Tor network used to command Skynet botnet
Other botnet operators might use Tor to hide their command and control servers in the future, researchers say
IDG News Service - Security researchers have identified a botnet controlled by its creators over the Tor anonymity network. It's likely that other botnet operators will adopt this approach, according to the team from vulnerability assessment and penetration testing firm Rapid7.
The botnet is called Skynet and can be used to launch DDoS (distributed denial-of-service) attacks, generate Bitcoins -- a type of virtual currency -- using the processing power of graphics cards installed in infected computers, download and execute arbitrary files or steal login credentials for websites, including online banking ones.
However, what really makes this botnet stand out is that its command and control (C&C) servers are only accessible from within the Tor anonymity network using the Tor Hidden Service protocol.
Tor hidden services are most commonly Web servers, but can also be Internet Relay Chat (IRC), Secure Shell (SSH) and other types of servers. These services can only be accessed from inside the Tor network through a random-looking hostname that ends in the .onion pseudo-top-level domain.
The Hidden Service protocol was designed to hide the IP (Internet Protocol) address of the clients from the service and the IP address of the service from the clients, making it almost impossible for the parties involved to determine each other's physical location or real identity. Like all traffic passing through the Tor network, the traffic between a Tor client and a Tor hidden service is encrypted and is randomly routed through a series of other computers acting as Tor relays.
Tor Hidden Services are perfect for a botnet operation, said Claudio Guarnieri, a security researcher at Rapid7 and creator of the Cuckoo Sandbox malware analysis system, in an email on Friday. "As far as I understand, there is no technical way neither to trace and definitely neither to take down the Hidden Services used for C&C."
Guarnieri published a blog post about the Skynet botnet on Thursday. He believes that the botnet is the same one described by a self-confessed botnet operator in a "IAmA" (I am a) thread on Reddit seven months ago. Reddit "IAmA" or "AMA" (ask me anything) threads allow people who perform various jobs or have various occupations to answer questions from other Reddit users.
Despite the wealth of information about the botnet offered by its creator on Reddit seven months ago, the botnet is still alive and strong. In fact, Rapid7 researchers estimate that the botnet's current size is of 12,000 to 15,000 compromised computers, up to 50 percent more than what its operator estimated 7 months ago.
The malware behind this botnet is distributed through Usenet, a system originally built at the beginning of the 1980s as a distributed discussion platform, but now commonly used to distribute pirated software and content, commonly known as "warez."
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- Market Overview: Digital Customer Experience Delivery Platforms Forrester states that businesses today struggle to understand and use the tools necessary to create and manage unified, multichannel digital customer experiences across...
- On-demand webinar - 7 Keys to Service Catalog Implementation Success Watch this webinar to learn 7 crucial keys to make your service catalog a success!
- Transform Your IT Service Management Watch this webinar, to learn how EasyVista can increase IT productivity & efficiency and deliver streamlined & integrated IT Service & Asset Mgmt. All Malware and Vulnerabilities White Papers | Webcasts