ZombieCoin 2.0: managing next-generation botnets using Bitcoin

  • Syed Taha Ali
  • Patrick McCorry
  • Peter Hyun-Jeen Lee
  • Feng Hao
Regular Contribution

Abstract

Botnets are the preeminent source of online crime and arguably one of the greatest threats to the Internet infrastructure. In this paper, we present ZombieCoin, a botnet command-and-control (C&C) mechanism that leverages the Bitcoin network. ZombieCoin offers considerable advantages over existing C&C techniques, most notably the fact that Bitcoin is designed to resist the very same takedown campaigns and regulatory processes that are the most often-used methods to combat botnets today. Furthermore, we describe how the Bitcoin network enables novel C&C techniques, which dramatically expand the scope of this threat, including the possibilities of flexible rendezvous scheduling, efficient botnet partitioning, and fine-grained control over bots. We validate our claims by implementing ZombieCoin bots which we then deploy and successfully control over the Bitcoin network. Our findings lead us to believe that Bitcoin-based C&C mechanisms are a highly desirable option that botmasters will pursue in the near future. We hope our study provides a useful first step towards devising effective countermeasures for this threat.

Keywords

Botnets Bitcoin Cryptocurrencies C&C 

References

  1. 1.
    Weber, T.: Criminals ’may overwhelm the web’. BBC Home, Jan. 25, 2007. http://news.bbc.co.uk/1/hi/business/6298641.stm
  2. 2.
    Dittrich, D.: So you want to take over a botnet. In: Proceedings of the 5th USENIX conference on Large-Scale Exploits and Emergent Threats. USENIX Association, pp. 6–6 (2012)Google Scholar
  3. 3.
    Stevenson, A.: Botnets infecting 18 systems per second, warns FBI. V3.co.uk, July 16 2014. http://www.v3.co.uk/v3-uk/news/2355596/botnets-infecting-18-systems-per-second-warns-fbi
  4. 4.
    Android smartphones ‘used for botnet’, researchers say, July 5 2012. http://www.bbc.co.uk/news/technology-18720565
  5. 5.
    Vincent, J.: Could your fridge send you spam? Security researchers report ’internet of things’ botnet. The Independent, Jan. 20 2014. http://www.independent.co.uk/life-style/gadgets-and-tech/news/could-your-fridge-send-you-spam-security-researchers-report-internet-of-things-botnet-9072033.html
  6. 6.
    David, J.: Hackers Take Down the Most Wired Country in Europe. Wired Magazine, Aug. 21 2007. http://archive.wired.com/politics/security/magazine/15-09/ff_estonia?currentPage=all
  7. 7.
    Hattem, J.: Senate Dem wants to battle botnets. The Hill, July 15 2014. http://thehill.com/policy/technology/212338-senate-dem-wants-to-battle-botnets
  8. 8.
    CoinMarketCap. Crypto-Currency Market Capitalizations. BitcoinTalk, Jan. 21 2016. https://coinmarketcap.com/
  9. 9.
    Young, J.: VISA: Bitcoin is no Longer a Choice Anymore. NewsBTC, Dec. 29 2015. http://www.newsbtc.com/2015/12/29/visa-bitcoin-is-no-longer-a-choice-anymore/
  10. 10.
    Bustillos, M.: The Bitcoin Boom. The New Yorker, April 2013. http://www.newyorker.com/tech/elements/the-bitcoin-boom
  11. 11.
    Young, A., Yung, M.: Malicious Cryptography: Exposing Cryptovirology. Wiley, New York (2004)Google Scholar
  12. 12.
    ICT-FORWARD Consortium. FORWARD: Managing Emerging Threats in ICT Infrastructures, 2007–2008. http://www.ict-forward.eu/
  13. 13.
    Barford, P., Yegneswaran, V.: An inside look at botnets. In: Malware Detection. Springer, pp. 171–191 (2007)Google Scholar
  14. 14.
    Westervelt, R.: Botnet Masters Turn to Google, Social Networks to Avoid Detection. TechTarget, Nov. 10 2009. http://searchsecurity.techtarget.com/news/1373974/Botnet-masters-turn-to-Google-social-networks-to-avoid-detection
  15. 15.
    Bowden, M.: Worm: The First Digital World War. Atlantic Monthly Press (2011)Google Scholar
  16. 16.
    Stone-Gross, B., Cova, M., Cavallaro, L., Gilbert, B., Szydlowski, M., Kemmerer, R., Kruegel, C., Vigna, G.: Your botnet is my botnet: analysis of a botnet takeover. In: Proceedings of the 16th ACM conference on Computer and communications security (CCS). ACM, pp. 635–647 (2009)Google Scholar
  17. 17.
    Wang, P., Sparks, S., Zou, C.C.: An advanced hybrid peer-to-peer botnet. IEEE Trans. Dependable Secure Comput. 7(2), 113–127 (2010)CrossRefGoogle Scholar
  18. 18.
    Neville, A., Gibb, R.: Security Response: ZeroAccess Indepth. White paper, Symantec, Oct. 4 2013Google Scholar
  19. 19.
    Prince, B.: Flashback Botnet Updated to Include Twitter as C&C. SecurityWeek, April 30 2012. http://www.securityweek.com/flashback-botnet-updated-include-twitter-cc
  20. 20.
    Lelli, A.: Trojan.Whitewell: What’s your (bot) Facebook Status Today? Symantec Security Response Blog, Oct. 2009. http://www.symantec.com/connect/blogs/trojanwhitewell-what-s-your-bot-facebook-status-today [online]. Accessed 22 July 2014
  21. 21.
    Kovacs, E.: RAT Abuses Yahoo Mail for C&C Communications. SecurityWeek, Aug. 4 2014. http://www.securityweek.com/rat-abuses-yahoo-mail-cc-communications
  22. 22.
    Katsuki, T.: Malware Targeting Windows 8 Uses Google Docs. Symantec Official Blog, Nov. 16 2012. http://www.symantec.com/connect/blogs/malware-targeting-windows-8-uses-google-docs
  23. 23.
    Gallagher, S.: Evernote: so useful, even malware loves it. Ars Technica, Mar. 27 2013. http://arstechnica.com/security/2013/03/evernote-so-useful-even-malware-loves-it/
  24. 24.
    Willet, J.R.: The Second Bitcoin Whitepaper, v. 0.5, Jan. 2012. https://sites.google.com/site/2ndbtcwpaper/2ndBitcoinWhitepaper.pdf [online]. Accessed 22 July 2014
  25. 25.
    Rosenfeld, M.: Overview of Colored Coins, Dec. 2012. https://bitcoil.co.il/BitcoinX.pdf [online]. Accessed 22 July 2014
  26. 26.
    Counterparty: Pioneering Peer-to-Peer Finance. https://www.counterparty.co/
  27. 27.
    Isgur, B.: A Little Altcoin Sanity: Namecoin. CoinReport, July 16 2014. https://coinreport.net/little-altcoin-sanity-namecoin/
  28. 28.
    Clark, J., Essex, A.: Commitcoin: carbon dating commitments with Bitcoin. In: Financial Cryptography and Data Security. Springer, pp. 390–398 (2012)Google Scholar
  29. 29.
    Cawrey, D.: How Monegraph Uses the Block Chain to Verify Digital Assets. CoinDesk, May 15 2014. http://www.coindesk.com/monegraph-uses-block-chain-verify-digital-assets/
  30. 30.
  31. 31.
    Protocol Specification. Bitcoin Wiki. https://en.bitcoin.it/wiki/Protocol_specification
  32. 32.
    Apodaca, R.L.: OP_RETURN and the Future of Bitcoin. Bitzuma, July 29 2014. http://bitzuma.com/posts/op-return-and-the-future-of-bitcoin/
  33. 33.
    Andresen, G.: Core Development Update #5. Bitcoin Foundation, Oct. 24 2013. https://bitcoinfoundation.org/2013/10/core-development-update-5/
  34. 34.
    Bradbury, D.: BlockSign Utilises Block Chain to Verify Signed Contracts. CoinDesk, Aug. 27 2014. http://www.coindesk.com/blocksign-utilises-block-chain-verify-signed-contracts/
  35. 35.
    Kirk, J.: Could the Bitcoin Network be Used as an Ultrasecure Notary Service? PCWorld, May 24 2013. http://www.pcworld.com/article/2039705/could-the-bitcoin-network-be-used-as-an-ultrasecure-notary-service.html
  36. 36.
    Mastercoin transaction on Bitcoin Block Explorer. https://goo.gl/dq1ra3
  37. 37.
    Bos, J.W., Halderman, J.A., Heninger, N., Moore, J., Naehrig, M., Wustrow, E.: Elliptic curve cryptography in practice. IACR Cryptol. ePrint Arch. 2013, 734 (2013)Google Scholar
  38. 38.
    Johnson, D., Menezes, A., Vanstone, S.: The Elliptic Curve Digital Signature Algorithm (ECDSA). Int. J. Inf. Sec. 1(1), 36–63 (2001)CrossRefGoogle Scholar
  39. 39.
    Simmons, G.J.: The prisoners problem and the subliminal channel. In: Advances in Cryptology. Springer, pp. 51–67 (1984)Google Scholar
  40. 40.
    Simmons, G.J.: The subliminal channel and digital signatures. In: Advances in Cryptology. Springer, pp. 364–378 (1985)Google Scholar
  41. 41.
    Burnett, S., Feamster, N., Vempala, S.: Chipping away at censorship firewalls with user-generated content. In: USENIX Security Symposium, Washington, DC, pp. 463–468 (2010)Google Scholar
  42. 42.
    Invernizzi, L., Kruegel, C., Vigna, G.: Message in a bottle: sailing past censorship. In: Proceedings of the 29th Annual Computer Security Applications Conference. ACM, pp. 39–48 (2013)Google Scholar
  43. 43.
    Elahi, T., Goldberg, I.: Cordon—A Taxonomy of Internet Censorship Resistance Strategies. University of Waterloo CACR, 33 (2012)Google Scholar
  44. 44.
  45. 45.
    Andriesse, D., Rossow, C., Stone-Gross, B., Plohmann, D., Bos, H.: Highly resilient peer-to-peer botnets are here: an analysis of gameover zeus. In: 2013 8th International Conference on Malicious and Unwanted Software: “The Americas” (MALWARE). IEEE, pp. 116–123 (2013)Google Scholar
  46. 46.
    Naraine, R.: Storm Worm botnet partitions for sale, Oct. 15 2007. http://www.zdnet.com/blog/security/storm-worm-botnet-partitions-for-sale/592
  47. 47.
    Insight a ZeuS C&C server. http://www.abuse.ch/?p=1192, March 20 2009
  48. 48.
    Bloom, B.H.: Space/time trade-offs in hash coding with allowable errors. Commun. ACM 13(7), 422–426 (1970)CrossRefMATHGoogle Scholar
  49. 49.
    BitcoinJ: A Java implementation of a Bitcoin client-only node. https://code.google.com/p/bitcoinj/
  50. 50.
    Nakamoto, S.: Bitcoin: A Peer-to-peer Electronic Cash System. http://www.bitcoin.org/bitcoin.pdf (2009). [online]. Accessed 22 July 2014
  51. 51.
    Azure: Microsoft’s Cloud Platform. https://azure.microsoft.com/en-gb/
  52. 52.
    Interview with khalahan—namecoins lead developer, June 2014. http://coinabul.tumblr.com/post/25890690158/khalahan-and-namecoin-interview
  53. 53.
    Ali, S.T., McCorry, P., Lee, P.H.-J., Hao, F.: ZombieCoin: powering next generation botnets with Bitcoin. In: Proceedings of the 2nd Workshop on Bitcoin Research, BITCOIN’15 (2015)Google Scholar
  54. 54.
    Fox-Brewster, T.: Bitcoin’s Blockchain Offers Safe Haven For Malware And Child Abuse, Warns Interpol. Forbes, March 27 2015. http://www.forbes.com/sites/thomasbrewster/2015/03/27/bitcoin-blockchain-pollution-a-criminal-opportunity/#6ae1d8583297
  55. 55.
    Mehdi, S.A., Khalid, J., Khayam, S.A.: Revisiting traffic anomaly detection using software defined networking. In: Recent Advances in Intrusion Detection. Springer, pp. 161–180 (2011)Google Scholar
  56. 56.
    Hoffman, C.: 7 Reasons to Use a Third-Party DNS Service, Sept. 7 2013. http://www.howtogeek.com/167239/7-reasons-to-use-a-third-party-dns-service/
  57. 57.
    Ford, R., Gordon, S.: Cent, five cent, ten cent, dollar: hitting botnets where it really hurts. In: Proceedings of the 2006 workshop on New security paradigms. ACM, pp. 3–10 (2006)Google Scholar
  58. 58.
    Franklin, J., Perrig, A., Paxson, V., Savage, S.: An inquiry into the nature and causes of the wealth of internet miscreants. In: ACM Conference on Computer and Communications Security, pp. 375–388 (2007)Google Scholar
  59. 59.
    Li, Z., Liao, Q., Striegel, A.: Botnet economics: uncertainty matters. In: Managing Information Risk and the Economics of Security. Springer, pp. 245–267 (2009)Google Scholar
  60. 60.
    Porras, P., Saïdi, H., Yegneswaran, V.: A foray into confickers logic and rendezvous points. In: USENIX Workshop on Large-Scale Exploits and Emergent Threats (2009)Google Scholar
  61. 61.
    Holz, T., Steiner, M., Dahl, F., Biersack, E., Freiling, F.C.: Measurements and mitigation of peer-to-peer-based botnets: a case study on storm worm. In: Proceedings of the First USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), pp. 1–9 (2008)Google Scholar
  62. 62.
    Stock, B., Gobel, J., Engelberth, M., Freiling, F.C., Holz, T.: Walowdac-analysis of a peer-to-peer botnet. In: 2009 European Conference on Computer Network Defense (EC2ND). IEEE, pp. 13–20 (2009)Google Scholar
  63. 63.
    Cooke, E., Jahanian, F., McPherson, D.: The zombie roundup: understanding, detecting, and disrupting botnets. In: Proceedings of the USENIX SRUTI Workshop, vol. 39, p. 44 (2005)Google Scholar
  64. 64.
    Ramsbrock, D., Wang, X., Jiang, X.: A first step towards live botmaster traceback. In: Recent Advances in Intrusion Detection. Springer, pp. 59–77 (2008)Google Scholar
  65. 65.
    Gu, G. Zhang, J., Lee, W.: Botsniffer: detecting botnet command and control channels in network traffic. In: Proceedings of the 15th Annual Network and Distributed System Security Symposium, NDSS (2008)Google Scholar
  66. 66.
    Gu, G., Perdisci, R., Zhang, J., Lee, W., et al.: Botminer: clustering analysis of network traffic for protocol-and structure-independent botnet detection. In: USENIX Security Symposium, pp. 139–154 (2008)Google Scholar
  67. 67.
    Gu, G., Porras, P.A., Yegneswaran, V., Fong, M.W., Lee, W.: Bothunter: detecting malware infection through ids-driven dialog correlation. USENIX Security 7, 1–16 (2007)Google Scholar
  68. 68.
    Cho, C.Y., Caballero, J., Grier, C., Paxson, V., Song, D.: Insights from the inside: a view of botnet management from infiltration. In: USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET) (2010)Google Scholar
  69. 69.
    Khattak, S., Ramay, N., Khan, K., Syed, A., Khayam, S.: A taxonomy of botnet behavior, detection, and defense. IEEE Commun. Surv. Tutor. 16(2), 898–924 (2014)CrossRefGoogle Scholar
  70. 70.
    Silva, S.S.C., Silva, R.M.P., Pinto, R.C.G., Salles, R.M.: Botnets: a survey. Comput. Netw. 57(2), 378–403 (2013)CrossRefGoogle Scholar
  71. 71.
    Lee, H.H., Chang, E.-C., Chan, M.C.: Pervasive random beacon in the internet for covert coordination. In: Information Hiding. Springer, pp. 53–61 (2005)Google Scholar
  72. 72.
    Szabo, J., Aycock, J., Acton, R., Denzinger, J.: The tale of the weather worm. In: Proceedings of the 2008 ACM Symposium on Applied Computing. ACM, pp. 2097–2102 (2008)Google Scholar
  73. 73.
    Starnberger, G., Kruegel, C., Kirda, E.: Overbot: a botnet protocol based on Kademlia. In: Proceedings of the 4th international Conference on Security and Privacy in Communication Networks (SecureComm). ACM, p. 13 (2008)Google Scholar
  74. 74.
    Nappa, A., Fattori, A., Balduzzi, M., DellAmico, M., Cavallaro, L.: Take a deep breath: a stealthy, resilient and cost-effective botnet using skype. In: Detection of Intrusions and Malware, and Vulnerability Assessment. Springer, pp. 81–100 (2010)Google Scholar
  75. 75.
    Whittaker, Z.: Skype ditched peer-to-peer supernodes for scalability, not surveillance. http://www.zdnet.com/skype-ditched-peer-to-peer-supernodes-for-scalability-not-surveillance-7000017215/, June 24, 2013
  76. 76.
    Nagaraja, S., Houmansadr, A., Piyawongwisal, P., Singh, V., Agarwal, P., Borisov, N.: Stegobot: a covert social network botnet. In: Information Hiding. Springer, pp. 299–313 (2011)Google Scholar
  77. 77.
    Zeng, Y., Shin, K.G., Hu, X.: Design of SMS commanded-and-controlled and P2P-structured mobile botnets. In: Proceedings of the Fifth ACM conference on Security and Privacy in Wireless and Mobile Networks (WiSec), pp. 137–148 (2012)Google Scholar
  78. 78.
    Desimone, J., Johnson, D., Yuan, B., Lutz, P.: Covert channel in the bittorrent tracker protocol. In: International Conference on Security and Management. Rochester Institute of Technology, 2012. http://scholarworks.rit.edu/other/300

Copyright information

© Springer-Verlag Berlin Heidelberg 2017

Authors and Affiliations

  1. 1.School of Electrical Engineering and Computer ScienceNational University of Sciences and TechnologyIslamabadPakistan
  2. 2.School of Computing ScienceNewcastle UniversityNewcastle upon TyneUK
  3. 3.Paysafe GroupCambridgeUK

Personalised recommendations