Wednesday, February 5, 2025


This week Google announced that it has shut down Glupteba, a large botnet of computers infected with malware that steals data and mines cryptocurrency. Within days, however, its operator tried to revive it by making a Bitcoin transaction.

Botnets are networks of malware-infected computers under the control of a single attacker. They can be used to perform distributed denial of service (DDoS) attacks, steal data, send spam, give the attacker remote access to the infected devices, or mine cryptocurrency. The attacker directs the bots remotely through command-and-control (“C2”) servers.

Law enforcement can disrupt a botnet by identifying and shutting down the C2 servers that control it. One technique that malware developers have adopted to counter this is to use the Bitcoin blockchain as a backup communication channel.

For example, the malware can watch for new transactions made from a Bitcoin address controlled by the malware developer. If the C2 server is taken down by the police, the operator sends a small amount of bitcoin from that address and embeds the IP address or domain name of the new C2 server in the transaction. Because Bitcoin is decentralized and censorship-resistant, a confirmed transaction cannot be removed, which gives the botnet a recovery channel that police action against servers cannot cut off.
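
As an added illustration, not code from the original post or from Glupteba itself, the following Python parses a raw Bitcoin transaction, walks its outputs, extracts the data pushed after OP_RETURN (the standard way to embed a short message in a transaction) and keeps any payload that looks like a hostname or IPv4 address. The sample transaction is constructed for this example: it is unsigned, its input references a placeholder txid, and the payload is cleartext. The Glupteba transactions described below carried the domain in encrypted form, so in that case a decryption step with the key held by the malware would sit between extraction and the hostname check.

```python
import re
from typing import List, Optional, Tuple

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D

# Constructed sample transaction (hex), not a real on-chain tx: one input with a
# placeholder txid and empty scriptSig (unsigned), one dust P2PKH output, and one
# zero-value OP_RETURN output carrying a cleartext C2 hostname.
SAMPLE_TX_HEX = "".join([
    "01000000",                        # version 1
    "01",                              # input count
    "aa" * 32,                         # previous txid (placeholder)
    "00000000",                        # previous output index
    "00",                              # scriptSig length 0
    "ffffffff",                        # sequence
    "02",                              # output count
    "2202000000000000",                # output 0: 546 sat, little-endian
    "19",                              # scriptPubKey length 25
    "76a914" + "11" * 20 + "88ac",     # P2PKH script with placeholder pubkey hash
    "0000000000000000",                # output 1: 0 sat (OP_RETURN outputs are unspendable)
    "0e",                              # scriptPubKey length 14
    "6a0c" + b"younghil.com".hex(),    # OP_RETURN, push 12 bytes, payload
    "00000000",                        # locktime
])


def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Bitcoin CompactSize integer; returns (value, new position)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    width = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "little"), pos + 1 + width


def parse_outputs(raw: bytes) -> List[Tuple[int, bytes]]:
    """Return (value_sat, scriptPubKey) for each output of a serialized transaction.

    Handles legacy and segwit serialization: witness data is placed after the
    outputs, so it never has to be parsed to reach them.
    """
    pos = 4                                     # version
    if raw[pos] == 0x00 and raw[pos + 1] != 0x00:
        pos += 2                                # segwit marker + flag
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 32 + 4                           # previous txid + output index
        script_len, pos = read_varint(raw, pos)
        pos += script_len + 4                   # scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = int.from_bytes(raw[pos:pos + 8], "little")
        pos += 8
        script_len, pos = read_varint(raw, pos)
        outputs.append((value, raw[pos:pos + script_len]))
        pos += script_len
    return outputs


def op_return_payload(script: bytes) -> Optional[bytes]:
    """Data pushed after OP_RETURN, or None if the script is not a well-formed OP_RETURN script."""
    if not script or script[0] != OP_RETURN:
        return None
    if len(script) == 1:
        return b""
    op = script[1]
    if 1 <= op <= 75:                      # direct push: the opcode is the length
        start, n = 2, op
    elif op == OP_PUSHDATA1:
        start, n = 3, script[2]
    elif op == OP_PUSHDATA2:
        start, n = 4, int.from_bytes(script[2:4], "little")
    else:
        return None
    data = script[start:start + n]
    return data if len(data) == n else None  # truncated push: reject


# Hostname or dotted IPv4, with an optional :port suffix.
HOST_RE = re.compile(r"^(?:(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}|(?:\d{1,3}\.){3}\d{1,3})(?::\d{1,5})?$")


def extract_c2_candidates(tx_hex: str) -> List[str]:
    """OP_RETURN payloads of a raw transaction that decode to a hostname or IPv4 address."""
    found = []
    for _, script in parse_outputs(bytes.fromhex(tx_hex)):
        payload = op_return_payload(script)
        if payload is None:
            continue
        # Glupteba's real payloads were encrypted; a decryption step with the key
        # embedded in the malware would go here, before the text check.
        try:
            text = payload.decode("ascii").strip().lower()
        except UnicodeDecodeError:
            continue
        if HOST_RE.match(text):
            found.append(text)
    return found


if __name__ == "__main__":
    print(extract_c2_candidates(SAMPLE_TX_HEX))  # ['younghil.com']
```

Run against the constructed transaction this yields `['younghil.com']`. The same parser works on real raw transactions fetched from a node or block explorer; the only piece that is specific to one malware family is whatever decoding or decryption it applies to the payload before treating it as an address.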

On December 7, Google announced that it had disrupted Glupteba, a botnet that has been active since 2011 and has infected over a million computers. Google also filed a lawsuit against two individuals located in Russia for operating the botnet.

Among other malicious activities, Glupteba steals user credentials and cookies, mines cryptocurrency on infected hosts, and deploys and manages proxy components targeting Windows systems and IoT (Internet of Things) devices.

This week Google, together with partners including Internet infrastructure and hosting providers, identified and took down the C2 servers used to control and communicate with the Glupteba botnet.

But it is precisely for such circumstances that Glupteba is designed to fall back on the Bitcoin blockchain for instructions on how to proceed. Google's researchers predicted this would happen.

Sure enough, on the day of Google's announcement, Glupteba's operator sent a Bitcoin transaction containing a message that redirected the malware to a new C2 server, “younghil.com”. Another transaction on December 9 listed “mydomelem.com”.

Figure: the output of the transaction sent from the botnet operator's address on December 7, with the new C2 server domain embedded in it in encrypted form.

By making these transactions, the messages are written into the Bitcoin blockchain, which is replicated across a distributed network of nodes for all to read, including the Glupteba bots. Law enforcement and other authorities cannot prevent this or delete the message, so the botnet can potentially continue to operate.

This presents a challenge for those seeking to disrupt malware, and new techniques will need to be developed to counter it. There is a weak point, however: Glupteba checks for new Bitcoin transactions by querying public wallet and block explorer services, such as Electrum servers or the Blockchain.com API, rather than downloading and examining the blockchain itself. So it may be possible to disrupt Glupteba by having those servers refuse to return information about the specific addresses the botnet uses.
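
To make that countermeasure concrete, here is an added Python example (not from the original post or from any Electrum server project) of a request filter that an Electrum-protocol server could apply. Electrum servers do not index by address but by "scripthash", the SHA-256 of the output script with its bytes reversed, so a blocklist of operator addresses has to be translated into scripthashes before the server can refuse the `blockchain.scripthash.*` queries for them. The operator pubkey hash is a constructed placeholder and the error code is an assumption of this example.

```python
import hashlib
from typing import Dict, Iterable, Optional

# Electrum protocol methods that reveal activity for one output script (address).
SCRIPTHASH_METHODS = {
    "blockchain.scripthash.get_history",
    "blockchain.scripthash.get_mempool",
    "blockchain.scripthash.get_balance",
    "blockchain.scripthash.listunspent",
    "blockchain.scripthash.subscribe",
}
BLOCKED_ERROR_CODE = -32001  # assumed server-defined code for "script not served"


def p2pkh_script(pubkey_hash: bytes) -> bytes:
    """OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG."""
    if len(pubkey_hash) != 20:
        raise ValueError("pubkey hash must be 20 bytes")
    return b"\x76\xa9\x14" + pubkey_hash + b"\x88\xac"


def electrum_scripthash(script_pubkey: bytes) -> str:
    """Electrum identifies an output script by sha256(script), bytes reversed, as hex."""
    return hashlib.sha256(script_pubkey).digest()[::-1].hex()


class ScripthashBlocklist:
    """Refuses scripthash queries for watchlisted output scripts; passes everything else."""

    def __init__(self, blocked_scripts: Iterable[bytes]):
        self.blocked = {electrum_scripthash(s) for s in blocked_scripts}

    def handle_request(self, request: Dict) -> Optional[Dict]:
        """Return a JSON-RPC error object for a blocked query, or None to let it through."""
        method = request.get("method", "")
        params = request.get("params") or []
        if method not in SCRIPTHASH_METHODS or not params:
            return None
        if params[0] not in self.blocked:
            return None
        return {
            "jsonrpc": "2.0",
            "id": request.get("id"),
            "error": {"code": BLOCKED_ERROR_CODE, "message": "script not served"},
        }


# Constructed example: a watchlisted operator output script with a placeholder pubkey hash.
OPERATOR_PUBKEY_HASH = bytes.fromhex("11" * 20)
OPERATOR_SCRIPTHASH = electrum_scripthash(p2pkh_script(OPERATOR_PUBKEY_HASH))


def demo() -> bool:
    """Blocked query is refused, a query for another script and a non-address method pass."""
    bl = ScripthashBlocklist([p2pkh_script(OPERATOR_PUBKEY_HASH)])
    blocked = bl.handle_request({"jsonrpc": "2.0", "id": 1,
                                 "method": "blockchain.scripthash.get_history",
                                 "params": [OPERATOR_SCRIPTHASH]})
    other = bl.handle_request({"jsonrpc": "2.0", "id": 2,
                               "method": "blockchain.scripthash.get_history",
                               "params": ["00" * 32]})
    headers = bl.handle_request({"jsonrpc": "2.0", "id": 3,
                                 "method": "blockchain.headers.subscribe", "params": []})
    return blocked is not None and other is None and headers is None


if __name__ == "__main__":
    print("operator scripthash:", OPERATOR_SCRIPTHASH)
    print("blocklist behaves as expected:", demo())
```

The caveat a defender should keep in mind is that this only bites if the bots query servers that apply the filter. An operator who runs their own Electrum server, or malware that falls back to a different explorer (the Blockchain.com REST API, for instance, is keyed by address rather than scripthash, so the same watchlist would have to be expressed differently there), is unaffected, which is why the article frames this as a possible disruption rather than a fix.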

Elliptic has identified and analyzed the crypto wallets used by Glupteba and many other malware operators. Learn more about how our blockchain analytics solutions help crypto businesses and financial institutions manage their cryptoasset risk.
