Hackers use blockchain to create bulletproof botnets

A man stands in front of a photo showing the activities of a so-called “botnet” during a workshop on computers and cybercrime.
Photo: BORIS ROESSLER / DPA / AFP (Getty Images)

Google last week announced that it had partially disrupted the operations of a huge botnet, a network of more than a million Windows computers infected with malware. In the world of cybersecurity that would be news in itself, but this particular network also uses the Bitcoin blockchain in a way that makes it very hard to take down for good.

Botnets are essentially armies of “zombie” devices: computers and servers infected with malware and enrolled in a malicious network, which can then be used to commit crime at scale. Most people whose device has been compromised and absorbed into a botnet have no idea it has happened; their computer is quietly functioning as an unwitting accomplice in cybercrime.

In this case, the criminal operation behind the botnet is a malware family known as “Glupteba.” Last week, Google’s Threat Analysis Group (TAG) published background on the Glupteba botnet, showing that the network was used, among other things, to mine cryptocurrency, a practice known as “cryptojacking.” The CPU power diverted from the masses of infected devices effectively acted as free fuel for the criminals’ energy-intensive business.

Disrupting something like that is obviously good. But, as is the eternal problem with botnets, the real challenge is not so much knocking out parts of an infected network as keeping them down. At the same time as Google claimed to have disrupted Glupteba, it also had to admit that the botnet would soon rebuild itself and regain its full strength thanks to an innovative resilience mechanism based on the Bitcoin blockchain.

This blockchain-based mechanism, which has long been theorized about but had not clearly been seen in the wild before, could open unwelcome new ground for cybercriminals, making their operations increasingly resilient to disruption by law enforcement.

An evolving problem

The main problem for any cybercriminal who wants to exploit a botnet is how to keep control over the zombified horde.

Botnets are usually set up to be controlled by a central party, generally referred to as a “botmaster” or “bot herder.” Bot herders use what is called a command-and-control (C2) server, a machine that sends instructions to all of the infected machines, effectively acting as the criminals’ main lever over their zombies. Via C2, bot herders can run large-scale malicious campaigns such as data theft, malware distribution or, in the case of Glupteba, cryptojacking.

But in order to manage the herd, the botmaster needs a channel through which to stay connected to it and issue commands, and this is where things get tricky. Many botnet C2 infrastructures use web protocols like HTTP, which means the bots have to reach a specific web domain to stay in touch with their master. The domain acts as the C2 server’s doorway to the Internet and, therefore, to the wide network of infected devices.

However, since it is not that hard to take down a website, C2 servers, and therefore the botnets themselves, can be disrupted quite easily. Police can knock them out by neutralizing the domains associated with the C2, by getting the registrar or DNS provider (Cloudflare, for example) to cut off access, or by seizing the domain itself (sinkholing it, so that the bots report to the investigators instead of the criminals).

To get around this problem, criminals have looked for innovative ways to stay connected to their herds of bots. In particular, they have tried alternative platforms, such as social media or, in some cases, Tor, as C2 hubs. A 2019 study by the MIT Internet Policy Research Initiative points out that some of these methods have had mixed success but generally not much longevity:

More recently, botnets have experimented with esoteric C&C mechanisms, including social media and cloud services. The Flashback Trojan retrieved instructions from a Twitter account. The Whitewell Trojan used Facebook as a meeting point to redirect bots to the C&C server … The results were mixed. Network administrators rarely block these services because they are ubiquitous, and C&C traffic is therefore more difficult to distinguish. On the other hand, the C&C channels are centralized again, and companies like Twitter and Google are rushing to crack down on them.

What happens in practice is a game of whack-a-mole between cops and criminals, in which police repeatedly dismantle the domains or other web infrastructure in use, only for the same criminals to regroup and bring the botnet back online through a different medium.

Glupteba, however, appears to be a game-changer: according to Google and other security analysts who have looked at the gang’s activities, the criminal enterprise appears to have found a near-perfect way to protect itself from disruption. How? By leveraging the tamper-resistant Bitcoin blockchain.

Bulletproof via Blockchain

For cybercriminals, the question of how to stay connected to their herds of bots can be addressed by building a backup mechanism. If the primary C2 server and its associated domain are taken down by police, the malware on infected devices can be designed to look for a backup C2 domain, which then resurrects the entire infected network.

Typically, criminals hard-code these backup domains into the malware itself. (Hard-coding is the practice of embedding data directly into a program’s source code.) This way the botmaster can stock up on backups. But ultimately there is a limit to this strategy: every hard-coded domain is visible to anyone who pulls the strings out of the binary and can be taken down or seized pre-emptively, and at some point the botnet simply runs out of new addresses, because only a limited number can be embedded in the malware.

In Glupteba’s case, however, the gang sidestepped this problem altogether: instead of hard-coding web domains into the malware, they hard-coded three Bitcoin addresses into it. With these addresses, Glupteba set up a resilient link between its herd of bots and its C2 infrastructure via a little-known Bitcoin feature known as OP_RETURN.

OP_RETURN is a (somewhat controversial) Bitcoin script opcode that lets a transaction carry a small amount of arbitrary data, up to 80 bytes under the standard relay rules, in an output that is provably unspendable. It works roughly like the crypto equivalent of Venmo’s “memo” field. Glupteba took advantage of this functionality by using it as a communication channel. The malware on infected devices is designed so that if the botnet’s C2 servers go offline, the bots scan the public Bitcoin blockchain for transactions sent from Glupteba’s three addresses. Into the OP_RETURN field of those transactions the criminals can, at any time, write a new C2 domain, which the bots are built to recognize and redirect to. Because only someone holding the private keys for those addresses can create such a transaction, the keys themselves serve as the authenticator for the update.
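As an added illustration (not Glupteba’s code, and not anything Google or Chainalysis published), the Python below re-creates the mechanism just described in miniature. It serializes legacy (non-SegWit) Bitcoin transactions with an OP_RETURN output, parses them back out, and implements both ends of the channel: the bot-side fallback that tries the hard-coded domains first and then the newest announcement from the signalling addresses, and the defender-side listing of every domain announced so far, which is what an investigator tracing the wallets would feed into the next takedown. Everything in it is constructed: the three addresses, the txid and the domains are placeholders, the sender of each transaction is supplied as metadata rather than derived from the spent input (a real client would do the latter), and the domain is written in plaintext, which the article does not claim Glupteba does (a real implementation could just as well encrypt or encode the payload).

```python
import re
import struct
from typing import Callable, Optional

OP_RETURN, OP_PUSHDATA1 = 0x6A, 0x4C
DOMAIN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")
# Constructed stand-ins for the three hard-coded signalling addresses; not Glupteba's.
SIGNAL_ADDRESSES = {"1SignalAddrAexample", "1SignalAddrBexample", "1SignalAddrCexample"}

def encode_varint(n: int) -> bytes:
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)

def read_varint(buf: bytes, pos: int) -> tuple:
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    size, fmt = {0xFD: (2, "<H"), 0xFE: (4, "<I"), 0xFF: (8, "<Q")}[first]
    return struct.unpack_from(fmt, buf, pos + 1)[0], pos + 1 + size

def op_return_script(payload: bytes) -> bytes:
    if len(payload) > 80:  # standard relay policy caps the data push at 80 bytes
        raise ValueError("non-standard OP_RETURN payload")
    push = bytes([len(payload)]) if len(payload) <= 75 else bytes([OP_PUSHDATA1, len(payload)])
    return bytes([OP_RETURN]) + push + payload

def build_legacy_tx(prev_txid: bytes, prev_vout: int, outputs: list) -> bytes:
    # One unsigned input (empty scriptSig) is enough: only the outputs matter here.
    tx = struct.pack("<i", 1) + encode_varint(1)
    tx += prev_txid[::-1] + struct.pack("<I", prev_vout) + encode_varint(0) + b"\xff\xff\xff\xff"
    tx += encode_varint(len(outputs))
    for value, script in outputs:
        tx += struct.pack("<q", value) + encode_varint(len(script)) + script
    return tx + struct.pack("<I", 0)

def parse_outputs(raw: bytes) -> list:
    # Walk a legacy (non-SegWit) transaction; return [(value_sats, scriptPubKey), ...].
    n_in, pos = read_varint(raw, 4)
    for _ in range(n_in):  # skip outpoint (36 bytes), scriptSig, sequence
        slen, pos = read_varint(raw, pos + 36)
        pos += slen + 4
    n_out, pos = read_varint(raw, pos)
    outs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", raw, pos)[0]
        slen, pos = read_varint(raw, pos + 8)
        outs.append((value, raw[pos:pos + slen]))
        pos += slen
    return outs

def extract_op_return(script: bytes) -> Optional[bytes]:
    """Return the pushed data of an `OP_RETURN <push>` script, else None."""
    if len(script) < 2 or script[0] != OP_RETURN:
        return None
    if 1 <= script[1] <= 75:
        data, want = script[2:2 + script[1]], script[1]
    elif script[1] == OP_PUSHDATA1 and len(script) >= 3:
        data, want = script[3:3 + script[2]], script[2]
    else:
        return None
    return data if len(data) == want else None

def c2_updates(ledger: list, signal_addresses: set) -> list:
    """Every (height, domain) announced from the signalling addresses, oldest first.
    `sender` is supplied with each entry here (assumption); a real client derives it
    from the spent input's scriptPubKey, which is what ties a message to the wallet key."""
    updates = []
    for entry in sorted(ledger, key=lambda e: e["height"]):
        if entry["sender"] not in signal_addresses:
            continue
        for _value, script in parse_outputs(entry["raw"]):
            data = extract_op_return(script)
            text = data.decode("ascii", "replace").lower() if data else ""
            if DOMAIN_RE.fullmatch(text):  # ignore payments and non-domain payloads
                updates.append((entry["height"], text))
    return updates

def resolve_c2(hardcoded: list, ledger: list, signal_addresses: set, is_up: Callable) -> Optional[str]:
    # Bot-side fallback: baked-in domains first, then the newest chain announcement that answers.
    for domain in hardcoded:
        if is_up(domain):
            return domain
    for _height, domain in reversed(c2_updates(ledger, signal_addresses)):
        if is_up(domain):
            return domain
    return None

def constructed_ledger() -> list:
    # Constructed sample chain data: two announcements, a plain payment and unrelated noise.
    txid, change = b"\x11" * 32, (50_000, b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac")
    tx = lambda vout, outs: build_legacy_tx(txid, vout, outs)
    return [
        {"height": 700100, "sender": "1SignalAddrAexample", "raw": tx(0, [(0, op_return_script(b"c2-a.example")), change])},
        {"height": 700150, "sender": "1SignalAddrAexample", "raw": tx(1, [change])},
        {"height": 700200, "sender": "1SomebodyElseExample", "raw": tx(2, [(0, op_return_script(b"unrelated.example"))])},
        {"height": 700250, "sender": "1SignalAddrBexample", "raw": tx(3, [(0, op_return_script(b"c2-b.example")), change])},
    ]
```

Against the constructed ledger, `c2_updates` yields the two announcements from the signalling addresses and nothing else, and `resolve_c2` falls through the dead hard-coded domain to the newest announced domain that a reachability probe (`is_up`) accepts. The same two functions describe the defender’s position: the announcements are readable by anyone, so each new domain can be queued for takedown as soon as the transaction confirms, but nothing in the data structure lets a third party stop the next one from being written.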

Chainalysis, a blockchain analytics company, played a key role in helping Google’s security team investigate all of this. In an interview with Gizmodo, Erin Plante, the company’s senior director of investigations and special programs, said that criminals’ use of the blockchain presents unique and potentially overwhelming challenges for law enforcement.

“When the botnet loses communication with a C2 domain, usually because there is some kind of law enforcement action, the botnet knows it needs to scan the entire public Bitcoin blockchain and look for transactions between these three Bitcoin addresses,” said Plante. In other words, whenever a C2 domain is taken down, Glupteba can automatically restore itself via a new domain sent through the gang’s wallets.

The decentralized nature of the blockchain means there is really no way to block these messages or invalidate the associated addresses, Plante said. Indeed, as crypto enthusiasts often point out, the blockchain is considered “censorship-resistant” and “tamper-proof” because no single authority or entity controls it. As such, nobody can simply turn off the lights on Glupteba’s malicious activity.

Can Glupteba be stopped?

So, uh, what is to be done? Currently the options aren’t great, says Shane Huntley, director of Google’s TAG.

“This back-up mechanism is very resilient,” Huntley said in an email to Gizmodo. “As long as the attackers have the keys to the wallets, they can direct the botnet to find new servers.”

Plante seems equally pessimistic. “It is certainly a model that, if it is replicated in ransomware or other cybercrime activity, is a frightening possibility,” she said. “At this point, besides removing a single C2 domain only for it to restart a few days later, no one has been able to find a way to stop this.”

Huntley said there were likely other examples of criminals using the blockchain in this way, but the practice is certainly not considered “common” at this time.

“However, the mitigating factor is that whenever they do, it will be public and other action may be taken,” Huntley said, referring to the inherently public nature of the blockchain. Because of that open format, Huntley said, Google’s threat team is able to keep tracing the criminals’ transactions. “We’ve seen them direct the botnet to new servers before and those servers have been taken down as well.”

In other words, the botnet will live as long as the hackers keep updating it, and security professionals will have to keep tracking those updates until the hackers give up or are apprehended in real life.
