An inside look at Skynet, a Tor based botnet

Srinu K

sr1nu@ymail.com

Disclaimer

The content here I show is only for

education purpose only. I am not responsible for your

actions. The views/ideas/knowledge expressed here

are solely myself and nothing to do with the company

or the organization in which I am currently working.

Skynet Overview

Size: ~ 15 MB

Skynet is bundled with 4 main components.

1. Tor Client for windows

2. Zeus bot

3. CGMiner

4. Opencl.dll

Propagation and Capabilities

Spreading: via Usenet downloads

Capabilities:

1. Tor Communication

2. Credential grabbing

3. DDOS

4. IRC

5. Bit Coin Mining

Geographical distributionBotnet Size: > 12,000 zombies

Skynet binary analysis

Command and control panelsZeus king of botnets

Onion Domains6ceyqong6nxy7hwp.onion

owbm3sjqdnndmydf.onion

4njzp3wzi6leo772.onion

qdzjxwujdtxrjkrz.onion

x3wyzqg6cfbqrwht.onion

niazgxzlrbpevgvq.onion

ua4ttfm47jt32igm.onion

6tkpktox73usm5vq.onion

4bx2tfgsctov65ch.onion

gpt2u5hhaqvmnwhr.onion

7wuwk3aybq5z73m7.onion

742yhnr32ntzhx3f.onion

f2ylgv2jochpzm4c.onion

6m7m4bsdbzsflego.onion

xvauhzlpkirnzghg.onion

h266x4kmvmpdfalv.onion

jr6t4gi4k2vpry5c.onion

ceif2rmdoput3wjh.onion

uzvyltfdj37rhqfy.onion

uy5t7cus7dptkchs.onion

Demo on zeus panel via Tor

IRC CommandsFeature Commands

Get information on the compromised computer

!version

!hardware

Download and execute files !download

Download a binary to memory and inject it into other processes !download.mem

Visit a webpage!visit

!visit.post

SYN and UDP flooding

!syn.stop

!udp.stop

Slowloris flooding !slowloris!slowloris.stop

HTTP flooding !http.bwrape!http.bwrape.stop

Open a SOCKS proxy !socks

Retrieve .onion address of the Hidden Service opened on the compromised computer !ip

Bitcoin Mining

Botnet only mines if the computer is unused for 2 minutes

and if the owner gets back it stops mining immediately.

Skynet installs a WH_MOUSE and a WH_KEYBOARD hook

procedures that monitor the systems for keystrokes or

mouse movements.

Bitcoin Mining #2

Future

Another tor based botnet is “Atrax”. In future we are able to see

more botnets adopt tor as a communication channel.

Credits

Rapid7

Any Questions

Thank You Guys

An inside look at Skynet, a Tor based botnet

Technology

Transcript of An inside look at Skynet, a Tor based botnet

SKYNET SNP-G16-UM SERIES SKYNET GLOBAL POWER … · S I eliably. (866) 588-1750 power@sager.com SKYNET SNP-G16-UM SERIES 240 Watt Open Frame Power Supply

City Protocol Skynet

Botnet Infiltration

Skynet Opendoors Cars Promo 2009

Roadrunners Botnet

Conficker Botnet

Skynet vs planet of apes

What is the SKYNET?

Your Botnet is My Botnet : Analysis of a Botnet Takeover

Resilient Botnet Command and Control with Tor - Dennis Brown - Botnet...Overview Focus on botnet command and control Case studies using Zeus and IRC bots Techniques to use Tor to anonymize

SkyNet Industry Insights

New Skynet Worldwide Express Website Skynet Worldwide Express

Skynet Week 9 H4D Stanford 2016

Your Botnet is My Botnet: Analysis of a Botnet Takeoverchris/research/doc/ccs09_botnet.pdf · Your Botnet is My Botnet: Analysis of a Botnet Takeover Brett ... (such as bank account

Improve DDoS Botnet Tracking With Honeypots - …...DDoS botnet tracking •It’s aimed to learn botnet assisted DDoS attacks –4w: who is being attacked by what botnet families

Benchmarking Porting Costs of the SKYNET High … of the SKYNET High Performance Signal Processing Middleware ... • Overview of SKYNET Middleware Approach • History of ... –

Your Botnet is My Botnet: Analysis of a Botnet Takeover · Your Botnet is My Botnet: Analysis of a Botnet Takeover Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin

Skynet Opendoors Cars 2009

Manual SKYNET

SKYNET XDIAviation eBrochure v010714