
Tor network used to command Skynet botnet

Other botnet operators might use Tor to hide their command and control servers in the future, researchers say

By Lucian Constantin, IDG News Service
December 07, 2012 02:05 PM ET

Page 2 of 3

Content from Usenet is commonly downloaded by users and redistributed through other file-sharing technologies like BitTorrent.

The Skynet malware has several components: an IRC-controlled bot that can launch various types of DDoS attacks and perform several other actions, a Tor client for Windows, a so-called Bitcoin mining application and a version of the Zeus Trojan program, which is capable of hooking into browser processes and stealing log-in credentials for various websites.

While good for anonymity, Tor does have disadvantages for a botnet operation, such as increased latency and sometimes instability.

"Obviously they [the botnet operators] can't tunnel just everything through Tor," Guarnieri said. "If the botnet is performing some heavy, frequent and noisy communication, then it could be problematic."

However, if the goal is just for the infected machines to be able to retrieve commands from a server in a reasonable time without exposing its location, then Tor works well enough, he said. "I'm pretty sure more botherders will definitely replicate this design."

"This is a major reason for concern," said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender, via email. "If a single botherder can stay anonymous for seven months by routing C&C traffic via TOR, then it will definitely stick with other botmasters."

That said, Botezatu believes that Tor might not be suitable for large botnets because the Tor network, which is already relatively slow, might not be able to handle a lot of concurrent connections.

The impact of botnets on the Tor network itself really depends on the scale of abuse, Guarnieri said. One feature of the Skynet botnet is that each infected machine becomes a Tor relay, which ironically makes the network larger and able to sustain the load, he said.

Botnet creators have recently implemented peer-to-peer solutions for command and control purposes rather than Tor-based ones, because they provide the same level of anonymity and increased resiliency without introducing the latency problems, Botezatu said. In addition, peer-to-peer implementations have already been well documented and tested, he said.

The Tor-based approach is not new, said Marco Preuss, head of the German global research and analysis team at antivirus vendor Kaspersky Lab, via email. "In the past years several presentations and research papers mentioned this method for botnets."

"One of the most important disadvantages is the complex implementation -- errors lead to easy detection -- and also the speed is a drawback," Preuss said. Depending on how Tor is used in the botnet infrastructure, there might be solutions to detect and block the traffic, as well as to disable the botnet, he said.
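As an added illustration of the kind of network-side detection Preuss alludes to (example code written for this page, not from any of the researchers or vendors quoted), the script below scans constructed flow-log lines for two patterns the article describes: an internal host opening connections to several known Tor relays, which is how a bot retrieving commands over Tor would behave, and an internal host accepting many inbound connections on a relay port, consistent with the infected machine itself acting as a Tor relay. The relay list, the internal address range and the log format are all assumptions; a real deployment would load the current Tor consensus and the organisation's own flow export.

```python
"""Flag hosts whose flows look like Tor client or Tor relay activity.

Everything here is constructed for demonstration: the relay list uses
documentation address ranges and the flow records are invented.
"""
import ipaddress
from collections import defaultdict

# Constructed stand-in for a Tor relay directory: (address, ORPort).
# In practice this would be populated from the published relay consensus.
TOR_RELAYS = {
    ("198.51.100.10", 9001),
    ("203.0.113.5", 443),
    ("192.0.2.77", 9001),
}

# Ports Tor relays commonly listen on (ORPort / DirPort defaults).
RELAY_PORTS = {9001, 9030}

# Assumed internal address space for "inside vs. outside" decisions.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed flow export: time src_ip src_port dst_ip dst_port proto bytes
FLOW_LOG = """\
2012-12-07T14:05:01 10.0.0.15 51234 198.51.100.10 9001 tcp 1200
2012-12-07T14:05:03 10.0.0.15 51235 203.0.113.5 443 tcp 800
2012-12-07T14:06:10 10.0.0.15 51240 192.0.2.77 9001 tcp 4300
2012-12-07T14:06:12 10.0.0.22 40001 203.0.113.9 443 tcp 2000
2012-12-07T14:07:00 198.51.100.200 44000 10.0.0.15 9001 tcp 3000
2012-12-07T14:07:05 198.51.100.201 44010 10.0.0.15 9001 tcp 2500
"""


def parse_flows(text):
    """Turn the whitespace-separated flow lines into dicts; skip blanks."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, src, sport, dst, dport, proto, nbytes = parts
        flows.append({
            "ts": ts, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes),
        })
    return flows


def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL_NET


def find_tor_clients(flows, relays=TOR_RELAYS, min_relays=2):
    """Internal hosts that contacted at least `min_relays` distinct relays.

    Returns {host: set of (relay_ip, port)} for hosts over the threshold.
    A single hit could be a false positive; several distinct relays is
    the stronger signal of a Tor client building circuits.
    """
    contacted = defaultdict(set)
    for f in flows:
        if is_internal(f["src"]) and (f["dst"], f["dport"]) in relays:
            contacted[f["src"]].add((f["dst"], f["dport"]))
    return {h: r for h, r in contacted.items() if len(r) >= min_relays}


def find_relay_like_hosts(flows, ports=RELAY_PORTS, min_sources=2):
    """Internal hosts accepting inbound connections on relay ports from
    at least `min_sources` distinct external addresses.

    Returns {host: number_of_distinct_external_sources}. This matches the
    article's observation that an infected machine may itself become a
    Tor relay, which no ordinary workstation should do.
    """
    sources = defaultdict(set)
    for f in flows:
        if (is_internal(f["dst"]) and not is_internal(f["src"])
                and f["dport"] in ports):
            sources[f["dst"]].add(f["src"])
    return {h: len(s) for h, s in sources.items() if len(s) >= min_sources}


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    for host, relays in find_tor_clients(flows).items():
        print(f"possible Tor client {host}: {len(relays)} relays contacted")
    for host, n in find_relay_like_hosts(flows).items():
        print(f"possible Tor relay {host}: inbound from {n} external sources")
```

On the constructed log the host 10.0.0.15 is flagged by both checks, while 10.0.0.22 (a single HTTPS connection to a non-relay address) is not. The thresholds are deliberately conservative; tuning them against the actual relay consensus and normal baseline traffic is where the real work lies, and any hit still needs host-side confirmation before it is treated as an infection.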

"A single botnet of about ten thousand machines isn't a stringent problem for the global Internet, but, if things escalate, we're sure that node administrators will cooperate with ISPs and law enforcement to take down malicious traffic," Botezatu said. "After all, Tor has been designed for anonymity and privacy, not for cyber crime."
