Bitcoin's Blockchain Offers Safe Haven For Malware And Child Abuse, Warns Interpol

The blockchain, the public ledger of all Bitcoin transactions, has all kinds of good uses outside of providing stability for the world's most popular cryptocurrency, from decentralised data storage to super-flexible email. But it can also be put to malicious use. According to Interpol's Christian Karam, speaking from the Black Hat Asia conference, it could be abused to store malware control mechanisms or provide access to illicit content such as child abuse images that would be extremely difficult to take down.

To prove the point, Kaspersky researcher Vitaly Kamluk, who is currently on secondment at Interpol, created proof-of-concept software, which had the potential to become malware, that could take in information from a hacker-controlled Bitcoin address (the unique identifier of owners of cryptocurrency) and a transaction hash (an encrypted representation of a transaction) over a command line. The demo app, as Kamluk calls it, connects to the Bitcoin network, requesting certain blockchain data from a Bitcoin address containing the ostensibly legitimate, but potentially malicious, information on the network. The app then locates the related transaction information from the data, extracting chunks of code stored as recipient Bitcoin wallet identifiers, he told FORBES. These are then pieced together and run.

A malicious hacker could use such techniques to craft payloads that would perform actions on targets' PCs, such as stealing data or scooping up passwords with keyloggers. In the proof of concept, the software was primed to take commands from hacker tool Metasploit, but the researchers were keen to point out they did nothing evil with their power. Such attacks would also work with any other blockchain-based cryptocurrency, Kamluk and Karam said.

Researchers uploaded data to the blockchain that could have been put to malicious use

The issue lies in the ability to pollute the blockchain with information that isn't related to transactions. There are a variety of known methods for adding arbitrary data to the blockchain. This bloat has long been seen as a problem with the ledger, though it's also there by design. It's what allows services like PayStamper to add data to the blockchain, in that company's case information related to customer transactions. Once the information is there, whether for good or bad, it's there forever under the current rules of Bitcoin, notes Kamluk.

There have been some prior indications such techniques could be put to criminal use. Last year, a virus signature from the infamous Stoned virus was uploaded to the blockchain, though there was no obvious danger to users.

University of Newcastle researchers earlier this year presented ZombieCoin, a botnet command and control (C&C) mechanism for sending commands to malware running on the Bitcoin network. Their method was similar to Kamluk and Karam's. To send messages to their bots, they used the OP_RETURN function, which allows Bitcoin users to insert up to 40 bytes of data in transactions. "That bandwidth is more than sufficient to embed most botnet commands which are typically instruction sets in the format," their paper read. They also used some subliminal channels in the signatures sent out across the network.
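Seen from the monitoring side, OP_RETURN outputs like the ones described above are straightforward to pick out of a transaction. The following is an added example, not code from the article or from the ZombieCoin paper: it parses one output script, extracts any OP_RETURN payload and flags payloads larger than the 40 bytes quoted above. The names `read_pushes`, `inspect_output` and `SAMPLES` and the sample scripts are constructed for illustration.

```python
OP_RETURN = 0x6A
PUSHDATA_WIDTH = {0x4C: 1, 0x4D: 2, 0x4E: 4}  # OP_PUSHDATA1/2/4 -> bytes in length field
ARTICLE_LIMIT = 40  # OP_RETURN payload size quoted in the article


def read_pushes(script: bytes, pos: int) -> bytes:
    """Concatenate the data pushes that follow OP_RETURN; ValueError if malformed."""
    data = b""
    while pos < len(script):
        op, pos = script[pos], pos + 1
        if op <= 75:                      # OP_0 or a direct push of `op` bytes
            size = op
        elif op in PUSHDATA_WIDTH:        # explicit little-endian length field
            end = pos + PUSHDATA_WIDTH[op]
            if end > len(script):
                raise ValueError("truncated push length")
            size, pos = int.from_bytes(script[pos:end], "little"), end
        else:
            raise ValueError(f"non-push opcode 0x{op:02x}")
        if pos + size > len(script):
            raise ValueError("push runs past end of script")
        data += script[pos:pos + size]
        pos += size
    return data


def inspect_output(script_hex: str) -> dict:  # classify one output script
    script = bytes.fromhex(script_hex)
    if not script or script[0] != OP_RETURN:
        return {"data_carrier": False}
    try:
        payload = read_pushes(script, 1)
    except ValueError as exc:
        return {"data_carrier": True, "malformed": str(exc)}
    printable = sum(32 <= b < 127 for b in payload)
    return {"data_carrier": True, "size": len(payload),
            "over_limit": len(payload) > ARTICLE_LIMIT,
            "mostly_text": bool(payload) and printable / len(payload) > 0.9}


SAMPLES = {  # constructed scripts, not taken from the real blockchain
    "p2pkh": "76a914" + "11" * 20 + "88ac",
    "short_text": "6a05" + b"hello".hex(),
    "oversize": "6a4c29" + "ab" * 41,
    "truncated": "6a05aabb",
}

if __name__ == "__main__":
    print({name: inspect_output(s) for name, s in SAMPLES.items()})
```

The check covers only OP_RETURN outputs; data hidden in recipient addresses, as in the Interpol demo, does not show up as a data-carrier script and needs different heuristics.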

Using these techniques, they were able to have their bots carry out commands, including the collection and encrypted transmission of a screenshot back to their botnet master system. They claimed any regulation or attempt to delete bad blockchain data would have a negative impact on the cryptocurrency, as it isn't designed to be tampered with.

"We believe this is a desirable avenue botmasters may explore in the near future ... Bitcoin is an ideal C&C dissemination mechanism for botnets," the paper read.

Most importantly, C&C communications over the Bitcoin network cannot be shut down simply by confiscating a few servers or poisoning routing tables. Furthermore, disrupting C&C communication would be very hard to do without seriously impacting legitimate Bitcoin users and may break Bitcoin.

Any form of regulation would be a flagrant violation of the libertarian ideology Bitcoin is built upon. It would also entail significant protocol modification on the majority of Bitcoin clients scattered all over the world.
