An inside look at Skynet, a Tor based botnet
![Page 2: An inside look at Skynet, a Tor based botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052316/55a6b6551a28ab012c8b4806/html5/thumbnails/2.jpg)
Disclaimer
The content I show here is for educational purposes only. I am not
responsible for your actions. The views/ideas/knowledge expressed here
are solely my own and have nothing to do with the company or
organization I am currently working for.
Skynet Overview
Size: ~15 MB
Skynet is bundled with 4 main components:
1. Tor client for Windows
2. Zeus bot
3. CGMiner
4. OpenCL.dll
Propagation and Capabilities
Spreading: via Usenet downloads
Capabilities:
1. Tor communication
2. Credential grabbing
3. DDoS
4. IRC
5. Bitcoin mining
Geographical distribution
Botnet size: > 12,000 zombies
Skynet binary analysis
Demo
Command and control panels
Zeus, king of botnets
Onion Domains
6ceyqong6nxy7hwp.onion
owbm3sjqdnndmydf.onion
4njzp3wzi6leo772.onion
qdzjxwujdtxrjkrz.onion
x3wyzqg6cfbqrwht.onion
niazgxzlrbpevgvq.onion
ua4ttfm47jt32igm.onion
6tkpktox73usm5vq.onion
4bx2tfgsctov65ch.onion
gpt2u5hhaqvmnwhr.onion
7wuwk3aybq5z73m7.onion
742yhnr32ntzhx3f.onion
f2ylgv2jochpzm4c.onion
6m7m4bsdbzsflego.onion
xvauhzlpkirnzghg.onion
h266x4kmvmpdfalv.onion
jr6t4gi4k2vpry5c.onion
ceif2rmdoput3wjh.onion
uzvyltfdj37rhqfy.onion
uy5t7cus7dptkchs.onion
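The twenty hidden-service addresses above are the most directly usable indicators on these slides. What follows is an added example, not code from the slides or from Rapid7's analysis: it matches the listed names against lines from logs or sandbox artifacts and, as a weaker second signal, flags any .onion name that turns up outside Tor. The line format and the sample lines are constructed for the example.

```python
"""Flag Skynet hidden-service C2 indicators in log / artifact lines.

Added example, not part of the original slides. The line format below
(timestamp, client, query or URL) is a constructed, simplified one;
adapt the parsing to your own resolver, proxy or sandbox output.
"""
import re

# The twenty .onion addresses from the slide (v2 hidden-service names,
# 16 base32 characters each), used here as indicators of compromise.
SKYNET_ONIONS = {
    "6ceyqong6nxy7hwp.onion", "owbm3sjqdnndmydf.onion", "4njzp3wzi6leo772.onion",
    "qdzjxwujdtxrjkrz.onion", "x3wyzqg6cfbqrwht.onion", "niazgxzlrbpevgvq.onion",
    "ua4ttfm47jt32igm.onion", "6tkpktox73usm5vq.onion", "4bx2tfgsctov65ch.onion",
    "gpt2u5hhaqvmnwhr.onion", "7wuwk3aybq5z73m7.onion", "742yhnr32ntzhx3f.onion",
    "f2ylgv2jochpzm4c.onion", "6m7m4bsdbzsflego.onion", "xvauhzlpkirnzghg.onion",
    "h266x4kmvmpdfalv.onion", "jr6t4gi4k2vpry5c.onion", "ceif2rmdoput3wjh.onion",
    "uzvyltfdj37rhqfy.onion", "uy5t7cus7dptkchs.onion",
}

# Any v2 (16 chars) or v3 (56 chars) .onion name. The .onion zone is a
# special-use TLD (RFC 7686) that only resolves inside Tor, so a clearnet
# resolver or proxy that sees one is being driven by something that is
# not routing through Tor.
ONION_RE = re.compile(r"\b([a-z2-7]{16}|[a-z2-7]{56})\.onion\b", re.IGNORECASE)


def classify(line):
    """Return (severity, onion_name) for one line, or None if clean."""
    m = ONION_RE.search(line)
    if not m:
        return None
    name = m.group(0).lower()
    if name in SKYNET_ONIONS:
        return ("known-skynet-c2", name)
    return ("onion-on-clearnet", name)


def scan(lines):
    """Return [(line, severity, onion_name)] for every line that hits."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict:
            hits.append((line, *verdict))
    return hits


# Constructed sample lines (not real traffic): one clean query, two
# hits on listed C2 names, one unlisted .onion, one false-positive probe.
SAMPLE_LOG = [
    "2012-12-06T10:01:12Z 10.0.0.15 query A www.example.com",
    "2012-12-06T10:01:13Z 10.0.0.15 query A 6ceyqong6nxy7hwp.onion",
    "2012-12-06T10:02:40Z 10.0.0.22 GET http://uy5t7cus7dptkchs.onion/panel/",
    "2012-12-06T10:03:05Z 10.0.0.31 query A abcdefghijklmnop.onion",
    "2012-12-06T10:03:50Z 10.0.0.31 query A onion.example.net",
]

if __name__ == "__main__":
    for line, severity, name in scan(SAMPLE_LOG):
        print(f"{severity:20} {name:28} {line}")
```

Skynet ships its own Tor client, so a correctly working bot will not leak these names into DNS; the listed addresses are more likely to appear in strings dumped from the sample, in sandbox network reports, or in the panel URLs an analyst visits. The generic .onion rule is the broader signal: it catches any process on the host that handles a Tor address without going through Tor.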
Demo on Zeus panel via Tor
IRC
IRC Commands

| Feature | Commands |
| --- | --- |
| Get information on the compromised computer | !info, !version, !hardware, !idle |
| Download and execute files | !download |
| Download a binary to memory and inject it into other processes | !download.mem |
| Visit a webpage | !visit, !visit.post |
| SYN and UDP flooding | !syn, !syn.stop, !udp, !udp.stop |
| Slowloris flooding | !slowloris, !slowloris.stop |
| HTTP flooding | !http.bwrape, !http.bwrape.stop |
| Open a SOCKS proxy | !socks |
| Retrieve the .onion address of the hidden service opened on the compromised computer | !ip |
Bitcoin Mining
Bitcoin Mining #2
The botnet only mines if the computer has been unused for 2 minutes,
and it stops mining immediately when the owner returns.
Skynet installs WH_MOUSE and WH_KEYBOARD hook procedures that monitor
the system for keystrokes or mouse movements.
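The idle gating described above is worth modelling, because it is what keeps the miner invisible to a user who is at the keyboard. The block below is an added example, not Skynet's code and not a reverse-engineered reproduction of it: the Windows hook is stood in for by a plain callback that takes the hook-type id, time is passed in explicitly so the schedule can be replayed offline, and the event timeline is constructed. The two-minute threshold is the slide's; the hook-type constants are the real SetWindowsHookEx values.

```python
"""Model of idle-gated mining: start after 2 min without input, stop at once on input.

Added example (not Skynet's own code). The WH_KEYBOARD / WH_MOUSE hook
procedures are modelled as one callback, hook_proc(); the miner itself is
reduced to a boolean and a transition log.
"""

IDLE_THRESHOLD_S = 120           # "unused for 2 minutes", from the slide
WH_KEYBOARD, WH_MOUSE = 2, 7     # real SetWindowsHookEx hook-type ids


class IdleGatedMiner:
    def __init__(self, threshold=IDLE_THRESHOLD_S, start_time=0.0):
        self.threshold = threshold
        self.last_input = start_time   # time of the most recent key/mouse event
        self.mining = False
        self.transitions = []          # (time, "start" | "stop")

    def hook_proc(self, hook_type, now):
        """Stand-in for the hook procedure that Windows would invoke on
        every keystroke (WH_KEYBOARD) or mouse message (WH_MOUSE)."""
        if hook_type not in (WH_KEYBOARD, WH_MOUSE):
            raise ValueError("unexpected hook type %r" % hook_type)
        self.last_input = now
        if self.mining:                # the owner is back: stop immediately
            self.mining = False
            self.transitions.append((now, "stop"))

    def tick(self, now):
        """Periodic scheduler check (a timer callback in a real implementation).
        Returns whether the miner should be running after this check."""
        if not self.mining and now - self.last_input >= self.threshold:
            self.mining = True
            self.transitions.append((now, "start"))
        return self.mining


def replay(events):
    """Drive a fresh IdleGatedMiner through (time, kind) events, where kind is
    'key', 'mouse' or 'tick', and return the start/stop transitions."""
    miner = IdleGatedMiner()
    for t, kind in events:
        if kind == "key":
            miner.hook_proc(WH_KEYBOARD, t)
        elif kind == "mouse":
            miner.hook_proc(WH_MOUSE, t)
        elif kind == "tick":
            miner.tick(t)
        else:
            raise ValueError("unknown event kind %r" % kind)
    return miner.transitions


# Constructed timeline (seconds): the user types at t=0, walks away, the
# miner starts at t=120, a mouse move at t=250 stops it, and it restarts
# once another two idle minutes have passed.
SAMPLE_EVENTS = [
    (0, "key"), (60, "tick"), (119, "tick"), (120, "tick"), (200, "tick"),
    (250, "mouse"), (300, "tick"), (370, "tick"),
]

if __name__ == "__main__":
    for t, what in replay(SAMPLE_EVENTS):
        print(f"t={t:4d}s  miner {what}")
```

Two practitioner notes follow from the model. First, any CPU-usage-based detection has to sample while the desktop is idle; with a user actively working the miner is quiet. Second, do not key a detection on the hooks alone: global WH_KEYBOARD and WH_MOUSE hooks require a DLL that Windows maps into every GUI process, which is itself a visible artefact, but the same idle check can be done without hooks at all through GetLastInputInfo.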
Future
Another Tor based botnet is "Atrax". In the future we can expect to see
more botnets adopt Tor as a communication channel.
Credits
Rapid7
Any Questions
Thank You Guys