Tor network used to command Skynet botnet

Other botnet operators might use Tor to hide their command and control servers in the future, researchers say

Security researchers have identified a botnet controlled by its creators over the Tor anonymity network. It's likely that other botnet operators will adopt this approach, according to the team from vulnerability assessment and penetration testing firm Rapid7.

The botnet is called Skynet and can be used to launch DDoS (distributed denial-of-service) attacks, generate Bitcoins -- a type of virtual currency -- using the processing power of graphics cards installed in infected computers, download and execute arbitrary files or steal login credentials for websites, including online banking ones.

However, what really makes this botnet stand out is that its command and control (C&C) servers are only accessible from within the Tor anonymity network using the Tor Hidden Service protocol.

Tor hidden services are most commonly Web servers, but can also be Internet Relay Chat (IRC), Secure Shell (SSH) and other types of servers. These services can only be accessed from inside the Tor network through a random-looking hostname that ends in the .onion pseudo-top-level domain.


The Hidden Service protocol was designed to hide the IP (Internet Protocol) address of the clients from the service and the IP address of the service from the clients, making it almost impossible for the parties involved to determine each other's physical location or real identity. Like all traffic passing through the Tor network, the traffic between a Tor client and a Tor hidden service is encrypted and is randomly routed through a series of other computers acting as Tor relays.

Tor Hidden Services are perfect for a botnet operation, said Claudio Guarnieri, a security researcher at Rapid7 and creator of the Cuckoo Sandbox malware analysis system, in an email on Friday. "As far as I understand, there is no technical way neither to trace and definitely neither to take down the Hidden Services used for C&C."

Guarnieri published a blog post about the Skynet botnet on Thursday. He believes that the botnet is the same one described by a self-confessed botnet operator in an "IAmA" (I am a) thread on Reddit seven months ago. Reddit "IAmA" or "AMA" (ask me anything) threads allow people who perform various jobs or have various occupations to answer questions from other Reddit users.

Despite the wealth of information about the botnet offered by its creator on Reddit seven months ago, the botnet is still alive and strong. In fact, Rapid7 researchers estimate that the botnet's current size is 12,000 to 15,000 compromised computers, up to 50 percent more than its operator estimated seven months ago.

The malware behind this botnet is distributed through Usenet, a system originally built at the beginning of the 1980s as a distributed discussion platform, but now commonly used to distribute pirated software and content, commonly known as "warez."

"We incidentally found it on Usenet and started digging there and realized the operator is automatically repackaging and uploading the malware for every new popular warez release," Guarnieri said. "It could be likely found on other file-sharing platforms too, but we have no proof at this point."

Content from Usenet is commonly downloaded by users and redistributed through other file-sharing technologies like BitTorrent.

The Skynet malware has several components: an IRC-controlled bot that can launch various types of DDoS attacks and perform several other actions, a Tor client for Windows, a so-called Bitcoin mining application and a version of the Zeus Trojan program, which is capable of hooking into browser processes and stealing log-in credentials for various websites.

While good for anonymity, Tor does have disadvantages for a botnet operation, such as increased latency and sometimes instability.

"Obviously they [the botnet operators] can't tunnel just everything through Tor," Guarnieri said. "If the botnet is performing some heavy, frequent and noisy communication, then it could be problematic."

However, if the goal is just for the infected machines to be able to retrieve commands from a server in a reasonable time without exposing the server's location, then Tor works well enough, he said. "I'm pretty sure more botherders will definitely replicate this design."

"This is a major reason for concern," said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender, via email. "If a single botherder can stay anonymous for seven months by routing C&C traffic via TOR, then it will definitely stick with other botmasters."

That said, Botezatu believes that Tor might not be suitable for large botnets because the Tor network, which is already relatively slow, might not be able to handle a lot of concurrent connections.

The impact of botnets on the Tor network itself really depends on the scale of abuse, Guarnieri said. One feature of the Skynet botnet is that each infected machine becomes a Tor relay, which ironically makes the network larger and able to sustain the load, he said.

Botnet creators have recently implemented peer-to-peer solutions for command and control purposes rather than Tor-based ones, because they provide the same level of anonymity and increased resiliency without introducing the latency problems, Botezatu said. In addition, peer-to-peer implementations have already been well documented and tested, he said.

The Tor-based approach is not new, said Marco Preuss, head of the German global research and analysis team at antivirus vendor Kaspersky Lab, via email. "In the past years several presentations and research papers mentioned this method for botnets."

"One of the most important disadvantages is the complex implementation -- errors lead to easy detection -- and also the speed is a drawback," Preuss said. Depending on how Tor is used in the botnet infrastructure, there might be solutions to detect and block the traffic, as well as to disable the botnet, he said.

"A single botnet of about ten thousand machines isn't a stringent problem for the global Internet, but, if things escalate, we're sure that node administrators will cooperate with ISPs and law enforcement to take down malicious traffic," Botezatu said. "After all, Tor has been designed for anonymity and privacy, not for cyber crime."

"One countermeasure that companies or ISPs could eventually enforce in their firewall is to drop all packets that originate from known TOR nodes, in order to minimize the amount of potentially malicious traffic they receive," Botezatu said. "Of course, they might also end up blacklisting a number of legit Tor users looking for anonymity."
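As an added illustration of the firewall-side countermeasure Botezatu describes, and of its false-positive cost, the following Python script is not from the article or from Rapid7: the relay list, the log lines and the allowlist are constructed sample data, and a real deployment would load relay addresses from a current Tor consensus rather than a hard-coded set.

```python
"""Flag internal hosts that talk to known Tor relays, from firewall log lines.

Added example, not code from the article or from Rapid7. TOR_RELAYS,
SAMPLE_LOG and ALLOWLIST are constructed placeholders.
"""
import re
from collections import defaultdict

# Constructed stand-in for a "known Tor relay" list (documentation IPs, not real relays).
TOR_RELAYS = {"198.51.100.7", "198.51.100.23", "203.0.113.9", "203.0.113.44"}

# Internal hosts whose Tor use is sanctioned (e.g. a research box); constructed.
ALLOWLIST = {"10.0.0.50"}

# Constructed firewall log lines: "<ts> src=<ip> dst=<ip> dport=<port> action=<act>"
SAMPLE_LOG = """\
2012-12-07T10:00:01 src=10.0.0.12 dst=198.51.100.7 dport=9001 action=allow
2012-12-07T10:00:05 src=10.0.0.12 dst=203.0.113.9 dport=443 action=allow
2012-12-07T10:00:09 src=10.0.0.12 dst=198.51.100.23 dport=9001 action=allow
2012-12-07T10:00:12 src=10.0.0.31 dst=192.0.2.80 dport=80 action=allow
2012-12-07T10:00:15 src=10.0.0.50 dst=203.0.113.44 dport=9001 action=allow
2012-12-07T10:00:20 src=10.0.0.31 dst=198.51.100.7 dport=9001 action=allow
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")

def parse_log(text):
    """Yield (src, dst, dport) tuples; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])

def tor_contacts(text, relays=TOR_RELAYS):
    """Map each internal source host to the set of known relays it contacted."""
    contacts = defaultdict(set)
    for src, dst, _ in parse_log(text):
        if dst in relays:
            contacts[src].add(dst)
    return dict(contacts)

def suspicious_hosts(text, min_relays=2, allowlist=ALLOWLIST):
    """Hosts contacting at least min_relays distinct relays, minus sanctioned hosts.

    A threshold above one cuts false positives: one hit may be a stray
    connection, while a Tor client contacts several relays over time.
    """
    return sorted(h for h, rel in tor_contacts(text).items()
                  if len(rel) >= min_relays and h not in allowlist)

if __name__ == "__main__":
    for host in suspicious_hosts(SAMPLE_LOG):
        print(host, sorted(tor_contacts(SAMPLE_LOG)[host]))
```

The allowlist is the point Botezatu raises: without it, legitimate Tor users such as 10.0.0.50 are flagged alongside the infected machines.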
