Tor network used to command Skynet botnet

Other botnet operators might use Tor to hide their command and control servers in the future, researchers say

By Lucian Constantin, IDG News Service |  Security

The malware behind this botnet is distributed through Usenet, a system originally built at the beginning of the 1980s as a distributed discussion platform, but now commonly used to distribute pirated software and content, commonly known as "warez."

"We incidentally found it on Usenet and started digging there and realized the operator is automatically repackaging and uploading the malware for every new popular warez release," Guarnieri said. "It could be likely found on other file-sharing platforms too, but we have no proof at this point."

Content from Usenet is commonly downloaded by users and redistributed through other file-sharing technologies like BitTorrent.

The Skynet malware has several components: an IRC-controlled bot that can launch various types of DDoS attacks and perform several other actions, a Tor client for Windows, a so-called Bitcoin mining application and a version of the Zeus Trojan program, which is capable of hooking into browser processes and stealing log-in credentials for various websites.

While good for anonymity, Tor does have disadvantages for a botnet operation, such as increased latency and sometimes instability.

"Obviously they [the botnet operators] can't tunnel just everything through Tor," Guarnieri said. "If the botnet is performing some heavy, frequent and noisy communication, then it could be problematic."

However, if the goal is just for the infected machines to be able to retrieve commands from a server in a reasonable time without exposing its location, then Tor works well enough, he said. "I'm pretty sure more botherders will definitely replicate this design."

"This is a major reason for concern," said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender, via email. "If a single botherder can stay anonymous for seven months by routing C&C traffic via TOR, then it will definitely stick with other botmasters."

That said, Botezatu believes that Tor might not be suitable for large botnets because the Tor network, which is already relatively slow, might not be able to handle a lot of concurrent connections.

The impact of botnets on the Tor network itself really depends on the scale of abuse, Guarnieri said. One feature of the Skynet botnet is that each infected machine becomes a Tor relay, which ironically makes the network larger and able to sustain the load, he said.
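The relay behaviour described above gives defenders a network-level signal: an ordinary workstation has no reason to accept inbound connections on Tor's default relay ports while also holding connections out to many other relays. The following script is an added example, not code from the article or from the researchers it quotes. It runs a simple heuristic over constructed flow records (the addresses and the record layout are assumptions for the example) and flags internal hosts that look like Tor relays versus plain Tor clients, using Tor's default ORPort (9001) and DirPort (9030) as the indicator.

```python
from collections import defaultdict

# Tor's default relay ports: ORPort 9001 and DirPort 9030. Relays can be configured on other
# ports (443 is common), so treat this as one signal among several, not as proof.
TOR_RELAY_PORTS = {9001, 9030}

# Address space considered "ours" in this example (an assumption for the sample data).
INTERNAL_PREFIX = "10.0."

# Constructed sample flow records: (src_ip, src_port, dst_ip, dst_port, direction).
# direction is "out" when an internal host opened the connection, "in" when an external host did.
SAMPLE_FLOWS = [
    # 10.0.0.5 reaches out to four distinct peers on 9001 and also accepts two inbound
    # connections on 9001: relay-like behaviour.
    ("10.0.0.5", 51234, "198.51.100.10", 9001, "out"),
    ("10.0.0.5", 51235, "198.51.100.11", 9001, "out"),
    ("10.0.0.5", 51236, "203.0.113.20", 9001, "out"),
    ("10.0.0.5", 51237, "203.0.113.21", 9030, "out"),
    ("198.51.100.30", 40001, "10.0.0.5", 9001, "in"),
    ("203.0.113.40", 40002, "10.0.0.5", 9001, "in"),
    # 10.0.0.7 only connects outward to a single relay port: client-like behaviour.
    ("10.0.0.7", 52000, "198.51.100.12", 9001, "out"),
    # 10.0.0.9 does ordinary HTTPS browsing and should not be flagged.
    ("10.0.0.9", 53000, "192.0.2.50", 443, "out"),
    ("10.0.0.9", 53001, "192.0.2.51", 443, "out"),
]


def is_internal(ip):
    """Return True for addresses in the example's internal range."""
    return ip.startswith(INTERNAL_PREFIX)


def summarize_tor_ports(flows):
    """Collect, per internal host, the external peers seen on Tor default ports.

    Returns two dicts: inbound[host] = set of external sources that connected to the host
    on a Tor port, outbound[host] = set of external destinations the host contacted on a Tor port.
    """
    inbound = defaultdict(set)
    outbound = defaultdict(set)
    for src, _sport, dst, dport, direction in flows:
        if dport not in TOR_RELAY_PORTS:
            continue
        if direction == "in" and is_internal(dst) and not is_internal(src):
            inbound[dst].add(src)
        elif direction == "out" and is_internal(src) and not is_internal(dst):
            outbound[src].add(dst)
    return inbound, outbound


def classify_tor_activity(flows, min_peers=3):
    """Label each internal host with Tor-port activity.

    "relay": accepts inbound connections on a Tor port AND talks to at least min_peers
             distinct external relays (the pattern a relay shows once it joins the network).
    "client": only outbound connections to Tor ports (consistent with a client fetching
             commands through Tor, but also with legitimate Tor use).
    Hosts with no Tor-port traffic are not included.
    """
    inbound, outbound = summarize_tor_ports(flows)
    verdicts = {}
    for host in set(inbound) | set(outbound):
        if inbound.get(host) and len(outbound.get(host, ())) >= min_peers:
            verdicts[host] = "relay"
        elif outbound.get(host):
            verdicts[host] = "client"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(classify_tor_activity(SAMPLE_FLOWS).items()):
        print(f"{host}: {verdict}")
```

In practice the inbound side is the stronger indicator: a workstation that suddenly listens on 9001 and is being contacted from the Internet has changed role, whereas outbound connections to a Tor port alone may be a user running Tor Browser. Feeding real NetFlow or firewall logs into `classify_tor_activity` only needs the records mapped onto the five-field tuple used here.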

Botnet creators have recently implemented peer-to-peer solutions for command and control purposes rather than Tor-based ones, because they provide the same level of anonymity and increased resiliency without introducing the latency problems, Botezatu said. In addition, peer-to-peer implementations have already been well documented and tested, he said.
