The content I show here is for
educational purposes only. I am not responsible for your
actions. The views/ideas/knowledge expressed here
are solely my own and have nothing to do with the company
or organization I am currently working for.
• Working as a malware analyst at Online Guards
• Having 2+ years of experience working with
• Seasoned Penetration tester and Forensic
• LinkedIn: http://in.linkedin.com/pub/srinu-
Size: ~ 15 MB
Skynet is bundled with 4 main components.
1. Tor client for Windows
2. Zeus bot
Spreading: via Usenet downloads
1. Tor Communication
2. Credential grabbing
5. Bit Coin Mining
Get information on the compromised computer
Download and execute files !download
Download a binary to memory and inject it into other processes !download.mem
Visit a webpage
SYN and UDP flooding
Slowloris flooding !slowloris / !slowloris.stop
HTTP flooding !http.bwrape / !http.bwrape.stop
Open a SOCKS proxy !socks
Retrieve .onion address of the Hidden Service opened on the compromised computer !ip
The bot only mines if the computer has been idle for 2 minutes,
and it stops mining immediately when the owner returns.
Skynet installs WH_MOUSE and WH_KEYBOARD hook
procedures that monitor the system for keystrokes or
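The idle-gated mining described above (input hooks record the last user activity, a periodic check starts the miner after two idle minutes, and any new input stops it at once) can be modelled as a small state machine. The following is an added example written for this page, not Skynet's code and not Windows hook code: the `on_input` method stands in for the WH_KEYBOARD/WH_MOUSE hook procedures, `on_timer` for the periodic idle check, and the event timeline is constructed, not captured data.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

# Two-minute idle window stated on the slide.
IDLE_THRESHOLD_SECONDS = 120


@dataclass
class IdleMiner:
    """Model of idle-gated mining.

    The real bot uses WH_KEYBOARD / WH_MOUSE hooks to learn about user
    activity; here on_input() plays that role and on_timer() plays the
    role of the periodic check that decides whether to mine.
    """
    last_input: float = 0.0
    mining: bool = False
    # (timestamp, "start" | "stop") records, in order.
    transitions: List[Tuple[float, str]] = field(default_factory=list)

    def on_input(self, now: float) -> None:
        # Any keystroke or mouse event counts as the owner being back:
        # remember the time and stop mining immediately.
        self.last_input = now
        if self.mining:
            self.mining = False
            self.transitions.append((now, "stop"))

    def on_timer(self, now: float) -> None:
        # Periodic check: start mining only once the machine has been
        # idle for at least the threshold.
        idle_for = now - self.last_input
        if not self.mining and idle_for >= IDLE_THRESHOLD_SECONDS:
            self.mining = True
            self.transitions.append((now, "start"))


def replay(events: Iterable[Tuple[float, str]]) -> List[Tuple[float, str]]:
    """Replay a timeline of (timestamp, kind) events.

    kind is "key" or "mouse" (hook callbacks) or "tick" (timer check).
    Returns the list of start/stop transitions the model produced.
    """
    miner = IdleMiner()
    for ts, kind in sorted(events):
        if kind in ("key", "mouse"):
            miner.on_input(ts)
        elif kind == "tick":
            miner.on_timer(ts)
        else:
            raise ValueError(f"unknown event kind: {kind!r}")
    return miner.transitions


# Constructed sample timeline (seconds); not data from a real infection.
# Last input at t=10, so mining may start from t=130 onward; the mouse
# event at t=200 stops it, and it restarts once idle again at t=330.
SAMPLE_EVENTS = [
    (0, "key"), (10, "mouse"),
    (30, "tick"), (60, "tick"), (90, "tick"), (120, "tick"),
    (130, "tick"), (150, "tick"),
    (200, "mouse"), (210, "tick"), (330, "tick"),
]

if __name__ == "__main__":
    for ts, action in replay(SAMPLE_EVENTS):
        print(f"t={ts:>4}s  {action}")
```

The point of the model for a defender is the timing signature it produces: CPU or GPU load that appears only after a fixed idle interval and vanishes the moment the user touches the keyboard or mouse. Correlating resource usage with session idle time (for example, against the screensaver or last-input timestamp on the host) is one way to surface this behaviour without relying on a file signature; that correlation is a suggested check, not something the slide describes.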
Another Tor-based botnet is “Atrax”. In the future we can expect to see
more botnets adopt Tor as a communication channel.