An inside look at Skynet, a Tor based botnet

Srinu K

sr1nu@ymail.com

Disclaimer

The content here I show is only for

education purpose only. I am not responsible for your

actions. The views/ideas/knowledge expressed here

are solely myself and nothing to do with the company

or the organization in which I am currently working.

Skynet Overview

Size: ~ 15 MB

Skynet is bundled with 4 main components.

1. Tor Client for windows

2. Zeus bot

3. CGMiner

4. Opencl.dll

Propagation and Capabilities

Spreading: via Usenet downloads

Capabilities:

1. Tor Communication

2. Credential grabbing

3. DDOS

4. IRC

5. Bit Coin Mining

Geographical distributionBotnet Size: > 12,000 zombies

Skynet binary analysis

Demo

Command and control panelsZeus king of botnets

Onion Domains6ceyqong6nxy7hwp.onion

owbm3sjqdnndmydf.onion

4njzp3wzi6leo772.onion

qdzjxwujdtxrjkrz.onion

x3wyzqg6cfbqrwht.onion

niazgxzlrbpevgvq.onion

ua4ttfm47jt32igm.onion

6tkpktox73usm5vq.onion

4bx2tfgsctov65ch.onion

gpt2u5hhaqvmnwhr.onion

7wuwk3aybq5z73m7.onion

742yhnr32ntzhx3f.onion

f2ylgv2jochpzm4c.onion

6m7m4bsdbzsflego.onion

xvauhzlpkirnzghg.onion

h266x4kmvmpdfalv.onion

jr6t4gi4k2vpry5c.onion

ceif2rmdoput3wjh.onion

uzvyltfdj37rhqfy.onion

uy5t7cus7dptkchs.onion

Demo on zeus panel via Tor

IRC

IRC CommandsFeature Commands

Get information on the compromised computer

!info

!version

!hardware

!idle

Download and execute files !download

Download a binary to memory and inject it into other processes !download.mem

Visit a webpage!visit

!visit.post

SYN and UDP flooding

!syn

!syn.stop

!udp

!udp.stop

Slowloris flooding !slowloris!slowloris.stop

HTTP flooding !http.bwrape!http.bwrape.stop

Open a SOCKS proxy !socks

Retrieve .onion address of the Hidden Service opened on the compromised computer !ip

Bitcoin Mining

Botnet only mines if the computer is unused for 2 minutes

and if the owner gets back it stops mining immediately.

Skynet installs a WH_MOUSE and a WH_KEYBOARD hook

procedures that monitor the systems for keystrokes or

mouse movements.

Bitcoin Mining #2

Future

Another tor based botnet is “Atrax”. In future we are able to see

more botnets adopt tor as a communication channel.

Credits

Rapid7

Any Questions

Thank You Guys