When hackers insert infected computers into a botnet, they take extra care not to lose control of the server that sends commands and updates to the infected devices. The precautions are intended to thwart security defenders who routinely dismantle botnets by taking over the command-and-control server that controls them in a process known as sinkholing.
Recently, a botnet that researchers have been tracking for about two years started using a new way to prevent the removal of command-and-control servers: by disguising one of its IP addresses in the bitcoin blockchain.
Impossible to block, censor or delete
If everything is working normally, infected machines report to the wired control server to receive instructions and malware updates. In the event that the server is sunk, the botnet finds the IP address for the backup server encoded in the bitcoin blockchain, a decentralized ledger that keeps track of all transactions made using the digital currency.
By having a server on which the botnet can fall back, the operators prevent the infected systems from being orphaned. By storing the address in the blockchain, it can never be changed, deleted or blocked, as is sometimes the case when hackers use more traditional backup methods.
“What’s different here is that in those cases, there’s usually a centralized authority at the top,” said Chad Seaman, a researcher at Akamai, the content delivery network that made the discovery. “In this case they are using a decentralized system. You can’t take it down. You can’t censor it. It’s there.”
Convert Satoshi Values
An Internet Protocol address is a numeric label that maps the network location of devices connected to the Internet. A version 4 IP address is a 32-bit number stored in four bytes. For example, the current IP address for arstechnica.com is 18.190.81.75, with each octet separated by a period. (IPv6 addresses are beyond the scope of this post.)
The botnet observed by Akamai has stored the backup server’s IP address in the two most recent transactions placed at 1Hf2CKoVDyPj7dNn3vgTeFMgDqVvbVNZQq, a bitcoin wallet address selected by the operators. The most recent transaction yielded the third and fourth octet, while the second-most recent transaction yielded the first and second octet.
The octets are encoded in the transaction as a “Satoshi value”, which is one hundred millionth of a bitcoin (0.0000001 BTC) and currently the smallest unit of bitcoin currency that can be registered on the blockchain. To decode the IP address, the botnet malware converts each Satoshi value into a hexadecimal representation. The representation is then split into two bytes, with each bytes converted to its corresponding integer.
The image below shows part of a bash script that uses the malware in the conversion process. aa shows the bitcoin wallet address chosen by the operators, bb contains the endpoint that looks up the two most recent transactions, and cc shows the commands that convert the Satoshi values to the IP address of the backup server.
Akamai
Once converted to Python code, the script will look like this:
Akamai
The Satoshi values in the two most recent wallet transactions are 6957 and 36305. After conversion, the IP address is: 209.141.45.27
In a blog post published Tuesday, Akamai researchers explain it this way:
Knowing this, let’s take a look at the values of these transactions and convert them into octets of IP addresses. The most recent transaction has a value of 6,957 Satoshis, converting this integer value into its hexadecimal representation results in the value 0x1b2d. If you take the first byte (0x1b) and convert it to an integer, you get the number 45 – this is the 3rd octet of our final IP address. Taking the second byte (0x2d) and converting it to an integer results in the number 27, which will become the 4th octet in our final IP address.
The same process is done with the second transaction to get the first and second octet of the C2 IP address. In this case, the value of the second trade is 36,305 Satoshis. Converting this value to its hexadecimal representation results in the hexadecimal value of 0x8dd1. The first byte (0x8d) and the second byte (0xd1) are then converted to integers. This results in the decimal numbers 141 and 209 which are the second and first octet of the C2 IP address, respectively. Merging the four generated octets in their respective order results in the final C2 IP address of 209.141.45.27.
Here is a representation of the conversion process:
Akamai
Not quite new
While Akamai researchers say they have never seen a botnet in the wild that uses a decentralized blockchain to store server addresses, they were able to find this research demonstrating a fully functional command server built on top of the blockchain for the Ethereum cryptocurrency. .
“Using the blockchain as an intermediate, the infrastructure is virtually unstoppable and solves most of the shortcomings of mainstream malicious infrastructures,” wrote Omer Zoha, the researcher who devised the proof-of-concept control server lookup.
Criminals already had other secret means for infected bots to locate command servers. VPNFilter, for example, the malware that Russian government-backed hackers used in 2018 to infect 500,000 home and small office routers relied on GPS readings stored in images stored on Photobucket.com to locate servers where later payloads were available. In the event that the images were deleted, VPNFilter used a backup method embedded in a server at ToKnowAll.com.
Malware from Turla, another hacking group backed by the Russian government, has found its control server using comments posted to Britney Spears’ official Instagram account.
The analyzed botnet Akamai uses the computer resources and power supply of infected machines to mine the Monero cryptocurrency. In 2019, Trend Micro researchers published this detailed article about its capabilities. Akamai estimates that at current Monero prices, the botnet has mined about $43,000 worth of the digital currency.
Cheap to disrupt, expensive to restore
In theory, blockchain-based obfuscation of control server addresses can make removal much more difficult. In this case, disruptions are easy, as sending a single Satoshi to the attacker’s wallet changes the IP address that the botnet malware calculates.
With a Satoshi worth .0004 cents (at the time of research anyway), $1 would allow 2,500 disruption trades to be placed in the wallet. Meanwhile, the attackers would have to deposit 43,262 Satoshis, or about $16.50, to regain control of their botnet.
There is another way to beat the blockchain-based resilience measure. The fallback measure is triggered only when the primary control server fails to establish a connection or returns an HTTP status code other than 200 or 405.
“If sinkhole operators successfully sink the primary infrastructure for these infections, all they need to do is respond with a 200 status code for all incoming requests to prevent the existing infection from using the backup IP address.” from BTC,” Akamai researcher Evyatar Saias explains in Tuesday’s Post.
“There are improvements that can be made, which we have excluded from this article to avoid providing clues and feedback to the botnet developers,” Saias added. “The application of this technique can be very problematic and is likely to gain popularity in the near future.”
Post updated to correct amount of Monero mined and correct Saias spelling.