Frkat, D. (2019). Subliminal channels in Blockchain applications for Hidden Botnet communication [Diploma Thesis, Technische Universität Wien]. reposiTUm. https://doi.org/10.34726/hss.2019.57700
Botnets provide very powerful infrastructures for various malicious activities on the Internet. The aim of botnet operators is to produce an economically cheap, logistically feasible, hidden, fast, and robust Command and Control (C&C) network, which is difficult to obstruct in its functions and ideally impossible to take down. In the past, the race between botnet developers and their adversaries, such as competing botnet operators or authorities, led to highly innovative and sophisticated C&C infrastructures [1]. The main weak point and leverage against botnets often turned out to be a vulnerability in the C&C concept, which could be used for the detection and take-down of the botnet [2, 3]. At the same time, many blockchain applications, such as cryptocurrencies, are widely adopted, partly because of their volatile financial value and growing ecosystem. With its decentralized, public, resilient and immutable characteristics, blockchain technology holds the potential to serve as the ideal medium for botnet C&C, especially when paired with suitable hiding techniques. The goal of this thesis is to introduce and analyze a novel approach that utilizes a popular and widely used broadcast medium, blockchain applications. The aim is to exploit the concept of subliminal channels, which is presented in Chapter 5. This new concept of multicasting over public blockchains is named ChainChannels and was partly published in [4]. The name of the concept refers to subliminal channels, to the blockchain as the medium and also to the fact that the messages in this communication scheme are linked to the previous steps and thus chained together. For the purpose of distributing messages, we include subliminal information in the digital signatures used to secure blockchain transactions. Since digital signatures are essential for the operation of blockchains, they provide a distributed transmission method that can be exploited by botnet operators.
We show how the keying material (needed to extract the subliminal information) can be distributed secretly to the bots such that storing the private key in a bot in advance can be avoided and take-over by an adversary that acquired information from a compromised bot is prevented. An adversary can follow the communication with a compromised bot but cannot take control over the botnet. As proof of concept we injected a subliminal message into the Bitcoin blockchain and explain how the subliminal information can be extracted. We also implemented our method of leaking the private key in the experiment so that the applicability of our method can be verified. ChainChannels is not restricted to a specific blockchain and is robust against takeover, since it only depends on the signatures the blockchain already uses and on blocks that are immutable and remain available. Even with knowledge of the subliminal message and the key, botnet commands cannot be forged and the size of the botnet remains unknown. Furthermore, we analyze the various transaction patterns which are generated by the novel communication scheme and compare them to real blockchain data to find the most viable mode of operation for the communication scheme.
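The mechanism the abstract relies on, a subliminal channel inside the digital signatures of blockchain transactions, is shown below as an added example; it is not code from the thesis and does not reproduce the ChainChannels encoding or its keying-material distribution. It implements the textbook broadband subliminal channel in ECDSA on secp256k1 (the curve Bitcoin signs transactions with): the signer chooses the nonce k so that it carries a hidden payload, the signature verifies like any other, and only a party holding the signing key d can recover k, and therefore the payload, from the public (r, s) pair. The signing key, transaction bytes and bot command are constructed for the demonstration.

```python
import hashlib
import secrets

# secp256k1 domain parameters (the curve Bitcoin signs transactions with)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def scalar_mult(k, point):
    """Double-and-add; k is reduced mod N so the loop always terminates."""
    result, addend = None, point
    k %= N
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign_with_nonce(d, msg, k):
    """Textbook ECDSA, except that the nonce k is chosen by the caller."""
    z = hash_to_int(msg)
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * d) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, choose another nonce")
    return r, s

def verify(pub, msg, sig):
    """Ordinary ECDSA verification; it neither knows nor needs the hidden payload."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = point_add(scalar_mult(hash_to_int(msg) * w, G), scalar_mult(r * w, pub))
    return pt is not None and pt[0] % N == r

def embed_payload(d, msg, payload):
    """Sender: encode the payload as the nonce. A real channel would encrypt the
    payload first so k stays indistinguishable from a random nonce; it is left
    raw here so the mechanism is visible."""
    k = int.from_bytes(payload, "big")
    if not 0 < k < N:
        raise ValueError("payload must be a nonzero scalar below N (at most 31 bytes)")
    return sign_with_nonce(d, msg, k)

def extract_payload(d, msg, sig, length):
    """Receiver: holding d, recover k = s^-1 (z + r d) mod N from the public
    signature and decode the payload. Without d this is the discrete-log problem."""
    r, s = sig
    k = pow(s, -1, N) * (hash_to_int(msg) + r * d) % N
    return k.to_bytes(length, "big")

def recover_private_key(msg, sig, k):
    """Caveat: anyone who learns the nonce also learns d = (s k - z) / r mod N,
    so the nonce payload and the signing key are equivalent secrets."""
    r, s = sig
    return (s * k - hash_to_int(msg)) * pow(r, -1, N) % N

def demo():
    d = secrets.randbelow(N - 1) + 1            # constructed signing key
    pub = scalar_mult(d, G)
    tx = b"constructed transaction bytes"      # what the chain sees being signed
    payload = b"UPDATE 10.0.0.1:8080"          # constructed bot command, 20 bytes
    sig = embed_payload(d, tx, payload)
    looks_normal = verify(pub, tx, sig)        # validates like any other signature
    recovered = extract_payload(d, tx, sig, len(payload))
    return looks_normal and recovered == payload

if __name__ == "__main__":
    print("subliminal payload round-trips:", demo())
```

Two properties of the abstract follow directly from the arithmetic: an observer who only sees the chain cannot tell a loaded nonce from a random one once the payload is encrypted, and whoever can extract the payload necessarily holds (or can compute) the signing key, which is why the distribution of that keying material, rather than the channel itself, decides who can read and who can forge.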