Experts presented BOTCHAIN, the first fully functional Botnet built upon the Bitcoin Protocol

Security experts Antonio Pirozzi and Pierluigi Paganini presented BOTCHAIN, the first fully functional Botnet built upon the Bitcoin Protocol.

Security expert Antonio Pirozzi, director at ZLab malware lab at Cybaze firm, presented at the EU Cyber Threat Conference in Dublin conducted a research along with Pierluigi Paganini (aka @securityaffairs), about how crooks could abuse blockchain for malicious purposes.

The presentation titled “BOTCHAIN aka The Dark side of Blockchain” includes details about the first fully functional Botnet built upon the Bitcoin Protocol named “BOTCHAIN”.

The blockchain is a system “read-only” by design, it is resilient to data modification and provides the recording of transactions between two parties in a verifiable and reliable way without the need of a third-party. These properties make blockchain a privileged technology for different applications (i.e. healthcare applications, supply chain tracking, smart contracts, identity management) but it could also be abused by cybercriminals to carry out malicious activities.

Pirozzi explains that cybercriminals already have exploited blockchain in attacks in the wild, for example in the case of the popular carding store Joker’s Stash when they have adopted a peer-to-peer DNS system based on blockchain.

The Automated Vending Cart (AVC) website was launched in 2017 using blockchain DNS alongside its Tor (.onion) domain to hide malicious activities and set up a bulletproof their platform. Blockchain-based TLDs like .bit .bazar and .coin  provides cybercriminal with a new level of covertness for their online marketplace.

Pirozzi has cited a recent study conducted by researchers from the RWTH Aachen University (Germany) that demonstrates how blockchain could be used as a permanent storage for any kind of data, even illegal stuff such as child pornography content and terrorist propaganda. The experts analyzed Bitcoin transactions and found at least 274 links to child abuse content or links to dark web services.

Pirozzi and Paganini have practically demonstrated how cybercriminal could abuse blockchain for their malicious purpose.

“Cybercriminal could abuse the “OP_RETURN” field of a Bitcoin Transaction to deliver malware control mechanism, botnet commands, or malware distribution mechanism as also presented during the Black Hat ASIA 2016 conference by INTERPOL ‘s Christian Karam and KASPERSKY’s VITALY Kamluk” said Pirozzi.

“Our research demonstrates that it is possible to abuse blockchain technology to set up a command and control mechanism for a malware that leverage blockchain. BOTCHAIN it the first fully functional Botnet built upon the Bitcoin protocol.” Added Paganini. ”many threat actors, including APT groups, already have technical capabilities to develop such kind of botnet, for this reason, it is crucial to explore how attackers can abuse blockchain”

Pirozzi explained that in the past, other researchers teams also investigated the possibilities to use blockchain technology as an infrastructure for BOTNET, most important researches are ZombieCoin, Botract, and UnblockableChains, the former two are based on Ethereum.

“BOTCHAIN is the first fully functional BOTNET built upon the Bitcoin protocol, unlike other similar botnets, BOTCHAIN, has as High availability characteristics because zombies does not have any hardcoded C2 address, attackers could use any wallet as C2, unlike Zombiecoin it uses a hidden service for the C2 dynamic discovery like the SKYNET BOTNET of 2012”. Explained Pirozzi.

“Over the year crooks have adopted different techniques to build more resilient and covert topologies for their botnet, from simple IRC or HTTP to UDP over TCP or P2P Network or DGA or abusing cloud services. All these techniques are vulnerable to takedown made by law enforcement and security firms once the network topology has been discovered. In this PoC, the discovery and analysis of one single BOT won’t expose the entire botnet or portion of it.”

“Of course, there is an economic aspect to consider when dealing with botnet using Bitcoin blockchain-based botnet. We have analyzed it in our research and I can tell you that it is not a problem for persistent actors that want to use it in targeted attacks.” Paganini said.

Gavin Andreson, chief scientist at the Bitcoin Foundation, declared that “using C&C on the blockchain would be “very expensive” due to the transaction fees hackers would have to pay. He also noted that botnet operators don’t want there to be any permanent record of their crimes.”

Pirozzi also said:

“If you pay too low transaction fees, your transaction might never be confirmed and will become stuck, this is a limit for botnet operators but there are specific moments in the Bitcoin market that are more convenient to make a transaction because transaction fees per byte become low. Crooks could exploit these specific moments to conduct a malicious massive campaign”.

It is a common opinion for some security experts and law enforcement agencies that cybercriminals could start abusing Blockchain for malicious purposes.

The research includes some suggestions and open points to mitigate this kind of threats. Security experts explained that one possible solution is to use blacklist for miners in order to avoid the validations of blocks in which resides malicious contents, but the open issue remains the identifications of that specific blocks that could be very hard due to the introduction of obfuscation mechanisms.

Many experts believe that quantum computers will allow modifying the data inside each transaction, but this not possible now and probably the introduction of quantum cryptography will prevent it.

At the time it is impossible to take down the communication between bot and C2 also if we are able to identify the transactions involved, this aspect must be carefully analyzed.

Below a video PoC of BotChain:

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Botchain, Blockchain)

[adrotate banner=”5″]

[adrotate banner=”13″]