Hackers are using blockchain to make a bulletproof botnet

2021-12-15 01:46:05 By: Ms. Joey Lin

Last week, Google announced that it had partially disrupted a huge botnet: a network of more than 1 million Windows computers infected with malware. In cybersecurity, that is news in itself, but this particular network uses a shocking blockchain integration that makes it hard to beat.

A botnet is basically an army of "zombie" devices: servers that have been infected with malware and bound to a malicious network, which can then be used to conduct large-scale criminal activities. Most people whose devices have been compromised and absorbed into a botnet do not know it happened, and their computers act as unwitting accomplices to cybercrime.

In this particular case, the criminal organization behind the botnet is believed to be a family of malware called "Glupteba". Last week, Google's Threat Analysis Group (TAG) posted a report on the Glupteba botnet, indicating that the network was used to mine cryptocurrency, a practice also known as "cryptojacking". The hijacked CPU power of hordes of infected devices is basically free rocket fuel for criminals, which they can use to support their energy-intensive businesses.

So, obviously, disrupting such a thing is good. However, as is the perennial problem with botnets, the real challenge is not necessarily how to take down parts of the infected network, but how to keep them down. While Google said that it has disrupted Glupteba, it also had to admit that the infected network will soon reorganize and fully recover through an innovative resilience mechanism based on the Bitcoin blockchain.

This new crypto-based mechanism has been theorized for a long time, but it may not have been seen in the wild before. It may open an unfortunate new frontier for cybercriminals, and may make them increasingly resistant to interference from law enforcement agencies.


The main problem for any cybercriminal who wants to operate a botnet is how to maintain control of the zombie horde.

Botnets are usually set up to be controlled by a centralized party, usually called a "botmaster" or "botherder". Herders use a so-called command and control (C2) server, a machine that sends instructions to all infected machines, effectively acting as the master switch the criminals use to control the zombies. Through the C2, herders can direct large-scale malicious activities such as data theft, malware attacks or, in the case of Glupteba, cryptojacking.

However, in order to manage its herd, a botmaster needs a channel to keep in touch with it and issue orders, and this is where things get tricky. Many botnet C2 infrastructures use basic network protocols such as HTTP, which means they must connect to a specific network domain to keep in touch with their herd. This domain acts as the C2's portal to the Internet and, by extension, to the network of infected devices.

However, because it is not difficult to shut down a website, this means that the C2 (and the botnet itself) can be easily disrupted. Law enforcement can paralyze a C2 simply by disabling its associated domain, either by having the DNS provider (such as Cloudflare) cut off access, or by finding and seizing the domain itself.

To solve this problem, criminals are increasingly looking for innovative ways to keep in touch with their bot swarms. In particular, criminals have tried using alternative platforms (such as social media, or in some cases Tor) to act as C2 hubs. A 2019 study by the Massachusetts Institute of Technology Internet Policy Research Program pointed out that some of these methods have achieved moderate success, but generally do not have a long lifespan:

Recently, botnets have tried esoteric C&C mechanisms, including social media and cloud services. The Flashback Trojan retrieves instructions from a Twitter account. The Whitewell Trojan uses Facebook as a rendezvous point to redirect the bots to the C&C server... the results have been mixed. Network administrators rarely block these services because they are ubiquitous, so C&C traffic is more difficult to distinguish. On the other hand, C&C channels were centralized again, and companies such as Twitter and Google quickly cracked down.

What often happens is a game of whack-a-mole between police and criminals, in which the police repeatedly take down the domains or any other network infrastructure in use. In response, the same criminals regroup and restart the botnet through a different medium.

However, Glupteba seems to have changed the rules of the game: according to Google and other security analysts who have investigated the gang's activities, the criminal group seems to have found the perfect way to keep itself undisturbed. How? By utilizing the tamper-proof infrastructure of the Bitcoin blockchain.

For cybercriminals, the problem of how to keep in touch with their zombies can be solved by creating a backup mechanism. If the main C2 server and its associated domain are shut down by the police, the malware on the infected devices can be designed to look for another backup C2 domain on the network, and then restart the entire infected network.

Often, criminals hard-code these backup web domains into the malware itself. (Hard-coding is the practice of embedding data directly into the source code of a particular program.) In this way, botmasters can register a horde of backups. In the end, however, the effectiveness of this strategy is limited: at some point the botnet runs out of new addresses, because only a limited number can be coded into the malware.

In Glupteba's case, however, the group avoided this problem entirely: instead of hard-coding network domains into the malware, they hard-coded three Bitcoin wallet addresses into it. Through these addresses, Glupteba established a reliable interface between its bot swarm and its C2 infrastructure through a little-known function, "OP_RETURN".

OP_RETURN is a controversial feature of Bitcoin that allows arbitrary text to be attached to a transaction. It basically acts as the crypto equivalent of Venmo's "memo" field. Glupteba takes advantage of this feature by using it as a communication channel. The malware on the infected devices is carefully designed: if one of the botnet's C2 servers goes offline, the devices scan the public Bitcoin blockchain for transactions involving the Glupteba wallets. In those transactions, through the OP_RETURN field, the cybercriminals can permanently record a new domain address, and the botnet is designed to recognize that address and redirect to it.
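To show how a defender could watch the described channel (the way Google and Chainalysis track these transactions), here is an added example in Python; it is not code from the article, Google or Chainalysis. It decodes OP_RETURN output scripts and flags domain-like payloads in transactions spending from a watched address. It assumes a simplified transaction shape, a placeholder watched address rather than Glupteba's real ones, and that the domain is stored as plain text, as the article describes.

```python
import re

# Placeholder watched address (constructed; NOT one of Glupteba's real wallet addresses).
WATCHED_ADDRESSES = {"bc1q-placeholder-watched-address"}
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")

def parse_op_return(script_hex):
    """Payload of an OP_RETURN output script, or None if the script is not OP_RETURN."""
    script = bytes.fromhex(script_hex)
    if not script or script[0] != 0x6A:          # 0x6a is the OP_RETURN opcode
        return None
    if len(script) == 1:                         # bare OP_RETURN, nothing pushed
        return b""
    op = script[1]
    if 1 <= op <= 75:                            # direct push: opcode is the byte count
        length, i = op, 2
    elif op == 0x4C and len(script) > 2:         # OP_PUSHDATA1: one length byte follows
        length, i = script[2], 3
    else:                                        # longer pushes are out of scope here
        return None
    return script[i:i + length]

def extract_c2_candidates(txs, watched=WATCHED_ADDRESSES):
    """(txid, domain) pairs for domain-like OP_RETURN payloads in txs spent from a watched address."""
    found = []
    for tx in txs:
        if not any(inp["address"] in watched for inp in tx["vin"]):
            continue                             # only the watched wallets can "speak" for the C2
        for out in tx["vout"]:
            payload = parse_op_return(out["script_hex"])
            if payload is None:
                continue
            text = payload.decode("utf-8", errors="replace").strip().lower()
            if DOMAIN_RE.match(text):            # assumes the domain is stored as plain text
                found.append((tx["txid"], text))
    return found

def _op_return_hex(payload):
    """Encode a <=75-byte payload as an OP_RETURN script (used only to build the sample)."""
    return "6a" + f"{len(payload):02x}" + payload.hex()

# Constructed sample transactions in a simplified shape (not real chain data).
SAMPLE_TXS = [
    {"txid": "tx-1", "vin": [{"address": "bc1q-placeholder-watched-address"}],
     "vout": [{"script_hex": "76a914" + "00" * 20 + "88ac"},      # ordinary P2PKH output
              {"script_hex": _op_return_hex(b"c2-backup.example")}]},
    {"txid": "tx-2", "vin": [{"address": "bc1q-unrelated-wallet"}],
     "vout": [{"script_hex": _op_return_hex(b"other.example")}]},  # sender is not watched
    {"txid": "tx-3", "vin": [{"address": "bc1q-placeholder-watched-address"}],
     "vout": [{"script_hex": _op_return_hex(b"not a domain!")}]}]  # payload is not a domain
```

Running `extract_c2_candidates(SAMPLE_TXS)` returns only the domain from tx-1; the domain announced by an unwatched wallet and the non-domain payload are ignored, which is what lets an analyst feed the result straight into a blocklist.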

Chainalysis is a blockchain analysis company that played a key role in helping Google's security team investigate all of this. In an interview with Gizmodo, Erin Plante, the company's senior director of investigations and special projects, said that the criminals' use of the blockchain presents unique and possibly insurmountable challenges to law enforcement.

"When a botnet loses communication with the C2 domain, usually because of some kind of law enforcement action, the botnet knows to scan the entire public Bitcoin blockchain and look for transactions between these three Bitcoin addresses," Plante said. In other words, every time the C2 domain is taken down, Glupteba can automatically rebuild it from the new domain address sent from the gang's crypto wallet.

Plante said that the decentralized nature of the blockchain means there is effectively no way to stop these messages from getting through or to invalidate the associated crypto addresses. Indeed, as crypto enthusiasts often point out, the blockchain is considered "uncensorable" and "tamper-proof" precisely because it has no overall authority or managing entity. As a result, no one can simply shut down Glupteba's malicious activity.

So, uh, what can be done? Shane Huntley, director of Google's TAG team, said there are not many options.

"This backup mechanism is very flexible," Huntley said in an email to Gizmodo. "As long as the attacker has the key to the wallet, they can guide the botnet to find a new server."

Plante seems equally pessimistic. "This is of course a model, and if it is copied into ransomware or other cybercriminal activities, it is a terrible possibility," she said. "At this point, no one has been able to find a way to stop it other than shutting down a C2 domain and then starting it again a few days later."

Huntley said there may be other criminals using the blockchain in this way, but the practice is definitely not considered "common" at this time.

"However, the mitigating factor is that whenever they do this, it is public and further action can be taken," Huntley said, referring to the inherently public nature of the blockchain. Because of that open format, Huntley said, Google's threat team can continue to track the criminals' transactions. "We have seen them direct botnets to new servers, and these servers have now been shut down."

In other words, as long as the hackers are willing to keep posting updates, the botnet will continue to exist. Security professionals will have to keep tracking those updates until the hackers give up or are arrested in real life.