Rows of 1950s-style robots operate computer workstations.

When hackers switch infected computers to a botnet, they take special care to ensure that they do not lose control of the server sending commands and updates to vulnerable machines. These precautions are designed to frustrate security defenders who routinely dismantle bot networks by taking over the command and control server that manages them in a process known as sinkholing.

Recently, the botnet that researchers have been following for nearly two years began to use a new method to prevent removals from the C&C server: by disguising one of its IP addresses in the Bitcoin blockchain.

It is impossible to prevent, monitor or take it down

When things are running normally, infected devices will report to the wired control server to receive instructions and malware updates. However, in the event that the server were to be flooded, the bots would find the IP address of the backup server encrypted in the Bitcoin blockchain, which is a decentralized ledger that tracks all transactions made with the digital currency.

By having a server that a botnet can refer to, operators are preventing infected systems from becoming orphan. Storing the address in the blockchain ensures that it cannot be changed, deleted, or blocked, as is sometimes the case when hackers use traditional backup methods.

“The different thing here is that in these cases there are usually some central authorities sitting on top,” said Chad Seaman, a researcher at Akamai, the content delivery network that made the discovery. “In this case, they use a decentralized system. You can’t take it down. You can’t censor it. It’s over there.”

Convert Satoshi values

An IP address is a numerical designation that identifies the network location of devices connected to the Internet. The version 4 IP address is a 32-bit number that is stored in four octets. The current IP address for arstechnica.com, for example, is 18.190.81.75, with every octet separated by a period. (IPv6 addresses are outside the scope of this post.)

The bots Akamai noticed had stored the backup server’s IP in the most recent two transactions posted to 1Hf2CKoVDyPj7dNn3vgTeFMgDqVvbVNZQq, which is the Bitcoin wallet address specified by the operators. The second transaction provided the most recent octet of the third and fourth bits, while the second transaction provided the most recent octet of the first and second bits.

The eight bits in the transaction are encoded as “satoshi value”, which is one hundred million bitcoin (0.00000001 BTC) and is currently the smallest unit of bitcoin that can be recorded on the blockchain. To decrypt an IP address, botnet malware converts each Satoshi value into a hexadecimal representation. The representation is then split into two bytes, with each one converted into a corresponding integer.

The image below shows a portion of the bash script that malware uses in the conversion process. The aa displays the address of the bitcoin wallet chosen by the operators, the bb contains the endpoint looking for the two most recent transactions, and the cc shows the commands that convert Satoshi values ​​to the backup server’s IP.

Akamai

If the script is converted to Python code, it will look like this:

Akamai

Satoshi values ​​in the most recent wallet transactions are 6957 and 36305. Upon conversion, the IP is: 209.141.45.27

at Blog post After it was published on Tuesday, the Akamai researchers explained it this way:

Knowing that, let’s look at the values ​​of these parameters and convert them into eight IP addresses. The most recent transaction has a value of 6,957 Satoshis, converting this correct value into hexadecimal representation results in the value 0x1b2d. Taking the first byte (0x1b) and converting it to an integer yields the number 45 – this will be the third octet of our final IP address. Taking the second byte (0x2d) and converting it to an integer yields the number 27, which will become the fourth octet in our final IP address.

The same process is done with the second transaction to get the first and second octets of the C2 IP address. In this case, the value of the second transaction is 36305 Satoshis. This value converted to hexadecimal results in the hex value of 0x8dd1. Then the first byte (0x8d) and the second byte (0xd1) are converted to integers. This results in the decimal places 141 and 209 which are the second and first octets of the C2 IP address respectively. Putting the four generated octets together in their respective order results in the final C2 IP address of 209.141.45.27.

Here is a representation of the conversion process:

Akamai

Not completely new

While the Akamai researchers say they’ve never seen a robot in the wild with a decentralized blockchain to store server addresses, they have managed to find this search Which demonstrates a fully functional order server built on top of the Ethereum cryptocurrency blockchain.

“By leveraging the blockchain as a middleman, the infrastructure is virtually unstoppable, as it deals with most of the shortcomings of a systemic malicious infrastructure,” Omar Zuha, the researcher who created the proof-of-concept control server research wrote.

Criminals already had other secret means for the infected bots to locate command servers. For example, VPNFilter, the malware that Russian government-backed hackers used to use 500,000 home and small office routers affected In 2018, I relied on GPS values ​​stored in imagery stored on Photobucket.com to determine which servers are where post-phase payloads are available. In case the images are removed, use VPNFilter’s built-in server backup method at ToKnowAll.com.

Malware from Torla, another Russian government-backed hacking group, identified its control server using comments posted in Britney Spears’ official Instagram account.

The Akamai-analyzed robots are using computing resources and power supplies for infected devices to mine the Monero cryptocurrency. In 2019, researchers from Trend Micro published This detailed writing For its capabilities. Akamai estimates that, at current Monero prices, the robots mined as much as $ 4,300 in digital currency.

Cheap to disable, costly restore

In theory, obfuscation of blockchain-based control server addresses could make removals more difficult. In the case here, the disruptions are minor, since sending one Satoshi to the attacker’s wallet will change the IP address that the malicious botnet calculated.

With a Satoshi worth 4,000 cents (at search time, however), $ 1 would allow 2,500 broken transactions to be placed in the wallet. Meanwhile, attackers will have to deposit 43,262 Satoshis, or about $ 16.50, to regain control of their botnet.

Another way around is the blockchain-based resilience scale. The backup is only activated when the primary control server fails to establish a connection or returns an HTTP status code other than 200 or 405.

“If the sewer operators succeed in digging the basic infrastructure for these infections, they only need to respond with a status code of 200 to all incoming requests to prevent the current infection from
Akamai Evyatar Salas researcher explained in a post on Tuesday that the failure to use the backup IP address of BTC.

“There are improvements that could be made, which we excluded from this writing to avoid providing pointers and comments to robotics developers,” Salas added. “Adoption of this technology could be a big problem, and it is likely to gain popularity in the near future.”