Security Experts:

Researchers Discover Botnet Powered by TOR

Researchers from Rapid7 and the Shadowserver Foundation discovered something unique last week. While browsing files on USENET, they discovered a botnet that has thousands of endpoints, and was able to operate without detection for months. To make matters worse, the botmaster took to Reddit earlier this year in order to brag about it.

MalwareThe botnet’s name is Skynet, taken from the Sci-Fi classic. The base of the code is a modified variant of Zeus, enabling its botmaster with the ability to launch DDoS attacks (simply for laughs), mine Bitcoins (for daily earnings), and banking abilities. The banking abilities supplement the earnings from Bitcoins, as the data taken from the infected hosts are sold. For the curious, the information about Skynet is so complete due to its author, who took to Reddit in order to explain the process.

The botmaster has a nearly foolproof system running. He uses the legit TOR software, which bypasses most AV checks; he uses the TOR Hidden Service protocol for bot communication, which keeps him undetected, and a majority of his infected hosts were willing victims.

“Usenet is a distributed discussion platform established around 1980 and still very popular worldwide. Despite its original intent of simply being a plain text discussion forum (much like bulletin boards), over the years it has become a widely adopted platform for distributing pirated content such as movies and games, which are generally uploaded as RAR archives then split into chunks to circumvent the size limitations of Usenet’s protocol,”  Rapid7’s Claudio Guarnieri explained in a blog post.

Given that the botmaster, who is an unknown male suspected to reside in Germany, targets new releases on USENET alone, he has a stable victim base that’s willing to execute the malware themselves. He uploads a hijacked versions of the latest warez (pirated software) release, and people download and run it.

“Americans are the majority of the victims, about 30%, I really don't know why, I never targeted them...About 20% of the users have good graphic cards, but are not sophisticated enough to install drivers, so my [Bitcoin] miner can't run...80% have an antivirus installed, 5% have a rogue antivirus as system antivirus listed. So they seem to be prone victims. There are also 3 windows SERVERS, I really don't know how my malware ended up there,” the botmaster explained.

His remarks are seven months old now, and Rapid7 speculates that the botnet has grown to an average of 12-15,000 compromised hosts. Frightening, considering that Skynet started as a challenge to circumvent anti-Virus protections.

The botnet is still active, and it’s unclear if there is any viable way to dismantle it. Despite the fact that it isn’t sophisticated – it’s a variant of the Zeus source code that was leaked to the web – it serves as proof that with TOR it is possible “to build an almost cost-free bulletproof botnet,” Guarnieri notes.

“Despite not being particularly sophisticated it represents a nice example of a simple but still effective botnet with a large portfolio of capabilities. The most important factor is certainly the adoption of Tor as the main communication channel and the use of Hidden Services for protecting the backend infrastructure. While it’s surprising that not more botnets adopt the same design, we can likely expect more to follow the lead in the future.”

One of the interesting aspects to using TOR as a communication channel for a botnet is that it seems to limit size. Yet, if you consider the fact that Skynet turns each infected host into a TOR node on its own, then the size restriction is somewhat lifted. However, speed is still an issue traffic-wise, so it’s unlikely that massive bots will use the option – for now.

view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.