Researchers from security firm Rapid 7 have come across an interesting new botnet. It has been dubbed Skynet and it’s capable of many things, including distributed denial-of-service (DDOS) attacks, Bitcoin mining, and banking credentials theft.According to experts, the malware that powers Skynet is distributed via Usenet, and it utilizes the Tor anonymity network for internal communications protocols and for its Hidden Services functionality.
The sample analyzed by Rapid 7 is almost 15 megabytes in size, which makes it more difficult to detect.
The core of the malware is a simple Tor-enabled IRC bot, but Skynet comes with 4 additional resources: a Windows Tor client, a Bitcoing mining tool, a library used for CPU and GPU hash cracking by the mining tool, and a ZeuS bot.
By relying on Tor, the cybercriminals can encrypt their botnet traffic to avoid detection by network monitors, they can protect their creation from sinkholing, they can easily move around the command and control servers, and they can efficiently hide them.
Currently, the size of the botnet is around 12,000-15,000 compromised computers, mostly located in Central Europe, particularly the Netherlands and Germany.
For profit, the author relies mostly on Bitcoin mining and on the commercialization of credentials stolen by ZeuS.
One noteworthy fact is that the creator of Skynet is actually the hacker who published a lengthy post on Reddit back in May, in which he detailed all his malicious activities.
“Despite not being particularly sophisticated it represents a nice example of a simple but still effective botnet with a large portfolio of capabilities,” Rapid 7 researcher Claudio Guarnieri explained.
“The most important factor is certainly the adoption of Tor as the main communication channel and the use of Hidden Services for protecting the backend infrastructure. While it’s surprising that not more botnets adopt the same design, we can likely expect more to follow the lead in the future.”