Infamous Skynet Botnet Author Allegedly Arrested

On the 4th of December the German Federal Criminal Police Office (BKA) issued a press release stating that it had arrested two suspects for computer crimes, with the support of GSG 9 (a German special operations unit). The release stated that the two suspects had reportedly modified, distributed and used existing malware as part of a botnet, which was responsible for mining over 700,000 euros worth of bitcoins (since confiscated). Evidence of other crimes was also found, such as fraud and distribution of copyrighted pornographic material. The full press release is in German but can be read here.
Skynet is a botnet built on a modified version of the Zeus banking trojan. It communicates over the IRC protocol (tunnelled through Tor) and primarily mines bitcoins as well as harvesting banking credentials. The botnet is thought to be one of the first to host its command and control server as a Tor hidden service in order to evade sinkholing: because the server is only reachable by its .onion address, there is no IP address or registered domain for researchers or law enforcement to seize and redirect. The author gained a large amount of media attention in late 2012 due to his unusual openness about his illegal activities, mainly on Twitter and Reddit (in the form of an "Ask Me Anything" thread).

Although it cannot be confirmed that the pair arrested were those behind the Skynet botnet, the author hasn't tweeted since the alleged arrest, and multiple sources who have worked closely with him have confirmed that he was arrested. The story lines up with the Skynet author's known operations: selling banking information, mining bitcoin, using modified malware, and running a porn site.

A day prior to the alleged arrest the author appeared to be working on upgrading the Skynet malware to use a modified version of the leaked Carberp bootkit, which would allow the malware to load before antivirus software and run with kernel-mode privileges.

Update (12/5/13 2:09): 
According to researchers at Botconf, G Data have confirmed that the arrested suspect is the Skynet author.

Update (12/6/13 12:39):
A single tweet was posted from @skynetbnet's Twitter account stating that the authorities had the wrong guy; no tweets have been made since. It would seem the tweet was either an automated message or something he asked a friend to post in the event of his arrest. Multiple people have in fact confirmed that the Skynet author has been arrested.
