
Unblockable Chains

BSides TLV · 2018 · 44:05 · 163 views · Published 2018-07
Category: Research
Difficulty: Advanced
Style: Talk
About this talk
A security researcher explores using blockchain (Ethereum) as a command-and-control infrastructure for malware. The talk analyzes how blockchain's immutability and decentralization address traditional botnet requirements—secure communication, high availability, scalability—while examining critical limitations including transparency vulnerabilities, transaction latency, and memory footprint constraints.
Unblockable Chains - Omer Zohar BSidesTLV 2018 - Tel Aviv University - 19 June 2018
Transcript [en]

Hi everyone, my name is Omer, and as I mentioned, today I'm going to talk about a little bit of untraditional research that I've done, which combines two of my best interesting things that I now encounter: that is malware research, and especially malware infrastructure, and blockchain technologies, which I think is a really cool and upcoming technology. So how did I come up with this project? So, a little bit about me, sorry. I've been a security researcher for the past decade or something. My main focus is the infrastructure, C&C communication. I've always been fascinated by the problem of how malware communicates with the senders, and how exactly, and what are the challenges in

building a malicious infrastructure. I'm also a big fan of blockchain technologies; I have been in blockchain since, I think, 2013. And then after I quit my mother's job on top and as a head of research for top security, I had some time on my hands, and I thought this is a good time to do something that combines these two together, and I decided to check and see how they combine together. So yeah, also had some, a little bit more, a new member joined my team, so we helped a lot, so it's not all our ideas here I'm exactly mine. And one last thing: I want to thank a music ye, who helped me do this POC, the

demo that you can see; there was a lot of work on that. So what is malicious infrastructure? Let's understand that it's something that we generally disregard: when you think about malware, it has a lot of back-end behind it. So malicious infrastructure is supposed to help the malicious attacker to generate implants. It has to help him deliver those implants into unknown and very hostile environments. Then it will have to be able to let him contact back to the sender, making the first contact, and then it has to provide facilities to receive, execute and exfiltrate stuff, whatever nefarious stuff he needs to do. It has to maintain control over time,

or over long periods, and maybe disconnections and rough communication methods, and, depending on the use case, it has to allow mass control of multiple instances. And if you think about it, there is no one method of doing that. There were a lot of trials over the years, and I compiled a list of what are, for me, the features of the ultimate infrastructure. So first of all, we have to have secure communication, so it has to be immune to data modification, eavesdropping, man-in-the-middles and stuff like that. It has to have high availability, so the node always has to find the command and control and

be able to communicate with it. It has to be scalable, so it can support any number of instances. It has to have authentication, so only valid implants can connect to the network, and no researchers or adversaries can mess up.

Okay, so it has to provide anonymity, so no info can be gained about the network operators; if there's someone researching the network, he can't reach to its operators. It has to have no data leakage: which are the peers that are connected, what type of data is flowing over the network, what commands, what data has been infiltrated. It has to be takedown and takeover resistant, so no one can take over the network and take over the botnet, or maybe take it down. And of course, lastly, it has to have low operational cost, so that we eventually, especially

for criminal activities, the cost is basically what determines the way of the operation: if they can't make money out of it, they probably won't do it. Okay, so almost all malware infrastructure that I have encountered so far fails in one or more of these features, and I said, okay, let's see how blockchain as an infrastructure will be able to deal with this Cup, and I looked at all of these features when I developed my POC. So let's see why I even bothered with blockchain in the first place. So I compiled here a list of, we have tried to summarize what is blockchain in one sentence, and I think it's been

a nice one, but there is one guy that explains it much better than I do: "Blockchain technology allows a record, or a ledger, of every Bitcoin transaction ever made to be stored not in one place but across vast numbers of computers. That is part of what people mean when they say Bitcoin is decentralized, and decentralization has a lot of theoretical advantages, from speed to security." Okay, so I can't add anything more; no one explains that better than John Oliver. So basically what gave me the head start to start talking blockchain is the immutability and decentralization, which is exactly what you need and what

you want when you start this type of infrastructure. I chose to implement my POC on top of Ethereum, and again, I read from the main Ethereum website: "Ethereum is a decentralized platform that runs smart contracts: applications that run exactly as programmed without any possibility of downtime, censorship, fraud or third-party interference." So right out of this sentence you can see that at least three of the features that I mentioned earlier hold here. Another cool feature of Ethereum is that it's very popular; it's the largest blockchain out there, yes, even more than Bitcoin in terms of the number of nodes. Last time I

checked, it had more than 27,000 nodes that can run my code. The code is run in smart contracts, which is code for the EVM, the Ethereum Virtual Machine, which basically allows me to run code on top of the blockchain, and every one of those nodes will run my code. It provides tricky encrypted communication: it has devp2p / RLPx, this is the protocol that they use, the same protocol that the Kademlia network used to use, if you know eMule from back in the day; it's basically the same peer-to-peer network. And it has ether, which is the crypto coin to drive their

performance and basically give the incentive to put this network together. Okay, so let's connect the dots and see how this infrastructure would actually look. So we have the network operator. He starts by running an Ethereum node. This node is a full node; it runs and starts to sync with the blockchain. This is a heavy operation; it takes almost, usually, 24 hours, it takes a lot of, and the rest version, it's very heavy on the computer; you need to have a really big system in order to run a full node nowadays. Once it syncs, the operator can generate his wallet that will control everything. He unlocks this wallet, and then once he has ether in

it, he can deploy the smart contract. A smart contract is basically the code that will run on top of the blockchain and will do all the logic of our infrastructure. Afterwards he deploys the control panel. The control panel basically allows him to allow or revoke instances, issue commands to the bots, fetch results and whatever, so every type of command you can think of that a C&C is doing. And then, once this is in place, the infrastructure is ready and you can start generating the implants. So what does it take to generate the implant? It needs to create a wallet, it has to authorize the access in the contract here, to

transfer funds, and he has to pack it. Once this is done, some magic happens, which we will not be discussing here today, and he delivers it onto a remote machine. On the remote machine, the implant again reads its configuration and runs an Ethereum node, the feature name is once in a light mode. This light mode is basically not downloading the whole blockchain; it is only downloading the headers of the blockchain, so it takes a lot less resources from the computer, around 300 megabytes of disk and a little bit of RAM. And once it has finished syncing, which takes about 20 minutes, it can load its wallet

that was pre-implanted in the code, and it connects to the smart contract. It does the registration: it says to the contract, "hello, I am this implant, I was pre-registered ahead", and the smart contract allows it to connect. Once it's done, we can start issuing commands to the implants. So this is the overall infrastructure. Now let's dive into the smart contract itself and see how it's implemented. Hopefully you can see the code that I wrote here. So this is basically my first attempt to write this contract. Smart contracts are written in a language called Solidity. It's a nice language, it's a strictly

typed language which is similar in syntax, it looks a bit like a hybrid between JavaScript and C. So this is my first attempt. It was very straightforward, the same way I coded everything else. So you have a little bit of structures and a hash map that will do all the accounting, and you have a constructor down at the bottom that basically sets the sender as the owner of the contract. In smart contracts every contract has an owner, and this owner can do privileged operations, and it gets determined in the constructor of the smart contract, which runs only once. So for example, a nice feature of the language is a

modifier. A modifier allows me to define some preconditions to a function that I can check before the actual code is being run. So for example, in the function allow instance I can say "only by the owner"; that means I can only call this function if I hold the owner's account. So this is a very sexy, very important security measure in Solidity. And I can also say, for example, in a function called register instance, allow this registration to happen only if this instance was not already registered. Okay, so this is basically the contract; there are a few more functions, but this is basically it. So it's very simple. The problem is it

doesn't work, and the reason it doesn't work is this return over there. Anyone have an idea why this doesn't work? No? How many of you ever wrote in Solidity? One, two. All right, all right. So okay, this is the call to the function register instance from the client. Okay, so the result there: after calling this function in a regular program, you'd expect the session ID here would be in the result over there. But when you program to a contract this is not valid, because when you call register instance you actually issue a transaction on the blockchain, and a transaction on the blockchain, A, it takes time, and B, it

costs you ether. And the reason it takes time is because when you change something on the blockchain, and in our case we change because we want to say this instance can be registered, we have to wait for some miner to include this transaction in a block. This takes time, and until then we cannot see our changes on the blockchain. So what we get in this result is basically a transaction hash. With this transaction hash, once it's confirmed, we can see the details of this transaction. So how can we put out data from the smart contract? Every transaction has something called a log. A log basically lets us emit stuff, logs,

from the transaction, and then by that, as you can see here in the transaction log, we can see the data that was emitted from the transaction. So what we can do in Solidity is another feature called event. An event basically allows us to define predefined events, which in this case we trigger with the instance and the session ID, and then instead of the return we just trigger this event, and then we look for it afterwards in the transaction hash. So now we have a contract that works, and this time we need to ask the question: how much does it cost us? So every

operation on the blockchain costs ether, and when you write a smart contract this is called gas. Every EVM assembly operation has its own price that is listed in the Ethereum yellow paper, and they update it from time to time. And the stuff that is interesting here is an operation that is called SSTORE, which is the operation that stores data on the blockchain, and this is one of the most expensive operations you can do in blockchain, which costs 20,000 gas. And then if you want to know how much it's costing in ether, well, the calculation is: the transaction cost in ether is gas times the gas price. Gas

price is the transaction fee that you pay to the miners, so you pay a folk way per one unit of gas, and you multiply them together. It also determines how much incentive you give to the miners: if you pay a little gas price, there is little incentive, so the confirmation time takes two and a half minutes; if you want to double that, or ten times that, it can take around 20 seconds. These are roughly the times these days. So if we calculate the cost of writing one word, 32 bytes, it's roughly 2 cents, and I took the measurement of $500 per ether, that's the

price yesterday. So if I want to write 1 megabyte, according to this calculation it costs me $6,500, which is a lot of money to write only one megabyte. And if you think about it, writing unbounded strings of data to the blockchain is not really a good idea, because it costs a lot of money. But in our case we don't really even need to write these strings to the blockchain; we just need to move them from the C&C to the implants. We don't really need to save them on the blockchain. So fortunately there is a cheaper way to do it, and this

is exactly the event, the event logs that I showed you earlier. So apparently writing an event costs only 68 gas for non-zero bytes, so in the calculation, writing one megabyte using a log event costs me only one point four ether, which is ten times less than what the previous method used. So let's fix our contract to do just that. So instead of all the accounting that I had before, I just write four types of events, and then I change my functions to basically do nothing; now all they do is check the precondition and emit the event, check the precondition and emit the event. This makes the smart contract

very simple, because all we are doing is taking the data from one side and delivering it to the other side, and it simplifies the contract a lot and it saves us a lot of money. Okay, so now that we have a contract that is working, let's talk about transparency. As I mentioned earlier, on the blockchain everything you do is public; all the transactions are public, all that order, everybody can see everything that you do. So how does this affect my infrastructure? So first of all, the contract bytecode is available: once you deploy a contract to the blockchain, everybody can see the bytecode of the contract. You can't get around it; it has to be

there so everybody can read and write it. So the assembly of the EVM can be reversed, and there are also reversing projects online that can actually turn it back into Solidity code. So take into consideration that every smart contract that you write can be easily read by everyone. And what about the storage? This also can be easily read. So this is an API call from web3 that anybody can see. So for example, I just put the smart contract and then some index, and it gives me the value that is currently in the first defined variable. So

in this case this data here is the address of the owner of the contract. So this is the latest, greatest value of the data. What if I want to see previous or historic data? Everything is written on the blockchain. The auction is a blockchain; all the history of all the transactions is written and available to you always. This is the big promise of blockchain. So if you want to see what the owner was, like, maybe three months ago, all you have to do is sync an Ethereum node to this

point where this value was correct, and you can see also all the historic data that used to be in every variable. So everything you write into the blockchain can be easily, well, maybe it's not that easy, but with a little bit of work it can be done. Function calls are also transparent. In the transaction data over here, this is the transaction identifier, which is the prefix of the SHA of the signature function, and then you have the arguments, which are the instance address and the command that I issued. This command is the add work command, so this gives some command to one of the implants.

So everybody can read whatever commands you give to that. And finally, as I mentioned earlier, the log events, the data that you put out from the transaction, can also be read from the transaction log. Okay, so what does it mean for me in my project? So in the current implementation we are leaking all the allowed implants, which implants can be allowed and which implants cannot, all the activated ones, and the session IDs, all the commands that I send, all the replies, the skew, all the data that flows on the network. And if you think about it, you can take it a little bit further: you can honeypot it,

you can take the machine ID that I used and put the implants on another machine, and you can do replay attacks and man-in-the-middle, basically whatever you want, because everything is open. So this is not good, so let's fix that. And this is my final revision of the smart contract. Instead of writing everything in clear text, we're going to encrypt it. So all the addresses that are marked in red, or the address variables, instead of writing them onto the blockchain as is, we hash them and write the hashes to the blockchain. And for all the unbounded strings we just use public key encryption in order to encrypt all the strings for the recipients. So we use

the address, the public address, of the instance that we want to send the data to; we encrypt it, and we know that only with the private key can you later decrypt it. And this basically solves all of the visibility problems. And finally, I want to talk about takeovers and takedowns. So as I mentioned earlier, blockchain is immutable, and this is basically the inherent reason why it's secure to write stuff into it: once you write it down to the blockchain, it cannot ever be changed. And again I'll let this guy: "we'll share a really helpful, really dumb metaphor for why it is safe. The way I like to think of it is that a blockchain

is a highly processed thing, sort of like a Chicken McNugget, and if you wanted to hack it, it'd be like turning a Chicken McNugget back into a chicken." This is the perfect metaphor for why blockchain, well, the proof of work that the miners are solving when they validate blocks is exactly the reason why a blockchain is safe, because you need infinite, or at least more than 50% of, the entire network's computing power in order to reverse a transaction. And this is exactly why I chose Ethereum, because it's a very big network. For example, if you go to a small network, like we saw in Bitcoin Gold a few weeks ago, it can be done, but for

Ethereum, probably in the near future it will be safe. So if you write our own smart contract to the blockchain, we know that no one can take it down unless you do a hard fork. And this was done once, in the so-called DAO attack. The Ethereum network was very young, and it was a very big, high-profile attack, and the Ethereum Foundation thought it would be a good idea to do a hard fork and reverse all these transactions. They got a very big, strong backlash from the community, and it's unlikely it will ever happen again in the near future, unless your botnet will probably take down the whole

Ethereum network. So takedowns are probably not feasible, unless you shoot yourself in the foot. So Solidity is a very nice language, but it allows you, like every programming language, to shoot yourself in the foot in various ways. And almost all the breaches that you saw in the news that stole multiple millions of dollars from Ethereum contracts are due not to bugs in the Ethereum network but in the smart contracts: the DAO, the Parity multisig. And actually there was a recent study, conducted in February, that did static analysis of a lot of smart contracts deployed in the Ethereum network, and

they found that a lot of them are susceptible to either takedown or takeover, or just stealing all the Ethereum in them. So it's all due to bugs and insecure coding of the smart contract itself. And I'll give you a real example from my own POC that I did for this project, and this is a true story. So as I mentioned, I wanted to implement some kind of filter on the blockchain for the implants. So for the event that is called command pending, basically the implant is waiting for commands from the C&C, so it is waiting on a specific event hash. Okay, so this

event, and it's waiting on its own existence to events, to its own implant address. So anyway, it just sits there and waits for the blockchain to emit the event. So what can possibly go wrong with that? Let's say that we have an adversary. He deploys a contract called Evil C&C, and it has the exact same event signature as my own event, and then he writes a function that is basically calling this event. Then he calls this add work function with my implant address, and he picks a command, in this case I took the liberty of choosing a command that has a very long output, and it triggers that and sends it to

the blockchain. Who can guess what will happen? Well, I don't want to keep you waiting. Well, of course my implant will happily execute this transaction, and not only that, the implant will actually execute this function, this is a function that has a long output, and it will execute it and return the results not to the Evil C&C, because it doesn't know about it; it returns it to the original smart contract address. So not only did we cause the implants to spend a lot of ether, because the transaction size is very, very big, we also can shove arbitrary data to the C&C itself. We can also use that with other commands to

reveal what is the IP address and what is the location of the bots, and the possibilities are endless if, for example, you find some bug in the C&C itself. So this is a very big problem. And because we are in a security conference, it's not going to be a security conference talk unless I can name a vulnerability, so I call it the side contract attack. And the fix, yeah, no, I didn't go that far, because the fix is very, very easy: all you have to do is, on the filter that the implant is listening to, you have to specify what

is the contract address that you are listening on. This is very simple and very intuitive, maybe, but in almost all the other code that I checked, and all the examples that I've seen in all the different documents, no one's talking about it. So this is just an example of how a small mistake, a disregard from the programmer, can cause catastrophic events. Okay, let's move over to the final calculation of all the infrastructure. So I did some calculations there, not very interesting I think, of the round-trip times and how much it costs to send this type of data and this type of data. Eventually the average cost per byte is roughly a crew quarters of a

cent. I did some estimation: if on average you send 256 bytes in each direction three times a day, the annual cost of one bot, in today's prices, is around 100 146 dollars, which, if you have multiple bots, accumulates to a pretty hefty sum. If you compare it to, for example, just a regular C&C that sits on some kind of bulletproof servers, of course this cost is outrageous, and this is a very big problem; we're going to talk about it later on. So this basically covers all the stuff that I wanted to check, and I think now it's time for a little demo. The demo I did is a movie,

because otherwise we'll be sitting here waiting for the transaction to confirm for a lot of time. So let's go through it. So first we start by running the node and generating an owner account, and then we start running the node and initialize the syncing of the blockchain, and then once it's done we are unlocking the account and deploying the smart contracts onto the blockchain. Afterwards, once it's deployed, we're going to load our C&C server, so we're loading the data with the wallet and everything else, and afterwards some magic happens and we have our C&C. Okay, so now that the infrastructure is up, we can start generating the implants. So now

we generate the implants. We generate a wallet for the instance and we wrap everything in one nice package, and you can see that we just registered the instance into the smart contract. Now we can move the contract to another machine and we're going to run it. We run a local geth node and we wait for it to sync, and we load the contract and the wallet from the implant configuration. You can see that we have an account balance of 1; this is the amount of ether that I gave this implant. And you see that it is ready and it's now waiting for work. Over here on the left you can see that the C&C has

been informed that it has one instance. Now we're going to issue some command, a netstat command. You can see it start running on the implant side, and over on the C&C side we have the data that has reached the C&C. Now we're going to do something fancier, which is I'm going to generate another client. It's generated, and once it's synced you see that it's already pending, and then in a bit it will be registered. And now, just to show you that it can have multiple instances, we can issue another command. This time we're going to just tell it to say what is your user, and run it, and you can

see over on the right that it's running on both ends, and we got it, and you can see that one says artist and another one says Bob. Okay, so to sum it up: is blockchain the ultimate infrastructure for malicious activities? So let's go one by one. Secure communication: yeah, we got it. We have a state-of-the-art p2p network with thousands of nodes and a fully encrypted web protocol, so it's right out of here, it's a lot better than most C&Cs nowadays. And high availability: okay, I just mentioned we had thousands of peers around the globe, so unless you block the whole Ethereum network, and the assumption here is that

Ethereum is going to have some useful applications that a lot of organizations are going to use, so they cannot really block the whole Ethereum network, because otherwise these applications won't work either. So as I mentioned, we have thousands of peers, and once you connect to one peer, all the other nodes are talking with each other and getting you all the other nodes; all you have to have is one unblocked peer in order to connect. So this is very good; you can be sure that you're going to find some node to connect to. Also, as mentioned, blockchain is immutable, so the contract can't

be modified once it's deployed. So once you deploy an implant with some contract address written into it, you can be sure that this contract will be there and it cannot be taken down, so it will be there and you can contact the smart contract. Regarding scalability: so this is a problem. As I mentioned earlier, Ethereum today is the same as Bitcoin; all the large Bitcoin networks have very big scalability issues. As you saw, it takes between 30 seconds and three and a half minutes for a transaction to get mined, so obviously this type of infrastructure is not suited for real-time stuff. If you are okay with

sending a command and getting the results after a few minutes, then it's fine. So another problem is that the implants are uniquely generated, so you have to have a wallet and ether in each one. So if you want to deliver thousands, each one of the samples has to be unique. And the implant footprint itself: even though we use the light mode of the Ethereum node, it still takes 300 megabytes of memory, it uses a little bit of CPU, and it has a relatively large footprint on the remote machine. They are still working on it, and I mean this is

also a big problem, for example, in mobile with Ethereum, and I hope this is going to be solved in the next year or so. Okay, so I give this half a credit. Regarding authentication: blockchain guarantees the implants' accounting to be correct, so whatever is written to the blockchain we are sure to be correct, and the registration process ties the implant to a specific machine, so hopefully it cannot be moved around or messed around with. The control over the wallet that is generated, and a session ID that we give each implant, give us protection from forgery and replay attacks and all sorts of these problems, so we can make sure that

only the right implants that we allowed can connect to the network. Regarding anonymity: okay, so there is no way to know where a transaction was transmitted from, so each and every transaction, there's no way to know which implant triggered which transaction, so you cannot know, for example, the location of an implant from which Ethereum node it was emitted from. So our implants are really anonymized. And regarding the owner of the smart contract: again, because there is no way to know who is behind the Ethereum wallet, unless he's doing all sorts of shenanigans with exchanging cryptocurrencies and going to

some cryptocurrencies, you remain pretty anonymous, so we are good on this front. Regarding data leakage: so as I mentioned, blockchain is public, but the encryption that we implemented prevents anyone from basically knowing what's going on in the smart contract. What I can say is that we take for granted that one implant can be caught somewhere and get reversed, but the way we designed the POC is that the only thing they will get if they reverse some implant is the wallet address of this specific instance; they will not get more information about the network, about other implants, about all the other stuff that is going

on in the network, and this is exactly what we want. We cannot do anything about reverse engineering, but at least we can prevent the data leakage. Regarding takedowns: okay, as we said, there is no governing authority for Ethereum, is that officially, so it cannot be killed, so we have takedown resistance. Thank you. And unless we have a very ugly bug in the code, there is also no problem with the takeover. And regarding operational cost: as I mentioned earlier, Ethereum is very expensive nowadays, still; even though it has almost been cut in half in price, it's still not very

cheap, and it's not going to be any better in the upcoming days, if you believe in it. So we can consider alternative chains. I don't think they are viable yet. There are Cardano, NEO, EOS, and Ethereum Classic and a lot more that also run smart contracts, and you can do the same thing over another blockchain. The problem is they are not yet as popular, and the level of security in these networks is not as good as in Ethereum. Another thing to consider: there is no flat cost. Every byte you deliver in the network costs you ether, so it's not like you set up a server somewhere and then all the

traffic is free; every byte, you pay. And of course you have to deliver some amount of ether in each and every one of the implants that you generate, so that if some implants get reversed or caught or something like that, you have lost this ether. And I think this is the main problem with this type of fare; in fact, I think the main reason why we haven't seen this get very popular yet is the matter of the cost. But I think that as we have more and more platforms that give you the ability to run smart contracts, this type of problem will probably be resolved. So, mitigation: is it even

possible? Well, as I mentioned earlier, you can just block the entire Ethereum network; as I mentioned, it's not a very viable solution. The other thing that we can pick up is some kind of a blacklist of smart contracts. This is something that does not yet exist in any node; it will have to be specifically written. It could be a nice project for someone, if you want to take it, it could be a nice project or even a startup. So if you have more ideas about mitigation, you can come talk to me later. Finally, all the code for the POC is being released today to the public, the report gets part 3 is today, it's

been made available at this address. The demo video is also there if you want to see it, take a look at it. And generally, if you have any questions, you can find me on Twitter, or shoot me an email. That's it. If you have any questions or something? Yeah, the smart contract is here on testnet, but the POC supports private, the testnet or public, whatever you want, you can deploy. Yes, but they took it, but I'm not going to release it here. Any other questions? Okay, thank you very much. [Applause]