Mevade and Sefnit: Click Fraud Botnet
Mevade and Sefnit are malware grouped together in the same family of botnets, one that uses Tor to anonymize and hide its network traffic. Mevade and Sefnit are credited with an increase of over 600 percent in Tor users, from about 500,000 to more than 4 million.
Mevade and Sefnit
The Mevade and Sefnit botnet family (Win32/Sefnit) includes a component capable of performing click fraud. Click fraud is the practice of repeatedly clicking on a web advertisement with the intention of generating revenue for the host site or draining revenue from the legitimate advertiser.
In this case, the malware uses infected computers for click fraud and bitcoin mining, leaving millions of machines potentially exposed to future attacks. In late 2013, millions of infected computers running Win32/Sefnit installers were instructed to download and install a Sefnit component that uses the Tor network for command-and-control (C&C) communication.
The security problem with this botnet is that the Tor client service is silently installed in the background. What does this mean? If you have never installed the Tor client on your PC but become infected with this malware, your PC will be running Tor without your knowledge.
At a glance, having the Tor client installed on a previously infected machine does not appear harmful: you can download Tor yourself and use it to remain anonymous while browsing the Internet. However, the Tor version (v0.2.3.25) installed by Sefnit does not self-update. An outdated application such as Tor leaves your PC exposed to attacks, including ones that give an attacker remote access to take over your PC.
Because the Tor client is outdated, your PC will remain vulnerable even if you are able to remove the Sefnit botnet.
Protecting Your PC
Your antivirus or Internet security solution may have removed Sefnit from your PC. However, as explained earlier, the outdated Tor client may still be installed. To confirm whether the Tor service is present, open a command prompt and run "sc query tor". If the service is found and you did not install Tor yourself, it is highly likely that the Sefnit botnet installed it. To remove it, run "sc delete tor", then run "sc query tor" again to confirm that the service has been removed.
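The same check-and-remove procedure as a PowerShell script, added here as an example and not taken from the original article. It assumes the service is registered under the name "tor" (as in the article's "sc query tor"), that it is run from an elevated PowerShell prompt, and that the Tor binary carries file-version metadata (not every build does). Beyond the article's two commands it also records the service's binary path and SHA-256 hash before deletion, stops the service first, and checks the sc.exe exit code 1060 (service does not exist) to confirm removal.

```powershell
# Added example (not from the original article): find a Tor service you did not
# install, record where its binary lives, and remove the service.
# Assumptions: service name is "tor"; run from an elevated PowerShell.

$ServiceName = 'tor'

# Win32_Service exposes the binary path (PathName), which "sc query" does not show.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"

if (-not $svc) {
    Write-Output "No service named '$ServiceName' is registered. Nothing to do."
    return
}

Write-Output "Found service '$($svc.Name)' (state: $($svc.State), start mode: $($svc.StartMode))"
Write-Output "Binary path: $($svc.PathName)"

# Strip surrounding quotes and trailing arguments to get the executable path.
$exe = ($svc.PathName -replace '^"([^"]+)".*$', '$1') -replace '\s+-.*$', ''
if (Test-Path -LiteralPath $exe) {
    # File version is only present if the binary carries version metadata (assumption).
    $ver = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
    Write-Output "Executable exists; reported file version: $ver"
    # Preserve evidence before removal so the binary can be examined later.
    $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
    Write-Output "SHA256: $hash"
} else {
    Write-Output "Executable not found on disk (service entry may be stale)."
}

# Only remove the service if the operator confirms they did not install Tor themselves.
$answer = Read-Host "Did you install this Tor service yourself? (y/N)"
if ($answer -match '^[Yy]') {
    Write-Output "Leaving the service in place."
    return
}

# "sc delete" on a running service only marks it for deletion, so stop it first.
if ($svc.State -eq 'Running') {
    Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
}
sc.exe delete $ServiceName | Out-Null

# Confirm removal, mirroring the article's final "sc query tor" check.
# sc.exe exits with 1060 (ERROR_SERVICE_DOES_NOT_EXIST) when the service is gone.
$check = sc.exe query $ServiceName 2>&1
if ($LASTEXITCODE -eq 1060) {
    Write-Output "Service '$ServiceName' has been removed."
} else {
    Write-Output "Service still reported by sc query (it may be marked for deletion until reboot):"
    Write-Output $check
}
```

Deleting the service entry does not remove the outdated tor.exe from disk; the recorded binary path tells you where it is so the file can be quarantined or deleted separately, and the hash lets you cross-check it against your antivirus vendor's detections.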