTC
Updated Sep 11, 2021 at 10:17 a.m. UTC

Microsoft has gone on the offensive against the 'Sefnit' botnet and has remotely removed Sefnit from many computers. But, contrary to our original report, it left the Tor clients behind.

Sefnit is a curious form of Tor-based malware that managed to infect millions of computers and turn them into zombies for click fraud and bitcoin mining.

It was first detected last summer, after the Tor Project noticed a 600% increase in Tor use. The spike coincided with the highly publicised revelations about NSA’s snooping programmes, namely Prism.

However, privacy concerns and paranoia had nothing to do with the surge. In September it became evident that the cause of the massive increase in Tor users had nothing to do with the NSA and whistleblower Edward Snowden: the culprit was Sefnit.

Remote solution

Sefnit was propagated in several ways, and it quickly found its way to several software bundles – complete with a vulnerable version of the Tor Browser. The malware installed the Tor client in the background, and even when Sefnit was removed the infected computer would still connect to the Tor network. Microsoft Malware Protection Center (MMPC) has protections to remove the services started by the Sefnit malware, but it does not uninstall Tor, remove any Tor binaries, or prevent users from using Tor, said Microsoft.

Since Microsoft had no way of reaching the affected users, it decided to wipe the infections remotely, reports Hacker News. Microsoft updated definitions for its anti-malware suites and the new signatures allowed Microsoft Security Essentials, Windows Defender, Microsoft Safety Scanner and other tools to detect and remove Sefnit malware.

Bitcoin mining botnets have been around for a while. The most recent case of mining malware propagation involved Yahoo’s European servers, which served infected ads for a few days before the company identified the breach. Several mining botnets were identified and put out of action in late 2013.

Rising hash difficulty

However, bitcoin mining botnets are starting to look like dinosaurs. PCs have not been used for bitcoin mining for months and even a huge botnet is an extremely inefficient way of mining. As the hash difficulty goes up, returns go down. In other words, malware designers will simply stop bothering with bitcoin mining malware altogether.

There is a problem though. Some PCs can still mine scrypt-based currencies quite efficiently. If litecoins or other altcoins based on ASIC-proof algorithms ever become popular, they could present a tempting target for cyber criminals.


