Botnet protected by a Bitcoin blockchain

The operation of a botnet is based on remote control of the computers infected with the malware, but if the commands sent by the server are intercepted through a process known as sinkholing, the botnet stops working. Akamai has discovered that some cybercriminals use a Bitcoin blockchain to hide the server's IP address.

Blockchain-protected botnet

A botnet's Command and Control (C&C) servers send commands to infected computers and distribute malware updates. To avoid the interruption of the "service", the IP address of the server has been encoded in the Bitcoin blockchain, the register of transactions carried out with the digital currency. This way the IP address cannot be changed, deleted or blocked.

The ingenious system adopted by cybercriminals uses the address of the Bitcoin wallet as a DNS record to convert Satoshi values ​​(0.00000001 BTC) in the IP address of the server. The botnet examined by Akamai retains the server's IP address in the two most recent wallet transactions 1Hf2CKoVDyPj7dNn3vgTeFMgDqVvbVNZQq.

Each of the two transactions is used to represent two octets of the IP address. The value of 6.957 Satoshi converted to hexadecimal becomes 0x1b2d. The first byte (0x1b) converted into an integer becomes 45, which is the third octet of the IP address. The second byte (0x2d) corresponds to 27, the fourth octet of the IP address.

The hexadecimal equivalent of the second transaction of 36.305 Satoshi is 0x8dd1. Using the same procedure, the second and first octet are obtained, or 141 and 209. The IP address of the server is therefore 209.141.45.27. This server is used only if the main one returns an HTTP error other than 200 or 405.



To take control of the botnet it is therefore sufficient to reply with a code of 200. Alternatively, it is possible to send to the wallet a single Satoshi to change the calculated IP address. However, several improvements can be made to make the botnet unassailable via blockchain.

Source: Akamai