Last week, Google announced that it had partially disrupted the operations of a massive botnet—a gargantuan network of over one million malware-infected Windows computers. In the world of cybersecurity, that would be news on its own, but this particular network was using an alarming blockchain integration that makes it particularly menacing.
Botnets are basically armies of “zombie” devices—servers that have been infected with malware and tied into a malicious network, the likes of which can then be used to commit large-scale criminal activity. Most people whose device has been compromised and become part of a botnet have no idea that it’s happened, and their computer basically functions as an unwitting accomplice to cybercrime.
In this particular case, the criminal organization behind the botnet is believed to be a malware family known as “Glupteba.” Last week, Google’s Threat Analysis Group (TAG) published context on the Glupteba botnet, showing that the network was being used to mine cryptocurrency, otherwise known as “cryptojacking.” The hijacked CPU power of the droves and droves of infected devices was essentially acting as free rocket fuel for the criminals, who could use it to support their energy-intensive enterprise.
So, obviously, disruption of something like that is good. But, as is the undying problem with botnets, the real issue isn’t necessarily how to knock down parts of an infected network, but how to keep them down. At the same time that Google said it had disrupted Gluteba, it also had to admit that the infected network would soon reconstitute and return itself to full strength through an innovative resilience mechanism based in the Bitcoin blockchain.
This new, crypto-based mechanism, which has long been theorized about but hasn’t necessarily been seen in the wild before, could present unfortunate new terrain for cybercriminals—the likes of which may make them increasingly resistant to disruption by law enforcement.
The primary problem for any cybercriminal who wants to operate a botnet is how to maintain control over their zombified hordes.
Botnets are typically set up to be controlled by one centralized party, usually referred to as a “botmaster,” or a “botherder.” Herders use what is called a command-and-control (C2) server—one machine that sends directions to all of the infected machines, effectively acting as the main switchboard for the criminals to control their zombies. Via C2s, herders can direct large-scale malicious campaigns, such as data theft, malware attacks, or, in Glupteba’s case, cryptojacking.
But, to manage its herds, the botmaster needs a channel by which to stay connected to them and give commands—and this is where things can get tricky. Lots of botnet C2 infrastructures utilize basic web protocols like HTTP, which means that they have to be connected to a specific web domain to remain in contact with their herd. The domain acts as the C2's portal to the internet and, thus, the extended network of infected devices.
However, because it’s not that hard to take a website down, this means that C2s—and therefore botnets themselves—can be disrupted fairly easily. Law enforcement can bring them down by merely incapacitating the domains associated with the C2—either by getting its DNS provider, like Cloudflare, to shut off access, or by finding and seizing a domain itself.
To get around this, criminals have increasingly looked for innovative ways to stay connected to their bot herds. In particular, criminals have sought to use alternative platforms—such as social media or, in some cases, Tor—to act as C2 hubs. A 2019 study by the MIT Internet Policy Research Initiative points out that some of these methods have had middling success but generally don’t exhibit much longevity:
More recently, botnets have experimented with esoteric C&C mechanisms, including social media and cloud services. The Flashback Trojan retrieved instructions from a Twitter account. Whitewell Trojan used Facebook as a rendezvous point to redirect bots to the C&C server...The results have been mixed. Network administrators rarely block these services because they are ubiquitously used, and C&C traffic is therefore harder to distinguish. On the other hand, C&C channels are again centralized and companies like Twitter and Google are quick to crack down on them.
What frequently happens is a game of whack-a-mole between cops and criminals, in which police repeatedly take down domains or whatever other web infrastructure is being used, only to have the same criminals reconstitute and get the botnet back up and running again via a different medium.
However, Glupteba appears to have changed the game: According to both Google and other security analysts who have examined the gang’s activities, the criminal enterprise seems to have found the perfect way to make itself impervious to disruption. How? By leveraging the tamper-proof infrastructure of the Bitcoin blockchain.
For cybercriminals, the issue of how to stay connected to their bot herds can be solved via the creation of a backup mechanism. If the primary C2 server and its associated domain get taken down by cops, the malware within infected devices can be engineered to search the web for another, backup C2 domain, which then resurrects the entire infected network.
Typically, criminals will hard-code these backup web domains into the malware itself. (Hard-coding is the practice of embedding data directly into the source code of a particular program.) In this way, the botmaster can register droves of backups. But, eventually, there’s a limit to the effectiveness of this strategy. At some point, the botnet will run out of new addresses because only a finite amount can be coded into the malware.
In Glupteba’s case, however, the gang has sidestepped this issue entirely: instead of hard-coding web domains into the malware, they hard-coded three Bitcoin wallet addresses into it. With these addresses, Glupteba has managed to set up an infallible interface between its bot herds and its C2 infrastructure via a little-known function known as the “OP_Return.”
The OP_Return is a controversial feature of Bitcoin wallets that allows for the entry of arbitrary text into transactions. It basically functions as the crypto equivalent of Venmo’s “memo” field. Glupteba has taken advantage of this feature by using it as a communication channel. The malware within the infected devices is engineered so that, should one of the botnet’s C2 servers go offline, the devices will scan the public Bitcoin blockchain for transactions associated with Glupteba’s wallets. Within those wallets, via the OP_Return field, the cybercriminals can perpetually enter new domain addresses, which its botnet is engineered to recognize and redirect to.
Chainalysis, a blockchain analysis firm, played a key role in helping Google’s security team investigate all of this. In an interview with Gizmodo, the company’s senior director of investigations and special programs, Erin Plante, said that the criminals’ use of the blockchain presents unique, potentially insurmountable challenges to law enforcement.
“When the botnet loses communication to a C2 domain—typically because there is some sort of law enforcement action—the botnet knows to go and scan the entire public Bitcoin blockchain and it looks for transactions between those three Bitcoin addresses,” said Plante. In other words, every time a C2 domain gets taken down, Glupteba can automatically reconstitute via a new domain address sent through the gang’s crypto wallets.
The decentralized nature of the blockchain means that there isn’t really any way to block these messages from going through, or to incapacitate the associated crypto addresses, said Plante. Indeed, as crypto-enthusiasts have often pointed out, the blockchain is considered “uncensorable” and “tamper-proof,” because it doesn’t have any overarching authority or managerial entity. As such, no one can turn the lights off on Glupteba’s malicious activity.
So, uh, what to do? Currently, the options aren’t great, says Shane Huntley, Director of Google’s TAG team.
“This backup mechanism is very resilient,” said Huntley, in an email to Gizmodo. “As long as the attackers have the keys to the wallets they will be able to direct the botnet to look for new servers.”
Plante seems similarly pessimistic. “It’s certainly a model that, if it were replicated to ransomware or other cybercriminal activities, it’s a scary possibility,” she said. “At this point, besides taking down a single C2 domain only to have it spin up again a few days later, no one has been able to find out a way to stop this.”
Huntley said that there were likely other examples of criminals using the blockchain in this way but that the practice was definitely not considered “common” at this time.
“The mitigating factor though is that anytime they do this, it will be public and further action can be taken,” said Huntley, referencing the implicitly public nature of the blockchain. Because of its open format, Huntley said that Google’s threat team is able to continue tracing the criminals’ transactions. “We’ve already seen them direct the botnet to new servers and those servers have now also been taken down.”
In other words, the botnet will live on as long as the hackers care to keep updating it. And security professionals will have to keep tracking its updates until the hackers give up or are apprehended in real life.