Jul 16, 2015
Disclaimer
The content I show here is for educational purposes only. I am not responsible for your
actions. The views/ideas/knowledge expressed here are solely my own and have nothing to do
with the company or the organization in which I am currently working.
Skynet Overview
Size: ~15 MB
Skynet is bundled from 4 main components:
1. Tor client for Windows
2. Zeus bot
3. CGMiner
4. opencl.dll (OpenCL runtime used by CGMiner for GPU mining)
Propagation and Capabilities
Spreading: via Usenet downloads
Capabilities:
1. Tor communication (C2 reached over Tor hidden services)
2. Credential grabbing (Zeus)
3. DDoS
4. IRC (command channel)
5. Bitcoin mining (CGMiner)
Geographical distribution
Botnet size: > 12,000 zombies
Skynet binary analysis
Demo
Command and control panels
Zeus: king of botnets
Onion domains
6ceyqong6nxy7hwp.onion
owbm3sjqdnndmydf.onion
4njzp3wzi6leo772.onion
qdzjxwujdtxrjkrz.onion
x3wyzqg6cfbqrwht.onion
niazgxzlrbpevgvq.onion
ua4ttfm47jt32igm.onion
6tkpktox73usm5vq.onion
4bx2tfgsctov65ch.onion
gpt2u5hhaqvmnwhr.onion
7wuwk3aybq5z73m7.onion
742yhnr32ntzhx3f.onion
f2ylgv2jochpzm4c.onion
6m7m4bsdbzsflego.onion
xvauhzlpkirnzghg.onion
h266x4kmvmpdfalv.onion
jr6t4gi4k2vpry5c.onion
ceif2rmdoput3wjh.onion
uzvyltfdj37rhqfy.onion
uy5t7cus7dptkchs.onion
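The addresses above are the most directly usable indicators on this page. The following scanner is an added example (not code from the slides or from Rapid7): it pulls every version-2 hidden-service name (16 base32 characters, the format Skynet used) out of a text artifact such as a strings dump of the binary, the bundled Tor client's log, or a proxy log, and reports whether each one is in the Skynet list or is an unknown .onion that still deserves triage. The sample artifact lines at the bottom are constructed for the example; the path and the unrelated abcdefghijklmnop.onion name are not real indicators.

```python
"""Scan text artifacts for Skynet hidden-service addresses (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# IOC list copied from the slides: the Skynet C2 hidden services.
SKYNET_ONIONS = frozenset({
    "6ceyqong6nxy7hwp.onion", "owbm3sjqdnndmydf.onion", "4njzp3wzi6leo772.onion",
    "qdzjxwujdtxrjkrz.onion", "x3wyzqg6cfbqrwht.onion", "niazgxzlrbpevgvq.onion",
    "ua4ttfm47jt32igm.onion", "6tkpktox73usm5vq.onion", "4bx2tfgsctov65ch.onion",
    "gpt2u5hhaqvmnwhr.onion", "7wuwk3aybq5z73m7.onion", "742yhnr32ntzhx3f.onion",
    "f2ylgv2jochpzm4c.onion", "6m7m4bsdbzsflego.onion", "xvauhzlpkirnzghg.onion",
    "h266x4kmvmpdfalv.onion", "jr6t4gi4k2vpry5c.onion", "ceif2rmdoput3wjh.onion",
    "uzvyltfdj37rhqfy.onion", "uy5t7cus7dptkchs.onion",
})

# Version-2 hidden-service names are exactly 16 base32 characters (a-z, 2-7)
# followed by ".onion". Word boundaries stop a longer token from matching on
# its last 16 characters; IGNORECASE covers upper-cased strings dumps.
ONION_V2_RE = re.compile(r"\b([a-z2-7]{16})\.onion\b", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    line_no: int        # 1-based line in the artifact
    onion: str          # normalised (lower-case) address
    known_skynet: bool  # True if listed on the slides, else an unknown .onion


def extract_onions(text: str) -> List[str]:
    """Return each distinct v2 .onion name in text, lower-cased, in order seen."""
    seen, found = set(), []
    for m in ONION_V2_RE.finditer(text):
        name = m.group(0).lower()
        if name not in seen:
            seen.add(name)
            found.append(name)
    return found


def scan_lines(lines: Iterable[str]) -> List[Hit]:
    """Scan an artifact line by line; every .onion found becomes a Hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name in extract_onions(line):
            hits.append(Hit(n, name, name in SKYNET_ONIONS))
    return hits


def summarise(hits: Iterable[Hit]) -> Dict[str, List[str]]:
    """Split hits into known Skynet addresses and unknown .onion names."""
    known = sorted({h.onion for h in hits if h.known_skynet})
    unknown = sorted({h.onion for h in hits if not h.known_skynet})
    return {"known": known, "unknown": unknown}


# Constructed sample artifact (not real data): lines of the kind a Tor client
# log or a strings dump might contain on an infected host.
SAMPLE_ARTIFACT = [
    "Bootstrapped 100%: Done.",
    "HiddenServiceDir C:\\Users\\victim\\AppData\\Roaming\\tor\\hs",
    "connect 6ceyqong6nxy7hwp.onion:80",
    "connect OWBM3SJQDNNDMYDF.ONION:80 via SOCKS 127.0.0.1:9050",
    "fetch abcdefghijklmnop.onion (unrelated, unknown service)",
    "not-an-onion example.com",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_ARTIFACT):
        tag = "SKYNET" if hit.known_skynet else "unknown"
        print(f"line {hit.line_no}: {hit.onion} [{tag}]")
    print(summarise(scan_lines(SAMPLE_ARTIFACT)))
```

Because the bot carries its own Tor client, these names will not appear in the host's DNS logs; look for them in memory, in the binary's strings, in the Tor data directory, or in any proxy the Tor client was pointed through. An unknown .onion in those places is still worth a look even when it is not on this list.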
Demo on Zeus panel via Tor
IRC
IRC commands
Feature: Commands
Get information on the compromised computer: !info, !version, !hardware, !idle
Download and execute files: !download
Download a binary to memory and inject it into other processes: !download.mem
Visit a webpage: !visit, !visit.post
SYN and UDP flooding: !syn, !syn.stop, !udp, !udp.stop
Slowloris flooding: !slowloris, !slowloris.stop
HTTP flooding: !http.bwrape, !http.bwrape.stop
Open a SOCKS proxy: !socks
Retrieve the .onion address of the Hidden Service opened on the compromised computer: !ip
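The command set above is a usable network signature: the bot takes its orders as IRC PRIVMSG text whose first token is one of these "!" commands. The detector below is an added example (not the bot's code, nor Rapid7's): it parses raw IRC lines, picks out PRIVMSGs that begin with a "!" command, and labels each one with the feature from the table or flags it as an unknown bot-style command. The argument syntax of the commands is not documented on the slides, so the arguments are passed through untouched; the sample IRC lines, the nick "master" and the channel "#ctrl" are constructed for the example.

```python
"""Flag Skynet IRC bot commands in captured IRC traffic (added example)."""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Command -> feature, taken from the table on the slides.
FEATURE_OF = {
    "!info": "host information", "!version": "host information",
    "!hardware": "host information", "!idle": "host information",
    "!download": "download and execute",
    "!download.mem": "download to memory and inject",
    "!visit": "visit webpage", "!visit.post": "visit webpage",
    "!syn": "SYN flood", "!syn.stop": "SYN flood",
    "!udp": "UDP flood", "!udp.stop": "UDP flood",
    "!slowloris": "Slowloris flood", "!slowloris.stop": "Slowloris flood",
    "!http.bwrape": "HTTP flood", "!http.bwrape.stop": "HTTP flood",
    "!socks": "open SOCKS proxy",
    "!ip": "report hidden service address",
}
SKYNET_IRC_COMMANDS = frozenset(FEATURE_OF)


@dataclass
class IrcMessage:
    prefix: Optional[str]          # "nick!user@host" or server name, if present
    command: str                   # e.g. "PRIVMSG", "NOTICE", "001"
    params: List[str] = field(default_factory=list)
    trailing: Optional[str] = None  # text after " :", the message body


def parse_irc_line(raw: str) -> Optional[IrcMessage]:
    """Split one raw IRC line into prefix, command, params and trailing text."""
    line = raw.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        return None
    return IrcMessage(prefix, parts[0].upper(), parts[1:], trailing)


@dataclass(frozen=True)
class CommandHit:
    line_no: int
    sender: str        # nick part of the prefix
    target: str        # channel or nick the PRIVMSG was sent to
    command: str       # lower-cased "!" command
    args: List[str]    # remaining tokens, passed through as-is
    known: bool        # True if the command is in the Skynet table
    feature: str       # feature label from the table, or "unknown"


def detect_bot_commands(lines: Iterable[str]) -> List[CommandHit]:
    """Return every PRIVMSG whose body starts with a '!' command."""
    hits = []
    for n, raw in enumerate(lines, 1):
        msg = parse_irc_line(raw)
        if msg is None or msg.command != "PRIVMSG" or msg.trailing is None:
            continue
        tokens = msg.trailing.split()
        if not tokens or not tokens[0].startswith("!"):
            continue  # not a bot command (could still be mentioned mid-sentence)
        cmd = tokens[0].lower()
        sender = msg.prefix.split("!", 1)[0] if msg.prefix else ""
        target = msg.params[0] if msg.params else ""
        hits.append(CommandHit(n, sender, target, cmd, tokens[1:],
                               cmd in SKYNET_IRC_COMMANDS,
                               FEATURE_OF.get(cmd, "unknown")))
    return hits


# Constructed sample capture (not real traffic). The URL argument to !visit
# is an assumption for illustration; the slides do not document the syntax.
SAMPLE_IRC = [
    ":irc.example.net 001 bot42 :Welcome to the network",
    "PING :irc.example.net",
    ":master!op@example.net PRIVMSG #ctrl :!info",
    ":master!op@example.net PRIVMSG #ctrl :!syn.stop",
    ":master!op@example.net PRIVMSG #ctrl :please run !udp now",
    ":master!op@example.net PRIVMSG #ctrl :!help",
    ":master!op@example.net NOTICE #ctrl :!ip",
    ":master!op@example.net PRIVMSG #ctrl :!Visit http://example.com/",
]

if __name__ == "__main__":
    for h in detect_bot_commands(SAMPLE_IRC):
        print(f"line {h.line_no}: {h.sender} -> {h.target} {h.command} "
              f"{h.args} [{h.feature}]")
```

In a real deployment the same logic would run over decrypted or plaintext IRC sessions (Skynet's IRC channel was reached through Tor, so it is only visible on the host or at the Tor exit, not on the victim's network perimeter); the point of the feature label is to prioritise flood and injection commands over the information queries.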
Bitcoin Mining
The bot only mines when the computer has been idle for 2 minutes, and stops
mining immediately when the user comes back. To detect activity, Skynet
installs WH_MOUSE and WH_KEYBOARD hook procedures (via SetWindowsHookEx)
that monitor the system for keystrokes and mouse movement.
Bitcoin Mining #2
Future
Another Tor-based botnet is "Atrax". In the future we can expect to see
more botnets adopt Tor as a communication channel.
Credits
Rapid7
Any questions?
Thank you guys