Microsoft Destroys Bitcoin Mining Botnet Sefnit

Nermin Hajdarbegovic
Jan 22, 2014 at 16:31 UTC
Updated Jan 28, 2014 at 15:19 UTC

Microsoft has gone on the offensive against the ‘Sefnit’ botnet and it has remotely removed Sefnit from many computers. But, contrary our original report, it left the Tor clients behind.

Sefnit is a curious form of Tor-based malware that managed to infect millions of computers and turn them into zombies for click fraud and bitcoin mining.

It was first detected last summer, after the Tor Project noticed a 600% increase in Tor use. The spike coincided with the highly publicised revelations about NSA’s snooping programmes, namely Prism.

However, privacy concerns and paranoia had nothing to do with the surge. In September it became evident that the cause of the massive increase in Tor users had nothing to do with the NSA and whistleblower Edward Snowden: the culprit was Sefnit.

Remote solution

Sefnit was propagated in several ways, and it quickly found its way to several software bundles – complete with a vulnerable version of the Tor Browser. The malware installed the Tor client in the background, and even when Sefnit was removed the infected computer would still connect to the Tor network. Microsoft Malware Protection Center (MMPC) has protections to remove the services started by the Sefnit malware, but it does not uninstall Tor, remove any Tor binaries, or prevent users from using Tor, said Microsoft.

Since Microsoft had no way of reaching the affected users, it decided to wipe the infections remotely, reports Hacker News. Microsoft updated definitions for its anti-malware suites and the new signatures allowed Microsoft Security Essentials, Windows Defender, Microsoft Safety Scanner and other tools to detect and remove Sefnit malware.

Bitcoin mining botnets have been around for a while. The most recent case of mining malware propagation involved Yahoo’s European servers, which served infected ads for a few days before the company identified the breach. Several mining botnets were identified and put out of action in late 2013.

Rising hash difficulty

However, bitcoin mining botnets are starting to look like dinosaurs. PCs have not been used for bitcoin mining for months and even a huge botnet is an extremely inefficient way of mining. As the hash difficulty goes up, returns go down. In other words, malware designers will simply stop bothering with bitcoin mining malware altogether.

There is a problem though. Some PCs can still mine scrypt-based currencies quite efficiently. If litecoins or other altcoins based on ASIC-proof algorithms ever become popular, they could present a tempting target for cyber criminals.

Computer Image via Shutterstock

The leader in blockchain news, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups.