Hackers are using the blockchain to create bulletproof botnets

A man stands in front of a photo showing the activities of a so-called “botnet” during a workshop on computer and cybercrime. Photo: BORIS ROESSLER/DPA/AFP (Getty Images)

Last week, Google announced that it had partially disrupted the operation of a massive botnet — a massive network of more than a million malware-infected Windows computers. In the world of cybersecurity, that would be news in itself, but this particular network used an alarming blockchain integration that makes it hard to beat.

botnets are basically armies of “zombie” devices – servers infected with malware and connected to a malicious network, which can then be used to commit large-scale criminal activities. Most people whose devices have been compromised and become part of a botnet have no idea it happened, and their computers are essentially functioning as an unwitting accomplice to cybercrime.

In this particular case, the criminal organization behind the botnet is believed to be a malware family known as “Glupteba”. Last week, Google’s Threat Analysis Group (TAG) published context on the Glupteba botnet, showing that the network was used to mine cryptocurrency, otherwise known as “cryptojacking.” The hijacked CPU power of the masses and masses of infected devices essentially acted as free rocket fuel for the criminals, who could use it to energy-intensive enterprise.

So it’s clear that disruption of something like that is good. But as it is the eternal problem With botnets, the real problem isn’t necessarily how to disable parts of an infected network, but how to keep them out. At the same time that Google said it had disrupted Gluteba, it also had to admit that the infected network would soon recover and restore itself to full strength through an innovative resilience mechanism based on the Bitcoin blockchain.

This new cryptocurrency-based mechanism, which has long been theorized about though not necessarily seen in the wild before, could be an unfortunate new territory for cybercriminals, making them increasingly resilient to disruption by law enforcement.

An evolving problem

The main issue for any cybercriminal wanting to use a botnet is how to maintain control of their zombified hordes.

Botnets are usually set up to be managed by a single centralized party, commonly referred to as a “botmaster” or a “slanderer.” Shepherds use what is called a command-and-control (C2) server – a machine that sends instructions to all infected machines and basically acts as the main switchboard for the criminals to control their zombies. Shepherds can steer on a large scale via C2s malicious campaigns, such as data theft, malware attacks or, in the case of Glupteba, cryptojacking.

But to manage his flocks, the bot master needs a channel to stay connected to them and give them commands – and this is where things can get tricky. Many botnet C2 infrastructures use basic web protocols such as HTTP, which means they must be connected to a specific web domain to stay in touch with their flock. The domain acts as the C2’s portal to the Internet and thus the vast network of infected devices.

However, since it’s not that hard to take down a website, it means that C2s – and thus botnets themselves – can be disrupted quite easily. Law enforcement officers can take them down by disabling only the domains associated with the C2, either by getting the DNS provider, like Cloudflare, to block access, or by finding and confiscating a domain yourself.

To get around this, criminals have increasingly sought innovative ways to stay connected to their bot herds. In particular, criminals have tried to use alternative platforms, such as social media or, in some cases, Tor, to act as C2 hubs. A study 2019 by the MIT Internet Policy Research Initiative points out that some of these methods have had moderate success, but generally do not last long:

More recently, botnets have experimented with esoteric C&C mechanisms, including social media and cloud services. The Flashback Trojan retrieved instructions from a Twitter account. Whitewell Trojan used Facebook as a meeting point to redirect bots to the C&C server… The results were mixed. Network administrators rarely block these services because they are ubiquitously used and therefore C&C traffic is more difficult to distinguish. On the other hand, C&C channels are centralized again and companies like Twitter and Google are quickly tackling them.

What often happens is a game of whacking between police and criminals, where the police knock down repeatedly domains or whatever other web infrastructure is used, only to have the same criminals reconstruct and get the botnet up and running again through a different medium.

However, Glupteba appears to have changed the game: According to both Google and other security analysts who have investigated the gang’s activities, the criminal enterprise appears to have found the perfect way to desensitize itself to disruption. How? By leveraging the tamper-resistant infrastructure of the Bitcoin blockchain.

Bulletproof via Blockchain

For cyber criminals, the issue of how to stay connected to their bots can be solved by creating a backup mechanism. If the primary C2 server and its domain are removed by the police, the malware on infected devices can be designed to search the Internet for another, backup C2 domain, which then brings the entire infected network to life.

Typically, criminals will hard-code these backup web domains into the malware itself. (Hard encryption is the practice of embedding data directly into the source code of a particular program.) In this way, the botmaster can register masses of backups. Ultimately, however, there is a limit to the effectiveness of this strategy. At some point, the botnet will run out of new addresses, as only a finite amount can be encoded into the malware.

In the case of Glupteba, however, the gang got around this problem completely: instead of hard-coding web domains in the malware, they hard-coded three Bitcoin wallet addresses into it. With these addresses, Glupteba has managed to establish a foolproof interface between its bots and its C2 infrastructure through a little-known feature known as the “OP_Return.”

The OP_Return is a controversial feature of Bitcoin wallets that allows arbitrary text to be entered in transactions. It basically functions as the crypto equivalent of Venmo’s “memo” field. Glupteba has taken advantage of this feature by using it as a communication channel. The malware on the infected devices is designed so that should one of the botnet’s C2 servers go offline, the devices scan the public Bitcoin blockchain for transactions related to Glupteba’s wallets. Within those wallets, the cybercriminals can continuously enter new domain addresses via the OP_Return field, which are recognized by the botnet and redirected to them.

chain analysis, a blockchain analytics firm, played a key role in helping Google’s security team investigate all of this. In an interview with Gizmodo, Erin Plante, the company’s senior director of investigations and special programs, said that criminals’ use of the blockchain poses unique, potentially insurmountable challenges for law enforcement.

“When the botnet loses communication with a C2 domain – usually because there is some kind of law enforcement action – the botnet knows how to scan the entire public Bitcoin blockchain and look for transactions between those three Bitcoin addresses,” Plante said. In other words, every time a C2 domain is deleted, Glupteba can automatically reassemble using a new domain address sent through the gang’s crypto wallets.

The decentralized nature of the blockchain means that there isn’t really a way to block cannot pass through these messages or disable the associated crypto addresses, Plante said. Indeed, as crypto enthusiasts often pointed out, the blockchain is considered “uncensorable” and “fraud-proof” because it has no overarching authority or management entity. As such, no one can turn off the light for Glupteba’s malicious activity.

Can Glupteba be stopped?

So, what to do? Right now, the options aren’t great, said Shane Huntley, director of Google’s TAG team.

“This backup mechanism is very resilient,” Huntley said in an email to Gizmodo. “As long as the attackers have the keys to the wallets, they can let the botnet search for new servers.”

Plante seems equally pessimistic. “It’s certainly a model that, if replicated to ransomware or other cybercriminal activity, is a scary possibility,” she said. “Right now, other than deleting a single C2 domain and running it again a few days later, no one has found a way to stop this.”

Huntley said there were likely other examples of criminals using the blockchain in this way, but the practice was definitely not considered “common” at this point.

“The mitigating factor, however, is that when they do this, it will be public and further action can be taken,” Huntley said, referring to the blockchain’s implicit public nature. Because of the open format, Huntley said Google’s threat team is able to continue tracking the criminals’ transactions. “We’ve already seen that they have routed the botnet to new servers and those servers have now been taken offline as well.”

In other words, the botnet will continue to exist as long as the hackers want to update it. And security professionals will have to keep up with the updates until the hackers give up or are apprehended in real life.

Stay tuned for more such real estate news and updates at zavalinka.in

Leave a Comment