The botnet has obviously been flying under the radar for at least half a year, and possibly more, and its use of Tor for internal communication and the use of Hidden Services for protecting the backend infrastructure has made it practically impervious to takedowns. The Skynet malware has a rather low detection rate (7 out of 42 AV solutions used by VirusTotal), and the researchers have been the first ones to test it with the service, even though it seems like they might not be the first ones who analyzed the malware. The CGMiner bitcoin mining tool starts working every time the system hasn’t been interacted with via keyboard or mouse for two minutes, and stops immediately after detecting this kind of activity, so that the users might not suspect being infected. The bots can receive DDoS-attack-related commands via through IRC channels they connect to, and the ZeuS bots collect all the credentials they can get their hands on. Because of this, all critical communications of Skynet to its C&C servers are tunneled through a Tor SOCKS proxy running locally on compromised computers,” they concluded. “Long story short, Tor, due to its design and internal mechanics, makes it a perfect protocol for botnets. In addition to all this, the botnet traffic is encrypted and difficult to detect. onion pseudo top-level domain, which is not exposed to possible sinkholing, and the operator can easily move around the C&C servers just by re-using the generated private key for the Hidden Service.” In addition, since Hidden Services do not rely on public-facing IP addresses, they can be hosted behind firewalls or NAT-enabled devices such as home computers,” the researchers explain. “By running as an Hidden Service, the origin, location, and nature of the C&C are concealed and therefore not exposed to possible takedowns. The botmaster uses Tor as the botnet’s internal communication protocol, but has also cleverly chosen to take advantage of the Tor Hidden Services functionality to run all of its C&C servers as Hidden Services. “From the command line arguments we can guess that the malware does not only use Tor to connect to its backend infrastructure but also creates a Tor Hidden Service on the infected system itself.” “In order to initialize its components, the malware creates multiple legitimate processes in suspended state, overwrites their memory with the desired malicious executables and resumes their execution,” the researchers explain. The malware creates and injects itself into new and existing processes, and adds a registry key to assure its persistence after a system reboot. The rest consists of a ZeuS bot, a Tor client for Windows, the CGMiner bitcoin mining tool, and a copy of a DLL file used by CGMiner for CPU and GPU hash cracking. In order to hide its malicious nature, the file “weighs” 15MB, a great part of which is junk data. The botnet operator spreads the malware via the Usenet discussion forum, which is also a popular platform for distributing pirated content. The Trojan in question has DDoS and Bitcoin-mining capabilities, but it’s main function is to steal banking credentials. Rapid7 researchers have recently unearthed an unusual piece of malware that turned out to be crucial to the formation of an elusive botnet – dubbed Skynet by the researchers – whose existence has been documented in a very popular Reddit “I Am A” thread.
0 kommentar(er)
