Building botnets with the blockchain

Whenever a new technology comes along, it isn’t long before someone works out how to use it for nefarious purposes. The latest is the blockchain underpinning Ethereum, which is a next-generation network for running decentralized applications. At SecTor this week, security researcher Majid Malaika reveals how to use one of Ethereum’s most innovative features to create seemingly unassailable botnets.

Announced in 2013, Ethereum is a blockchain technology that does far more than its predecessor, bitcoin. Bitcoin’s blockchain is effectively a giant shared ledger that records who sent money to whom. Ethereum went beyond cash by allowing people to run programs in the blockchain. Its developers call those programs ‘smart contracts’, and they run on every participating computer in the Ethereum blockchain.

Why would you want to do that? Blockchain-based programs carry two benefits. Firstly, it means that no one can tinker with a program to change what it does, because all copies of a smart contract running on the network must agree on its results. Secondly, it makes the program more resilient, because if one computer on the blockchain goes offline, it’s still running in lots of other places.

In his talk, ‘Botract’, Malaika uses these qualities to create a stronger botnet, Malaika explains.

“We wanted to take this idea and combine it with the idea that it’s distributed once it’s on blockchain,” he says. “There’s no way to kill it. You can’t remove it.”

An unassailable botnet

Traditionally, botnets use thousands of machines, controlled by a central ‘botherder’, to do their bidding. One of the biggest uses for such botnets are DDoS attacks, but they’re also used for sending spam or hosting criminal web sites.

Early botnets such as Agobot and Spybot used IRC channels to communicate with each other. These were relatively easy to take down because they were centralized channels for communication. Later, botnets moved to HTTP-based C&C, using web servers to issue instructions and receive uploaded ‘loot’ from infected machines.

Botnet developers then innovated with domain generation algorithms to create new domains, effectively leaving law enforcement playing whack-a-mole as the botnets shifted their command and control domains on the fly. Botherders have also innovated with other C&C networks, including Twitter, and Instagram.

These are all still centralized services, though, with a single point of failure for the botherders. Domain registrars, hosting companies and social networks can kill the accounts used to control the botnets.

Ethereum’s blockchain is inherently more resilient as a command and control mechanism, says Malaika.

“When you have command and control you have a hard-coded IP address or something communicating with an account like Twitter that you can remove or blacklist or cut off,” he says. There’s often a central point of control that enables you to cut it off at the neck.

An Ethereum-based blockchain running on many different computers at once uses the decentralized Ethereum network itself to issue commands to infected machines. There is no central point of command to target.

Botherders have created peer-to-peer C&C networks in the past, in which bots maintain their own routing tables. Researchers have sometimes been able to deal with peer-to-peer botnets by interfering with communications between infected machines,. They can set up a machine with their own modified botnet code and using it to broadcast a modified signal. That kind of subversion doesn’t work in an Ethereum-based command and control network either, Malaika says, thanks to the magic of cryptographic signing.

“These chains are distributed and have hashing and signing so you can’t manipulate the transactions,” he explains.

Ethereum uses a digital resource called ‘gas’ to fuel a smart contract. Contacts ‘spend’ gas to change state, and you have to buy more gas with Ether, which is the cryptocurrency underpinning the Ethereum network. But because smart contracts can receive messages without using gas, they can be used to listen to messages from botherders without spending gas, explains Malaika. These messages might instruct an infected machine to launch a DDoS attack on a particular target, say.

This isn’t the first time that researchers have suggested using cryptocurrency to manipulate transactions. Zombiecoin 2.0 was a proposed botnet based on the bitcoin network that used bitcoin transactions to embed the command and control information.

This is the first botnet C&C we’ve heard of using smart contracts, though. Find out more about how it works in Malaika’s talk at SecTor, on Wednesday November 15th.