Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Botnet IT

Tor Network Used To Command Skynet Botnet 105

Posted by samzenpus
from the bad-stuff dept.
angry tapir writes "Security researchers have identified a botnet controlled by its creators over the Tor anonymity network. It's likely that other botnet operators will adopt this approach, according to the team from vulnerability assessment and penetration testing firm Rapid7. The botnet is called Skynet and can be used to launch DDoS (distributed denial-of-service) attacks, generate Bitcoins — a type of virtual currency — using the processing power of graphics cards installed in infected computers, download and execute arbitrary files or steal login credentials for websites, including online banking ones. However, what really makes this botnet stand out is that its command and control (C&C) servers are only accessible from within the Tor anonymity network using the Tor Hidden Service protocol."
This discussion has been archived. No new comments can be posted.

Tor Network Used To Command Skynet Botnet

Comments Filter:
  • by mlw4428 (1029576) on Sunday December 09, 2012 @07:38PM (#42237791)
    That's the cost of sane privacy controls -- sometimes it can be used for bad purposes. Society should be looking inwards at the cause of this. Spying on people, tracking their every movement, and abusing the legal systems of countries created a need (and a demand) for a type of security system that would protect you to the n-th degree. Now we've got a solution and it will be abused. What needs to happen is companies that make software need to invest into security and response. We're never going to stop the threat, but we can minimize the damage and downtime.
    • Re: (Score:2, Insightful)

      by flyneye (84093)

      Or, is it some bullshit plot and propaganda cooked up by our asshat federal government to justify screwing the crap out of the creaTORs.
      In this age of federal lies and manipulation by Repubmocrat swine , does not the wisdom " don't believe what you read in the media" take on that third dimension in bold print and multi colored neon?
      In a perfect world the paperboy would only bring the funnies.

      • by dririan (1131339) on Sunday December 09, 2012 @08:33PM (#42238165)
        The person you replied to with your tin foil hat spiel actually made a pretty decent point. Even if this is somehow some "bullshit plot and propaganda" (why would they wait until now to do this, by the way?), people creating tools to give themselves privacy because they don't have it otherwise because of "[s]pying on people, tracking their every movement, and abusing the legal systems of countries created a need (and a demand) for a type of security system that would protect you to the n-th degree" (quoting OP, not you) has inadvertently given criminals the same amount of privacy to do nasty things (such as hosting C&C for a botnet), and also that this would have been avoided by giving people privacy and treating them like humans. If this actually is some "bullshit plot and propaganda", there is absolutely nothing stopping it from becoming real.

        Hell, I'm absolutely positive that this isn't [slashdot.org] the [slashdot.org] first [slashdot.org] time [slashdot.org] a criminal has ever used Tor to cover up crimes. So unless you actually think Silk Road was created by the government, pretty sure OP is right, and this is a problem that they brought upon themselves by removing people's privacy in the first place.
        • by flyneye (84093)

          Well, the television interview with the creator of Tor, in which he complained bitterly of the harassment he is receiving from homeland security, the FBI and God knows what other 3 letter offices, was pretty much a big clue, Scooby Doo.

          • by dririan (1131339)
            What does that have to do with criminals using Tor? The federal government speaking to the creator of Tor doesn't mean that no crimes are ever committed using it.
            • by flyneye (84093)

              "Security researchers have identified a botnet controlled by its creators over the Tor anonymity network.
              Forensic evidence found in the first sentence of the /. story names the creators as the criminals in question.
              Media interviews and reports of harassment of the creator prior to this development lend the suspicion that they have an erection for them to begin with in spite of this evolving from a Naval project.
              I do recommend that you sharply increase your caffeine intake before operating any powered equipm

              • by dririan (1131339)

                Security researchers have identified a botnet controlled by its creators over the Tor anonymity network.

                The creators of the botnet control it over the Tor network. They aren't saying that the creators of Tor created the botnet (they didn't mention the creators of Tor at all, just the creators of the botnet), they are only saying that the people that did make the botnet use Tor for C&C. May I suggest investing in additional caffeine today? :)

              • Dude, go back to Grade 2 and actually pay attention in the reading comprehension classes. I know it is difficult to understand how the doing words join up with the naming words, but you'll get it after the first two or three years.

                The verb "to control" is being used to bind the noun botnet to the possesive noun its creators. This invokes a fairly fundamental rule of English and clearly states that the creators in question are those of the botnet.

                The second subsection of the sentance contains a p

                • by flyneye (84093)

                  There are an inordinate amount of pronouns and sentences starving for commas, which would FIX poor journalism.
                  Either way, I still expect my scenario to play out.

      • by Arancaytar (966377) <arancaytar.ilyaran@gmail.com> on Sunday December 09, 2012 @11:15PM (#42239109) Homepage

        The asshat federal US government sponsored the creation of Tor [wikipedia.org]. Governments who want to crack down on the use of Tor are already doing so openly without resorting to the cloak and dagger tactics you seek to imagine.

        But carry on. The disconnected phrasing of your post hints that observable reality does not significantly influence your thinking.

        • The disconnected phrasing of your post hints that observable reality does not significantly influence your thinking.

          Of course not. Everyone knows, after all, that conspiracies are hidden, and thus not observable. The observable reality therefore lies to you in order to hide the conspiracy. ;-)

        • by flyneye (84093)

          Yes and lately they've been detaining him and harassing him, making travel difficult, etc. It's been on T.V., Radio and /.
          Realistically, I've observed phrasing of your post hints that some influence has disconnected your thinker.

        • by flyneye (84093)

          carrion...

  • by Anonymous Coward

    A perfect opportunity to continue their campaign on the evils of anonymity and tools that enable it.

    • by Anonymous Coward

      A perfect opportunity to continue their campaign on the evils of anonymity and tools that enable it.

      TOR is the creation of a US Navy project. And you got +2 Insightful for posting that drivel? Get your heads out of your asses, mods.

  • FUD (Score:5, Insightful)

    by cultiv8 (1660093) on Sunday December 09, 2012 @07:52PM (#42237875) Homepage
    Why is this such a surprise? If anyone wants to hide a server/service behind the cloak of anonymity, then yes, a tor hidden service is the way to do it. People do it for good reasons (eg. journalists under threat of death for publishing accounts of gov't actions) and nefarious reasons (silk road comes to mind). Hell, even Yelp blocks access from tor nodes [google.com] b/c (they say) a large majority of bot traffic comes from the tor network. Is this really the first time a botnet has used tor, or is this the first time a botnet has been caught?

    Next thing you know, they'll say the bad guys and terrorists use VPN to access the internet.
    • I think it was only brought up because of Tor's recent mentions in news...meh

      They probably will say they use VPN, how horrid!

    • Watch your terms there.

      nefarious: extremely wicked or villainous; iniquitous

      silk road: illegal marketplace

      What is illegal isn't necessarily nefarious. Leaping down to lift a child out off of a subway track knowing that you'll get killed is actually illegal because it's suicide.

      Legality is not morality.

      Otherwise, good post. Please carry on.

    • Even less of a surprise if you have seen this [youtube.com] from 2010.

  • by mysidia (191772) on Sunday December 09, 2012 @07:53PM (#42237879)

    DoS attack against the ToR hidden service; from inside the ToR network.

    • by Meneth (872868)

      DoS attack against the ToR hidden service; from inside the ToR network.

      Cute idea, but it won't work. TOR hides things really well, and even if you managed to find one server, the admins could easily start another instance of its software on another machine.

      • by Agent ME (1411269)

        and even if you managed to find one server,

        That's why he said from inside the TOR network.

        • Tor's bandwidth and latency are sufficiently abysmal that it acts as a throttle. Overwhelming a number of servers via the Tor network would probably be not much easier than overwhelming the entire Tor network.

          • by mysidia (191772)

            Tor's bandwidth and latency are sufficiently abysmal that it acts as a throttle.

            What happens when you have 10,000,000 government operated Tor nodes designed for the sole purpose of DoS'ing one hidden service?

            The limited bandwidth and latency of ToR services should help, not hurt a DoS attack against the service itself....

            • If you have that many tor routers, chances are you have access to enough information to perform packet timing based searches for the machine hosting the hidden service, which, in my opinion is a much less destructive and less wasteful use of one's resources. I also suspect you would only need a much more reasonable number (maybe 10k-100k) of servers.
  • There's a lot of good that Tor provides for keeping channels of free speech open in oppressive countries. But this seems to be setting a trend of mis-use... and how long will it be before Tor's primary traffic is Cracker?
  • Yeah, and? (Score:5, Interesting)

    by girlintraining (1395911) on Sunday December 09, 2012 @07:55PM (#42237907)

    This is just the bot net people being lazy and taking the easy approach. It's already been shown you can design decentralized networks that require no "bootstrap" information like DNS in order to find other nodes and communicate. But it is beyond the abilities of these low-level social miscreants to create, so they're piggybacking on a network that they think can hide their malicious activity. Tor only anonymizes the source of the data; Anything between the exit node and destination is sent in the clear and likely they've made some mistake that'll allow it to be blockable.

    Of course, this is exactly what the oppressive governments of the world (and those who oppress by claiming they're "liberating" others), have been looking for to shut down the Tor network. You can expect more attempts at legislating it away to come soon. Fundamentally though it doesn't solve the problem, which is that the criminal underworld has figured out how to do what industrialists figured out 50 years ago: If you take just a little from a lot of people, you can get very rich, and those people won't fight back because the cost of retaliation is higher than the loss. As a result, people everywhere are being nickel and dimed to death.

    Botnets are simply the illegal mirror counterpart to the legal crime of draining pensions and unethical banking to turn a profit: Harm many only a little, and you too can be rich.

    • by brit74 (831798)

      Of course, this is exactly what the oppressive governments of the world (and those who oppress by claiming they're "liberating" others), have been looking for to shut down the Tor network.

      If, by "oppressive governments", you mean places like Saudi Arabia, Iran, or China, I don't think they're looking for excuses to shutdown Tor. They've always seen it as the enemy, and just make it illegal by fiat. They have zero need for excuses to shutdown Tor.

      • Re:Yeah, and? (Score:5, Insightful)

        by girlintraining (1395911) on Sunday December 09, 2012 @08:29PM (#42238129)

        If, by "oppressive governments", you mean places like Saudi Arabia, Iran, or China, I don't think they're looking for excuses to shutdown Tor. They've always seen it as the enemy, and just make it illegal by fiat. They have zero need for excuses to shutdown Tor.

        I was also including a certain world superpower with a penchant taking away the rights of their citizens because the terrorists want to take away their rights. This superpower's main diplomat in the middle east is a predator drone that rains hellstone and fire randomly on people who are terrorists only slightly more often than they're innocent civilians. This superpower also has a global and far-reaching spy network to track almost all wireless communications in realtime, worldwide, and has stated it's slowly building in an "internet kill switch" that could disable the entire internet, worldwide, mostly for shits and giggles.

        But yeah, Iran, China, etc., they're kinda bad too...

        • by murdocj (543661)

          I think you missed a couple of anti-American slams, try again.

          • So you're asking for more while not even able to address what you've already been served with? Nuh-uh.

            It may come as a shock to you, but 'I don't like what you said, yet have no refutation other than pouting and implying "anti-american-ness"' is not a valid fucking argument.

          • by ultranova (717540)

            I think you missed a couple of anti-American slams, try again.

            She(?) missed the biggest: neoconservatism. USA insists on spreading an ideology that results in stagnating wages, constant economic crises, and preying on the common people by the scum on top. It's rather unreasonable to harm people and expect them to not hate you for it.

      • On the other hand, other increasingly oppressive governments like US, UK, and European countries at large are well served by these excuses.
    • by c0lo (1497653)

      It's already been shown you can design decentralized networks that require no "bootstrap" information like DNS in order to find other nodes and communicate.

      [Citation needed].
      No, I'm not being sarcastic and don't intend to cast a malicious doubt over the statement:
      I'm just signaling my (potential) gratitude for some relevant links (would they be made available).
      Thanks in advance.

    • Re:Yeah, and? (Score:4, Informative)

      by PhrostyMcByte (589271) <phrosty@gmail.com> on Sunday December 09, 2012 @08:56PM (#42238333) Homepage

      Tor only anonymizes the source of the data; Anything between the exit node and destination is sent in the clear and likely they've made some mistake that'll allow it to be blockable.

      One feature of Tor is "hidden services", where the traffic is encrypted end-to-end and even the service itself is anonymous, identified only through a .onion address. I'd guess this is what they're using.

      Some Tor nodes filter certain exits -- ie. to not allow porn through their node. if this works for hidden services I imagine this botnet could be blacklisted fairly easily if enough of the node operators got in on the act.

      • by Agent ME (1411269)

        Nodes can't filter access of .onion addresses because none of the Tor nodes (besides the one hosting the hidden service if you're counting it) know who the connection is for or from.

        • by Clarious (1177725)

          Although I haven't read tor document in depth, I think blocking certain tor hidden services is doable. A tor node with hidden service will 'advertise' it services on randomly chosen nodes (introductions point), those who want to connect to the hidden service choose one random node (rendezvous point), ask those introductions point to relay the message to the hidden service node, which will initiate the connection by connecting to the chosen rendezvous point (extra step of redirection, I know). So if a node o

    • "Anything between the exit node and destination is sent in the clear and likely they've made some mistake that'll allow it to be blockable."

      If you'll Read The Fine Article, you'll notice that this particular botnet is using Tor hidden services to obscure the location of the command server; they're not routing botnet traffic through Tor to a command server on the clearnet; that would be silly, as you just pointed out.
    • Tor hidden services do not use exit nodes. There should be no traffic outside of the tor network.

    • by Kjella (173770)

      Tor only anonymizes the source of the data; Anything between the exit node and destination is sent in the clear and likely they've made some mistake that'll allow it to be blockable.

      They control both ends of the communication, they could easily use for example HTTPS as their transport protocol. If they didn't that's rather naive and will probably be fixed in the next release.

  • can it launch missiles?

    and if it does you better hope the guys don't trun there keys

  • by Requiem18th (742389) on Sunday December 09, 2012 @08:02PM (#42237955)

    Citizen encryption has so tremendous potential that we can't allow goverments and criminals to be the only ones using it. We really need to start pushing encryption into the masses.

    • by c0lo (1497653)

      We really need to start pushing encryption into the masses.

      Push? How? Like... a global vaccination program?

      • by neiras (723124)

        Push? How? Like... a global vaccination program?

        Careful, we might get the anti-crypters all hot and bothered.

        "But there's PROOF that encryption makes people cheat on their partners! And I have nothing to hide, anyway!"

      • Kinda, we should nudge mozilla in the direction of including EFF's "HTTPS Anywhere" extension by default, it's a very harmless extension that tries to connect by https before fallin gback and using http. Same goes for GPG/PGP in Thunderbird. It shouldn't be a separate add-on.

        Tor Park needs to be a turn-key solution. Also, people should have easy access to onion sites. Even if hosting a hidden service remains black magic, accessing one shouldn't.

        And serisouly I need to start making a tutorial for these thing

    • Then MISS, Make It Simple. Email clients and browsers with encryption facilities preloaded.

  • by Kwyj1b0 (2757125) on Sunday December 09, 2012 @08:22PM (#42238093)

    From the little I've read, it seems that they use a distributed host of volunteer servers to run the TOR network, so it might not be that easy to 'shut-down' the entire network (lack of centralized host) - If I'm wrong, I'd love to know why.

    My concern is that they will make TOR access illegal. Clearly, we can't count on Google/Microsoft/Amazon/Apple/Facebook/Big-Biz to raise a finger - they prey off identifying and targeting customers. Privacy and anonymity must hurt their bottom line. So unlike SOPA/PIPA, I doubt that any major group will oppose a new law against this. And most people won't care - hell, if Wikipedia didn't have a blackout, I doubt SOPA would have got any news time on a 'major' news network at all.

    Is there a way to detect TOR access uniquely? Or does the encryption make it look like any VPN/secure connection? I recollect reading about a method that could identify IP address accessing TOR (don't remember the details), I'm not sure if that hole was plugged (or if it can be plugged).

    • by Anonymous Coward

      From the little I've read, it seems that they use a distributed host of volunteer servers to run the TOR network, so it might not be that easy to 'shut-down' the entire network (lack of centralized host) - If I'm wrong, I'd love to know why.

      "They"? The Tor network is run by all its users... it's not like it requires some sort of specialized servers. Every (or most of) Tor node can act as both Tor client and Tor server.

      My concern is that they will make TOR access illegal.

      "They"? Who? Also, based on what would they make Tor illegal? If they can't make PGP illegal, there's also no basis to declare Tor illegal, as it works over the same principles.

      Besides, you do know that Tor was invented by the US military, right? I mean... the US government runs Tor nodes. Why the fuck would they make that illega

  • by detritus. (46421)

    There have been bot nets that have used Bittorrent DHT too, so should we shut that down as well?

  • by sco08y (615665) on Sunday December 09, 2012 @09:25PM (#42238521)

    The old tautology, "if you outlaws firearms, only outlaws will have firearms" applies to Tor. (In fact, I'd go as far as to argue that many cryptographic mechanisms are covered by the second amendment, especially if you consider cryptography's military purpose, and that some ciphers have been regulated by the DOD as munitions. They cover the same role in protecting your property, identity and reputation from aggression, and as the "well regulated militia" clause demands, pseudonymous discussions are necessary tools to help people discuss political matters.)

    The simple truth is you can shut down all the law-abiding people with Tor nodes, and the botnet creators will just run Tor nodes on their network. It would be absolutely trivial for botnet owners to get together and set up huge Tor networks and put access up for pay on the black market.

    • What an incredibly good idea. Here's hoping one of them does. An enormous illegal expansion of the number of TOR exit nodes would be fascinating. And possibly fantastic. Even if it is stolen resources. It would probably last a very long time, too, given that typical botnet infestations can go for years without being removed.

      • by sco08y (615665)

        What an incredibly good idea. Here's hoping one of them does. An enormous illegal expansion of the number of TOR exit nodes would be fascinating. And possibly fantastic. Even if it is stolen resources. It would probably last a very long time, too, given that typical botnet infestations can go for years without being removed.

        I would imagine they'd use a protocol that allowed them to charge for transmission. If that's not feasible, it's probably why we haven't seen it yet.

  • Bitcoins are a virtual currency? Oh, please do tell! Thank you for letting slashdot know..this is the first we've heard of it!
    • Well, yknow...
      A /. article is not a /. article if its not mentioning bitcoins.
      A 'green' article is not a 'green' article without mentioning CO2.
      It is the law! :-D
  • Tor is suitable for this, because it is very slow. Human operators have limited patience to get through extreme slowness of access to their Jihad blogs and favorite torrent directories, but bots have unlimited patience.

"There is nothing new under the sun, but there are lots of old things we don't know yet." -Ambrose Bierce

Working...