Rapid7 researchers have recently unearthed an unusual piece of malware that turned out to be crucial to the formation of an elusive botnet – dubbed Skynet by the researchers – whose existence has been documented in a very popular Reddit “I Am A” thread.
The Trojan in question has DDoS and Bitcoin-mining capabilities, but it’s main function is to steal banking credentials.
The botnet operator spreads the malware via the Usenet discussion forum, which is also a popular platform for distributing pirated content. In order to hide its malicious nature, the file “weighs” 15MB, a great part of which is junk data.
The rest consists of a ZeuS bot, a Tor client for Windows, the CGMiner bitcoin mining tool, and a copy of a DLL file used by CGMiner for CPU and GPU hash cracking.
The malware creates and injects itself into new and existing processes, and adds a registry key to assure its persistence after a system reboot.
“In order to initialize its components, the malware creates multiple legitimate processes in suspended state, overwrites their memory with the desired malicious executables and resumes their execution,” the researchers explain.
“From the command line arguments we can guess that the malware does not only use Tor to connect to its backend infrastructure but also creates a Tor Hidden Service on the infected system itself.”
The botmaster uses Tor as the botnet’s internal communication protocol, but has also cleverly chosen to take advantage of the Tor Hidden Services functionality to run all of its C&C servers as Hidden Services.
“By running as an Hidden Service, the origin, location, and nature of the C&C are concealed and therefore not exposed to possible takedowns. In addition, since Hidden Services do not rely on public-facing IP addresses, they can be hosted behind firewalls or NAT-enabled devices such as home computers,” the researchers explain.
“Hidden Services provide a Tor-specific .onion pseudo top-level domain, which is not exposed to possible sinkholing, and the operator can easily move around the C&C servers just by re-using the generated private key for the Hidden Service.”
In addition to all this, the botnet traffic is encrypted and difficult to detect.
“Long story short, Tor, due to its design and internal mechanics, makes it a perfect protocol for botnets. Because of this, all critical communications of Skynet to its C&C servers are tunneled through a Tor SOCKS proxy running locally on compromised computers,” they concluded.
The bots can receive DDoS-attack-related commands via through IRC channels they connect to, and the ZeuS bots collect all the credentials they can get their hands on.
The CGMiner bitcoin mining tool starts working every time the system hasn’t been interacted with via keyboard or mouse for two minutes, and stops immediately after detecting this kind of activity, so that the users might not suspect being infected.
The Skynet malware has a rather low detection rate (7 out of 42 AV solutions used by VirusTotal), and the researchers have been the first ones to test it with the service, even though it seems like they might not be the first ones who analyzed the malware.
But there are bigger problems than that.
The botnet has obviously been flying under the radar for at least half a year, and possibly more, and its use of Tor for internal communication and the use of Hidden Services for protecting the backend infrastructure has made it practically impervious to takedowns.
It will be interesting to see how security researchers solve this particular puzzle in order to shut down this botnet and other similar that are bound to appear.