Mevade (also known as Sefnit) is a botnet that engages in click-fraud and cryptocurrency mining. Mevade is noticeable for two reasons. Firstly, it is huge: at some point, several millions of computers had been infected. And secondly, when it hosted its C&C servers on Tor hidden services, it almost took down the Tor network. In this presentation we will give an overview of what is known about Mevade and how the botnet has evolved over time. A large part of the presentation will focus on the research performed on the non-Tor C&C communication and the somewhat unusual choice of domain names for C&C communication. We will also discuss about links between Mevade and other kinds of adware and malware. We are actively following this botnet and the developments around it and will of course present any developments taking place in the months prior to the conference.
Outline of presentation:
- History of Mevade
- Overview of the malware
- Cryptocurrency mining and the Stratum mining protocol used by Mevade
- Network communication Using Tor for C&C
- Links to other kinds of botnet and malware
- New developments