Pierluigi Paganini
December 10, 2012
On September 2012 the German security firm G Data Software detected a botnet with a particular feature, it is controlled from an Internet Relay Chat (IRC) server running as a hidden service of the Tor.
There are pro and cons for this design choice, of course the greatest advantage resides in the difficulty for the localization of the command and control servers (C&C), due the encryption of the connections interior to the network and the unpredictability of the routing of the information, most important disadvantages are the complex implementation and latency in the communication.
Usually botnets host Command & Control (C&C) machines on hacked or rented server but this exposes the malicious structures to the risk to being taken down or hijacked. Security firm generally takeover C&C and the associated domains hijacking traffic to different controlled host with a technique that is known as “sinkholing”.
Thanks to sinkholing it is possible to study the botnet deeply and decapitate it, but sometimes it is not possible to follow this approach because botmasters acquire hosting services from provider that guarantees the operators that they won’t respond to abuse complaints nor cooperate with takedown requests. These providers are commonly known as “bulletproof hosting” and they are well known to the cybercrime industry.
The idea is not new, security engineer Dennis Brown proposed it for the first time during the Defcon Conference in 2010, but the discovery I’m presenting confirms the efficiency of the concept and its diffusion. Security experts from security firm Rapid7 have detected a botnet controlled by servers located in the Tor network.
The botnet, named Skynet, can fulfill different tasks such as mining bitcoin or to provide bot agents to involve is cyber attacks such as DDoS attacks or spamming, to do this it includes several components such an IRC-controlled bot, a Tor client for Windows, a Bitcoin mining application and a variant of the famous Zeus malware to steal banking credentials.
The malware is able to receive command submitted through the IRC channels the bot connects,the IRC server is provided as Tor Hidden Service and use the following nickname pattern: [NED-XP-687126]USERNAME. The malicious code include also modules for packet flooding to use to DDoS attacks.
Recently I wrote many articles highlighting the great interest in the bitcoin currency schema demonstrated by cybercrime, one of the most common monetization schema is the possibility to abuse of victims computation capabilities to mine coins. The author of Skynet have demonstrated great attention in Bitcoin Mining, the malware includes the “CGMiner” open-source bitcoin miner which is able to support CPU and GPU for mining process. The Skynet bot installs a couple of hocks to detect user’s activity on the PC (WH_MOUSE and a WH_KEYBOARD) in this way it could start mining bitcoins only after two minutes of inactivity and immediately stops when some user interacts again with his desktop. The original idea proposed on Reddit describe the mining with following statements:
“My Botnet only mines if the computer is unused for 2 minutes and if the owner gets back it stops mining immidiatly, so it doesn’t suck your fps at MW3. Also it mines as low priority so movies don’t lag. I also set up a very safe threshold, the cards work at around 60% so they don’t get overheated and the fans don’t spin as crazy.”
The mining activities are managed by botmaster with an open source application called “Bitcoin Mining Proxy” that allow the assignment of pools to the miners.
Another interesting feature of the Skynet botnet is that each bot becomes itself a Tor relay increasing the size of the network and increasing the maximum sustainable load.
Resuming the principal advantages of botnet based on Tor are:
- The botnet traffic is encrypted, which helps prevent detection by network monitors.
- By running as an Hidden Service, the origin, location, and nature of the C&C are concealed and therefore not exposed to possible takedowns. In addition, since Hidden Services do not rely on public-facing IP addresses, they can be hosted behind firewalls or NAT-enabled devices such as home computers.
- Hidden Services provide a Tor-specific .onion pseudo top-level domain, which is not exposed to possible sinkholing.
- The operator can easily move around the C&C servers just by re-using the generated private key for the Hidden Service.
Every machine in the botnet is under complete control of botmaster that steal sensible information and banking credentials from the victim, but what is really interesting is that Command and Control (C&C) servers are accessible only from within the Tor network through Hidden Service protocol. The Hidden Service protocol was designed to provide a huge list of services such as Internet Relay Chat (IRC) masquerading the IP addresses of the server that provide them and of the clients that access to it, none of the actors involved is able to determine identity of other participants.
The Italian Claudio Guarnieri, researcher at Rapid seven has published an interesting post on community.rapid7.com on the botnet, he suggested that the botnet is the same described in a post, published on Reddit some months ago, titled “IAmA a malware coder and botnet operator, AMA”.
“Long story short, Tor, due to its design and internal mechanics, makes it a perfect protocol for botnets. Because of this, all critical communications of Skynet to its C&C servers are tunneled through a Tor SOCKS proxy running locally on compromised computers.” said Guarnieri.
Rapid7 researchers provided interesting information on actual status of the botnet that has reached a number of bots between 12,000 and 15,000, a surprising size that exceeded expectations of its creators described in the post on Reddit. The malicious code that infected the victims was distributed through the famous worldwide distributed Internet discussion system Usenet.
“People download software from Usenet and install it in the offices or at friends pretty often. Also Usenet isn’t that hard anymore, as easy as buying a premium account for an onc click hoster. Most Providers have their own Usenet client for idiot proof downloads”
Every content shared through Usenet is commonly downloaded by users and redistributed through other file-sharing technologies such as BitTorrent.
Regarding the malware Guarnieri wrote on the blog:
“The malware sample we retrieved from Usenet has an unusually large size (almost 15MB) and has a fairly low detection rate”
The choice of Tor network appears efficient despite Tor network has a great disadvantage in its latency and instability, it must be considered that during the ordinary exercise bots receive from C&C server few information that consist in commands and control messages, in this optic Tor works well enough.
What is striking of the story is the amazing growth of the botnet, despite the author has described it seven months ago, it stayed undetected for a long period by routing C&C traffic via TOR, many other botmasters could follow same approach for their architectures with unpredictable consequences.
Botnet based on Tor network doesn’t represent unique efficient innovation recently detected, the implementation of peer to peer protocol for communication scope inside the structure rather than Tor-based ones, provide same level of anonymity but is able to increase resiliency and overcome the problems of latency described.
The size of Skynet botnet doesn’t represent a serious problem but the potentiality expressed by its structure yes, if it will be able to infect new machines it could be soon a dangerous cyber threat.
Detect packet originated from Tor nodes is quite simple with firewalling techniques but drop all traffic preventively could blacklist legit Tor users that adopt the famous network to ensure their anonymity, don’t forget that Tor network gives the opportunity to many people to avoid censorship and traffic interception, it’s widely used by whistleblowers and political activists.
Add words to the excellent Claudio’s post would be foolish and presumptuous, I compliment the excellent analysis and I report its findings in full:
The lessons learned are:
- Exploitation is not required to build a decently-sized botnet. Always be careful when using any Internet service, especially file sharing.
- It is possible to build an almost cost-free bulletproof botnet. In its democratic nature Tor is a great tool, both for legitimate users as well as for cybercriminals unfortunately.
Lesson for botnet operators:
- As The Grugq says, “keep your mouth shut”. Talking about your business on Reddit is not such a smart idea.
Pierluigi Paganini
