Rotbrow: the Sefnit distributor

This month's addition to the Microsoft Malicious Software Removal Tool is a family that is both old and new. Win32/Rotbrow existed as far back as 2011, but the first time we saw it used for malicious purposes was only in the past few months.

In September, Geoff blogged about the dramatic resurgence of Win32/Sefnit (aka Mevade). At the time, we knew of several ways in which Sefnit was distributed, but we continued investigating how it was able to get on so many machines. When we concentrated on the most prevalent component, which Geoff labelled the "Updater and Installer Service" in his blog, we found one file in particular stood out. We knew that this file was bundled with an installer for a harmless program called FileScout, but where did the FileScout installer come from?

Our telemetry showed us a pattern. The FileScout/Sefnit installer was not being downloaded directly from the web; it was usually written by a process called "BitGuard.exe". We were quickly able to trace the individual file that was writing the installer on so many computers. It was the most prevalent sample of something that called itself "Browser Protector" (and sometimes "Browser Defender"). We had seen many versions of this before, but never any that exhibited behaviour that would warrant our detection. This sample was different – we knew it must have either carried the FileScout/Sefnit installer inside it, or it was downloading it from somewhere else.

It took only minutes to identify which possibility was correct. Inside the file we found a resource called RT_BIN, whose content was not immediately significant, but whose size was 251,299 bytes - exactly the same as the FileScout/Sefnit installer.

Apparently the resource was encrypted. We could see that "Browser Protector" contained the same RC4 decryption code we'd seen in Sefnit, and the decryption key was easy to locate inside the code (rather obviously it was "FilescoutEncryptionKey"), so we tried it out. Sure enough, the decrypted result matched the FileScout/Sefnit installer we expected. It was also easy to confirm that "Browser Protector" could write the decrypted file to the temporary folder with the file name setup_fsu_cid.exe, exactly as we had seen from our telemetry.
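The three checks just described (resource size equals the installer size, RC4 decryption with the embedded key, decrypted bytes match the known installer) are easy to script for triage. The following is an added example, not code from the MMPC post; the key string is the one quoted above, while the payload bytes, their length and their hash are constructed stand-ins for the real installer. A real analysis would feed in the RT_BIN resource bytes pulled from the sample (for instance by walking a PE's resource directory with the pefile module) together with the installer's known size and SHA1.

```python
import hashlib

# Key string quoted in the write-up.
KEY = b"FilescoutEncryptionKey"

# Constructed stand-in for the installer dropped as setup_fsu_cid.exe;
# the real file is 251,299 bytes, this one is not.
SAMPLE_PAYLOAD = b"MZ" + b"constructed stand-in for the FileScout/Sefnit installer\n" * 8
SAMPLE_LEN = len(SAMPLE_PAYLOAD)
SAMPLE_SHA1 = hashlib.sha1(SAMPLE_PAYLOAD).hexdigest()


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; encryption and decryption are the same operation."""
    # Key-scheduling algorithm.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation, XORed over the data.
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def check_resource(resource: bytes, key: bytes, expected_len: int, expected_sha1: str):
    """Apply the write-up's checks to one resource blob.

    Returns the decrypted bytes when the size matches and the RC4 result
    hashes to the expected installer, otherwise None.
    """
    if len(resource) != expected_len:
        return None
    plain = rc4(key, resource)
    if hashlib.sha1(plain).hexdigest() != expected_sha1:
        return None
    return plain


def build_encrypted_resource(payload: bytes, key: bytes) -> bytes:
    """Constructed RT_BIN-style blob for the demo: the payload RC4-encrypted under key."""
    return rc4(key, payload)


if __name__ == "__main__":
    blob = build_encrypted_resource(SAMPLE_PAYLOAD, KEY)
    result = check_resource(blob, KEY, SAMPLE_LEN, SAMPLE_SHA1)
    print("resource decrypts to the expected installer:", result is not None)
    print("wrong key rejected:", check_resource(blob, b"wrong", SAMPLE_LEN, SAMPLE_SHA1) is None)
```

The size check runs first because it is free: a resource whose length does not equal the installer's cannot be the encrypted copy, since RC4 is a stream cipher and does not change the length. The hash comparison after decryption is what turns "looks encrypted" into a confirmed match.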

While we found that many variants of "Browser Protector" do not contain Sefnit, they are capable of updating to versions that do, so we added a generic detection under the name Win32/Rotbrow. To further stymie this avenue for Sefnit distribution, this month we add the Rotbrow family to MSRT.

SHA1s:

Sefnit updater and installer service: 942860bedf408cc4c6a1831ef3744a3f9e68b375
FileScout installer: c5758309136cd1e7e804d2003dc5ca27ae743ac3
Rotbrow: efe10525395591ca4fb6ec083f6f22c9e0db2d9d