
Blockchain technology abuse: time to think about fixes

Kaspersky Lab and INTERPOL recently presented research on how blockchain-based cryptocurrencies could be abused through the pollution of public decentralized databases with arbitrary data. During our presentation at the BlackHat Asia conference in Singapore, we demonstrated the proof-of-concept using the Bitcoin network, but it’s important to understand that any cryptocurrency that relies on blockchain technology can be abused in this way.


Some believe that security researchers, especially those from the anti-malware industry, generally only publish threat reports after the discovery of a threat in the wild. However, this is not always true. Our current research focuses on potential future threats that could be prevented before cryptocurrencies are fully adopted and standardized. While we generally support the idea of blockchain-based innovations, we think that, as part of the security community, it is our duty to help developers make such technologies fit-for-purpose and sustainable.

Blockchainware, short for blockchain-based software, stores some of its executable code in the decentralized databases of cryptocurrency transactions. It is based on the idea of establishing a connection to the P2P networks of cryptocurrency enthusiasts, fetching information from transaction records and running it as code. Depending on the payload fetched from the network, it can be either benign or malicious.


To ensure the accurate interpretation of our research, we would like to point out that in the anti-malware industry, there is a clear definition of what constitutes malware, and there are extremely strict policies in place that forbid any attempts to create or distribute malware. The proof-of-concept code we demonstrated was a benign piece of software that opened the Notepad application after getting a confirmation from the user.

So, what exactly did we demonstrate at BlackHat Asia? See for yourself at: https://www.youtube.com/watch?v=FNsqXHbeMco

As we pointed out during our presentation, possible solutions can be introduced at different layers. From the perspective of a company developing endpoint security solutions, we don’t believe it’s too much trouble to denylist applications that load unpredictable external payloads from a P2P network.


However, from the perspective of the cryptocurrency network, it’s still an open question. We are not the experts in this field, and are therefore not best placed to propose effective solutions. We also don’t want to promote any specific solution as we believe that the value of solution development (as in the case of Bitcoin) lies in its neutrality and decentralized decision-making.

That’s why we suggest this is a project for the cryptocurrency community.


As a starting point for opening a discussion in the community, we suggest looking for an opportunity to implement a network consensus/negotiation algorithm that will sustain the clean state of the blockchain.
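To make concrete what such a clean-state check would have to inspect, here is an added example (not the presentation's proof-of-concept and not code from any Bitcoin project) that parses a serialized Bitcoin transaction, extracts the data pushed behind OP_RETURN (assumed here as the data-carrier output type) and flags chunks that begin with executable-format magic bytes. The sample transaction is constructed for the example and carries placeholder hashes.

```python
# Added example (not Kaspersky/INTERPOL code): parse a raw Bitcoin tx, pull out
# OP_RETURN data and flag chunks that start with executable-format magic bytes.
OP_RETURN, PUSHDATA = 0x6A, {0x4C: 1, 0x4D: 2, 0x4E: 4}  # OP_PUSHDATA1/2/4 -> length width
EXECUTABLE_MAGIC = {b"MZ": "PE", b"\x7fELF": "ELF", b"\xcf\xfa\xed\xfe": "Mach-O"}
# Constructed sample tx: dummy input; output 0 = OP_RETURN with "MZ..." data, output 1 = P2PKH (placeholder bytes).
SAMPLE_TX_HEX = ("01000000" "01" + "00" * 32 + "ffffffff" "00" "ffffffff" "02"
                 "0000000000000000" "0d" "6a0b" + b"MZ\x90\x00payload".hex()
                 + "8813000000000000" "19" "76a914" + "11" * 20 + "88ac" "00000000")

def read_varint(buf, pos):
    """Decode a Bitcoin CompactSize integer -> (value, next position)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    width = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "little"), pos + 1 + width

def output_scripts(raw_tx):
    """Yield each output's scriptPubKey from a serialized (non-SegWit) transaction."""
    n_in, pos = read_varint(raw_tx, 4)  # the 4-byte version precedes the input count
    for _ in range(n_in):
        script_len, pos = read_varint(raw_tx, pos + 36)  # skip prev txid + output index
        pos += script_len + 4  # skip scriptSig + sequence
    n_out, pos = read_varint(raw_tx, pos)
    for _ in range(n_out):
        script_len, pos = read_varint(raw_tx, pos + 8)  # skip the 8-byte value
        yield raw_tx[pos:pos + script_len]
        pos += script_len

def op_return_payloads(script):
    """Return the data chunks pushed by an OP_RETURN script ([] if not OP_RETURN)."""
    if not script or script[0] != OP_RETURN:
        return []
    chunks, pos = [], 1
    while pos < len(script):
        op, pos = script[pos], pos + 1
        if 1 <= op <= 75:  # direct push: the opcode is the byte count
            size = op
        elif op in PUSHDATA:
            size = int.from_bytes(script[pos:pos + PUSHDATA[op]], "little")
            pos += PUSHDATA[op]
        else:
            break  # not a push opcode: nothing more to extract
        chunks.append(script[pos:pos + size])
        pos += size
    return chunks

def flag_executable_payloads(raw_tx_hex):
    """[(output index, format, payload)] for OP_RETURN chunks with executable magic."""
    return [(i, name, chunk) for i, s in enumerate(output_scripts(bytes.fromhex(raw_tx_hex)))
            for chunk in op_return_payloads(s) for magic, name in EXECUTABLE_MAGIC.items()
            if chunk.startswith(magic)]
```

Run over the constructed transaction it reports output 0 as carrying a PE-magic payload; the P2PKH output is ignored because it does not start with OP_RETURN.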

I would like to credit my co-speaker, Christian Karam (@ck4r4m), Cyber Threat Researcher from INTERPOL, for coming up with the idea for this research and going all the way to the stage at BlackHat and beyond.


Vesselin Bontchev

    With all due respect, this is bullshit. There is no exploit, there is no vulnerability, there is only a demonstration of the obvious. The blockchain is a distributed database. So, you can store there stuff. Like executable code. So what? Do you know how much crap is ALREADY stored there? Satoshi’s original paper, ASCII cartoons, encrypted messages, URLs to porn sites, Bible verses….

    Yes, you can store malware there too. So what? It is not executable. No Bitcoin software would ever execute it. There is no vulnerability, no exploit. In order to execute it, you need ANOTHER piece of malware to extract it from there first – but that is pointless. If you could get your malware on the target computer, you could get any other malware there too – no need to use the Blockchain. It’s much slower and less efficient to use the Blockchain. The only advantage is that the information stored there cannot be removed – but that’s not a big deal.

    Malware can also use the Blockchain to communicate with its C&C server – but that’s also slow, inefficient and unnecessary. It’s much better to just use a hidden Tor service.

    wonky tonky

      agree 100%
