Topic: Kaspersky and INTERPOL Say Blockchain is Vulnerable (Read 3179 times)

hero member
Activity: 588
Merit: 500
This is like saying that HTTPS is insecure because I've written a program that just executes whatever response it receives to an HTTPS request.
legendary
Activity: 2114
Merit: 1015
It occurred to me the other day why this may be considered a big deal for Kaspersky.

A lot of AV software is signature-based and still relies on identifying hostile programs before they execute by analyzing the code. A program that contains code that relies on hidden data in the blockchain may be able to evade AV detection slightly easier, especially for users who already have the blockchain stored on their computer. By making it look like the blockchain is what is responsible for this ease-of-evading, they might be attempting to gain empathy from regulators in parts of Europe/Russia that are hostile to Bitcoin.

That said, nothing of what they have brought up is particularly new. And like I mentioned earlier, it presumes that the hostile agent is already capable of executing code on an end user's device.

They may also be worried because of the false positives their AV will give because someone has saved a virus signature in the block chain.
donator
Activity: 1419
Merit: 1015
It occurred to me the other day why this may be considered a big deal for Kaspersky.

A lot of AV software is signature-based and still relies on identifying hostile programs before they execute by analyzing the code. A program that contains code that relies on hidden data in the blockchain may be able to evade AV detection slightly easier, especially for users who already have the blockchain stored on their computer. By making it look like the blockchain is what is responsible for this ease-of-evading, they might be attempting to gain empathy from regulators in parts of Europe/Russia that are hostile to Bitcoin.

That said, nothing of what they have brought up is particularly new. And like I mentioned earlier, it presumes that the hostile agent is already capable of executing code on an end user's device.
hero member
Activity: 521
Merit: 522
Developer - EthicHacker - BTC enthusiast
OP_RETURN could be used to announce new C&C servers to victim computers.
Making the botnet pretty resistant vs. government takedowns.


Seems like a solid alternative vs. classic DGAs.

"nice" idea. Haven't thought about this option to use the blockchain.. but if such data is not encoded properly governments could start to fetch bc-data too and look out for "bad" infos..
member
Activity: 66
Merit: 10
It's pretty simple how they did it. They created a malicious application that fetches data from the blockchain. If you run said malicious application, malicious things might happen. Bottom line? Don't run anything from Kaspersky?

their "demo" -> https://www.youtube.com/watch?v=FNsqXHbeMco

That's the usual approach from the so-called security experts: execute a malicious application with admin rights and then, no wonder, the application with the admin rights can steal data or cause damage to the machine. As you said, to avoid such problems don't get the malicious application onto your computer in the first place.
legendary
Activity: 1232
Merit: 1011
Monero Evangelist
OP_RETURN could be used to announce new C&C servers to victim computers.
Making the botnet pretty resistant vs. government takedowns.


Seems like a solid alternative vs. classic DGAs.
legendary
Activity: 2097
Merit: 1070
Well, I must say that it's a really nice and creative way to inject malicious code, but still the "Victim" must have another malicious object on his machine to run this idea on, exactly like lots of other examples that are relevant in other technological environments, not a big surprise.
The problem is that "everyone" needs to "download" the blockchain in order to use Bitcoin, and then it's like half way through for the "Hacker"; the second half still has the same challenges that we know: how to interact with your "Victim" and give him the second piece of the cake..
It's not big news at all,
Let the speculators play with the technology, I think it's good for all of us...

There are a lot of ways to get specific information from the blockchain without having Bitcoin installed.

jr. member
Activity: 54
Merit: 4
Well, I must say that it's a really nice and creative way to inject malicious code, but still the "Victim" must have another malicious object on his machine to run this idea on, exactly like lots of other examples that are relevant in other technological environments, not a big surprise.
The problem is that "everyone" needs to "download" the blockchain in order to use Bitcoin, and then it's like half way through for the "Hacker"; the second half still has the same challenges that we know: how to interact with your "Victim" and give him the second piece of the cake..
It's not big news at all,
Let the speculators play with the technology, I think it's good for all of us...
donator
Activity: 1419
Merit: 1015

If this is seriously all they have come up with, it's pretty weak. People were putting pornography and actual viruses into the blockchain two years ago. Sure, you could put a payload into the blockchain (even maybe an encrypted payload), but you still have to have a tool that extracts it, and it would require that someone is already infected.

At worst, someone could run a very stealthy command and control using the blockchain. But even here it presumes the person is already infected.
newbie
Activity: 41
Merit: 0
So basically they signed a deal with Kaspersky just to tell them what everybody already knew? Only worded to suit their convenience and agenda? It goes to show that there are no white hats anymore, only different shades of gray. Nobody is bad all the time, or on the good side all the time. The line has become very blurred for both.

States & authorities are the biggest sponsors of terrorism in any shape or form due to their agenda at the time. The abuse and tactics they employ are clear to everyone and yet they don't even attempt to hide it. Far from Machiavellian. We live in an age where corruption has taken over. It's fine as long as your agenda is being pushed forward.
hero member
Activity: 663
Merit: 501
quarkchain.io
This is how private companies get taxpayer money:

1. create a problem
2. inform taxpayers/voting constituents of the problem
3. offer a solution
4. profit

When you read the news, just replace the word "terrorist" with the word "bureaucrat" and it will all make sense.
full member
Activity: 226
Merit: 100
This makes no sense, how could Blockchain be vulnerable? This is just some of those bitcoin haters. The bitcoin price today seems not to be good, maybe caused by this?

- All The Blitz
legendary
Activity: 1974
Merit: 1077
^ Will code for Bitcoins
Somebody figured out how to use a blockchain as a poor man's file system (sort of). I'm surprised people in Kaspersky call this a vulnerability; they cannot be serious.
legendary
Activity: 1456
Merit: 1081
I may write code in exchange for bitcoins.
In this case my fence is vulnerable too:
A malicious hacker could paint "sudo rm -rf /" on it and somebody could copy-paste it into a terminal.
Please tell me the INTERPOL phone number, I need their help


^^ This is too funny!  But in all seriousness, is there anything more to this complaint than this?  Surely there are as many ways to distribute malicious code as there are information channels.  If they're saying that bitcoin is malicious because it can be used to transmit code (which might be malicious) then HTTP is also broken (and so is InceptionCoin's fence).  Surely there's something more to this Kaspersky article than this.

EDIT: I somehow missed this in my first reading

Quote from: Cryddit
Because the targeted machines are downloading the block chain anyway because the operators are running bitcoin nodes, this means no traceable additional communications channels are needed.  Because the block chain is from-everywhere-to-everywhere, it's very hard to trace the commands to their source, even if the channel is noticed. 

That does make it a little more reasonable (I hope there's not already a program running on IC's computer which copy-pastes the OCR of whatever's painted on his fence).
legendary
Activity: 924
Merit: 1132
Okay, as I understand it ...

What they're saying is that someone can insert arbitrary data into the block chain (which is true), and that malware authors could therefore use the block chain as a channel to communicate commands to their botnets or retrieve information from them.  The botnet operator could make a transaction at any time with any txOut anywhere inserting arbitrary commands into the data after an OP_RETURN, and the botnet would act on those commands, possibly executing arbitrary command lines on the targeted machines depending on whether the bot has gotten that ability yet, or possibly even downloading and running new executable code encoded in block chain transactions.

Because the targeted machines are downloading the block chain anyway because the operators are running bitcoin nodes, this means no traceable additional communications channels are needed.  Because the block chain is from-everywhere-to-everywhere, it's very hard to trace the commands to their source, even if the channel is noticed.  

A botnetted computer could send a tx to the Bitcoin network moving 0 BTC (yes, a valid transaction even though no BTC actually move) to a random address picked off the block chain, with data (such as an encrypted, stolen password or keys to a wallet) attached after an OP_RETURN, and the botnet operator, seeing the tx, would be able to retrieve the data from the block chain without being traceable, because thousands of people are downloading every block anyway.

So, yes, a somewhat clever hack and a way to use the block chain for evil.  But it is only applicable to machines that have already got malware installed on them by some other means and only applicable to machines that are downloading the block chain.  

To be honest, if you've got malware installed on the same machine you have a live bitcoin wallet on, you're in deeply troubled waters anyway.
hero member
Activity: 521
Merit: 522
Developer - EthicHacker - BTC enthusiast
Next time they are able to test any other cloud "storage". Why not post vuln code in Facebook, Google Docs, or also why not in Pastebin? Then start an attack script/app which parses the "bad" data from Pastebin or FB to execute on the infected computer... And then they will say Pastebin is vulnerable... I think it's only what they must do. It's an order from above. Big banks and finance institutions say to Interpol "you must say this and this about the btc". And then they work together with Kaspersky and tell them "we must say this and this about bitcoin". I think it's a command from a "higher place": "make bad news for bitcoin"...
member
Activity: 108
Merit: 10
In this case my fence is vulnerable too:
A malicious hacker could paint "sudo rm -rf /" on it and somebody could copy-paste it into a terminal.
Please tell me the INTERPOL phone number, I need their help
copper member
Activity: 1498
Merit: 1528
No I dont escrow anymore.
It's pretty simple how they did it. They created a malicious application that fetches data from the blockchain. If you run said malicious application, malicious things might happen. Bottom line? Don't run anything from Kaspersky?

their "demo" -> https://www.youtube.com/watch?v=FNsqXHbeMco
So just don't parse the blockchain and start compiling malicious code that was injected?

That's what it looks like, yes.

They refer to the fact that Bitcoin has been extended to accept not only financial transactions but also 40 arbitrary bytes via the OP_RETURN operation. They say that a virus could be updated by accessing the blocks of the chain and downloading the data specified in these OP_RETURNs, although they do not explain how.

There are many other ways to encode data in the blockchain, which are more efficient.
legendary
Activity: 1526
Merit: 1014
They refer to the fact that Bitcoin has been extended to accept not only financial transactions but also 40 arbitrary bytes via the OP_RETURN operation. They say that a virus could be updated by accessing the blocks of the chain and downloading the data specified in these OP_RETURNs, although they do not explain how.
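An added example, not from this thread or from Kaspersky/INTERPOL: a minimal Python parser that pulls the data pushed after OP_RETURN out of a raw legacy (non-SegWit) Bitcoin transaction. It makes concrete what the post above and the longer explanation a few posts up (0-BTC outputs carrying arbitrary bytes after OP_RETURN) are describing, and flags any payload over the 40-byte figure quoted here, which is the first thing a node operator reviewing data-carrier outputs would check. Both sample transactions are constructed for the example and carry no real keys or signatures.

```python
# Added example (not from the thread or from Kaspersky/INTERPOL): list the payload of
# every OP_RETURN output in a raw legacy Bitcoin tx and flag payloads over 40 bytes.
OP_RETURN, OP_PUSHDATA1 = 0x6A, 0x4C
MAX_RELAY_PAYLOAD = 40  # the limit as stated in the thread (Bitcoin Core's default then)

def op_return_payload(script: bytes):  # bytes pushed after OP_RETURN, else None
    if not script or script[0] != OP_RETURN:
        return None
    if len(script) == 1:
        return b""  # bare OP_RETURN with no data
    if script[1] <= 0x4B:  # direct push of 1..75 bytes
        off, n = 2, script[1]
    elif script[1] == OP_PUSHDATA1 and len(script) >= 3:  # push of 76..255 bytes
        off, n = 3, script[2]
    else:
        return None  # OP_N or a non-push opcode: not a plain data carrier
    return script[off:off + n]

def find_op_return_outputs(raw_tx_hex: str):
    """Return [(vout, value_sat, payload, over_limit)] for each OP_RETURN output."""
    data, pos = bytes.fromhex(raw_tx_hex), 0
    def take(n: int) -> bytes:  # consume n bytes, refusing to read past the end
        nonlocal pos
        chunk, pos = data[pos:pos + n], pos + n
        if len(chunk) != n:
            raise ValueError("truncated transaction")
        return chunk
    def uint(n: int) -> int:
        return int.from_bytes(take(n), "little")
    def varint() -> int:  # Bitcoin CompactSize encoding
        first = take(1)[0]
        return first if first < 0xFD else uint({0xFD: 2, 0xFE: 4, 0xFF: 8}[first])
    uint(4)  # version
    for _ in range(varint()):  # inputs: prev txid, index, scriptSig, sequence
        take(32); uint(4); take(varint()); uint(4)
    found = []
    for vout in range(varint()):  # outputs: value, scriptPubKey
        value, payload = uint(8), op_return_payload(take(varint()))
        if payload is not None:
            found.append((vout, value, payload, len(payload) > MAX_RELAY_PAYLOAD))
    uint(4)  # locktime
    return found

# Constructed sample: a 0-sat OP_RETURN output carrying "hello world!" and a P2PKH output.
SAMPLE_TX = ("01000000" + "01" + "aa" * 32 + "00000000" + "00" + "ffffffff" + "02"
             + "0000000000000000" + "0e" + "6a0c" + "68656c6c6f20776f726c6421"
             + "50c3000000000000" + "19" + "76a914" + "bb" * 20 + "88ac" + "00000000")
# Constructed sample: one 41-byte payload, a byte over the stated limit.
OVERSIZE_TX = ("01000000" + "01" + "aa" * 32 + "00000000" + "00" + "ffffffff" + "01"
               + "0000000000000000" + "2b" + "6a29" + "41" * 41 + "00000000")
```

Feeding a real transaction's hex to find_op_return_outputs shows exactly which bytes a data-carrier output holds; the parser does not decode SegWit serialization, so witness transactions would need the marker/flag handling added.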
legendary
Activity: 1442
Merit: 1186
It's pretty simple how they did it. They created a malicious application that fetches data from the blockchain. If you run said malicious application, malicious things might happen. Bottom line? Don't run anything from Kaspersky?

their "demo" -> https://www.youtube.com/watch?v=FNsqXHbeMco
So just don't parse the blockchain and start compiling malicious code that was injected?