ZombieCoin: Powering Next-Generation Botnets with Bitcoin

  • Conference paper
  • Financial Cryptography and Data Security (FC 2015)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8976)

Abstract

Botnets are the preeminent source of online crime and arguably the greatest threat to the Internet infrastructure. In this paper, we present ZombieCoin, a botnet command-and-control (C&C) mechanism that runs on the Bitcoin network. ZombieCoin offers considerable advantages over existing C&C techniques, most notably the fact that Bitcoin is designed to resist the very regulatory processes currently used to combat botnets. We believe this is a desirable avenue botmasters may explore in the near future and our work is intended as a first step towards devising effective countermeasures.


Notes

  1. Bitcoin technically provides pseudonymity, a weaker form of anonymity, in that Bitcoin addresses are not tied to identity and it is trivial to generate new addresses.


Acknowledgements

This work is supported by the European Research Council (ERC) Starting Grant (No. 106591). The authors thank Hassaan Bashir, Mike Hearn, Pawel Widera, and Siamak Shahandashti for invaluable assistance with experiments and helpful comments.

Author information

Corresponding author: Syed Taha Ali.


Copyright information

© 2015 International Financial Cryptography Association

About this paper

Cite this paper

Ali, S.T., McCorry, P., Lee, P.HJ., Hao, F. (2015). ZombieCoin: Powering Next-Generation Botnets with Bitcoin. In: Brenner, M., Christin, N., Johnson, B., Rohloff, K. (eds) Financial Cryptography and Data Security. FC 2015. Lecture Notes in Computer Science, vol. 8976. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-48051-9_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-48050-2

  • Online ISBN: 978-3-662-48051-9

  • eBook Packages: Computer Science (R0)