I remember reading about this on reddit a while back and thought “wow”.
Now it appears Rapid7 has a full breakdown of this botnet, which you can read about here.
“Skynet runs all its C&C servers as Hidden Services and all compromised computers are configured to be part of the Tor network as well.
The advantages of this approach are:
- The botnet traffic is encrypted, which helps prevent detection by network monitors.
- By running as a Hidden Service, the origin, location, and nature of the C&C are concealed and therefore not exposed to possible takedowns. In addition, since Hidden Services do not rely on public-facing IP addresses, they can be hosted behind firewalls or NAT-enabled devices such as home computers.
- Hidden Services provide a Tor-specific .onion pseudo top-level domain, which is not exposed to possible sinkholing.
- The operator can easily move around the C&C servers just by re-using the generated private key for the Hidden Service.
Long story short, Tor, due to its design and internal mechanics, makes it a perfect protocol for botnets. Because of this, all critical communications of Skynet to its C&C servers are tunneled through a Tor SOCKS proxy running locally on compromised computers.”
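The design quoted above leaves one host-level artifact a defender can look for: a local Tor SOCKS listener, and non-browser processes connecting to it. The following is an added detection example (not code from Rapid7 or from this post) that parses constructed netstat-style connection records; the SOCKS port set and the allow-list of expected Tor clients are assumptions to tune per environment.

```python
import re

# Ports a local Tor SOCKS proxy commonly listens on (9050 = tor daemon, 9150 = Tor Browser).
# Assumption for this example; adjust to what is sanctioned in your environment.
TOR_SOCKS_PORTS = {9050, 9150}
# Processes that are expected to talk to a Tor SOCKS proxy on a workstation (assumed allow-list).
ALLOWED_SOCKS_CLIENTS = {"firefox", "tor"}

# Matches one line of `netstat -anp` style output (proto recv send laddr raddr state pid/proc).
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\S+)\s+(?P<state>\S+)\s+(?P<pid>\d+)/(?P<proc>\S+)$"
)

def parse(lines):
    """Yield one dict per parseable connection record; non-matching lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["lport"] = int(d["lport"])
            d["rport"] = int(d["rport"]) if d["rport"].isdigit() else None  # "*" for listeners
            yield d

def find_socks_tunnels(lines):
    """Return (listeners, suspicious): Tor-like SOCKS listeners keyed by port, and
    (pid, process, port) for every loopback client of such a listener not on the allow-list."""
    records = list(parse(lines))
    listeners = {r["lport"]: r["proc"] for r in records
                 if r["state"] == "LISTEN" and r["lport"] in TOR_SOCKS_PORTS}
    suspicious = []
    for r in records:
        if (r["state"] == "ESTABLISHED" and r["raddr"].startswith("127.")
                and r["rport"] in listeners
                and r["proc"].lower() not in ALLOWED_SOCKS_CLIENTS):
            suspicious.append((r["pid"], r["proc"], r["rport"]))
    return listeners, suspicious

# Constructed sample: a tor daemon listening on 9050, one unexpected service process using it,
# one browser using it, and the daemon's own outbound circuit to a relay.
SAMPLE = """
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      1337/tor
tcp        0      0 127.0.0.1:51234         127.0.0.1:9050          ESTABLISHED 2041/updsvc
tcp        0      0 127.0.0.1:51250         127.0.0.1:9050          ESTABLISHED 2100/firefox
tcp        0      0 10.0.0.5:51240          203.0.113.8:9001        ESTABLISHED 1337/tor
""".strip().splitlines()

if __name__ == "__main__":
    print(find_socks_tunnels(SAMPLE))
```

The listener check alone is not evidence of compromise on a host where Tor is sanctioned; the value is in the pairing of a SOCKS listener with an unexpected client process.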