An inside look at Skynet, a Tor-based botnet


null Hyderabad Chapter - August 2013 Meet

  1. The content I show here is for educational purposes only. I am not responsible for your actions. The views, ideas and knowledge expressed here are solely my own and have nothing to do with the company or organization I currently work for.
  2. Srinu K
     - Working as a malware analyst at Online Guards
     - 2+ years of experience working with malware
     - Seasoned penetration tester and forensic investigator
     - LinkedIn: neo/39/806/712
  3. Size: ~15 MB. Skynet is bundled with four main components:
     1. Tor client for Windows
     2. Zeus bot
     3. CGMiner
     4. Opencl.dll
  4. Spreading: via Usenet downloads. Capabilities:
     1. Tor communication
     2. Credential grabbing
     3. DDoS
     4. IRC
     5. Bitcoin mining
  5. Botnet size: > 12,000 zombies
  6. Zeus, king of botnets
  7. (Slide listing twenty .onion hidden-service addresses; omitted here.)
  8. Features and their commands:
     - Get information on the compromised computer: !info, !version, !hardware, !idle
     - Download and execute files: !download
     - Download a binary to memory and inject it into other processes: !download.mem
     - Visit a webpage: !visit
     - SYN and UDP flooding: !syn, !syn.stop, !udp, !udp.stop
     - Slowloris flooding: !slowloris, !slowloris.stop
     - HTTP flooding: !http.bwrape, !http.bwrape.stop
     - Open a SOCKS proxy: !socks
     - Retrieve the .onion address of the hidden service opened on the compromised computer: !ip
  9. The bot only mines once the computer has been unused for 2 minutes, and it stops mining immediately when the owner comes back. To detect this, Skynet installs WH_MOUSE and WH_KEYBOARD hook procedures that monitor the system for keystrokes and mouse movements.
  10. Another Tor-based botnet is "Atrax". In future we can expect to see more botnets adopt Tor as a communication channel.
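As an added example for the command slide (slide 8), not part of the original deck: a small detector that scans captured IRC lines for the command vocabulary listed there and tags each hit with the capability it exercises. It assumes the commands travel as IRC PRIVMSG text (the slides list IRC as a capability but show no wire format), and the sample capture below is constructed, not real Skynet traffic.

```python
import re
from collections import Counter

# Skynet's command vocabulary exactly as listed on slide 8, grouped by capability.
SKYNET_COMMANDS = {
    "recon": {"!info", "!version", "!hardware", "!idle"},
    "download": {"!download", "!download.mem"},
    "visit": {"!visit"},
    "ddos": {"!syn", "!syn.stop", "!udp", "!udp.stop",
             "!slowloris", "!slowloris.stop", "!http.bwrape", "!http.bwrape.stop"},
    "proxy": {"!socks"},
    "hidden_service": {"!ip"},
}
COMMAND_CATEGORY = {c: cat for cat, cmds in SKYNET_COMMANDS.items() for c in cmds}

# Minimal IRC PRIVMSG shape (assumed transport): ":nick!user@host PRIVMSG target :text"
PRIVMSG_RE = re.compile(r"^:(?P<src>\S+) PRIVMSG (?P<target>\S+) :(?P<text>.*)$")

def extract_bot_command(irc_line):
    """Return a dict describing a Skynet command if this IRC line carries one, else None."""
    m = PRIVMSG_RE.match(irc_line.strip())
    if not m:
        return None
    words = m.group("text").split()
    if not words:
        return None
    cmd = words[0].lower()          # commands are matched case-insensitively
    if cmd not in COMMAND_CATEGORY:
        return None
    return {"source": m.group("src"), "target": m.group("target"),
            "command": cmd, "category": COMMAND_CATEGORY[cmd], "args": words[1:]}

def scan_irc_log(lines):
    """Run the extractor over captured IRC lines; return the hits and a per-category count."""
    hits = [h for h in (extract_bot_command(line) for line in lines) if h]
    return hits, dict(Counter(h["category"] for h in hits))

# Constructed sample capture (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE_IRC_LOG = [
    "PING :irc.example.invalid",
    ":op!herder@203.0.113.9 PRIVMSG #zombies :!info",
    ":op!herder@203.0.113.9 PRIVMSG #zombies :!download http://203.0.113.9/update.exe",
    ":op!herder@203.0.113.9 PRIVMSG #zombies :!SYN 203.0.113.77 80",
    ":op!herder@203.0.113.9 PRIVMSG #zombies :!syn.stop",
    ":alice!user@203.0.113.20 PRIVMSG #general :!help me with this",
    ":op!herder@203.0.113.9 PRIVMSG #zombies :!ip",
]

if __name__ == "__main__":
    hits, counts = scan_irc_log(SAMPLE_IRC_LOG)
    for h in hits:
        print(f'{h["source"]:<28} {h["category"]:<15} {h["command"]} {" ".join(h["args"])}')
    print(counts)
```

Non-PRIVMSG lines and ordinary chat commands such as !help produce no hit, so only the bot vocabulary is reported.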
