Bitcoin Forum

Kaspersky Labs and INTERPOL have presented research in which they show how blockchain-based cryptocurrencies can potentially be abused with arbitrary data that can be disseminated through its public decentralized databases.

These two entities addressed the issue at the BlackHat Asia conference in Singapore. They successfully demonstrated how arbitrary data can be injected into a digital currency decentralized database simply by using an exploit code that opens a notepad enabling corrupted data to be inserted into the Blockchain.

Not long ago, Kaspersky Lab’s signed an agreement and a memorandum of understanding with INTERPOL and Europol in order to expand cooperation in a joint fight against cyber crime. In addition, the company has also organized a series of training sessions for INTERPOL staff to give them some knowledge about malware analysis, digital forensics, and financial threat research.

A Kaspersky researcher named Vitaly Kamluk explains:


“Blockchainware, short for blockchain-based software, stores some of its executable code in the decentralized databases of cryptocurrency transactions. It is based on the idea of establishing a connection to the P2P networks of cryptocurrency enthusiasts, fetching information from transaction records and running it as a code. Depending on the payload fetched from the network, it can be either benign or malicious.”


Vitaly also stresses that before digital currency can be widely accepted, we need to understand the full potential of the threats it faces. The Bitcoin community seems to agree with Vitaly, as security is a healthy industry seeing remarkable growth in the cryptocurrency ecosystem.

A report from Juniper projects that the number of active Bitcoin users worldwide will reach 4.7 million by the end of 2019, up from just over 1.3 million last year. The company expects usage to continue to be dominated by exchange trading, with retail adoption largely restricted to relatively niche demographics. This is surely good news for the virtual currency industry, and it means that the potential of the technology has already been recognized.

The importance of cryptocurrencies on e-commerce and other online financial activities has been growing at an astonishing rate, and concerns over security are growing. Security issues will likely always be present in the Bitcoin world, and users will have to rely on cybersecurity firms to constantly innovate and provide solutions.

thank god i own only Litecoin 
:P

they are trying to hard to kill bitcoin price with all those troll news, despite all the 230 mark is still holding strong

they should at least back up their claim, why they don't try to abuse the blockchain then?

I really pity you, why wont you just cut the losses and enter some other position?

they are trying to hard to kill bitcoin price with all those troll news, despite all the 230 mark is still holding strong

they should at least back up their claim, why they don't try to abuse the blockchain then?

So where is this "presented research"?

How about someone from our side takes a look at it. I trust Interpol as much as I trust the FBI.

The article isn't clear. Is it saying that people can put arbitrary data into the block chain, or is it saying that somebody can corrupt my copy of the block chain? I don't see how either of those makes Bitcoin vulnerable, since the first is a feature and the second affects only me.

That is what I'm trying to find out as well. If it does, it means there are vulnerabilities that can be exploited affecting the blockchain but I'm just wondering how is it possible that nobody has seen it yet until recently.

That is what I'm trying to find out as well. If it does, it means there are vulnerabilities that can be exploited affecting the blockchain but I'm just wondering how is it possible that nobody has seen it yet until recently.

I am calling FUD as sure you can embed arbitrary data in the blockchain but "so what"?

You can embed arbitrary data in .jpg's (steganography) - does that make it dangerous to view a .jpg (or more relevant to this topic even to store it on your computer)?

simply by using an exploit code that opens a notepad enabling corrupted data to be inserted into the Blockchain

It is based on the idea of establishing a connection to the P2P networks of cryptocurrency enthusiasts, fetching information from transaction records and running it as a code.

This.  Either that, or insiders know something that's why they are selling.

No one is more of an insider than Satoshi Nakamoto, and Satoshi has not sold a single dollar's worth of bitcoin! Everyone here needs to grow a pair and

http://www.monetaryhistorian.com/wp-content/uploads/2013/04/hold-bitcoin.png

Or get out of the way and remain irrelevant.

You'd need some specially created Bitcoin client that uses something like OP_RETURN data as an executable (and I don't believe there even is such software in existence unless Kaspersky created it just to published this FUD article).

Exploiting a vulnerability before a malicious entity does actually is helpful because you can be prepared and patch it before shit happens. Whether or not what Kaspersky found is a vulnerability to begin with is another question (which I believe is not, like all of you).

LOL did you read that thread? Its already known long time ago how is it a vulnerability?

You cant be serious. (about listening to Kaspersky)

Kaspersky Labs and INTERPOL have presented research in which they show how blockchain-based cryptocurrencies can potentially be abused with arbitrary data that can be disseminated through its public decentralized databases.

I am not entirely cartain about the story, but i have read that there were even cases of shild porn pictures stored in blockchain, there is a copy here ;
https://bitcointalk.org/index.php?topic=191039.0 , and that is only a start of blockchain abuse.

So it is complete FUD - no normal Bitcoin client works like this at all.

You'd need some specially created Bitcoin client that uses something like OP_RETURN data as an executable (and I don't believe there even is such software in existence unless Kaspersky created it just to published this FUD article).

...and Kaspersky just lost my general recommendation as antivirus software. Time to tell everyone to use virustotal with avira or avast again, I guess.

Why aren't you using Microsoft security essentials? I'm assuming you're on a Windows box.

If you're in the latest Windows (8.1), there's no Security Essentials anymore. You're looking for Windows Defender.

This,

where is the research? They cannot say "blockchain is vulnerable" without give a full report and various example of that attack.

I trust my cat more than FBI + Interpol http://nodownloadzoneforum.net/public/style_emoticons/default/Asd.gif.

Until Kaspersky can make a tool to prove there is a vulnerability, I am not believing anything.

Prove it.

Well this doesn't surprise me. I'm just disappointed that Kaspersky has joined them. I've had some faith in them.

Exactly. Let's say that Kaspersky wanted to be the good guy here. They should have gives us information so that it can be fixed.

For viruses I thought it's standard practice to keep quiet about a new vulnerability until the experts develop a fix for it. They tell each other about it but keep quiet about it publicly. Why has Kaspersky publicly blurted out a story about a vulnerability before the experts have had a chance to work on it?

http://insidebitcoins.com/news/kaspersky-and-interpol-say-blockchain-is-vulnerable/31578

What they are basically saying is that viruses can use the Bitcoin blockchain to communicate with their authors. So for example the virus author could put code into the blockchain and the infected computers would all get that code from the blockchain and run it.

This is a concern to kaspersky because normally the viruses would connect to a server, called a command and control server, to receive new instructions from the virus' author and send back stolen data etc. So all law enforcement would have to do is shut down the command and control server and they can cut the virus authors access to the infected computers. However, if the virus was using a blockchain, there would be no central point of failure and cutting the authors access would be non-trivial.

Other security researchers also had concerns about the website pastebin.com for similar reasons, that it could be used for botnet communication: http://blog.spywareguide.com/2009/06/pastebin-botnets.html

Most people are going to read this article and take it to mean that computers can be infected via the blockchain. This is not true. What they are talking about is using the blockchain as a way for hackers to send instructions to infected computers.

So it is no more vulnerable that any other P2P network (as you can just spread your virus information via torrents if you want to hidden in images or other files using steganography).

IMO it would actually make much more sense (and cost nothing) to use torrents over Bitcoin so the fact that the article focuses on Bitcoin and not other (free to use) data storage P2P networks is rather odd.

So it is no more vulnerable that any other P2P network (as you can just spread your virus information via torrents if you want to hidden in images or other files using steganography).

IMO it would actually make much more sense (and cost nothing) to use torrents over Bitcoin so the fact that the article focuses on Bitcoin and not other (free to use) data storage P2P networks is rather odd.

Yeah there isn't a huge difference between any other P2P communication system, there are already lots of botnets that have their own P2P network. I don't see how this even deserves it's own report, it's not a very practical method of communication since it requires 20+GB of diskspace on the infected computer to store the blockchain, or a way of searching the blockchain on a remote server, which would then be a central point of failure and the whole point of using a blockchain would be pointless. They could use their own blockchain, but then that is just a run-of-the-mill P2P botnet with some minimal improvements.

So it is no more vulnerable that any other P2P network (as you can just spread your virus information via torrents if you want to hidden in images or other files using steganography).

IMO it would actually make much more sense (and cost nothing) to use torrents over Bitcoin so the fact that the article focuses on Bitcoin and not other (free to use) data storage P2P networks is rather odd.

CIYAM, how possible would it be for a spy network (government or otherwise) to communicate using messages hidden in the blockchain? You could essentially be anywhere in the world and update the last 24 hours to see today's messages and no one would know it. All they would think is you use Bitcoin as money.

What they are basically saying is that viruses can use the Bitcoin blockchain to communicate with their authors. So for example the virus author could put code into the blockchain and the infected computers would all get that code from the blockchain and run it.

This is a concern to kaspersky because normally the viruses would connect to a server, called a command and control server, to receive new instructions from the virus' author and send back stolen data etc. So all law enforcement would have to do is shut down the command and control server and they can cut the virus authors access to the infected computers. However, if the virus was using a blockchain, there would be no central point of failure and cutting the authors access would be non-trivial.

Other security researchers also had concerns about the website pastebin.com for similar reasons, that it could be used for botnet communication: http://blog.spywareguide.com/2009/06/pastebin-botnets.html

Most people are going to read this article and take it to mean that computers can be infected via the blockchain. This is not true. What they are talking about is using the blockchain as a way for hackers to send instructions to infected computers.

What they are basically saying is that viruses can use the Bitcoin blockchain to communicate with their authors. So for example the virus author could put code into the blockchain and the infected computers would all get that code from the blockchain and run it.

Most people are going to read this article and take it to mean that computers can be infected via the blockchain. This is not true. What they are talking about is using the blockchain as a way for hackers to send instructions to infected computers.

Sure you could expensively embed messages in Bitcoin txs (I even developed a method of encoding the data into sigs) but it would be a ridiculously expensive way to send messages when you could just use stego and put them in images for no cost at all (with pretty much the same level of obscurity).

especially since it specifically mentions "fetching information from transaction records and running it as code" and in that light it's nothing but FUD, no Bitcoin client does that and there's no need for any Bitcoin client to ever do that.

And that's a legitimate concern with any method of communicating over the internet.. whether you're using the blockchain, a centralized server, some other P2P mechanism like BitTorrent or (as you mentioned) even something like PasteBin. Theoretically a virus, trojan or other malware could just as easily use a GMail account for the same purpose. Any of those methods would probably be a lot easier and less expensive for the malware author than repeatedly paying to put messages in the Bitcoin blockchain (either as fake outputs or OP_RETURNs), but I can see how putting the messages in the blockchain would be much more resilient than most of the other methods I can think of.


Perhaps it's the way the article is written, then? I took to mean the same thing, especially since it specifically mentions "fetching information from transaction records and running it as code" and in that light it's nothing but FUD, no Bitcoin client does that and there's no need for any Bitcoin client to ever do that. Of course some hacker using it to send messages to control infected computers is a much more legitimate concern. Even worse, I'd think, would be a hacker using it to send messages from infected computers back to himself. But we already have viruses and keyloggers that do a pretty good job of phoning home without ever having to touch the blockchain. :)

CIYAM:
> You'd need some specially created Bitcoin client that uses something like OP_RETURN data as an executable...

That's actually an interesting idea. If you embedded some injection-like escape sequence, followed by assembly code tailored to a specific microprocessor set, then could it possibly be executed by any standard client when it is "naively" attempting to access the OP_RETURN data? Clients / nodes written in loosely-typed languages seem like they might be more vulnerable...

> How would you “accidentally execute” a sequence of bytes? Unless you're using something similar to eval, which then it's not accidental anymore.

Well, that's how injection attacks work. A client would naively try to read the data, and the data would contain an escape sequence followed by the equivalent of "eval" on the target operation system or hardware architecture. It doesn't seem impossible as a conceptual attack.

it could be abused to store malware control mechanisms or provide access to illicit content such as child abuse images that would be extremely difficult to take down.

I think you guys are very sentimental about the subject.

Interpol is right : http://www.forbes.com/sites/thomasbrewster/2015/03/27/bitcoin-blockchain-pollution-a-criminal-opportunity/ (http://www.forbes.com/sites/thomasbrewster/2015/03/27/bitcoin-blockchain-pollution-a-criminal-opportunity/)


And when that happens (coz it will) kiss your Bitcoins goodbye.

Oh, and don't say how are they going to do it.
If they make any kind of purchase/exchange with BTC illegal and fine it with lifetime in jail,

no business or exchange will take your Bitcoins.

Then you will have to turn to a black market but we have all seen how they all fell like flies haven't we?

Once again, stop being so sentimental and pay attention to the details.
Interpol is trying to protect (your) children from abuse, and that is just one example of what the blockchain is capable of.

How would you “accidentally execute” a sequence of bytes? Unless you're using something similar to eval, which then it's not accidental anymore.

Again, any decentralized storage system is vulnerable in that regard.

Interpol does not make laws. They can not make anything illegal or legal. They are an organ to promote cooperation between police organisations in different countries. Who is this mysterious "they" you are referring to that can change all laws on a global scale?

Under the assumption that bitcoin have just been declare illegal, which business and/or exchange would be left? None, because all exchanges and business would now be bankrupt, unless they do not actually hold bitcoins.

Blatantly declaring Bitcoin's blockchain vulnerable is not protecting any (my) children. In order to store the picture of an abused child, the picture must have been taken previously, thus the abuse must have already happened. Attacking the symptoms is not a solution. I doubt there is much of the content they are warning about in the blockchain. The main reason for this believe is that there are other, cheaper and more discrete ways. The only advantage in using the blockchain I could see is that it would be very hard to erase the data. On the other hand criminals tend to have a reason to avoid this very property as it would also make it very hard to hide their tracks.

I could have sworn a similar article was posted last year and quickly debunked, I may have to do some digging.