It has been pointed out that the Bitcoin blockchain is a hiding place for botnets



Known crimes that abuse crypto assets include malware mining, in which other people's PCs and smartphones are made to mine via malware, and money laundering. On February 23, 2021, Akamai, a major cloud security network operator, announced that it had identified a botnet that uses the Bitcoin network.

Bitcoins, blockchains, and botnets --Akamai Security Intelligence and Threat Research Blog
https://blogs.akamai.com/sitr/2021/02/bitcoins-blockchains-and-botnets.html

The bitcoin blockchain is helping keep a botnet from being taken down | Ars Technica
https://arstechnica.com/information-technology/2021/02/crooks-use-the-bitcoin-blockchain-to-protect-their-botnets-from-takedown/

According to the IT news site Ars Technica, a defense measure called a DNS sinkhole is used against botnet attacks: it isolates the command and control server (C2 server) by returning a fake IP address in response to malicious DNS lookups.

Akamai's Security Intelligence Response Team (SIRT), which studies threats on the Internet, found that a Bitcoin-mining botnet it had been monitoring was trying to get past DNS sinkhole isolation by sneaking the IP address for the botnet into the blockchain.



The smallest unit of Bitcoin, one hundred-millionth of a Bitcoin, is called a 'Satoshi' after Bitcoin's originator Satoshi Nakamoto, and this 'Satoshi value' is used in Bitcoin trading transactions, where it is recorded as data in 8-bit units. The botnet discovered by SIRT converted this Satoshi value into the IP address used for communication with the C2 server, so that communication with a terminal isolated by the DNS sinkhole could be maintained.

The following is a simplified representation of the Satoshi value conversion process analyzed by Akamai. First, the Satoshi value '6957' expressed in hexadecimal is '1b2d'. Converting '1b' and '2d' back to decimal gives '27' and '45'. Similarly, the Satoshi value '36305' converts to '141' and '209'. Combining the four numbers gives the IP address '209.141.45.27'; note that each pair of bytes appears in reverse order in the address. Using this mechanism, the botnet operator embedded the IP address used by the botnet in Bitcoin transactions.
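The conversion above, worked through as an added example that is not part of the original article or Akamai's tooling: each amount is read as a 16-bit value and split into bytes, the bytes of each pair are emitted low byte first, and the second amount supplies the leading octets. The ordering follows the numbers the article gives (6957 and 36305 yielding 209.141.45.27); the `scan_amounts` helper, which walks a constructed list of amounts and reports candidate addresses for matching against a sinkhole list, is a hypothetical detection aid.

```python
from ipaddress import IPv4Address


def satoshi_to_octets(value: int) -> tuple[int, int]:
    """Split a satoshi amount that fits in 16 bits into (high_byte, low_byte)."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"satoshi value {value} does not fit in 16 bits")
    return value >> 8, value & 0xFF


def decode_c2_address(first: int, second: int) -> str:
    """Rebuild the IPv4 address from two satoshi amounts, in the order the
    article uses: first=6957 and second=36305 give 209.141.45.27."""
    hi1, lo1 = satoshi_to_octets(first)   # 6957  = 0x1b2d -> 27, 45
    hi2, lo2 = satoshi_to_octets(second)  # 36305 = 0x8dd1 -> 141, 209
    # Each byte pair is reversed, and the second amount leads.
    return str(IPv4Address(bytes([lo2, hi2, lo1, hi1])))


def encodes_address(first: int, second: int, address: str) -> bool:
    """True if the pair of amounts decodes to a known address, e.g. one that
    a DNS sinkhole already isolates (hypothetical matching use)."""
    try:
        return decode_c2_address(first, second) == str(IPv4Address(address))
    except ValueError:
        return False


def scan_amounts(amounts: list[int]) -> list[str]:
    """Report a candidate address for every adjacent pair of amounts that
    both fit in 16 bits; larger amounts cannot be part of the encoding."""
    candidates = []
    for first, second in zip(amounts, amounts[1:]):
        if first <= 0xFFFF and second <= 0xFFFF:
            candidates.append(decode_c2_address(first, second))
    return candidates


if __name__ == "__main__":
    # Constructed sample: one ordinary payment followed by the two
    # amounts from the article.
    sample = [5_000_000, 6957, 36305]
    print(decode_c2_address(6957, 36305))  # 209.141.45.27
    print(scan_amounts(sample))
```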



Akamai described the technique as follows: 'This time, we have identified a previously unseen means of cleverly hiding the information needed for botnet communication on the Bitcoin blockchain. Decentralized and uncensorable, this technology, which retrieves data in real time from a variety of data sources, makes it difficult to control the spread of infections and makes it possible to exchange IP addresses for unauthorized communication easily and quickly.'

On top of that, Akamai said, 'We won't reveal them here, to prevent the botnet from being improved, but the technique has drawbacks and is not perfect. Still, it can be a big problem if it is used, so it is likely to become a popular technique among cybercriminals.'

in Note, Posted by log1l_ks