Skynet, the potential use of Tor as a bulletproof botnet

Pierluigi Paganini December 10, 2012

In September 2012 the German security firm G Data Software detected a botnet with a particular feature: it is controlled from an Internet Relay Chat (IRC) server running as a hidden service on the Tor network.

There are pros and cons to this design choice. The greatest advantage is the difficulty of locating the command and control (C&C) servers, because the connections inside the network are encrypted and the routing of the information is unpredictable; the most important disadvantages are the complexity of the implementation and the latency of the communication.

Botnets usually host their Command & Control (C&C) machines on hacked or rented servers, but this exposes the malicious infrastructure to the risk of being taken down or hijacked. Security firms generally take over the C&C and the associated domains, redirecting the traffic to a host under their control with a technique known as “sinkholing”.

Thanks to sinkholing it is possible to study the botnet in depth and decapitate it, but sometimes this approach is not viable because botmasters buy hosting services from providers that guarantee the operators they won’t respond to abuse complaints or cooperate with takedown requests. These providers are commonly known as “bulletproof hosting” and are well known to the cybercrime industry.

The idea is not new: security engineer Dennis Brown first proposed it at the Defcon conference in 2010, but the discovery I’m presenting confirms the efficiency of the concept and its diffusion. Security experts from the security firm Rapid7 have detected a botnet controlled by servers located in the Tor network.

The botnet, named Skynet, can fulfill different tasks, such as mining bitcoin or providing bot agents for cyber attacks such as DDoS attacks or spamming. To do this it includes several components: an IRC-controlled bot, a Tor client for Windows, a Bitcoin mining application and a variant of the famous Zeus malware to steal banking credentials.

The malware receives commands submitted through the IRC channels the bot connects to; the IRC server is provided as a Tor Hidden Service and the bots use the following nickname pattern: [NED-XP-687126]USERNAME. The malicious code also includes packet-flooding modules used for DDoS attacks.
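The nickname convention above is a cheap host-side or sandbox-side indicator: IRC traffic to the hidden service is encrypted on the wire, but once it is decoded (in a sandbox, or by inspecting the bot process locally) the nickname is visible in plain text. The following is an added example, not code from the article or from Rapid7, that scans constructed IRC lines for the reported pattern. It assumes the numeric part of the nickname varies per bot, and the looser `GENERIC_BOT_NICK` shape (a bracketed TAG-OS-NUMBER prefix with other tags) is my own generalization, not something the report states.

```python
import re
from dataclasses import dataclass

# Nickname convention reported for Skynet bots: [NED-XP-687126]USERNAME.
# Assumption: the numeric part varies per bot, so any digit run is accepted.
SKYNET_NICK = re.compile(r"^\[NED-XP-\d+\][A-Za-z0-9_\-]+$")

# Looser shape (assumption, not from the report): [TAG-OSTAG-NUMBER]name.
# Catches the same convention with a different tag or OS marker.
GENERIC_BOT_NICK = re.compile(r"^\[[A-Z]{2,8}-[A-Z0-9]{1,6}-\d{4,}\][A-Za-z0-9_\-]+$")


@dataclass
class Finding:
    line_no: int
    nick: str
    exact: bool  # True when the exact Skynet convention matched


def extract_nick(line: str):
    """Pull the nickname out of a raw IRC line.

    Handles a client NICK command ("NICK :name") and a server-prefixed
    line (":name!user@host ..."); returns None for anything else.
    """
    m = re.match(r"^NICK\s+:?(\S+)", line)
    if m:
        return m.group(1)
    m = re.match(r"^:([^!\s]+)!", line)
    if m:
        return m.group(1)
    return None


def scan_irc_log(lines):
    """Return a Finding for every line whose nickname looks bot-generated."""
    findings = []
    for n, raw in enumerate(lines, 1):
        nick = extract_nick(raw.strip())
        if nick is None:
            continue
        if SKYNET_NICK.match(nick):
            findings.append(Finding(n, nick, True))
        elif GENERIC_BOT_NICK.match(nick):
            findings.append(Finding(n, nick, False))
    return findings


# Constructed sample of decoded IRC traffic (not a real capture).
SAMPLE_LOG = [
    "NICK :[NED-XP-687126]jsmith",
    ":alice!alice@example.org PRIVMSG #ops :meeting at 10",
    "NICK bob_",
    ":[NED-W7-1204411]office-pc!x@y JOIN #ctrl",
    ":[ZZZ-XP-99]short!u@h JOIN #ctrl",
]

if __name__ == "__main__":
    for f in scan_irc_log(SAMPLE_LOG):
        kind = "exact Skynet pattern" if f.exact else "bot-like pattern"
        print(f"line {f.line_no}: {f.nick} ({kind})")
```

An exact match is a strong indicator; a generic match only deserves a look, since a human could in principle pick such a nickname.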

Recently I wrote many articles highlighting the great interest cybercrime has shown in the bitcoin currency; one of the most common monetization schemes is the abuse of victims’ computing capacity to mine coins. The author of Skynet has paid great attention to Bitcoin mining: the malware includes the “CGMiner” open-source bitcoin miner, which supports both CPU and GPU mining. The Skynet bot installs a couple of hooks to detect user activity on the PC (WH_MOUSE and WH_KEYBOARD); in this way it starts mining bitcoins only after two minutes of inactivity and stops immediately when the user interacts with the desktop again. The original post on Reddit describes the mining with the following statement:

  “My Botnet only mines if the computer is unused for 2 minutes and if the owner gets back it stops mining immediately, so it doesn’t suck your fps at MW3. Also it mines as low priority so movies don’t lag. I also set up a very safe threshold, the cards work at around 60% so they don’t get overheated and the fans don’t spin as crazy.”

The mining activities are managed by the botmaster with an open-source application called “Bitcoin Mining Proxy” that allows the assignment of pools to the miners.
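The idle-gated behaviour described above (mine only after two minutes without input, stop as soon as the user returns) is designed to hide from the victim, but it is also a distinctive signature: ordinary interactive software is busy when the user is active and quiet when the host idles, and a hook-driven miner is the exact inverse. The following added example, not from the article or from any product, shows a host-side heuristic over constructed endpoint samples. It assumes an agent that periodically records, for each process, the seconds since the last user input (on Windows that value comes from `GetLastInputInfo`) together with the process’s CPU share; the sample values, process names and thresholds are all constructed.

```python
from collections import defaultdict
from statistics import mean

IDLE_THRESHOLD_S = 120  # Skynet waits two minutes of inactivity before mining

# Constructed endpoint samples (not real telemetry):
# (timestamp_s, seconds_since_last_user_input, process_name, cpu_percent)
SAMPLES = [
    (0,   5,   "updater.exe", 1.0),
    (0,   5,   "browser.exe", 35.0),
    (60,  65,  "updater.exe", 2.0),
    (60,  65,  "browser.exe", 30.0),
    (120, 125, "updater.exe", 92.0),   # host idle: "updater.exe" ramps up
    (120, 125, "browser.exe", 3.0),
    (180, 185, "updater.exe", 95.0),
    (180, 185, "browser.exe", 2.0),
    (240, 3,   "updater.exe", 1.5),    # user is back: it drops at once
    (240, 3,   "browser.exe", 40.0),
    (300, 63,  "updater.exe", 2.5),
    (300, 63,  "browser.exe", 28.0),
]


def idle_cpu_profile(samples, idle_threshold=IDLE_THRESHOLD_S):
    """Average each process's CPU separately over busy and idle samples.

    Returns {process: (mean_cpu_while_user_active, mean_cpu_while_idle)};
    a side with no samples yields 0.0.
    """
    busy, idle = defaultdict(list), defaultdict(list)
    for _, since_input, proc, cpu in samples:
        bucket = idle if since_input >= idle_threshold else busy
        bucket[proc].append(cpu)
    profile = {}
    for proc in set(busy) | set(idle):
        profile[proc] = (
            mean(busy[proc]) if busy[proc] else 0.0,
            mean(idle[proc]) if idle[proc] else 0.0,
        )
    return profile


def flag_idle_miners(samples, idle_threshold=IDLE_THRESHOLD_S,
                     min_idle_cpu=50.0, ratio=10.0):
    """Name processes that are quiet while the user is active but heavy when
    the host idles: the pattern a hook-driven miner produces."""
    flagged = []
    for proc, (busy_cpu, idle_cpu) in idle_cpu_profile(samples, idle_threshold).items():
        if idle_cpu >= min_idle_cpu and idle_cpu >= ratio * max(busy_cpu, 0.1):
            flagged.append(proc)
    return sorted(flagged)


if __name__ == "__main__":
    print(flag_idle_miners(SAMPLES))  # ['updater.exe']
```

Legitimate idle-time workers (backup agents, indexers, screensavers) will also trip this heuristic, so it is a triage signal to pair with the process’s binary, its network destinations and, on a GPU host, the reported GPU load, not a verdict on its own.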

Another interesting feature of the Skynet botnet is that each bot itself becomes a Tor relay, increasing the size of the network and the maximum sustainable load.

Summarizing, the principal advantages of a botnet based on Tor are:

  • The botnet traffic is encrypted, which helps prevent detection by network monitors.
  • By running as a Hidden Service, the origin, location, and nature of the C&C are concealed and therefore not exposed to possible takedowns. In addition, since Hidden Services do not rely on public-facing IP addresses, they can be hosted behind firewalls or NAT-enabled devices such as home computers.
  • Hidden Services provide a Tor-specific .onion pseudo top-level domain, which is not exposed to possible sinkholing.
  • The operator can easily move around the C&C servers just by re-using the generated private key for the Hidden Service.

Every machine in the botnet is under the complete control of the botmaster, who steals sensitive information and banking credentials from the victim, but what is really interesting is that the Command and Control (C&C) servers are accessible only from within the Tor network through the Hidden Service protocol. The Hidden Service protocol was designed to provide a wide range of services, such as Internet Relay Chat (IRC), while masking the IP addresses of the server that provides them and of the clients that access it: none of the actors involved is able to determine the identity of the other participants.

The Italian researcher Claudio Guarnieri of Rapid7 has published an interesting post on community.rapid7.com about the botnet; he suggests that it is the same botnet described in a post published on Reddit some months ago, titled “IAmA a malware coder and botnet operator, AMA”.

“Long story short, Tor, due to its design and internal mechanics, makes it a perfect protocol for botnets. Because of this, all critical communications of Skynet to its C&C servers are tunneled through a Tor SOCKS proxy running locally on compromised computers.” said Guarnieri.

Rapid7 researchers provided interesting information on the current status of the botnet, which has reached between 12,000 and 15,000 bots, a surprising size that exceeded the expectations of its creators described in the Reddit post. The malicious code that infected the victims was distributed through Usenet, the famous worldwide distributed Internet discussion system.

“People download software from Usenet and install it in the offices or at friends pretty often. Also Usenet isn’t that hard anymore, as easy as buying a premium account for a one click hoster. Most Providers have their own Usenet client for idiot proof downloads”

Content shared through Usenet is commonly downloaded by users and redistributed through other file-sharing technologies such as BitTorrent.

Regarding the malware Guarnieri wrote on the blog:

“The malware sample we retrieved from Usenet has an unusually large size (almost 15MB) and has a fairly low detection rate”

The choice of the Tor network appears efficient even though Tor has a great disadvantage in its latency and instability: it must be considered that during ordinary operation the bots receive little data from the C&C server, consisting of commands and control messages, and from this perspective Tor works well enough.

What is striking about the story is the amazing growth of the botnet: although its author described it seven months ago, it stayed undetected for a long period by routing C&C traffic via Tor, and many other botmasters could follow the same approach for their architectures, with unpredictable consequences.

A botnet based on the Tor network is not the only efficient innovation detected recently: the implementation of a peer-to-peer protocol for communication inside the structure, rather than a Tor-based one, provides the same level of anonymity but increases resiliency and overcomes the latency problems described.

The size of the Skynet botnet is not a serious problem, but the potential expressed by its structure is: if it is able to infect new machines it could soon become a dangerous cyber threat.

Detecting packets originating from Tor nodes is quite simple with firewalling techniques, but preemptively dropping all such traffic would also blacklist legitimate Tor users who adopt the famous network to ensure their anonymity; don’t forget that the Tor network gives many people the opportunity to avoid censorship and traffic interception, and it is widely used by whistleblowers and political activists.
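The defensive middle ground between blanket blocking and doing nothing is to match flows against the published relay list and tier the internal hosts rather than drop their traffic. The following added example (not from the article or from Rapid7) does that over constructed flow records and a constructed stand-in for the relay list; in practice the relay set is built from the Tor network consensus and refreshed regularly. It also exercises the point made earlier that each Skynet bot becomes a Tor relay: a plain Tor client keeps one long-lived connection to its guard, whereas a relay accepts inbound connections from other relays and fans out to several of them, so a workstation that looks like a relay is the host worth reviewing first. The `10.0.0.` range, the addresses and the thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed stand-in for a Tor relay list. In practice this set is built
# from the published Tor network consensus and refreshed regularly.
TOR_RELAYS = {
    "198.51.100.10", "198.51.100.11", "198.51.100.12",
    "203.0.113.7", "203.0.113.8",
}
INTERNAL_PREFIX = "10.0.0."  # assumption: the monitored workstation range


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since the start of the observation window
    src: str
    dst: str
    dport: int


# Constructed flow records (not a real capture).
FLOWS = [
    # 10.0.0.5: a Tor Browser user, one guard relay, short session
    Flow(0,     "10.0.0.5",      "198.51.100.10", 443),
    Flow(600,   "10.0.0.5",      "198.51.100.10", 443),
    Flow(1200,  "10.0.0.5",      "198.51.100.10", 443),
    # 10.0.0.9: talks to several relays over eight hours and also accepts
    # inbound connections from relays, i.e. behaves like a relay itself
    Flow(0,     "10.0.0.9",      "198.51.100.11", 9001),
    Flow(7200,  "203.0.113.8",   "10.0.0.9",      9001),
    Flow(14400, "10.0.0.9",      "198.51.100.12", 9001),
    Flow(21600, "198.51.100.10", "10.0.0.9",      9001),
    Flow(28800, "10.0.0.9",      "203.0.113.7",   443),
    # 10.0.0.20: ordinary web traffic, no relay contact
    Flow(300,   "10.0.0.20",     "192.0.2.50",    443),
]


def tor_exposure(flows, relays=TOR_RELAYS, internal_prefix=INTERNAL_PREFIX):
    """Summarise each internal host's contact with known Tor relays.

    Hosts are tiered rather than blocked: "relay-like" means the host accepts
    connections from relays or fans out to several of them, which a plain
    Tor client does not do; "client" is informational only.
    """
    out = defaultdict(set)
    inbound = defaultdict(set)
    times = defaultdict(list)
    for f in flows:
        if f.src.startswith(internal_prefix) and f.dst in relays:
            out[f.src].add(f.dst)
            times[f.src].append(f.ts)
        elif f.dst.startswith(internal_prefix) and f.src in relays:
            inbound[f.dst].add(f.src)
            times[f.dst].append(f.ts)
    report = {}
    for host in set(out) | set(inbound):
        span_h = (max(times[host]) - min(times[host])) / 3600
        relay_like = len(inbound[host]) >= 2 or len(out[host]) >= 3
        report[host] = {
            "out": len(out[host]),
            "in": len(inbound[host]),
            "span_h": round(span_h, 2),
            "tier": "relay-like" if relay_like else "client",
        }
    return report


if __name__ == "__main__":
    for host, info in sorted(tor_exposure(FLOWS).items()):
        print(host, info)
```

A host in the "client" tier may simply be someone using Tor Browser and needs no action by itself; a "relay-like" workstation that the organisation did not deliberately configure as a relay is an anomaly worth a host-level look, which is the kind of targeted response that avoids penalising legitimate Tor users.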

Adding words to Claudio’s excellent post would be foolish and presumptuous; I compliment the analysis and report its findings in full:

The lessons learned are:

  • Exploitation is not required to build a decently-sized botnet. Always be careful when using any Internet service, especially file sharing.
  • It is possible to build an almost cost-free bulletproof botnet. In its democratic nature Tor is a great tool, both for legitimate users as well as for cybercriminals unfortunately.

Lesson for botnet operators:

  • As The Grugq says, “keep your mouth shut”. Talking about your business on Reddit is not such a smart idea.

Pierluigi Paganini

