Microsoft Destroys Bitcoin Mining Botnet Sefnit

Microsoft has gone on the offensive against Sefnit: remotely removing an old version of Tor from two million computers.

AccessTimeIconJan 22, 2014 at 4:31 p.m. UTC
Updated Sep 2, 2021 at 12:36 p.m. UTC

Presented By Icon

Election 2024 coverage presented by

Stand with crypto

Microsoft has gone on the offensive against the 'Sefnit' botnet and it has remotely removed Sefnit from many computers. But, contrary our original report, it left the Tor clients behind.

Sefnit is a curious form of Tor-based malware that managed to infect millions of computers and turn them into zombies for click fraud and bitcoin mining.

  • Bitcoin Mining in the U.S. Will Become 'a Lot More Decentralized': Core Scientific CEO
    13:18
    Bitcoin Mining in the U.S. Will Become 'a Lot More Decentralized': Core Scientific CEO
  • Binance to Discontinue Its Nigerian Naira Services After Government Scrutiny
    05:10
    Binance to Discontinue Its Nigerian Naira Services After Government Scrutiny
  • The first video of the year 2024
    04:07
    The first video of the year 2024
  • The last regression video of the year 3.67.0
    40:07
    The last regression video of the year 3.67.0
  • It was first detected last summer, after the Tor Project noticed a 600% increase in Tor use. The spike coincided with the highly publicised revelations about NSA’s snooping programmes, namely Prism.

    However, privacy concerns and paranoia had nothing to do with the surge. In September it became evident that the cause of the massive increase in Tor users had nothing to do with the NSA and whistleblower Edward Snowden: the culprit was Sefnit.

    Remote solution

    Sefnit was propagated in several ways, and it quickly found its way to several software bundles – complete with a vulnerable version of the Tor Browser. The malware installed the Tor client in the background, and even when Sefnit was removed the infected computer would still connect to the Tor network. Microsoft Malware Protection Center (MMPC) has protections to remove the services started by the Sefnit malware, but it does not uninstall Tor, remove any Tor binaries, or prevent users from using Tor, said Microsoft.

    Since Microsoft had no way of reaching the affected users, it decided to wipe the infections remotely, reports Hacker News. Microsoft updated definitions for its anti-malware suites and the new signatures allowed Microsoft Security Essentials, Windows Defender, Microsoft Safety Scanner and other tools to detect and remove Sefnit malware.

    have been around for a while. The most recent case of mining malware propagation involved Yahoo’s European servers, which served infected ads for a few days before the company identified the breach. Several mining botnets were identified and put out of action in late 2013.

    Rising hash difficulty

    However, bitcoin mining botnets are starting to look like dinosaurs. PCs have not been used for bitcoin mining for months and even a huge botnet is an extremely inefficient way of mining. As the hash difficulty goes up, returns go down. In other words, malware designers will simply stop bothering with bitcoin mining malware altogether.

    There is a problem though. Some PCs can still mine scrypt-based currencies quite efficiently. If litecoins or other altcoins based on ASIC-proof algorithms ever become popular, they could present a tempting target for cyber criminals.

    Computer Image via Shutterstock

    Disclosure

    Please note that our privacy policy, terms of use, cookies, and do not sell my personal information have been updated.

    CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. CoinDesk has adopted a set of principles aimed at ensuring the integrity, editorial independence and freedom from bias of its publications. CoinDesk is part of the Bullish group, which owns and invests in digital asset businesses and digital assets. CoinDesk employees, including journalists, may receive Bullish group equity-based compensation. Bullish was incubated by technology investor Block.one.


    Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.