Hot new application for blockchain: How does botnet control sound?

Blockchain technologies might be abused to create a takedown-resistant infrastructure for botnets. During a presentation at BSides Tel Aviv on Tuesday, security researcher Omer Zohar demonstrated proof-of-concept code for a fully functional command-and-control infrastructure built on top of the Ethereum network. Zohar was …

  1. amanfromMars 1 Silver badge

    Something to be Terrified of and Terrorised by All Human Media Accounts/Programming Channels.

    It is somewhat incongruous, to the point of being certifiably hubristic, to think that humans, rather than the Virtual Machine, are able to enable and disable command and control of robot networks/botnets internetworking.

    The Arrogance of Humanity knows no Bounds so it very fortunate there are Earthly Confines.

    1. AndyS

      Re: Something to be Terrified of and Terrorised by All Human Media Accounts/Programming Channels.

      That's it. You've achieved sentience. Your comment made as much sense to me as the article.

      (I have to believe you have gained sentience, because the alternative is obviously that I have lost it.)

      1. Jack of Shadows Silver badge

        Re: Something to be Terrified of and Terrorised by All Human Media Accounts/Programming Channels.

        Of all the things I've lost in this long life, I miss my mind the most.

  2. kryptylomese

    No worse than something on a web page

    Any kind of marker on the internet e.g. something on a web page, could serve as a way of controlling a botnet. Blockchains are readable from the internet so.... ....they are no more of a risk than something on a web page.

    1. Thoguht Silver badge

      Re: No worse than something on a web page

      Yes, no more of a risk than any web page that's duplicated potentially millions of times around the Internet with integrity checks so it can't be undetectably altered.

      1. kryptylomese

        Re: No worse than something on a web page

        Please see the first comment in this thread?

    2. Anonymous Coward

      Re: No worse than something on a web page

      The difference is that BB entries are stored forever and cannot be altered, plus they must always be made available. To kill a malware bot network, you find the control host and bump it off the network, but with BB you cannot hide anything, so the slaves of the botnet will always be able to find their "commands" and other assorted info. If you have a webpage, I can seize control and change it to control the botnet. You have a Facebook page, I can seize that and control it.

      1. doublelayer Silver badge

        Re: No worse than something on a web page

        But the only way that will work is for the malware writers to use an existing blockchain, which will be massive. If a bot has to download the entire thing so they can find the messages I'm sending, things will be rather slow. I don't think there's a convenient find-transaction feature of the blockchain, because that would require someone else's processing to allow the search. You'd need either a blockchain that is unused enough for processing of it to be fast, or one that is very concise, which makes it hard to encode messages. Instead, you could have a few channels (I'm thinking threads on posts or maybe reddit discussions) where the bot reads them and attempts to decrypt any post with a key. You just need to create an account, encrypt your message, and drop it in. It will be removed by moderators in an hour, but your swarm will have picked it up by then.

        1. ozzo

          Re: No worse than something on a web page

          The bots themselves do not need to d/l the whole network. There is such a thing called a 'light node', which only d/ls the block headers. They are almost as safe as the full nodes, and take a considerably smaller amount of data and network. This is what I used for my POC, and this is what people use to run nodes on mobile / IoT devices.

          Regarding the reddit suggestion, the problem with that is that reddit, if reported, will take it down in a heartbeat. Do you want to put the fate of your entire net at the mercy of some support guy at reddit?

          1. doublelayer Silver badge

            Re: No worse than something on a web page

            Good point on the light node way, I was not aware that was a thing. I suppose that eliminates my objection.

            On the subject of reddit, I was using that as an example, but the point was that you couldn't kill the mechanism. You post a message in a monitored thread (give the system a list of two hundred or so to check), from any account. Every message gets read and decoded. Therefore, all you need to control the system is a key that can sign/encrypt a command and knowledge of the threads used. Reddit/whatever platform it is using can find your message and delete it, and also block the account, but you don't need either of those. The message was already read and acted upon, and you can send another message just by opening another account and posting with it. Perhaps reddit will take things down too quickly, but all you need is some online forum thing that allows new accounts rather easily and doesn't pre-check posts. Posting here, for example, wouldn't work because the first three posts are moderated manually. That doesn't hold for many other methods. One other benefit of the online posting way is that the periodic killing of posts helps the commander. There is little chance of the program getting an old instruction and acting on it when it shouldn't.

    3. amanfromMars 1 Silver badge

      Re: No worse than something on a web page @kryptylomese

      ....they are no more of a risk than something on a web page.

      Or just as much a risk as anything shared on a web page ..... hot virtual spot landing stage. The Earth's an Almighty Big Space to Control for Command of Places with Assets ..... and especially so whenever Assets in Places are into Command for Control of Almighty Big Spaces.

      And that is a risk which cannot be quantified for it is too big to fail and cannot be mitigated. Anything tried is just as effective as a colossal camouflage trying to hide the sun from sight at noon every day .... ie it just isn't possible and insane to try ....... but systems as are, are not known for their great intelligence, are they, so be prepared for catastrophic missteps which will be relentlessly and rabidly punished and exploited extensively? Such is the true nature of the wronged beast?

    4. vtcodger Silver badge

      Re: No worse than something on a web page

      "....they are no more of a risk than something on a web page." Or, for example, a rogue NTP server that embeds commands in the least significant bits of the timestamp it returns.

      1. Anonymous Coward

        Re: No worse than something on a web page

        ""....they are no more of a risk than something on a web page." Or, for example, a rogue NTP server that embeds commands in the least significant bits of the timestamp it returns."

        Or... embedding data in the least significant bits of geolocation data sent to and from your smartphone.

        Some possible uses for this:

        https://redmine.replicant.us/projects/replicant/wiki/SamsungGalaxyBackdoor

        I noticed that the same commands mentioned in the Replicant OS article were also found in a Qualcomm modem:

        (open read link fcntl creat write close lseek rmdir fstat lstat mkdir fsync openat unlink remove testdir telldir frename opendir readdir dbg_open dbg_open_malloc unlinkat file_end file_dir chown chmod file_get_partition_free_size closedir)

      2. ozzo

        Re: No worse than something on a web page

        The strength of the blockchain is in being decentralized and immutable, i.e. once something gets written to it, it can never be deleted and cannot be modified. This is why you can be sure a bot will always find its CnC server and the data being posted by it will not be modified.

        Other CnC methods all have some governance over them. A web page can be taken down by the ISP; a Facebook page is owned by Facebook and they will take it down if abuse is reported. Even the NTP server can be blocked since it has a specific IP address.

        Regarding the public part, then yes, everybody can read what is written on the blockchain, but this is where encryption comes into play.

        You can read more about it at the git page for the project: https://github.com/platdrag/UnblockableChains
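The two points ozzo makes just above (the bot can always find its commands, and the commands themselves are hidden by encryption) also describe what a defender can look for: a normal contract call has a recognisable ABI shape with lots of zero padding, whereas an encrypted blob dropped into calldata has none of that structure and near-maximal byte entropy. The following is an added example, not code from the page or from the UnblockableChains project: a small triage script that classifies Ethereum-style transactions by their `input` (calldata) field. The transaction hashes, addresses, ERC-20-style call and the pseudo-random "encrypted" payloads are all constructed sample data, and the 0.4 zero-fraction and 0.75 normalized-entropy thresholds are assumptions to be tuned against real traffic.

```python
"""Flag transactions whose calldata looks like an opaque (encrypted) blob
rather than a normal ABI-encoded contract call.

Constructed example for this comment thread; not the UnblockableChains
project's code and not a production detector."""
import hashlib
import math
from dataclasses import dataclass


@dataclass
class Tx:
    tx_hash: str    # constructed placeholder, not a real transaction hash
    to: str         # constructed placeholder address
    input_hex: str  # calldata as a 0x-prefixed hex string


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def normalized_entropy(data: bytes) -> float:
    """Entropy scaled to [0, 1] against the best a sample of this size could reach."""
    if len(data) < 2:
        return 0.0
    return shannon_entropy(data) / math.log2(min(len(data), 256))


def looks_abi_encoded(data: bytes) -> bool:
    """Heuristic for a normal contract call: a 4-byte selector followed by
    32-byte words, where ABI padding makes zero bytes very common."""
    if len(data) < 4 or (len(data) - 4) % 32 != 0:
        return False
    args = data[4:]
    if not args:
        return True  # selector only, e.g. a no-argument call
    return args.count(0) / len(args) >= 0.4  # assumed padding threshold


def classify(tx: Tx, entropy_threshold: float = 0.75) -> str:
    """Return one of: plain-transfer, abi-call, opaque-payload, other."""
    raw = tx.input_hex[2:] if tx.input_hex.startswith("0x") else tx.input_hex
    data = bytes.fromhex(raw)
    if not data:
        return "plain-transfer"
    if looks_abi_encoded(data):
        return "abi-call"
    if len(data) >= 32 and normalized_entropy(data) >= entropy_threshold:
        return "opaque-payload"
    return "other"


def classify_all(txs):
    return {tx.tx_hash: classify(tx) for tx in txs}


def _constructed_opaque_bytes(n: int, seed: bytes) -> bytes:
    """Deterministic pseudo-random bytes standing in for an encrypted blob
    (constructed sample data, produced by chaining SHA-256)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample transactions (hashes and addresses are placeholders).
# ERC-20 transfer(address,uint256): selector a9059cbb, padded address, padded amount.
ERC20_TRANSFER = ("0xa9059cbb"
                  + ("11" * 20).rjust(64, "0")
                  + "0de0b6b3a7640000".rjust(64, "0"))
SAMPLE_TXS = [
    Tx("0xtx1", "0xaddr1", "0x"),                       # value transfer, no data
    Tx("0xtx2", "0xaddr2", ERC20_TRANSFER),             # ordinary token transfer
    Tx("0xtx3", "0xaddr3", "0x" + _constructed_opaque_bytes(128, b"seed-a").hex()),
    Tx("0xtx4", "0xaddr4", "0x" + _constructed_opaque_bytes(132, b"seed-b").hex()),
    Tx("0xtx5", "0xaddr5", "0x48656c6c6f"),             # short ASCII "Hello"
]

if __name__ == "__main__":
    for tx_hash, label in classify_all(SAMPLE_TXS).items():
        print(tx_hash, label)
```

The fourth sample has an ABI-shaped length (4 + 4 × 32 bytes) but almost no zero bytes, which is why the zero-fraction check matters: a word-aligned blob is still flagged. Run over a real node's transaction feed this would be one input to triage, not a verdict; the point, as a defender, is that encryption hides the content of on-chain commands but not their statistical shape.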

  3. GnuTzu Bronze badge

    Good Tools, Evil Tools

    Tools that have good uses, also have evil ones. The good or the evil is not in the tool; it's in the usage of the tool. So, pick any IT-marketing buzzword--or combinations thereof, and think ahead about how it might be used for evil.

  4. mevets

    How does botnet control sound?

    Perhaps by twisting the knob?

    1. amanfromMars 1 Silver badge

      Re: How does botnet control sound? Softly, softly and as quiet as death are surely classified ones.

      Perhaps by twisting the knob? ..... mevets

      There are those who would be into the caressing of knobs too for the soundest of beta thought control of bots networking .... and putting IT all out there for All Systems Utilization/Master Key Crack Hack Facilitation.

      Real Spooky Spooks Type Virtual Team Terrain ..... but Home Sweet Home from Home to Special AIReserve Services.

      A little matter you should be able to read more about authored and timestamped, Graham C Jun 20 2018 at 16:06 and presented in comment for viewing to military minded force sources* on NATO ‘Must Adapt’, Alliance’s Military Committee Chairman says

      * That could just as easily be sources forcing the mind to be militarily led and fed. And that be a Deep Space State Phorm of Mass Brainwashing ...... for Great Global Operating Devices Commands Delivering Future Remote Virtual AIDVenture Control .... with a Multiplicity of Fail Safe Levers to Pull for Access to Core Engine Component Upgrades/AIMaster ProgramMING Reworks.

      Now, do all Military Type Forces take Orders that are expected to be blindly followed, and be in the pay of A.N.Others, or are they enabled to make their own Greater IntelAIgent Game decisions and choose other roots and routes of Future Worlds Engagement?

      1. Anonymous Coward

        Re: How does NATO remove articles

        try to run the bits on the site that amanfromMars cites, through Russian territory. zilch. error 101.

        well, maybe trying a browser which disallows flash, with all its sounding services, has more sense (-:

  5. Claptrap314 Bronze badge

    This is not abuse of blockchain. This is a primary use case.

    Non-forgeable, non-traceable communications (when the attacker is a major nation state) are one of the primary goals of the cypherpunks. That such communications can be used for evil purposes is regrettable.

    1. MachDiamond Silver badge

      Re: This is not abuse of blockchain. This is a primary use case.

      The case you bring up also means that cost is not an object. Nation states can afford much more than a lone hacker running a botnet for fun and profit.

  6. Sitaram Chamarty

    I'm surprised no one mentioned IRC as an analogy. Much more sturdy than a web server.

    And this is not, as the article says, a blockchain issue. This will only succeed if they join specific, already popular/widely used, blockchains (bitcoin and ethereum come to mind).

    If they join some little known blockchain they may get blocked. In a way they're leveraging the somewhat implicit "too big to kill" nature of the big two blockchain instances.

    1. Claptrap314 Bronze badge

      I'm surprised that IRC wasn't mentioned in the article. It has been used for CnC for a long time, and it suffers from the same weakness. The channel being used can be blocked (and regularly is).

    2. ozzo

      You sir, got the main principle behind the research. kudos.

  7. Brian Miller

    Iota, not Ethereum

    Oh my, if those nasty crooks use Iota, and modify it such that you don't do the proof of work, then they'll have their unassailable C&C.

    Seriously, anything that uses certs and signing to lock down trust will prevent command injection attacks. Combine directed acyclic graph with game-of-life resiliency rules, and that would be a real monster.
