Network security researchers from Rapid7 have found what may be one of the first botnets whose infected computers reach their command-and-control servers through Tor, the technology that provides anonymous access to the Internet.
The discoverers of the botnet, named Skynet after the artificial intelligence in the Terminator films, warn that as soon as this practice spreads to other botnets, detecting and neutralizing their control servers will become much more difficult.
Tor was created by U.S. military specialists in the hope that, with its help, persecuted activists in countries with totalitarian regimes could freely communicate with like-minded people and associates in subversive activity against the state. Tor's multi-layered anonymizing network almost eliminates the possibility of messages being intercepted. Moreover, from inside a filtered Internet, the network of Tor relays lets users reach otherwise restricted resources by way of Tor exit nodes in countries with a less strict access regime. As time went on, it became clear that Tor had opened a Pandora's box, not only for human rights defenders but also for real criminals.
The Skynet botnet the researchers detected is, in their words, a true multi-purpose tool. In particular, Skynet supports Distributed Denial of Service (DDoS) attacks, mining of the virtual currency Bitcoin using the GPU of infected machines, execution of arbitrary code by the operator, and theft of the victims' credentials for web sites and bank accounts. Skynet's main distinguishing feature is that its control servers can be reached only through the Tor network, using the Tor Hidden Service protocol.
Traditionally, the Tor Hidden Service protocol is used for anonymous access to ordinary web sites, IRC chat servers and some other services, including remote administration over SSH (Secure Shell). The address of such a service looks like a random string of characters with the suffix .onion as a pseudo top-level domain. According to Rapid7 representatives, there is currently no way to track down and neutralize botnet control servers hidden behind the Tor Hidden Service protocol.
According to Rapid7, the Skynet botnet now comprises about 12-15 thousand infected computers. In the seven months since the first signs of the botnet were detected, the number of infected machines has grown by almost 50%. The botnet client installed on the victim machine consists of a dedicated bot controlled over IRC chat (able to run several types of DDoS attack and other actions), its own Tor client for Windows, a module for 'mining' Bitcoin (through heavy computation on the GPU), and a custom build of the well-known Zeus Trojan, which injects itself into the browser and steals credentials for web sites and bank accounts. Although the Tor network has several drawbacks, including high latency and low bandwidth, it is sufficient for sending commands to the botnet nodes, for instance to launch a DDoS attack.
Another interesting fact: every computer infected with Skynet itself becomes a Tor relay, making the Tor network larger and more resilient under load, and with it the botnet working through it becomes more stable.
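Two network-side signals follow from the description above: a bot that resolves a hidden-service name through the ordinary DNS resolver instead of through Tor leaks a .onion name into DNS logs, and an infected host that has become a Tor relay starts accepting inbound connections on the Tor ORPort from many outside peers. The script below is an added illustration, not code from the article or from Rapid7; the log lines are constructed, and it accepts both the 16-character .onion format of the time and the later 56-character format.

```python
import re
from collections import defaultdict

# Constructed sample DNS query log: timestamp, client host, type, name.
DNS_LOG = """\
2012-12-07T10:01:02 10.0.0.15 query A www.example.com
2012-12-07T10:01:09 10.0.0.15 query A abcdefghijklmnop.onion
2012-12-07T10:02:11 10.0.0.22 query A updates.example.net
2012-12-07T10:03:40 10.0.0.31 query A notanonionname.onion
"""

# Constructed sample flow records: src, dst, dst_port, direction.
FLOW_LOG = """\
203.0.113.9 10.0.0.15 9001 inbound
10.0.0.22 198.51.100.4 443 outbound
192.0.2.77 10.0.0.15 9001 inbound
"""

# Onion names are base32 (a-z, 2-7): 16 chars for the old v2 format, 56 for v3.
ONION_RE = re.compile(r"^([a-z2-7]{16}|[a-z2-7]{56})\.onion$")
TOR_OR_PORT = 9001  # Tor's default ORPort, the port a relay listens on

def is_onion_name(name: str) -> bool:
    return bool(ONION_RE.match(name.lower()))

def onion_lookups(log: str) -> dict:
    """Map each internal host to the .onion names it sent to plain DNS.
    A correctly Tor-routed client never asks the DNS resolver for a .onion
    name, so such queries point at malware or a misconfigured Tor client."""
    hits = defaultdict(set)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) >= 5 and is_onion_name(parts[4]):
            hits[parts[1]].add(parts[4].lower())
    return dict(hits)

def relay_candidates(log: str, min_peers: int = 2) -> dict:
    """Internal hosts accepting inbound ORPort connections from at least
    min_peers distinct external peers: evidence the host joined Tor as a relay."""
    peers = defaultdict(set)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, port, direction = parts
        if direction == "inbound" and int(port) == TOR_OR_PORT:
            peers[dst].add(src)
    return {h: sorted(p) for h, p in peers.items() if len(p) >= min_peers}

if __name__ == "__main__":
    print(onion_lookups(DNS_LOG))
    print(relay_candidates(FLOW_LOG))
```

Neither signal is proof on its own; a volunteer-run relay or a legitimately installed Tor client produces the same traces, so the hits are leads for host triage rather than verdicts.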
According to experts from the antivirus companies Bitdefender and Kaspersky Lab, botnets controlled over Tor are not invincible. Means to counter such threats exist at the level of Internet service providers, in the form of blocking traffic from all known Tor exit nodes. On the other hand, that could eventually destroy the very idea behind Tor, in which exit nodes are, in theory, supposed to be run by volunteers in 'free countries' to provide anonymity to their less fortunate peers seeking protection from persecution.