Assessing the Threat of Blockchain-based Botnets

Leon Böck, Nikolaos Alexopoulos, Emine Saracoglu, Max Mühlhäuser, Emmanouil Vasilomanolakis

Research output: Contribution to book/anthology/report/conference proceeding › Article in proceeding › Research › peer-review

14 Citations (Scopus)

Abstract

Time and time again the security community has faced novel threats that had never been analyzed beforehand, sometimes with catastrophic results. To avoid this, proactive analysis of envisioned threats is of great importance. One such threat is blockchain-based botnets. Bitcoin, and blockchain-based decentralized cryptocurrencies in general, promise a fairer and more transparent financial system. They do so by implementing an open and censorship-resistant atomic broadcast protocol that enables the maintenance of a global transaction ledger, known as a blockchain. In this paper, we consider how this broadcast protocol may be misused as a botnet command and control (C2) channel. Botmasters have been known to abuse broadcasting platforms, such as social media, as C2 channels; however, these platforms lack the censorship-resistant property that is integral to decentralized cryptocurrencies. We provide a comprehensive systematization of knowledge on using blockchains as botnet C2 channels, yielding a number of important insights. We begin with a critical analysis of the state of the art of blockchain-based botnets, along with an abstract model of such a system. We then examine the inherent limitations of the design, in an attempt to challenge the feasibility of such a botnet. With these limitations in mind, we proceed to an experimental analysis of the detectability of such botnets and discuss potential countermeasures. In contrast to previous work that proposed such botnets, we provide a broad overview of the associated risk and consider the problem in relation to other existing botnet C2 channels. We conclude that, despite its limitations, the blockchain used as a backup mechanism practically renders attempts to suppress the control channel of a botnet futile. Thus, more focus should be put on detecting and disinfecting machines at the network edge (router) or even at the per-bot level.

Original language: English
Title of host publication: 2019 APWG Symposium on Electronic Crime Research (eCrime)
Number of pages: 11
Publisher: IEEE
Publication date: 19 Mar 2020
Article number: 9037600
ISBN (Print): 978-1-7281-6384-0
ISBN (Electronic): 978-1-7281-6383-3
DOIs
Publication status: Published - 19 Mar 2020
Event: 2019 APWG Symposium on Electronic Crime Research (eCrime) - Pittsburgh, United States
Duration: 13 Nov 2019 to 15 Nov 2019

Conference

Conference: 2019 APWG Symposium on Electronic Crime Research (eCrime)
Country/Territory: United States
City: Pittsburgh
Period: 13/11/2019 to 15/11/2019

Keywords

  • blockchain
  • botnets
