Tor network used to command Skynet botnet

Other botnet operators might use Tor to hide their command and control servers in the future, researchers say

Security researchers have identified a botnet controlled by its creators over the Tor anonymity network. It's likely that other botnet operators will adopt this approach, according to the team from vulnerability assessment and penetration testing firm Rapid7.

The botnet is called Skynet and can be used to launch DDoS (distributed denial-of-service) attacks, generate Bitcoins -- a type of virtual currency -- using the processing power of graphics cards installed in infected computers, download and execute arbitrary files or steal login credentials for websites, including online banking ones.

However, what really makes this botnet stand out is that its command and control (C&C) servers are only accessible from within the Tor anonymity network using the Tor Hidden Service protocol.

Tor hidden services are most commonly Web servers, but can also be Internet Relay Chat (IRC), Secure Shell (SSH) and other types of servers. These services can only be accessed from inside the Tor network through a random-looking hostname that ends in the .onion pseudo-top-level domain.

Amazon CEO Jeff Bezos on innovation and entrepreneurship
How Netflix has the cloud do the heavy lifting for video transcoding
Werner Vogels: The ‘four commandments’ for 21st century application architecture
Netflix CEO: Cloud currently akin to pre-compiler era
Amazon cloud chief: Two Availability Zones just the beginning

The Hidden Service protocol was designed to hide the IP (Internet Protocol) address of the clients from the service and the IP address of the service from the clients, making it almost impossible for the parties involved to determine each other's physical location or real identity. Like all traffic passing through the Tor network, the traffic between a Tor client and a Tor hidden service is encrypted and is randomly routed through a series of other computers acting as Tor relays.

Tor Hidden Services are perfect for a botnet operation, said Claudio Guarnieri, a security researcher at Rapid7 and creator of the Cuckoo Sandbox malware analysis system, in an email on Friday. "As far as I understand, there is no technical way neither to trace and definitely neither to take down the Hidden Services used for C&C."

Guarnieri published a blog post about the Skynet botnet on Thursday. He believes that the botnet is the same one described by a self-confessed botnet operator in a "IAmA" (I am a) thread on Reddit seven months ago. Reddit "IAmA" or "AMA" (ask me anything) threads allow people who perform various jobs or have various occupations to answer questions from other Reddit users.

Despite the wealth of information about the botnet offered by its creator on Reddit seven months ago, the botnet is still alive and strong. In fact, Rapid7 researchers estimate that the botnet's current size is of 12,000 to 15,000 compromised computers, up to 50 percent more than what its operator estimated 7 months ago.

The malware behind this botnet is distributed through Usenet, a system originally built at the beginning of the 1980s as a distributed discussion platform, but now commonly used to distribute pirated software and content, commonly known as "warez."

"We incidentally found it on Usenet and started digging there and realized the operator is automatically repackaging and uploading the malware for every new popular warez release," Guarnieri said. "It could be likely found on other file-sharing platforms too, but we have no proof at this point."

Content from Usenet is commonly downloaded by users and redistributed through other file-sharing technologies like BitTorrent.

The Skynet malware has several components: an IRC-controlled bot that can launch various types of DDoS attacks and perform several other actions, a Tor client for Windows, a so-called Bitcoin mining application and a version of the Zeus Trojan program, which is capable of hooking into browser processes and stealing log-in credentials for various websites.

While good for anonymity, Tor does have disadvantages for a botnet operation, such as increased latency and sometimes instability.

"Obviously they [the botnet operators] can't tunnel just everything through Tor," Guarnieri said. "If the botnet is performing some heavy, frequent and noisy communication, then it could be problematic."

However, if the goal is just for the infected machines to be able to retrieve commands from a server in a reasonable time without exposing its location, then Tor works well enough, he said. "I'm pretty sure more botherders will definitely replicate this design."

"This is a major reason for concern," said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender, via email. "If a single botherder can stay anonymous for seven months by routing C&C traffic via TOR, then it will definitely stick with other botmasters."

That said, Botezatu believes that Tor might not be suitable for large botnets because the Tor network, which is already relatively slow, might not be able to handle a lot of concurrent connections.

The impact of botnets on the Tor network itself really depends on the scale of abuse, Guarnieri said. One feature of the Skynet botnet is that each infected machine becomes a Tor relay, which ironically makes the network larger and able to sustain the load, he said.

Botnet creators have recently implemented peer-to-peer solutions for command and control purposes rather than Tor-based ones, because they provide the same level of anonymity and increased resiliency without introducing the latency problems, Botezatu said. In addition, peer-to-peer implementations have already been well documented and tested, he said.

The Tor-based approach is not new, said Marco Preuss, head of the German global research and analysis team at antivirus vendor Kaspersky Lab, via email. "In the past years several presentations and research papers mentioned this method for botnets."

"One of the most important disadvantages is the complex implementation -- errors lead to easy detection -- and also the speed is a drawback," Preuss said. Depending on how Tor is used in the botnet infrastructure, there might be solutions to detect and block the traffic, as well as to disable the botnet, he said.

"A single botnet of about ten thousand machines isn't a stringent problem for the global Internet, but, if things escalate, we're sure that node administrators will cooperate with ISPs and law enforcement to take down malicious traffic," Botezatu said. "After all, Tor has been designed for anonymity and privacy, not for cyber crime."

"One countermeasure that companies or ISPs could eventually enforce in their firewall is to drop all packets that originate from known TOR nodes, in order to minimize the amount of potentially malicious traffic they receive," Botezatu said. "Of course, they might also end up blacklisting a number of legit Tor users looking for anonymity."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags online safetysecurityRapid7encryptionspywaremalwareprivacybitdefenderkaspersky lab

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?