Microsoft Destroys Bitcoin Mining Botnet Sefnit

Microsoft has gone on the offensive against Sefnit: remotely removing an old version of Tor from two million computers.

AccessTimeIconJan 22, 2014 at 4:31 p.m. UTC
Updated Sep 11, 2021 at 10:17 a.m. UTC

Microsoft has gone on the offensive against the 'Sefnit' botnet and it has remotely removed Sefnit from many computers. But, contrary our original report, it left the Tor clients behind.

Sefnit is a curious form of Tor-based malware that managed to infect millions of computers and turn them into zombies for click fraud and bitcoin mining.

It was first detected last summer, after the Tor Project noticed a 600% increase in Tor use. The spike coincided with the highly publicised revelations about NSA’s snooping programmes, namely Prism.

However, privacy concerns and paranoia had nothing to do with the surge. In September it became evident that the cause of the massive increase in Tor users had nothing to do with the NSA and whistleblower Edward Snowden: the culprit was Sefnit.

Remote solution

Sefnit was propagated in several ways, and it quickly found its way to several software bundles – complete with a vulnerable version of the Tor Browser. The malware installed the Tor client in the background, and even when Sefnit was removed the infected computer would still connect to the Tor network. Microsoft Malware Protection Center (MMPC) has protections to remove the services started by the Sefnit malware, but it does not uninstall Tor, remove any Tor binaries, or prevent users from using Tor, said Microsoft.

Since Microsoft had no way of reaching the affected users, it decided to wipe the infections remotely, reports Hacker News. Microsoft updated definitions for its anti-malware suites and the new signatures allowed Microsoft Security Essentials, Windows Defender, Microsoft Safety Scanner and other tools to detect and remove Sefnit malware.

Bitcoin mining botnets

have been around for a while. The most recent case of mining malware propagation involved Yahoo’s European servers, which served infected ads for a few days before the company identified the breach. Several mining botnets were identified and put out of action in late 2013.

Rising hash difficulty

However, bitcoin mining botnets are starting to look like dinosaurs. PCs have not been used for bitcoin mining for months and even a huge botnet is an extremely inefficient way of mining. As the hash difficulty goes up, returns go down. In other words, malware designers will simply stop bothering with bitcoin mining malware altogether.

There is a problem though. Some PCs can still mine scrypt-based currencies quite efficiently. If litecoins or other altcoins based on ASIC-proof algorithms ever become popular, they could present a tempting target for cyber criminals.

Computer Image via Shutterstock


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.