The Trojan in question has DDoS and Bitcoin-mining capabilities, but its main function is to steal banking credentials.
The botnet operator spreads the malware via the Usenet discussion forum, which is also a popular platform for distributing pirated content. In order to hide its malicious nature, the file "weighs" 15MB, a great part of which is junk data.
The rest consists of a ZeuS bot, a Tor client for Windows, the CGMiner bitcoin mining tool, and a copy of a DLL file used by CGMiner for CPU and GPU hash cracking.
The malware creates and injects itself into new and existing processes, and adds a registry key to assure its persistence after a system reboot.
"In order to initialize its components, the malware creates multiple legitimate processes in suspended state, overwrites their memory with the desired malicious executables and resumes their execution," the researchers explain.
"From the command line arguments we can guess that the malware does not only use Tor to connect to its backend infrastructure but also creates a Tor Hidden Service on the infected system itself."
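The suspend, overwrite, resume sequence the researchers describe is a well-known pattern (often called process hollowing) that endpoint telemetry can correlate on. The following detector is an added example, not code from the article or the researchers; it runs over a constructed API-call trace whose event format is an assumption, and flags a parent that created a child with CREATE_SUSPENDED, wrote into that child's memory, and then resumed it.

```python
"""Correlate API-call telemetry (e.g. a sandbox or EDR trace) to flag the
create-suspended / overwrite-memory / resume sequence described above."""
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004  # Win32 dwCreationFlags bit for CreateProcess

# API calls that write a new image into another process's address space
OVERWRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory", "NtMapViewOfSection"}

# Constructed sample trace (assumed format): (caller_pid, api, target_pid, flags)
SAMPLE_TRACE = [
    (1000, "CreateProcessW", 2000, CREATE_SUSPENDED),  # legitimate binary, suspended
    (1000, "NtUnmapViewOfSection", 2000, 0),
    (1000, "WriteProcessMemory", 2000, 0),             # payload written in
    (1000, "WriteProcessMemory", 2000, 0),
    (1000, "SetThreadContext", 2000, 0),
    (1000, "ResumeThread", 2000, 0),                   # hollowed process starts
    (1000, "CreateProcessW", 2001, 0),                 # normal child, not suspended
    (1000, "WriteProcessMemory", 2001, 0),             # write without suspend: ignored
    (3000, "CreateProcessW", 4000, CREATE_SUSPENDED),  # suspended for benign reasons
    (3000, "ResumeThread", 4000, 0),                   # resumed with no overwrite
]


def find_hollowed_processes(trace):
    """Return sorted (parent_pid, child_pid) pairs where the parent created the
    child suspended, overwrote its memory, and then resumed it."""
    stages = defaultdict(set)  # (parent, child) -> stages observed so far
    hits = set()
    for caller, api, target, flags in trace:
        key = (caller, target)
        if api.startswith("CreateProcess") and flags & CREATE_SUSPENDED:
            stages[key] = {"suspended"}  # a new suspended child resets tracking
        elif key in stages:
            if api in OVERWRITE_APIS:
                stages[key].add("overwritten")
            elif api == "ResumeThread" and "overwritten" in stages[key]:
                hits.add(key)
    return sorted(hits)


if __name__ == "__main__":
    for parent, child in find_hollowed_processes(SAMPLE_TRACE):
        print(f"possible process hollowing: pid {parent} -> pid {child}")
```

Real traces carry many more benign suspended-then-resumed children (debuggers, installers), which is why the check requires a memory write between the two events rather than alerting on CREATE_SUSPENDED alone.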
The botmaster uses Tor as the botnet's internal communication protocol, but has also cleverly chosen to take advantage of the Tor Hidden Services functionality to run all of its C&C servers as Hidden Services.
"By running as a Hidden Service, the origin, location, and nature of the C&C are concealed and therefore not exposed to possible takedowns. In addition, since Hidden Services do not rely on public-facing IP addresses, they can be hosted behind firewalls or NAT-enabled devices such as home computers," the researchers explain.
"Hidden Services provide a Tor-specific .onion pseudo top-level domain, which is not exposed to possible sinkholing, and the operator can easily move around the C&C servers just by re-using the generated private key for the Hidden Service."
In addition to all this, the botnet traffic is encrypted and difficult to detect.
"Long story short, Tor, due to its design and internal mechanics, makes it a perfect protocol for botnets. Because of this, all critical communications of Skynet to its C&C servers are tunneled through a Tor SOCKS proxy running locally on compromised computers," they concluded.
The bots can receive DDoS-attack-related commands through IRC channels they connect to, and the ZeuS bots collect all the credentials they can get their hands on.
The CGMiner bitcoin mining tool starts working every time the system hasn't been interacted with via keyboard or mouse for two minutes, and stops immediately after detecting this kind of activity, so that users do not suspect they are infected.
The Skynet malware has a rather low detection rate (7 out of 42 AV solutions used by VirusTotal), and the researchers were the first to submit it to the service, although it seems they may not be the first to have analyzed the malware.
But there are bigger problems than that.
The botnet has obviously been flying under the radar for at least half a year, and possibly more, and its use of Tor for internal communication and of Hidden Services for protecting the backend infrastructure have made it practically impervious to takedowns.
It will be interesting to see how security researchers solve this particular puzzle in order to shut down this botnet and other similar ones that are bound to appear.