Blockchain has been hailed by some in the technology industry as a potential method to help improve cyber security. However, security researcher Majid Malaika warns that Blockchain can potentially be abused to enable a new form of botnet that would be very difficult to take down.
Malaika detailed his Blockchain-powered botnet in a session at the SecTor security conference on Nov. 15. Malaika has dubbed the overall attack method “Botract,” because it abuses functionality that is inherent in the smart contracts running on a Blockchain.
“A smart contract is code running on a blockchain,” Malaika explained.
There are many different blockchain technologies in use today. Bitcoin first helped to popularize the idea of blockchain, which is essentially a distributed ledger system that maintains an accurate accounting of transactions.
When a smart contract is loaded into the blockchain, it becomes part of the blockchain and is fully distributed. As such, Malaika postulated that if a smart contract were written to provide command and control for a botnet, that botnet would be as resilient as the blockchain itself.
“You could create an unstoppable botnet application that would be very difficult to bring down or block,” Malaika said. “If you post something in the blockchain it stays there forever.”
How Botract Works
Malaika explained that a bot commander would first need to write command and control code and publish it to the blockchain as a smart contract. The bot commander would then infect systems using spam, malicious websites and malware executables.
Once systems have been infected with the malware, the bot commander sends commands out via the blockchain. For example, a command could instruct the bots to DDoS a particular target.
“Once the command has been inserted into the smart contract, the infected system bots will communicate with the blockchain to get the command and launch an attack,” Malaika said.
Botract works because of a fundamental flaw in the blockchain smart contract model. Malaika said that the problem is implicit trust in the end user.
“As of today, anyone can write code and publish it on the blockchain,” Malaika said. “It’s a strength of Ethereum in that it’s easy to contribute, but we have to think about it from a hacker point of view as well.”
Malaika added that there is no code scrutiny when it comes to smart contracts loaded into the Ethereum blockchain. That said, he noted that smart contracts require a transaction fee to be paid, which could potentially be a limiting factor for the Botract attack.
The purpose of the Botract research, according to Malaika, was to raise awareness of the potential security implications of smart contracts. In the future, he would like to see the development of a governance model for the blockchain and smart contracts that meets future demands for security.
“The power of blockchain is that it is distributed and decentralized and anyone can run a smart contract, but is there a model that we can enforce to prevent something bad from happening?” Malaika asked. “If there is a smart contract running on blockchain and you want to remove it, you have to launch a hard fork and that’s not easy.”