In the process of analyzing a seemingly new and fairly small botnet called Skynet, Rapid7 security researchers determined that this was precisely the same network described by its creator in a particularly bold ‘Ask Me Anything’ (AMA) on the social news site Reddit earlier this year.
Claudio Guarnieri authored the write-up on Rapid7’s Security Street blog and claims that the 12,000- to 15,000-computer botnet is fueled by a customized Zeus Trojan variant. The researcher describes Skynet as a “Tor-powered Trojan with DDoS, Bitcoin mining and banking capabilities” that is currently distributing itself on Usenet. The bot has a number of interesting functionalities that Guarnieri and company tinkered with, but it appears that the bot’s primary function and largest source of income is its use of the Zeus banking Trojan.
The Skynet malware is unusually large, weighing in at 15MB, and has an unusually low detection rate of seven out of 42 on VirusTotal. It is a Tor-enabled IRC bot whose binary is bloated with junk data in order to seem legitimate to prospective downloaders. Within Skynet are four resources: a Zeus bot, a Tor client for Windows, the CGMiner Bitcoin mining tool, and OpenCL.dll, which is apparently used by CGMiner for CPU and GPU hash cracking.
Once executed, the malware copies itself into a randomized AppData directory, where it eventually disguises itself as either Internet Explorer or svchost.exe. It then overwrites the memory of a number of legitimate processes with its malicious executables.
Skynet’s operator uses the Hidden Services functionality provided by Tor as the botnet’s internal communication protocol. Tor is an online anonymization service with many legitimate, non-criminal uses, but it is also used for a number of nefarious purposes. In this case, simply put, Tor Hidden Services let Skynet resolve and contact a hidden server whose IP address is never revealed in the process, making it difficult to blacklist the malicious domain in use.
“Long story short, Tor, due to its design and internal mechanics, makes it a perfect protocol for botnets,” writes Guarnieri. “Because of this, all critical communications of Skynet to its C&C servers are tunneled through a Tor SOCKS proxy running locally on compromised computers.”
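The two host-side behaviours described above, the bot masquerading as Internet Explorer or svchost.exe from a randomized AppData directory and its C&C traffic leaving through a Tor SOCKS proxy on the loopback interface, are both visible in ordinary endpoint telemetry. The following script is an added example for this article, not Rapid7’s or Guarnieri’s code. It runs two checks over constructed Sysmon-style process-creation and network-connection events (the key=value field names are an assumption, as is the use of Tor’s default SOCKS port 9050 by Skynet’s bundled client): a known system binary name running outside the directory it legitimately lives in, and a process other than the Tor client connecting to the local SOCKS port.

```python
"""Detection sketch for two Skynet behaviours: masquerading binaries in
AppData and non-Tor processes using a local Tor SOCKS proxy.

Added example, not Rapid7's code. Log format and field names are
assumptions modelled on Sysmon process-creation (eid=1) and
network-connection (eid=3) events; all sample events are constructed.
"""
import ntpath
import re
from collections import defaultdict

# Tor's default SOCKS port. Assumption: Skynet's bundled Tor keeps the default.
TOR_SOCKS_PORT = 9050

# Names the article says Skynet borrows, and where those binaries really live.
MASQUERADE_NAMES = {"svchost.exe", "iexplore.exe"}
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "iexplore.exe": {
        r"c:\program files\internet explorer",
        r"c:\program files (x86)\internet explorer",
    },
}

# Constructed sample telemetry, not real logs. pid 4321 and 4324 mimic the
# behaviour described in the article; 4322 is a genuine svchost, 4323 is
# the bundled Tor client itself talking to a relay.
SAMPLE_LOG = """\
eid=1 pid=4321 image=C:\\Users\\bob\\AppData\\Roaming\\a1b2c3\\svchost.exe
eid=1 pid=4322 image=C:\\Windows\\System32\\svchost.exe
eid=1 pid=4323 image=C:\\Users\\bob\\AppData\\Roaming\\a1b2c3\\tor.exe
eid=1 pid=4324 image=C:\\Users\\bob\\AppData\\Roaming\\a1b2c3\\iexplore.exe
eid=3 pid=4321 dst=127.0.0.1 dport=9050
eid=3 pid=4324 dst=127.0.0.1 dport=9050
eid=3 pid=4322 dst=10.0.0.5 dport=445
eid=3 pid=4323 dst=198.51.100.7 dport=443
"""


def parse_events(text):
    """Parse key=value lines into dicts; eid, pid and dport become ints."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = dict(re.findall(r"(\w+)=(\S+)", line))
        for key in ("eid", "pid", "dport"):
            if key in ev:
                ev[key] = int(ev[key])
        events.append(ev)
    return events


def masquerading_pids(events):
    """PIDs whose image name mimics a well-known Windows binary but whose
    image path is outside the directory that binary legitimately lives in."""
    hits = set()
    for ev in events:
        if ev.get("eid") != 1:
            continue
        image = ev["image"].lower()          # ntpath handles Windows paths on any host
        name = ntpath.basename(image)
        if name in MASQUERADE_NAMES and ntpath.dirname(image) not in EXPECTED_DIRS[name]:
            hits.add(ev["pid"])
    return hits


def tor_socks_pids(events):
    """PIDs connecting to the local Tor SOCKS port that are not tor.exe
    itself (its own loopback traffic is expected; anything else is not)."""
    image_by_pid = {ev["pid"]: ev["image"].lower() for ev in events if ev.get("eid") == 1}
    hits = set()
    for ev in events:
        if ev.get("eid") != 3:
            continue
        if ev.get("dst") == "127.0.0.1" and ev.get("dport") == TOR_SOCKS_PORT:
            if ntpath.basename(image_by_pid.get(ev["pid"], "")) != "tor.exe":
                hits.add(ev["pid"])
    return hits


def findings(text):
    """Run both checks and return {pid: [reasons]} for processes worth triage."""
    events = parse_events(text)
    out = defaultdict(list)
    for pid in masquerading_pids(events):
        out[pid].append("system binary name running outside its expected directory")
    for pid in tor_socks_pids(events):
        out[pid].append("non-Tor process sending traffic to the local Tor SOCKS port")
    return dict(out)


if __name__ == "__main__":
    for pid, reasons in sorted(findings(SAMPLE_LOG).items()):
        print(pid, "; ".join(reasons))
```

On the sample data the two AppData-resident binaries are flagged by both checks while the real svchost.exe and the Tor client itself are not; in a real deployment the second check is the more durable one, because it does not depend on which name the bot chooses to hide behind, only on a process that is not the Tor client talking to the Tor proxy.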
Another interesting aspect of Skynet is that its mining capacity only kicks in when its host machines are idle, so as to not interrupt legitimate computer use by infected users.
As mentioned above, the malware proliferates mostly on Usenet. Usenet is an old-school, distributed discussion board developed in the late 1970s and widely used by early computer and Internet enthusiasts throughout the 1980s. Usenet has had something of a resurgence over the last decade as it was adapted for use by file sharers seeking to distribute and obtain pirated software, movies, games, and other content, according to Guarnieri.
“People download software from Usenet and install it in the offices or at friends pretty often,” Skynet’s operator explained using a throwaway account for his Reddit AMA. “Also Usenet isn’t that hard anymore… Most providers have their own Usenet client for idiot proof downloads.”
As always, where traffic goes, so goes malware, which is why Guarnieri characterizes Usenet in its current state as a “malware minefield.” Distributing malware on Usenet (and on torrents for that matter) is actually fairly easy. Guarnieri explains that while the security industry focuses largely on the more widely deployed infection vectors, like exploit kits, cybercriminals quietly push their malware on file-sharing networks like Usenet, where there is no need to exploit victims, because they’re going to execute the files themselves.