Skip to main content

ZombieCoin 2.0: managing next-generation botnets using Bitcoin

International Journal of Information Security volume 17pages 411–422 (2018)Cite this article

Abstract

Botnets are the preeminent source of online crime and arguably one of the greatest threats to the Internet infrastructure. In this paper, we present ZombieCoin, a botnet command-and-control (C&C) mechanism that leverages the Bitcoin network. ZombieCoin offers considerable advantages over existing C&C techniques, most notably the fact that Bitcoin is designed to resist the very same takedown campaigns and regulatory processes that are the most often-used methods to combat botnets today. Furthermore, we describe how the Bitcoin network enables novel C&C techniques, which dramatically expand the scope of this threat, including the possibilities of flexible rendezvous scheduling, efficient botnet partitioning, and fine-grained control over bots. We validate our claims by implementing ZombieCoin bots which we then deploy and successfully control over the Bitcoin network. Our findings lead us to believe that Bitcoin-based C&C mechanisms are a highly desirable option that botmasters will pursue in the near future. We hope our study provides a useful first step towards devising effective countermeasures for this threat.

This is a preview of subscription content, access via your institution.

Access options

Buy single article

Instant access to the full article PDF.

USD 39.95

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5

Notes

  1. Bitcoin prices are prone to fluctuation. All figures quoted in this paper date to September, 2014.

  2. Interested parties are requested to contact the authors via email.

  3. Bitcoin technically provides pseudonymity, a weaker form of anonymity, in that Bitcoin addresses are not tied to identity and it is trivial to generate new addresses.

  4. C&C servers belonging to the Zeus botnet were discovered to maintain a similar MySQL database with a web-based administrative GUI for botmasters [47].

  5. The C&C transactions pertaining to our experiment can be identified in the blockchain by transaction input 1LujiuygToEddPEmRGMQUGXbsMGmup1Wrs. The initial ‘ping’ command is recorded in Block 319998 (transaction ID: b26b3ea0d8065d3288a5142580a5f0e372445d27bb51b45a491d2e5f20238c5e). The final ‘screenshot’ command occurs in Block 320153 (transaction ID: 326e06b6c187c5d97ad783fc4d7bd67cf9c80894cd9837d5e83b04ce0f0f4068). Commands can be decoded by setting the offset for each ASCII character to −125.

  6. The Namecoin lead developer was interviewed in 2014 on the possibility of Namecoin being used to empower botnets. His response, “Is there a real benefit for the zombie computer to use this instead of connecting to an IRC channel or else? Updatable IP? It may be less complex to get IP from hacked computers all over the world or to build a P2P botnet. As each thing that provides power to its user, it can be used in a bad or good way (as knives, secure communication software, etc).” [52].

References

  1. Weber, T.: Criminals ’may overwhelm the web’. BBC Home, Jan. 25, 2007. http://news.bbc.co.uk/1/hi/business/6298641.stm

  2. Dittrich, D.: So you want to take over a botnet. In: Proceedings of the 5th USENIX conference on Large-Scale Exploits and Emergent Threats. USENIX Association, pp. 6–6 (2012)

  3. Stevenson, A.: Botnets infecting 18 systems per second, warns FBI. V3.co.uk, July 16 2014. http://www.v3.co.uk/v3-uk/news/2355596/botnets-infecting-18-systems-per-second-warns-fbi

  4. Android smartphones ‘used for botnet’, researchers say, July 5 2012. http://www.bbc.co.uk/news/technology-18720565

  5. Vincent, J.: Could your fridge send you spam? Security researchers report ’internet of things’ botnet. The Independent, Jan. 20 2014. http://www.independent.co.uk/life-style/gadgets-and-tech/news/could-your-fridge-send-you-spam-security-researchers-report-internet-of-things-botnet-9072033.html

  6. David, J.: Hackers Take Down the Most Wired Country in Europe. Wired Magazine, Aug. 21 2007. http://archive.wired.com/politics/security/magazine/15-09/ff_estonia?currentPage=all

  7. Hattem, J.: Senate Dem wants to battle botnets. The Hill, July 15 2014. http://thehill.com/policy/technology/212338-senate-dem-wants-to-battle-botnets

  8. CoinMarketCap. Crypto-Currency Market Capitalizations. BitcoinTalk, Jan. 21 2016. https://coinmarketcap.com/

  9. Young, J.: VISA: Bitcoin is no Longer a Choice Anymore. NewsBTC, Dec. 29 2015. http://www.newsbtc.com/2015/12/29/visa-bitcoin-is-no-longer-a-choice-anymore/

  10. Bustillos, M.: The Bitcoin Boom. The New Yorker, April 2013. http://www.newyorker.com/tech/elements/the-bitcoin-boom

  11. Young, A., Yung, M.: Malicious Cryptography: Exposing Cryptovirology. Wiley, New York (2004)

    Google Scholar 

  12. ICT-FORWARD Consortium. FORWARD: Managing Emerging Threats in ICT Infrastructures, 2007–2008. http://www.ict-forward.eu/

  13. Barford, P., Yegneswaran, V.: An inside look at botnets. In: Malware Detection. Springer, pp. 171–191 (2007)

  14. Westervelt, R.: Botnet Masters Turn to Google, Social Networks to Avoid Detection. TechTarget, Nov. 10 2009. http://searchsecurity.techtarget.com/news/1373974/Botnet-masters-turn-to-Google-social-networks-to-avoid-detection

  15. Bowden, M.: Worm: The First Digital World War. Atlantic Monthly Press (2011)

  16. Stone-Gross, B., Cova, M., Cavallaro, L., Gilbert, B., Szydlowski, M., Kemmerer, R., Kruegel, C., Vigna, G.: Your botnet is my botnet: analysis of a botnet takeover. In: Proceedings of the 16th ACM conference on Computer and communications security (CCS). ACM, pp. 635–647 (2009)

  17. Wang, P., Sparks, S., Zou, C.C.: An advanced hybrid peer-to-peer botnet. IEEE Trans. Dependable Secure Comput. 7(2), 113–127 (2010)

    Article  Google Scholar 

  18. Neville, A., Gibb, R.: Security Response: ZeroAccess Indepth. White paper, Symantec, Oct. 4 2013

  19. Prince, B.: Flashback Botnet Updated to Include Twitter as C&C. SecurityWeek, April 30 2012. http://www.securityweek.com/flashback-botnet-updated-include-twitter-cc

  20. Lelli, A.: Trojan.Whitewell: What’s your (bot) Facebook Status Today? Symantec Security Response Blog, Oct. 2009. http://www.symantec.com/connect/blogs/trojanwhitewell-what-s-your-bot-facebook-status-today [online]. Accessed 22 July 2014

  21. Kovacs, E.: RAT Abuses Yahoo Mail for C&C Communications. SecurityWeek, Aug. 4 2014. http://www.securityweek.com/rat-abuses-yahoo-mail-cc-communications

  22. Katsuki, T.: Malware Targeting Windows 8 Uses Google Docs. Symantec Official Blog, Nov. 16 2012. http://www.symantec.com/connect/blogs/malware-targeting-windows-8-uses-google-docs

  23. Gallagher, S.: Evernote: so useful, even malware loves it. Ars Technica, Mar. 27 2013. http://arstechnica.com/security/2013/03/evernote-so-useful-even-malware-loves-it/

  24. Willet, J.R.: The Second Bitcoin Whitepaper, v. 0.5, Jan. 2012. https://sites.google.com/site/2ndbtcwpaper/2ndBitcoinWhitepaper.pdf [online]. Accessed 22 July 2014

  25. Rosenfeld, M.: Overview of Colored Coins, Dec. 2012. https://bitcoil.co.il/BitcoinX.pdf [online]. Accessed 22 July 2014

  26. Counterparty: Pioneering Peer-to-Peer Finance. https://www.counterparty.co/

  27. Isgur, B.: A Little Altcoin Sanity: Namecoin. CoinReport, July 16 2014. https://coinreport.net/little-altcoin-sanity-namecoin/

  28. Clark, J., Essex, A.: Commitcoin: carbon dating commitments with Bitcoin. In: Financial Cryptography and Data Security. Springer, pp. 390–398 (2012)

  29. Cawrey, D.: How Monegraph Uses the Block Chain to Verify Digital Assets. CoinDesk, May 15 2014. http://www.coindesk.com/monegraph-uses-block-chain-verify-digital-assets/

  30. OneName. https://onename.io/

  31. Protocol Specification. Bitcoin Wiki. https://en.bitcoin.it/wiki/Protocol_specification

  32. Apodaca, R.L.: OP_RETURN and the Future of Bitcoin. Bitzuma, July 29 2014. http://bitzuma.com/posts/op-return-and-the-future-of-bitcoin/

  33. Andresen, G.: Core Development Update #5. Bitcoin Foundation, Oct. 24 2013. https://bitcoinfoundation.org/2013/10/core-development-update-5/

  34. Bradbury, D.: BlockSign Utilises Block Chain to Verify Signed Contracts. CoinDesk, Aug. 27 2014. http://www.coindesk.com/blocksign-utilises-block-chain-verify-signed-contracts/

  35. Kirk, J.: Could the Bitcoin Network be Used as an Ultrasecure Notary Service? PCWorld, May 24 2013. http://www.pcworld.com/article/2039705/could-the-bitcoin-network-be-used-as-an-ultrasecure-notary-service.html

  36. Mastercoin transaction on Bitcoin Block Explorer. https://goo.gl/dq1ra3

  37. Bos, J.W., Halderman, J.A., Heninger, N., Moore, J., Naehrig, M., Wustrow, E.: Elliptic curve cryptography in practice. IACR Cryptol. ePrint Arch. 2013, 734 (2013)

    Google Scholar 

  38. Johnson, D., Menezes, A., Vanstone, S.: The Elliptic Curve Digital Signature Algorithm (ECDSA). Int. J. Inf. Sec. 1(1), 36–63 (2001)

    Article  Google Scholar 

  39. Simmons, G.J.: The prisoners problem and the subliminal channel. In: Advances in Cryptology. Springer, pp. 51–67 (1984)

  40. Simmons, G.J.: The subliminal channel and digital signatures. In: Advances in Cryptology. Springer, pp. 364–378 (1985)

  41. Burnett, S., Feamster, N., Vempala, S.: Chipping away at censorship firewalls with user-generated content. In: USENIX Security Symposium, Washington, DC, pp. 463–468 (2010)

  42. Invernizzi, L., Kruegel, C., Vigna, G.: Message in a bottle: sailing past censorship. In: Proceedings of the 29th Annual Computer Security Applications Conference. ACM, pp. 39–48 (2013)

  43. Elahi, T., Goldberg, I.: Cordon—A Taxonomy of Internet Censorship Resistance Strategies. University of Waterloo CACR, 33 (2012)

  44. Goncharov, M.: Russian Underground 101 (2012). http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-russian-underground-101.pdf

  45. Andriesse, D., Rossow, C., Stone-Gross, B., Plohmann, D., Bos, H.: Highly resilient peer-to-peer botnets are here: an analysis of gameover zeus. In: 2013 8th International Conference on Malicious and Unwanted Software: “The Americas” (MALWARE). IEEE, pp. 116–123 (2013)

  46. Naraine, R.: Storm Worm botnet partitions for sale, Oct. 15 2007. http://www.zdnet.com/blog/security/storm-worm-botnet-partitions-for-sale/592

  47. Insight a ZeuS C&C server. http://www.abuse.ch/?p=1192, March 20 2009

  48. Bloom, B.H.: Space/time trade-offs in hash coding with allowable errors. Commun. ACM 13(7), 422–426 (1970)

    Article  MATH  Google Scholar 

  49. BitcoinJ: A Java implementation of a Bitcoin client-only node. https://code.google.com/p/bitcoinj/

  50. Nakamoto, S.: Bitcoin: A Peer-to-peer Electronic Cash System. http://www.bitcoin.org/bitcoin.pdf (2009). [online]. Accessed 22 July 2014

  51. Azure: Microsoft’s Cloud Platform. https://azure.microsoft.com/en-gb/

  52. Interview with khalahan—namecoins lead developer, June 2014. http://coinabul.tumblr.com/post/25890690158/khalahan-and-namecoin-interview

  53. Ali, S.T., McCorry, P., Lee, P.H.-J., Hao, F.: ZombieCoin: powering next generation botnets with Bitcoin. In: Proceedings of the 2nd Workshop on Bitcoin Research, BITCOIN’15 (2015)

  54. Fox-Brewster, T.: Bitcoin’s Blockchain Offers Safe Haven For Malware And Child Abuse, Warns Interpol. Forbes, March 27 2015. http://www.forbes.com/sites/thomasbrewster/2015/03/27/bitcoin-blockchain-pollution-a-criminal-opportunity/#6ae1d8583297

  55. Mehdi, S.A., Khalid, J., Khayam, S.A.: Revisiting traffic anomaly detection using software defined networking. In: Recent Advances in Intrusion Detection. Springer, pp. 161–180 (2011)

  56. Hoffman, C.: 7 Reasons to Use a Third-Party DNS Service, Sept. 7 2013. http://www.howtogeek.com/167239/7-reasons-to-use-a-third-party-dns-service/

  57. Ford, R., Gordon, S.: Cent, five cent, ten cent, dollar: hitting botnets where it really hurts. In: Proceedings of the 2006 workshop on New security paradigms. ACM, pp. 3–10 (2006)

  58. Franklin, J., Perrig, A., Paxson, V., Savage, S.: An inquiry into the nature and causes of the wealth of internet miscreants. In: ACM Conference on Computer and Communications Security, pp. 375–388 (2007)

  59. Li, Z., Liao, Q., Striegel, A.: Botnet economics: uncertainty matters. In: Managing Information Risk and the Economics of Security. Springer, pp. 245–267 (2009)

  60. Porras, P., Saïdi, H., Yegneswaran, V.: A foray into confickers logic and rendezvous points. In: USENIX Workshop on Large-Scale Exploits and Emergent Threats (2009)

  61. Holz, T., Steiner, M., Dahl, F., Biersack, E., Freiling, F.C.: Measurements and mitigation of peer-to-peer-based botnets: a case study on storm worm. In: Proceedings of the First USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), pp. 1–9 (2008)

  62. Stock, B., Gobel, J., Engelberth, M., Freiling, F.C., Holz, T.: Walowdac-analysis of a peer-to-peer botnet. In: 2009 European Conference on Computer Network Defense (EC2ND). IEEE, pp. 13–20 (2009)

  63. Cooke, E., Jahanian, F., McPherson, D.: The zombie roundup: understanding, detecting, and disrupting botnets. In: Proceedings of the USENIX SRUTI Workshop, vol. 39, p. 44 (2005)

  64. Ramsbrock, D., Wang, X., Jiang, X.: A first step towards live botmaster traceback. In: Recent Advances in Intrusion Detection. Springer, pp. 59–77 (2008)

  65. Gu, G. Zhang, J., Lee, W.: Botsniffer: detecting botnet command and control channels in network traffic. In: Proceedings of the 15th Annual Network and Distributed System Security Symposium, NDSS (2008)

  66. Gu, G., Perdisci, R., Zhang, J., Lee, W., et al.: Botminer: clustering analysis of network traffic for protocol-and structure-independent botnet detection. In: USENIX Security Symposium, pp. 139–154 (2008)

  67. Gu, G., Porras, P.A., Yegneswaran, V., Fong, M.W., Lee, W.: Bothunter: detecting malware infection through ids-driven dialog correlation. USENIX Security 7, 1–16 (2007)

    Google Scholar 

  68. Cho, C.Y., Caballero, J., Grier, C., Paxson, V., Song, D.: Insights from the inside: a view of botnet management from infiltration. In: USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET) (2010)

  69. Khattak, S., Ramay, N., Khan, K., Syed, A., Khayam, S.: A taxonomy of botnet behavior, detection, and defense. IEEE Commun. Surv. Tutor. 16(2), 898–924 (2014)

    Article  Google Scholar 

  70. Silva, S.S.C., Silva, R.M.P., Pinto, R.C.G., Salles, R.M.: Botnets: a survey. Comput. Netw. 57(2), 378–403 (2013)

    Article  Google Scholar 

  71. Lee, H.H., Chang, E.-C., Chan, M.C.: Pervasive random beacon in the internet for covert coordination. In: Information Hiding. Springer, pp. 53–61 (2005)

  72. Szabo, J., Aycock, J., Acton, R., Denzinger, J.: The tale of the weather worm. In: Proceedings of the 2008 ACM Symposium on Applied Computing. ACM, pp. 2097–2102 (2008)

  73. Starnberger, G., Kruegel, C., Kirda, E.: Overbot: a botnet protocol based on Kademlia. In: Proceedings of the 4th international Conference on Security and Privacy in Communication Networks (SecureComm). ACM, p. 13 (2008)

  74. Nappa, A., Fattori, A., Balduzzi, M., DellAmico, M., Cavallaro, L.: Take a deep breath: a stealthy, resilient and cost-effective botnet using skype. In: Detection of Intrusions and Malware, and Vulnerability Assessment. Springer, pp. 81–100 (2010)

  75. Whittaker, Z.: Skype ditched peer-to-peer supernodes for scalability, not surveillance. http://www.zdnet.com/skype-ditched-peer-to-peer-supernodes-for-scalability-not-surveillance-7000017215/, June 24, 2013

  76. Nagaraja, S., Houmansadr, A., Piyawongwisal, P., Singh, V., Agarwal, P., Borisov, N.: Stegobot: a covert social network botnet. In: Information Hiding. Springer, pp. 299–313 (2011)

  77. Zeng, Y., Shin, K.G., Hu, X.: Design of SMS commanded-and-controlled and P2P-structured mobile botnets. In: Proceedings of the Fifth ACM conference on Security and Privacy in Wireless and Mobile Networks (WiSec), pp. 137–148 (2012)

  78. Desimone, J., Johnson, D., Yuan, B., Lutz, P.: Covert channel in the bittorrent tracker protocol. In: International Conference on Security and Management. Rochester Institute of Technology, 2012. http://scholarworks.rit.edu/other/300

Download references

Acknowledgements

This paper is an extended version of work that was first presented in February, 2015 at the 2nd Workshop on Bitcoin Research (Bitcoin15) co-located with Financial Cryptography (FC) [53]. The authors thank Hassaan Bashir, Mike Hearn, Pawel Widera, and Siamak Shahandashti for invaluable assistance with experiments and helpful comments.

Author information

Authors and Affiliations

  1. School of Electrical Engineering and Computer Science, National University of Sciences and Technology, Islamabad, Pakistan

    Syed Taha Ali

  2. School of Computing Science, Newcastle University, Newcastle upon Tyne, UK

    Patrick McCorry & Feng Hao

  3. Paysafe Group, Cambridge, UK

    Peter Hyun-Jeen Lee

Authors
  1. Syed Taha Ali
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Patrick McCorry
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Peter Hyun-Jeen Lee
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Feng Hao
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Syed Taha Ali.

Additional information

This work is supported by the European Research Council (ERC) Starting Grant (No. 306994).

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Ali, S.T., McCorry, P., Lee, P.HJ. et al. ZombieCoin 2.0: managing next-generation botnets using Bitcoin. Int. J. Inf. Secur. 17, 411–422 (2018). https://doi.org/10.1007/s10207-017-0379-8

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10207-017-0379-8

Keywords

  • Botnets
  • Bitcoin
  • Cryptocurrencies
  • C&C