This malware makes a single https request to an https endpoint whose contents users can affect, api.blockcypher.com. This does not seem much different from many other places that can be changed by a user - reddit, hn user profile, airtable, github, comment section at a random website, mailing list archive, etc...
I’d think the solution is going to be the same, too: contact the server and ask them to block the URL. In this case, blockcypher should detect the api calls with the right properties (address, query string, user agent) and return an error code on them. If they feel creative, maybe return a modified answer which will break the malware’s shell parser, but will not affect regular json calls.
If blockcypher refuses to cooperate, you deal with it like you do with bulletproof hosting: add the hostname to a malicious domain list and block it at all protected customers’ sites.
Well, the problem with that strategy is that there are many such explorers and returning wrong data isn't in their best interest. Remember that the recipient address doesn't need to be owned by the attacker, it could be one of a big exchange which is of interest. Also the whole process of getting stuff blocked at fine enough granularity to be viable may slow down blocking enough to be very profitable.
Well, generally blocking bot c&c accounts isn’t in anyone’s “best interest”. The amount of traffic those bots generate is negligible, and there is a non-zero overhead to read an email from a cybersecurity company, decide if this is legit, and enact the block in question. Still, most companies cooperate. (Thinking about it, I am not quite sure why... is it a desire to be a good internet citizen? Or fear of being blocked by corporate firewalls?)
Who owns the recipient address is completely immaterial. So is the existence of other explorers. No one says they have to mess with the blockchain or the site’s database - all they need is one api endpoint. How many non-malware accesses are there that use the v1 api, query that specific address, use a curl user agent, and send a ?limit=2 query? I bet none. That script is not flexible at all, it has a single hardcoded URL.
Finally, regarding the slow blocking: it is a valid concern, but it exists no matter if there is a blockchain or not. Remember that story about bots using invisible characters in the comments below someone’s Instagram account? I wonder how long it took researchers to explain that those innocuous-looking comments from fresh accounts are actually malware related. Or imagine using some sort of foreign-language web forum as C&C: the admins there might not want to cooperate with US-based cyber security researchers at all.
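A detection rule for the request signature this comment describes, written as an added example (it is not code from the thread or from blockcypher): it scans constructed web-server access log lines and flags clients whose requests combine all four named properties. The address is a placeholder, the path shape follows blockcypher's v1 address endpoint, and the log format is assumed to be the common combined format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Placeholder for the hard-coded address the comment refers to (not given on the page).
WATCHED_ADDRESS = "PLACEHOLDER_BTC_ADDRESS"

# Constructed sample lines in combined log format; only the first client matches every property.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2021:12:00:01 +0000] "GET /v1/btc/main/addrs/PLACEHOLDER_BTC_ADDRESS?limit=2 HTTP/1.1" 200 812 "-" "curl/7.64.0"
198.51.100.3 - - [10/Jan/2021:12:00:02 +0000] "GET /v1/btc/main/addrs/PLACEHOLDER_BTC_ADDRESS?limit=50 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2021:12:05:01 +0000] "GET /v1/btc/main/addrs/PLACEHOLDER_BTC_ADDRESS?limit=2 HTTP/1.1" 200 812 "-" "curl/7.64.0"
192.0.2.9 - - [10/Jan/2021:12:06:00 +0000] "GET /v1/btc/main/addrs/OTHER_ADDRESS?limit=2 HTTP/1.1" 200 800 "-" "curl/7.58.0"
203.0.113.50 - - [10/Jan/2021:12:07:00 +0000] "GET /v1/btc/main/addrs/PLACEHOLDER_BTC_ADDRESS?limit=2 HTTP/1.1" 200 812 "-" "python-requests/2.25"
"""

# Combined log format: client, ident, user, [timestamp], "request line", status, bytes, "referer", "user agent".
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspect(entry):
    """True when one request combines all the properties named above: v1 API, watched address, ?limit=2, curl."""
    if entry is None or entry["method"] != "GET":
        return False
    url = urlsplit(entry["target"])
    parts = url.path.strip("/").split("/")
    # v1 address lookup for the specific address (assumed path shape: /v1/<coin>/<chain>/addrs/<address>).
    if len(parts) < 5 or parts[0] != "v1" or parts[3] != "addrs" or parts[4] != WATCHED_ADDRESS:
        return False
    if parse_qs(url.query).get("limit") != ["2"]:
        return False
    return entry["ua"].lower().startswith("curl/")

def flag_clients(lines):
    """Distinct client IPs whose requests match, in first-seen order (the alert/block list)."""
    seen = []
    for line in lines:
        entry = parse_line(line)
        if is_suspect(entry) and entry["client"] not in seen:
            seen.append(entry["client"])
    return seen

if __name__ == "__main__":
    print(flag_clients(SAMPLE_LOG.splitlines()))  # ['203.0.113.7']
```

Requiring all four properties together keeps ordinary explorer users (browser, larger limit, other addresses) out of the alert list, which is the granularity problem the thread argues about.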
Maybe that would stop this specific malware, but I'm guessing they could adapt and start incorporating a lightweight (SPV) node which can connect to the P2P bitcoin network and keep track of the transactions associated with a specific address without downloading the blockchain (except for the block headers and the transactions you are interested in, mostly).
With bitcoin no one will want to change existing history because that's a forked chain, a loss of value for lots of people. With bittorrent you could possibly convince all the hosts to get rid of some malware information which isn't adding much value.
Interesting idea that is sure to gain more traction, perhaps better implemented on ETH where they have more control. This implementation seems fatally flawed:
“This means for $1 about 2,500 disruption transactions can be placed in the wallet. In the case of the current IP address, the Satoshi values that must be sent to the wallet by the operators to recover control total 43,262 Satoshis, or about $16.50. The quick math at current market prices for BTC suggests that for every $1 spent on disruption, the operators will need to spend over $41,000 ($16.50*2,500) to recover their operations and get the orphaned infected systems back to their (current) IP address.”
Couldn't they just query outgoing transactions from the wallet?
The estimates given also do not factor in transaction fees (currently 0.00041 BTC ~= 25 USD); the estimated costs are only in value given to the attacker.
For this specific botnet continuous denial of service also doesn't make sense. The attacker could easily set up an upgrade at an ip that chooses a different public address.
I don't think they owned the wallet, so they couldn't make outgoing transactions. I assume they didn't want to use a wallet they did control in case it could be used to identify them.
It just seems like a very thin layer of plausible deniability: in the current setup they control the wallets that send the transactions, and those can also be linked back to them.
Agreed, I think they didn't really put much thought into it. Their next version will look at only outgoing transactions. They could also use another coin for lower transaction fees.
Perhaps my reading is incorrect, but why did they decide to use all transactions (something they can't control) versus outgoing transactions (something they have sole control over)?
It also relies solely on blockcypher's api. I wonder if they were contacted and what their stance was.
The article says that the wallet might not be in their control. They believe it might be a part of a coin tumbling/washing operation.
I think the main reason they don't use one they control is the potential to trace where the original funds come from. There might be things you can do to obfuscate things, like tumbling the coins. It's all a risk though.
I hate the idea that lawfully skeptical/paranoid citizens get mixed up with this stuff by paying for these currencies because it appears to them like an acceptable trade-off versus the risks of financial authoritarianism. Crypto would have zero value if only criminals felt the need to use it.
Does it have value if criminals can use it freely? There will need to be the same functional centralized systems of justice, accountability, and enforcement.
Lol, Bitcoin started as a (sort of) traceless currency for criminals, and back then it had an actual utility as a financial medium. You could get a fake ID, drugs or unmarked guns or whatever only with Bitcoin. Now it's just a fancy hoarding tool (and no, a highly volatile instrument is not a store for wealth).
It was capitalizing a supply chain that had a lot of criminal activity in it, but still the value had to come from exchange with dollars. I guess there is a question of how many people and how much of the economy you sweep up in the term 'criminal', because, as I understand, the vast majority of money that flows into criminal enterprise comes from illegal drug users with legal source income. At this point though, we made billionaires out of those criminals because ordinary 100% lawful citizens around the world fear the financial mismanagement, corruption, and/or authoritarianism of their own governments, depending on where they live. That's sad. Terrible outcome really.
This is something that we will see happen more and more in the future. We are moving slowly to a more decentralized infrastructure than the current one, it's only plausible that malware writers will adopt more decentralized techniques.
I would probably use another crypto. Dogecoin would probably allow for a bigger payload at a smaller price. Eliminating the api calls described could be possible by implementing such a thing on ethereum, including a full client and running it in light mode. However, the described method is much more light-weight.
> Infected machines will regularly check-in. These methods rely on domains and static IP addresses. Predictably these domains and IP addresses get identified, burned, and/or seized.
Instead of seizing and shutting down the command and control system, why not let it run for a while and secretly monitor who connects to it? Are the malware operators always connecting to the command and control system via Tor or equivalent? They never slip up? I find it amazing that these huge malware operators are so rarely tracked down.
The correct way to do this would be using OP_RETURN imo. This special opcode is meant for committing to data like this. So for example one could commit to 4 bytes representing the IP address. To ensure that only authorized parties can update the IP, the client should only accept transactions that were sent from a certain address, meaning they are automatically signed with the authorized party's key.
Definitely an interesting use case for BTC to route around such censorship.
The method they used of encoding the transactions into the output value of the transaction could be done a LOT cheaper if they just mined transaction hashes with 16 bits of prefixed data. It's not that hard to create a transaction over and over until you get the first 16 bits of its hash exactly as you want (in essence this is basically what Bitcoin mining is, just on blocks instead of txs).
Also they could just do it with 4 transactions at 8-bits each too.