ZombieCoin – Using Bitcoin’s Network To Create Next Generation Botnets
A botnet represents a network of a large number of compromised machines, which are distinctively referred to as bots or zombies, and are remotely controlled by the “botmaster”. Botnets were originally coded to act as means for vandalism and to “show off” hacking skills, yet they have presently evolved into sophisticated tools that are continuously being leveraged for online financial extortion and cyberwarfare. Around eight years have already passed since Vint Cerf published a warning against a botnet “pandemic,” and since then, the threat has been steadily intensifying.
Today, there are enormous botnets that typically enslave millions of infected machines, which are deployed in a myriad of illicit activities including email spamming, phishing, keylogging, DDoS attacks and extortion. Recently, the FBI estimated that more than 500 million machines are infected each year, leading to annual losses of around $110 billion. Botnets are now even infecting smartphones and smart devices including refrigerators, smart TVs, surveillance cameras, and exploit them in spamming or cryptocurrency mining. Even more, botnets have undermined national security in some countries, as in 2007, a wave of cyberattacks hit Estonia. These cyberattacks used botnets to launch DDoS attacks forcing a large number of government websites, media portals, retail banks and telcos to go offline.
Using Bitcoin To Create More Advanced Botnets:
The weakest point of any botnet is its C&C server which can be thought of as the “brain” of the botnet. Outgoing communications include instructions and software modifications sent by the botmaster, while incoming communications from bots include phished private data, login credentials…etc. Security professionals can reverse engineer a bot to take it down via infiltrating its C&C server.
A group of researchers recently published a paper that proved that bitcoin can represent an ideal C&C dissemination server for botnets. Bitcoin can offer botmasters amazing advantages over the current C&C strategies including IRC chatrooms, P2P networks or HTTP rendez-vous points. The botmaster won’t have to pay for the costs for maintenance of a custom C&C server, by piggybacking outgoing and incoming communications onto bitcoin’s network. Moreover, bitcoin’s network provides considerable levels of anonymity which could even be furthered via the use of Tor or VPN. Bitcoin also has built-in mechanisms to formulate a balanced global state; thus, omitting the need for bot-to-bot communication. Accordingly, capturing one bot won’t expose other bots on the network, so an observer would never be able to estimate the actual size of the botnet.
The most important advantage is that C&C communication via bitcoin’s network can never be disrupted by simply taking down a few servers or poisoning a group of routing tables, because bitcoin’s network is designed to resist such forms of attacks. Moreover, shutting down C&C communication would be hard to accomplish without seriously affecting honest bitcoin users.
To prove their hypothesis, the researchers explored in detail the possibility of operating a botnet over bitcoin’s network. They did the following:
1. They presented ZombieCoin, a mechanism that enables botmasters to communicate with their bots via bitcoin’s network by embedding C&C communications onto bitcoin transactions.
2. They described how bitcoin’s infrastructure can open the door to new C&C possibilities such as dynamic upstream channels, efficient botnet partitioning and fine grained bot control.
3. They deployed ZombieCoin’s prototype over bitcoin’s network. Initial experiments showed that bot’s response time ranged between 5 and 12 seconds.
Here is a brief description of how ZombieCoin operates:
1. The botmaster will create a group of bitcoin credentials i.e. a pair of keys (sk, pk). The public key, pk, has to be hardcoded into the binary file of the bot, before deployment is started, so that bots can verify communication received from the botmaster.
2. The botnet will then be released into the wild. An infection mechanism should be used to distribute the botnet. One common example today is embedding malicious JS code in ads, so that when the victim clicks the ad, he/she will be redirected to a page hosting the malicious code that infects his/her machine without his/her knowledge.
3. Infected bots will then connect to bitcoin’s network, receive and propagate bitcoin transactions initiated by the botmaster. By adhering to bitcoin’s standard protocol, the bot’s network behavior will be indistinguishable from the behavior of honest bitcoin users.
4. The botmaster will every so often broadcast C&C instructions by concealing them and embedding them into bitcoin transactions.