Scammers Try Hosting Their Malware on a Binance Network (krebsonsecurity.com) 21
Breached web sites distribute malware to visitors by claiming they need to update their browser. But one group of attackers "have developed an ingenious way of keeping their malware from being taken down by security experts or law enforcement," reports security researcher Brian Krebs.
"By hosting the malicious files on a decentralized, anonymous cryptocurrency blockchain." [W]hen Cloudflare blocked those accounts the attackers began storing their malicious files as cryptocurrency transactions in the Binance Smart Chain (BSC), a technology designed to run decentralized apps and "smart contracts," or coded agreements that execute actions automatically when certain conditions are met. Nati Tal, head of security at Guardio Labs, the research unit at Tel Aviv-based security firm Guardio, said the malicious scripts stitched into hacked WordPress sites will create a new smart contract on the BSC Blockchain, starting with a unique, attacker-controlled blockchain address and a set of instructions that defines the contract's functions and structure. When that contract is queried by a compromised website, it will return an obfuscated and malicious payload.
"These contracts offer innovative ways to build applications and processes," Tal wrote along with his Guardio colleague Oleg Zaytsev. "Due to the publicly accessible and unchangeable nature of the blockchain, code can be hosted 'on-chain' without the ability for a takedown." Tal said hosting malicious files on the Binance Smart Chain is ideal for attackers because retrieving the malicious contract is a cost-free operation that was originally designed for the purpose of debugging contract execution issues without any real-world impact. "So you get a free, untracked, and robust way to get your data (the malicious payload) without leaving traces," Tal said.
In response to questions from KrebsOnSecurity, the BNB Smart Chain (BSC) said its team is aware of the malware abusing its blockchain, and is actively addressing the issue. The company said all addresses associated with the spread of the malware have been blacklisted, and that its technicians had developed a model to detect future smart contracts that use similar methods to host malicious scripts. "This model is designed to proactively identify and mitigate potential threats before they can cause harm," BNB Smart Chain wrote. "The team is committed to ongoing monitoring of addresses that are involved in spreading malware scripts on the BSC. To enhance their efforts, the tech team is working on linking identified addresses that spread malicious scripts to centralized KYC [Know Your Customer] information, when possible."
"By hosting the malicious files on a decentralized, anonymous cryptocurrency blockchain." [W]hen Cloudflare blocked those accounts the attackers began storing their malicious files as cryptocurrency transactions in the Binance Smart Chain (BSC), a technology designed to run decentralized apps and "smart contracts," or coded agreements that execute actions automatically when certain conditions are met. Nati Tal, head of security at Guardio Labs, the research unit at Tel Aviv-based security firm Guardio, said the malicious scripts stitched into hacked WordPress sites will create a new smart contract on the BSC Blockchain, starting with a unique, attacker-controlled blockchain address and a set of instructions that defines the contract's functions and structure. When that contract is queried by a compromised website, it will return an obfuscated and malicious payload.
"These contracts offer innovative ways to build applications and processes," Tal wrote along with his Guardio colleague Oleg Zaytsev. "Due to the publicly accessible and unchangeable nature of the blockchain, code can be hosted 'on-chain' without the ability for a takedown." Tal said hosting malicious files on the Binance Smart Chain is ideal for attackers because retrieving the malicious contract is a cost-free operation that was originally designed for the purpose of debugging contract execution issues without any real-world impact. "So you get a free, untracked, and robust way to get your data (the malicious payload) without leaving traces," Tal said.
In response to questions from KrebsOnSecurity, the BNB Smart Chain (BSC) said its team is aware of the malware abusing its blockchain, and is actively addressing the issue. The company said all addresses associated with the spread of the malware have been blacklisted, and that its technicians had developed a model to detect future smart contracts that use similar methods to host malicious scripts. "This model is designed to proactively identify and mitigate potential threats before they can cause harm," BNB Smart Chain wrote. "The team is committed to ongoing monitoring of addresses that are involved in spreading malware scripts on the BSC. To enhance their efforts, the tech team is working on linking identified addresses that spread malicious scripts to centralized KYC [Know Your Customer] information, when possible."
Even when you think you've seen it all with crypto (Score:1)
it finds innovative ways to be even more terrible.
the attackers began storing their malicious files as cryptocurrency transactions in the Binance Smart Chain
All those megawatt-hours wasted on that...
Re: (Score:2)
It's the gift that keeps on giving.
Like any good STD.
Re: (Score:2)
That is not really new or innovative. The idea has been around for a long time. Using a "smart" contract makes it a bit more sophisticated, but essentially the idea of using the blockchain to host some illegal content is as old as the idea of a public distributed blockchain. I remember discussing this with other security folks a long time ago and we all agreed it was only a matter of time.
Makes one wonder (Score:4, Interesting)
Seems like it's hard to delete stuff from the ledger once it's out there. So what if somebody encoded illegal stuff like kiddie porn or pirated movies/music into the blockchain inside of tiny but nevertheless legitimate transactions? How do you get all of the nodes to agree to scrub older transactions?
If it got big enough to be noticed (Score:4)
Re: (Score:3)
The people who are actually in charge of the blockchain would remove it. One of the dirty little secrets of blockchains and crypto is that they are not actually decentralized.
Have you looked at the source bitcoin code? I have (admittedly only scanning much of it) and I haven't seen a mechanism for actually removing past entries. Even if there was, it doesn't seem like it would work without seriously breaking things. If you send a transaction for some btc, and then subsequently move that btc again to yet another wallet, if you delete the first transaction then you end up with a situation where different nodes disagree about how much is in that second wallet, which breaks other th
Re: (Score:2)
So what if somebody encoded illegal stuff like kiddie porn or pirated movies/music into the blockchain inside of tiny but nevertheless legitimate transactions? How do you get all of the nodes to agree to scrub older transactions?
The people who are actually in charge of the blockchain would remove it.
Cp was encoded on the Bitcoin Satoshi Vision (BSV) ledger https://www.bbc.com/news/techn... [bbc.com] I can't find any information suggested it's been removed (they did remove an automatic browsing feature on their homepage so it wouldn't be displayed there).
Re: (Score:3)
I'm not 100% sure, but I think they only embedded URLs to CP. I don't think there was actual CP material in the blockchain itself (but again, I may be mistaken about this).
Re: (Score:2)
I'm not 100% sure, but I think they only embedded URLs to CP. I don't think there was actual CP material in the blockchain itself (but again, I may be mistaken about this).
That was another case concerning the bitcoin (BTC) ledger. This was Bitcoin Satoshi Vision (BSV) where people could upload avatars to the homepage and write a message both which was encoded on the blockchain and was displayed on the homepage, so someone uploaded a cp avatar.
Re: (Score:2)
I could foresee some possible mechanisms of using embedding much larger amounts of data on to the blockchain.
One way would be using a (reversed) linked-list style data structure. Essentially you chunk the file to be within the size constraints of the protocol, then post the first chunk, then post the next chunk starting with a pointer to the hash ID of the previous blockchain transaction, repeating until the entire file has been sent. Then you indicate the location of the file in the blockchain with nothing
Re: (Score:2)
Sounds workable to me. If i remember correctly BSV has a 100k message limit per transaction (BTC 100 char). I have no idea if there are protocols with an even higher limit.
Re: (Score:2)
You clearly have no idea how the blockchain works. You can't "remove" or "undo" a transaction without rolling back all transactions which happened since, and precisely no one would clobber a legit transaction to remove something illegal as that would instantly annihilate any value of the blockchain itself.
The risk of a 51% attack comes from the ability to certify your own transactions. You can certify a change, but you can't certify faking previous transactions. I.e. Someone can say your wallet with address
Browser makers need to make defences (Score:2)
Re: (Score:2)
There are scammers on Binance? (Score:2)
Damn (Score:2)
" the malicious scripts stitched into hacked WordPress sites will create a new smart contract on the BSC Blockchain, starting with a unique, attacker-controlled blockchain address and a set of instructions that defines the contract's functions and structure. When that contract is queried by a compromised website, it will return an obfuscated and malicious payload."
I'm frequently amazed at the ingenuity of scammers, and honestly, this is pretty fucking clever.
How are they going to tell? (Score:2)
I believe that this is part of the features of these types of tools, to deliver payloads to computers to process, for all kinds of contract reasons.
That's pretty cool.
But how do you tell a malicious payload from a normal contract payload? That falls into the area that Apple and Google currently struggle with.
Re: (Score:2)
But how do you tell a malicious payload from a normal contract payload?
Essentially impossible. Especially as you can do things like put encrypted content in one place and the key in another. The only real malware defense is to not run it. Everything else is half-measures that are more "hopeful engineering" than actual solutions.
Ingenious? I think kind of obvious... (Score:2)
At least to me. Attacks placing illegal content on public blockchains have been discussed for a long time, both for sabotaging the blockchain and for making that stuff available publicly. This is just a variant where the blockchain is used as a "bulletproof" hosting provider for malware.
Seems a bit overblown... (Score:2)
Think about it (Score:2)
You can look at this as a trial-run on securing QFS or whatever networked banking platform.
The ultimate threat scenario is an .exe hidden in the message stream. Crypto only gets security so far due to its limiting factor - secret bit size. SO whatever implications are derived on-chain directly apply in QFS world.
A hiccup for cashless even though quantum wants you to buy the narrative its too good, too fast and immune to a such an attack.