Skynet uses Tor for botnet anonymity (December 14, 2012)

The Dell SonicWALL Threats Research team received reports of a new botnet that uses the Tor anonymity service to communicate with its Command and Control (C&C) servers. The Onion Router (Tor) has traditionally been used by individuals to protect their privacy against network surveillance. Using Tor to cloak the communication between bots and their C&C servers is a distinctive feature of this malware, and one that other botnets are likely to mimic in the future. Reports indicate that the malware is spreading through Usenet. Its creator named it Skynet, as seen in the code:

screenshot

The components and behavior of Skynet match those described in a popular Reddit IAmA thread by the user throwaway236236. The Skynet sample we analyzed is around 15 MB, unusually large for a bot, because the file carries the following embedded modules:

  • Tor client
  • Zeus Bot
  • CGMiner Bitcoin mining utility
  • OpenCL.dll, which CGMiner needs in order to run

Infection Cycle:

When executed, the malware adds the following files to the system:

  • %USERPROFILE%\Local Settings\Temp\OpenCL.dll
  • %USERPROFILE%\Local Settings\Temp\tmp5c295ddc.bat, a batch file that deletes the main executable
  • %USERPROFILE%\Application Data\tor (C:\Documents and Settings\Admin\Application Data\tor on our analysis machine), a folder containing a few Tor-specific files
  • A folder and an executable with random names under %AppData%; this executable is a copy of the main executable

It then creates legitimate svchost.exe processes in a suspended state and injects malicious code into them. The injected code includes functionality to detect antivirus products on the system. Each injected payload is detected individually as follows:

  • Malicious Injection 1 [GAV: Suspicious#avcheck (Trojan)]
  • Malicious Injection 2 [GAV: Suspicious#avcheck (Trojan)]
  • Malicious Injection 3 [GAV: Zbot.AAN_66 (Trojan)]

It adds the following key to the windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "%USERPROFILE%\Application Data\Random_name\Random_name.exe"

The Tor component:

Traffic in the Tor network is wrapped in multiple layers of encryption and relayed through several nodes before it reaches its destination. Tor Hidden Services extend this anonymity to servers: a hidden service is reachable only through a Tor-specific .onion pseudo-domain. We observed the following parameters being passed to an instance of svchost.exe, indicating that a Tor Hidden Service is created locally on the infected machine (a genuine svchost.exe accepts no such options, so their presence also betrays the injected Tor client):
--HiddenServiceDir "C:\Documents and Settings\Admin\Application Data\tor\hidden_service" --HiddenServicePort "55080 127.0.0.1:55080"
The second option maps virtual port 55080 of the .onion address to a listener on 127.0.0.1:55080, so the infected host itself becomes reachable from inside the Tor network.

During our analysis we observed Skynet interacting with the following .onion pseudo-domains:

  • f2ylgv2jochpzm4c.onion
  • uy5t7cus7dptkchs.onion
  • 6m7m4bsdbzsflego.onion
  • h266x4kmvmpdfalv.onion
  • uzvyltfdj37rhqfy.onion
  • 7wuwk3aybq5z73m7.onion
  • jr6t4gi4k2vpry5c.onion
  • ceif2rmdoput3wjh.onion
  • 742yhnr32ntzhx3f.onion
  • xvauhzlpkirnzghg.onion
  • ua4ttfm47jt32igm.onion
  • 6ceyqong6nxy7hwp.onion
  • owbm3sjqdnndmydf.onion

We observed Skynet requesting the following resources from the hidden services above:

  • iplist.txt
  • reverseproxy.txt

By using Tor, Skynet achieves the following:

  • It becomes difficult to trace the real location of the C&C servers
  • The multiple layers of encryption on the C&C communication make it difficult to ascertain the traffic content
  • Hosting the IRC and Bitcoin mining servers as hidden services keeps them anonymous as well

IRC component of Skynet:

IRC has long been a popular command-and-control channel for botnets. Plaintext IRC is prone to easy detection, but by tunnelling it through Tor, Skynet has taken it to the next level. We observed a number of IRC commands issued during our analysis of Skynet:

  • Nick [USA-XP-638XXX]XXXXXXX
  • User 535XXXX
  • Join #USA
  • Join #4net2
  • Join #4net3
  • Join #4net4
  • Join #4net5
  • Join #4netallin
  • Join #4net1

The author provided a screenshot of multiple infected machines connected to his IRC channel:

screenshot

DDoS capabilities of Skynet:

During our analysis we found Slowloris components in the code, indicating that Skynet has DDoS capabilities. The following commands in the code further support this:

  • !syn
  • !syn.stop
  • !udp
  • !udp.stop

Skynet uses IRC over Tor to issue DDoS commands to its victim machines while effectively cloaking the command channel.
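The IRC session above and the DDoS commands listed in this section are enough to write a first-pass detector for the channel, even though the transport itself is hidden inside Tor (the indicators become visible wherever the IRC stream is in the clear, for instance in memory or on the loopback side of the Tor client). The following is an added example and not code from SonicWall or from the malware; the patterns are written against the nick format, the channel names and the !syn/!udp commands quoted in this write-up, while the sample session and the arguments after !syn are constructed for the demonstration.

```python
"""Flag Skynet-style bot traffic in a captured IRC session.

Added example, not code from SonicWall or from the malware. The patterns are
written against the nick format, channel names and !syn/!udp commands quoted
in this write-up; the sample session and the argument format after !syn are
constructed for the demonstration.
"""
import re
from dataclasses import dataclass

# Bot nick: [COUNTRY-OS-ID]ID, e.g. [USA-XP-638XXX]XXXXXXX in the write-up.
BOT_NICK_RE = re.compile(r"^\[[A-Z]{2,3}-[A-Z0-9]+-[A-Z0-9]+\][0-9A-Za-z]+$")
# Channels seen in the write-up: #USA and #4net1 .. #4net5 / #4netallin.
BOT_CHANNEL_RE = re.compile(r"^#(USA|4net(\d+|allin))$")
# DDoS operator commands found in the code: !syn, !syn.stop, !udp, !udp.stop.
DDOS_CMD_RE = re.compile(r"^!(syn|udp)(\.stop)?(?=\s|$)")
# Generic IRC line: [:prefix] COMMAND [params] [:trailing]
IRC_LINE_RE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Z]+|\d{3})(?: (?P<params>.*))?$")


@dataclass
class Finding:
    line_no: int
    kind: str      # "bot_nick", "bot_channel" or "ddos_command"
    detail: str


def parse_irc(line):
    """Split one IRC line into (prefix, command, middle params, trailing)."""
    m = IRC_LINE_RE.match(line.strip())
    if not m:
        return None
    params, trailing = m.group("params") or "", None
    if params.startswith(":"):
        params, trailing = "", params[1:]
    elif " :" in params:
        params, trailing = params.split(" :", 1)
    return m.group("prefix"), m.group("cmd"), params.split(), trailing


def scan_irc_session(lines):
    """Return one Finding per Skynet indicator in a client<->server session."""
    findings = []
    for n, line in enumerate(lines, 1):
        parsed = parse_irc(line)
        if parsed is None:
            continue
        _prefix, cmd, args, trailing = parsed
        if cmd == "NICK" and args and BOT_NICK_RE.match(args[0]):
            findings.append(Finding(n, "bot_nick", args[0]))
        elif cmd == "JOIN" and args:
            for chan in args[0].split(","):       # JOIN accepts a comma list
                if BOT_CHANNEL_RE.match(chan):
                    findings.append(Finding(n, "bot_channel", chan))
        elif cmd == "PRIVMSG" and trailing:
            m = DDOS_CMD_RE.match(trailing)
            if m:
                target = args[0] if args else "?"
                findings.append(Finding(n, "ddos_command", f"{m.group(0)} in {target}"))
    return findings


def is_skynet_like(findings):
    """A bot nick plus either a bot channel or a DDoS command is a strong match."""
    kinds = {f.kind for f in findings}
    return "bot_nick" in kinds and bool(kinds & {"bot_channel", "ddos_command"})


# Constructed sample session (not a real capture); the server prefix and the
# arguments after !syn are assumptions for illustration only.
SAMPLE_SESSION = """\
NICK [USA-XP-638123]7f3a9c2
USER 5351234 0 * :5351234
JOIN #USA
JOIN #4net2
:srv 001 [USA-XP-638123]7f3a9c2 :Welcome
:op!op@srv PRIVMSG #4net2 :!syn 192.0.2.10 80
:op!op@srv PRIVMSG #4net2 :!syn.stop
:alice!a@host PRIVMSG #chat :hello everyone
""".splitlines()

if __name__ == "__main__":
    for f in scan_irc_session(SAMPLE_SESSION):
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
    print("skynet-like:", is_skynet_like(scan_irc_session(SAMPLE_SESSION)))
```

The nick and channel patterns are deliberately narrow: on their own a `#4net2` join is weak evidence, so `is_skynet_like` only fires when the bot-style nick is combined with a known channel or an operator command, which keeps ordinary IRC chatter (the last line of the sample) out of the alerts.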

Zeus component in Skynet:

The Zeus botnet has been used to steal banking information from millions of infected machines. After its source code leaked in 2011, new Zeus variants were reported. The author of Skynet claims to use a modified version of Zeus, and he provided a screenshot of his control panel on Reddit.

The Zeus component uses a local SOCKS proxy as a relay into the Tor network in order to communicate with its C&C server. We observed the following request to port 42349 when Skynet is executed:
localhost:42349/z/config.bin
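What makes the local-proxy relay work is that a SOCKS5 client hands the proxy a hostname rather than a resolved address, so a .onion name never touches the host's DNS resolver and the only thing visible outside Tor is a loopback connection. The following is an added example, not code from the malware or from SonicWall: it builds and parses the RFC 1928 messages in memory (client greeting, CONNECT request, proxy reply) and adds the defender's-side parser that pulls the target out of a captured CONNECT, so it runs offline. The onion name is one of the addresses listed earlier; the port, the proxy reply bytes and the function names are constructed for the demonstration.

```python
"""Build and inspect a SOCKS5 CONNECT to a .onion service through a local Tor
SOCKS port, the relay arrangement this section describes.

Added example, not code from the malware or from SonicWall. It only constructs
and parses the RFC 1928 messages in memory, so it runs offline; the onion name
is one listed in the write-up, while the port, the proxy reply bytes and the
function names are constructed for the demonstration.
"""
import re
import struct

# 2012-era (v2) onion address: 16 base32 characters, the truncated SHA-1 of
# the service's public key. Resolution happens inside Tor, never via DNS.
ONION_V2_RE = re.compile(r"^[a-z2-7]{16}\.onion$")

# RFC 1928 reply codes.
REPLY_CODES = {
    0: "succeeded", 1: "general SOCKS server failure",
    2: "connection not allowed by ruleset", 3: "network unreachable",
    4: "host unreachable", 5: "connection refused", 6: "TTL expired",
    7: "command not supported", 8: "address type not supported",
}


def is_v2_onion(host):
    return bool(ONION_V2_RE.match(host.lower()))


def socks5_greeting():
    """Client hello: version 5, one auth method offered, 0x00 = no auth."""
    return b"\x05\x01\x00"


def socks5_connect_request(host, port):
    """CONNECT to a hostname. ATYP 0x03 hands the *name* to the proxy, which is
    what lets Tor resolve .onion names inside the Tor network rather than via
    the host's resolver."""
    if not is_v2_onion(host):
        raise ValueError(f"not a v2 onion address: {host!r}")
    name = host.encode("ascii")
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port)


def extract_socks5_target(request):
    """Defender's side: pull (host, port) out of a captured CONNECT request,
    so a SOCKS session to a .onion name can be spotted on the loopback."""
    if len(request) < 5 or request[0] != 0x05 or request[1] != 0x01:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = request[3]
    if atyp == 0x03:                          # domain name
        n = request[4]
        host = request[5:5 + n].decode("ascii")
        off = 5 + n
    elif atyp == 0x01:                        # IPv4
        host = ".".join(str(b) for b in request[4:8])
        off = 8
    else:
        raise ValueError(f"unsupported ATYP {atyp:#x}")
    (port,) = struct.unpack(">H", request[off:off + 2])
    return host, port


def parse_socks5_reply(reply):
    """Decode the proxy's reply into (ok, reason, bound_host, bound_port)."""
    if len(reply) < 4 or reply[0] != 0x05:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = reply[1], reply[3]
    if atyp == 0x01:
        bound, off = ".".join(str(b) for b in reply[4:8]), 8
    elif atyp == 0x03:
        n = reply[4]
        bound, off = reply[5:5 + n].decode("ascii"), 5 + n
    else:
        raise ValueError(f"unsupported ATYP {atyp:#x}")
    (port,) = struct.unpack(">H", reply[off:off + 2])
    return rep == 0, REPLY_CODES.get(rep, "unknown"), bound, port


if __name__ == "__main__":
    req = socks5_connect_request("f2ylgv2jochpzm4c.onion", 55080)
    print("request :", req.hex())
    print("target  :", extract_socks5_target(req))
    # Constructed success reply: Tor answers with an all-zero bound address.
    print("reply   :", parse_socks5_reply(b"\x05\x00\x00\x01\x00\x00\x00\x00\x00\x00"))
```

For a defender the useful half is `extract_socks5_target`: run it over the first bytes of every connection to a local SOCKS port and any CONNECT whose hostname ends in `.onion` is a Tor-bound session from a process that should be accounted for. Note that the 16-character form checked here is the v2 address format in use when this sample was analyzed; Tor has since retired v2 services in favour of 56-character v3 addresses.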

screenshot

Bitcoin Mining component of Skynet:

Skynet drops a number of files on the system during its execution; OpenCL.dll is one of them and is a required component for running CGMiner, a Bitcoin miner. Skynet activates the mining component once the victim machine has been idle for two minutes, and we observed 100% CPU utilization while it ran. The miner is started by passing the following parameters to an instance of svchost.exe:
"C:\WINDOWS\system32\svchost.exe" -o http://95.211.7.6:81 -u usXXX -p XXXXXXX -w 128 -I d -k poclbm --api-listen
These are standard CGMiner options: -o is the pool or proxy URL, -u and -p are the worker credentials, -w is the OpenCL work size, -I d selects dynamic intensity, -k poclbm chooses the OpenCL kernel, and --api-listen opens CGMiner's local status API.
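Both the Tor hidden-service parameters shown earlier and the CGMiner command line above share one property: they are attached to a genuine svchost.exe image, which in normal operation is launched by services.exe with nothing more than -k <group> (and optionally -p and -s <service>). That makes the command line itself a reliable detection point. The following is an added example and not SonicWall's detection logic; it runs over a constructed list of process-creation events whose fields mimic Sysmon Event ID 1 (Image, CommandLine, ParentImage). The Tor and CGMiner command lines are the ones quoted in this write-up, while the legitimate event, the parent paths and the random folder name are assumptions.

```python
"""Flag svchost.exe instances whose command line gives away an injected Tor
client or CGMiner, as described for this sample.

Added example, not SonicWall's detection logic. The events below are
constructed (fields mimic Sysmon Event ID 1); the Tor and CGMiner command
lines are the ones quoted in the write-up, the rest are assumptions.
"""
import re

# Only forms a genuine svchost.exe takes: -k <group>, optionally -p and -s <service>.
LEGIT_SVCHOST_ARGS = re.compile(r"(-k \S+)?(( -p)|( -s \S+))*")
TOR_OPTIONS = {"--hiddenservicedir", "--hiddenserviceport", "--socksport", "--controlport"}
MINER_TOKENS = {"--api-listen", "poclbm"}      # cgminer API switch and OpenCL kernel name
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def split_command_line(cmdline):
    """Tokenise a Windows command line, keeping quoted arguments together."""
    toks = re.findall(r'"[^"]*"|\S+', cmdline)
    return [t.strip('"') for t in toks]


def classify_svchost(event):
    """Return the reasons this svchost.exe event looks hostile ([] if clean)."""
    image = event["Image"].lower()
    if not image.endswith("\\svchost.exe"):
        return []                                # other images are out of scope here
    reasons = []
    if not image.startswith(SYSTEM_DIRS):
        reasons.append("svchost image outside System32/SysWOW64")
    if not event.get("ParentImage", "").lower().endswith("\\services.exe"):
        reasons.append("parent is not services.exe")
    toks = split_command_line(event["CommandLine"])[1:]     # drop the image itself
    lowered = {t.lower() for t in toks}
    if lowered & TOR_OPTIONS:
        reasons.append("Tor hidden-service options on command line")
    elif lowered & MINER_TOKENS or any(t.startswith(("http://", "https://")) for t in lowered):
        reasons.append("cgminer options on command line")
    elif not LEGIT_SVCHOST_ARGS.fullmatch(" ".join(toks)):
        reasons.append("non-standard svchost arguments")
    return reasons


def scan_events(events):
    """Pair the index of each suspicious event with its reasons."""
    hits = []
    for i, e in enumerate(events):
        reasons = classify_svchost(e)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed events (not real telemetry). "xkqpd" stands in for the random
# folder/executable name the dropper generates; it is an assumption.
EVENTS = [
    {"Image": r"C:\WINDOWS\system32\svchost.exe",
     "CommandLine": r"C:\WINDOWS\system32\svchost.exe -k netsvcs",
     "ParentImage": r"C:\WINDOWS\system32\services.exe"},
    {"Image": r"C:\WINDOWS\system32\svchost.exe",
     "CommandLine": r'"C:\WINDOWS\system32\svchost.exe" --HiddenServiceDir "C:\Documents and Settings\Admin\Application Data\tor\hidden_service" --HiddenServicePort "55080 127.0.0.1:55080"',
     "ParentImage": r"C:\Documents and Settings\Admin\Application Data\xkqpd\xkqpd.exe"},
    {"Image": r"C:\WINDOWS\system32\svchost.exe",
     "CommandLine": r'"C:\WINDOWS\system32\svchost.exe" -o http://95.211.7.6:81 -u usXXX -p XXXXXXX -w 128 -I d -k poclbm --api-listen',
     "ParentImage": r"C:\Documents and Settings\Admin\Application Data\xkqpd\xkqpd.exe"},
]

if __name__ == "__main__":
    for i, reasons in scan_events(EVENTS):
        print(f"event {i}: {EVENTS[i]['CommandLine']}")
        for r in reasons:
            print("   -", r)
```

The parent check matters as much as the argument check: the hollowed svchost.exe instances here are children of the dropped copy under Application Data, not of services.exe, so even an injected payload that passed no arguments at all would still be caught by the first rule.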

screenshot

We observed the following Bitcoin mining proxy being contacted during our analysis:

  • 95.211.7.6:81

The author provided a screenshot of his Bitcoin mining control panel in the Reddit IAmA thread:

screenshot

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Skynet.ZS (Trojan)
  • GAV: Suspicious#avcheck (Trojan)
  • GAV: Zbot.AAN_66 (Trojan)
