Last week, Google announced that it had partially disrupted the operation of a giant botnet, a gigantic network of more than a million Windows computers infected with malware. In the cybersecurity world, that would be news on its own, but this particular network uses a blockchain integration alarm that makes it hard to beat.
Botnets are essentially armies of “zombie” devices: servers infected with malware and connected to a malicious network, which can be used to commit large-scale criminal activity. Most people whose device has been compromised and is part of a botnet have no idea that this has happened, and their computer is essentially functioning as an unwitting accomplice in cybercrime.
In the present case, the criminal organization behind the botnet is likely a malware family called “Glupteba”. Last week, Google’s Threat Analysis Group (TAG) released a context on the Glupteba botnet showing that the network is being used to mine cryptocurrencies, also known as “cryptojacking”. CPU power hijacked by masses and crowds of infected devices essentially served as free rocket fuel for criminals to use in support of their energy-intensive business.
So obviously disruption is good to interfere with something like this, but as with the persistent botnet problem, the real problem isn’t necessarily how to crash parts of an infected network, but how to keep them down. Since Google said it had disrupted Gluteba, it also had to admit that the infected network would soon rebuild and regain its full strength through an innovative resistance mechanism based on the Bitcoin blockchain.
This new crypto-based mechanism, long theorized but not necessarily seen in the wild, could represent unfortunate new terrain for cybercriminals that can make them increasingly resilient to interference from parts of the law enforcement community.
An Evolving Problem
The main problem for any cybercriminal trying to run a botnet is keeping control of their zombie hordes.
Botnets are generally set up to be controlled by a central party commonly known as the “botmaster” or a “bothered”. The herders use what is known as a Command and Control (C2) server, a machine that sends addresses to all infected machines and effectively acts as the main control panel for criminals to control their zombies. C2 enables pastors to carry out large-scale malicious campaigns such as data theft, malware attacks or, in the case of Glupteba, cryptojacking.
However, in order to manage their flocks the botmaster needs a channel to stay connected with and issue commands and this is where it can get tricky. Many C2 botnet infrastructures use basic web protocols like HTTP which means they can need to be connected to a specific web domain in order to keep in touch with your herd. The domain acts as a portal from C2 to the Internet and thus as an extended network of infected devices.
However, since it’s not that difficult to deactivate a website, it means that C2s, and therefore botnets themselves, can be stopped quite easily. Law enforcement can remove them simply by disabling domains associated with C2, either asking its DNS provider, such as Cloudflare, to block access, or by finding and entering a domain itself.
To avoid this, criminals are increasingly looking for innovative ways to stay connected with their bot herds. Criminals in particular have tried to use alternative platforms such as social media or, in some cases, Tor as C2 hubs. MIT’s 2019 Internet Policy Research Initiative study finds that some of these methods have had moderate success, but are generally not very long-lasting:
More recently, botnets have been experimenting with esoteric CandC mechanisms, including social media and cloud services. The Flashback Trojan obtained the instructions from a Twitter account. The Whitewell Trojan used Facebook as a meeting point to redirect bots to the CandC server … The results were that network administrators rarely block these services because they are used everywhere, making C&C traffic more difficult to distinguish. On the other hand, the C&C channels are being centralized again and companies like Twitter and Google are taking them up quickly.
What often happens is a whack-a-mole game between police officers and criminals, in which the police repeatedly delete domains or any other web infrastructure used, only so that the criminals can reconstruct themselves and rebuild the botnet using a different medium.
But Glupteba seems to have changed the game: According to Google and other security analysts who have investigated the gang’s activities, the criminal company seems to have found the perfect way to make itself immune to interference. How? By leveraging the tamper-proof infrastructure of the Bitcoin blockchain.
Bulletproof via Blockchain
For cybercriminals, the problem of how to stay in touch with their bot groups can be solved by creating a back-up mechanism. If the primary C2 server and its associated domain are taken down by the police, malware inside infected devices can be designed to search the web for another backup C2 domain, which then resuscitates the entire infected network.
Typically, criminals hard-code these backup web domains into the malware itself. (Hard-coding is the practice of embedding data directly in the source code of a particular program.) This allows the botmaster to log many backups. But ultimately there are limits to the effectiveness of this strategy. The botnet is running out of new addresses because only a finite amount can be coded in the malware.
In the case of Glupteba, however, the gang avoided this problem completely: Instead of encrypting the web domains in the malware, they encrypted three Bitcoin wallet addresses into it. With these addresses, Glupteba has succeeded in creating a foolproof interface between its bot herds and its C2 infrastructure using a little-known function called “OP_Return”.
The OP_Return is a controversial feature of Bitcoin wallets that allows any text input during transactions. It basically works as the cryptographic equivalent of Venmo’s “memo” field. Glupteba has taken advantage of this feature by using it as a communication channel. The malware in infected devices is designed so that the devices scan the public Bitcoin blockchain for transactions related to Glupteba wallets when one of the botnet’s C2 servers goes offline. Within these wallets, cyber criminals can use the OP_Return field to constantly enter new domain addresses that their botnet should recognize and redirect.
Chainalysis, a blockchain analytics company, played a key role in helping Google’s security team investigate all of this. In an interview with Gizmodo, Erin Plante, the company’s Senior Director of Investigations and Special Programs, said that the use of blockchain by criminals poses unique and potentially insurmountable challenges for law enforcement.
“When the botnet loses communication with a C2 domain, usually due to police action, the botnet knows it needs to scan the entire public bitcoin blockchain and look for transactions between these three bitcoin addresses,” said Plante. In other words, if a C2 domain is deleted, Glupteba can automatically restore itself to a new domain address sent through the band’s crypto wallets.
The decentralized nature of the blockchain means that there is actually no way to block the passage of these messages or to deactivate the associated crypto addresses, said Plante. In fact, as crypto enthusiasts have often pointed out, the blockchain is considered “uncensored” and “tamper-proof” as it has no general authority or administrative unit so that no one can shut down Glupteba’s malicious activities.
Can Glupteba Be Stopped?
So what to do Right now, the options aren’t that great, says Shane Huntley, director of Google’s TAG team.
This backup mechanism is very strong, Huntley said in an email to Gizmodo. As long as the attackers have the wallet keys, they can instruct the botnet to search for new servers.
Plante seems equally pessimistic. It’s certainly a model that, when replicated in ransomware or other cybercriminal activity, presents a terrifying possibility, he said. At the time, no one could find a way to stop this other than removing a single C2 domain and bringing it back up and running a few days later.
Huntley said there were likely other examples of criminals exploiting the blockchain in this way, but that the practice was definitely not considered “common” at the time.
“The mitigating factor though is that anytime they do this, it will be public and further action can be taken,”Huntley said, referring to the implicit public nature of the blockchain. Because of the open format, the Google threat team is able to continue tracking the transactions of criminals, Huntley said. “We’ve already seen them direct the botnet to new servers and those servers have now also been taken down.”
In other words, the botnet will live as long as hackers are worried about updating it all the time, and security experts will have to track their updates until the hackers give up or are stopped in real life.
