Bitcoin Forum
November 15, 2024, 02:24:36 PM *
News: Check out the artwork 1Dq created to commemorate this forum's 15th anniversary
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: Kaspersky and INTERPOL Say Blockchain is Vulnerable  (Read 3177 times)
Hyena (OP)
Legendary
*
Offline Offline

Activity: 2114
Merit: 1015



View Profile WWW
April 11, 2015, 12:14:18 PM
 #1

"They successfully demonstrated how arbitrary data can be injected into a digital currency decentralized database simply by using an exploit code that opens a notepad enabling corrupted data to be inserted into the Blockchain."

http://bitcoinist.net/kaspersky-labs-interpol-blockchain-vulnerable/

There are just so many things wrong with this claim that I don't know where to start. Exploit code is not needed to save arbitrary data in the block chain. Anyone can save such data and it's perfectly normal and safe. I assume those Kaspersky idiots just wrote a vulnerable application that operates on block chain and then they wrote an exploit for their own vulnerable application. The bottom line is, BLOCK CHAIN IS NOT VULNERABLE. The article is misleading and its authors should be banned from writing any more articles for their high degree of incompetency.

However, I don't really know how they spawned a notepad from block chain in the victim's computer. Does anyone know the details?

★★★ CryptoGraffiti.info ★★★ Hidden Messages Found from the Block Chain (Thread)
gmaxwell
Moderator
Legendary
*
expert
Offline Offline

Activity: 4284
Merit: 8808



View Profile WWW
April 11, 2015, 12:30:08 PM
 #2

However, I don't really know how they spawned a notepad from block chain in the victim's computer. Does anyone know the details?
They didn't, and it didn't say they did.

All this is saying is that they can put data inside OP_RETURNS which other malicious software can act on.  This is one of the problems with having non-trivial side-channels for non-bitcoin data. The complaint is mostly hype.

Perhaps the real news should be "Kaspersky says they believe they know a vulnerability in Bitcoin, but they failed to responsibly disclose it to the developers and instead wrote press articles on it".
shorena
Copper Member
Legendary
*
Offline Offline

Activity: 1498
Merit: 1540


No I dont escrow anymore.


View Profile
April 11, 2015, 12:51:05 PM
 #3

Its pretty simple how they did it. They created a malicous application that fetches data from the blockchain. If you run said malicious application malicious things might happen. Bottom line? Dont run anything from Kaspersky?

their "demo" -> https://www.youtube.com/watch?v=FNsqXHbeMco

Im not really here, its just your imagination.
Hyena (OP)
Legendary
*
Offline Offline

Activity: 2114
Merit: 1015



View Profile WWW
April 11, 2015, 01:14:17 PM
 #4

However, I don't really know how they spawned a notepad from block chain in the victim's computer. Does anyone know the details?
They didn't, and it didn't say they did.

All this is saying is that they can put data inside OP_RETURNS which other malicious software can act on.  This is one of the problems with having non-trivial side-channels for non-bitcoin data. The complaint is mostly hype.

Perhaps the real news should be "Kaspersky says they believe they know a vulnerability in Bitcoin, but they failed to responsibly disclose it to the developers and instead wrote press articles on it".

This article is just outright lies because it leaves an impression that block chain itself is the root of all evil when actually the botnet could be operated from anywhere on the internet and block chain is just one way to do it.

using an exploit code that opens a notepad --- this wording is a typical shellcode execution wording because often time the PoC exploits open calc.exe or notepad. this is what confused me the most about this post. If it was really possible to make a bitcoin tx that would spawn notepad in all the computers of the bitcoin's network then it would be a humongous vulnerability Cheesy

★★★ CryptoGraffiti.info ★★★ Hidden Messages Found from the Block Chain (Thread)
altcoinex
Sr. Member
****
Offline Offline

Activity: 293
Merit: 251


Director - www.cubeform.io


View Profile WWW
April 11, 2015, 02:03:24 PM
 #5

This is so stupid it's frustrating... The only kind of accurate title for the article would be 'bitcoin may provide new source for command and control of malware' or something... But to suggest the blockchain is 'vulnerable' is such nonsense... By that logic, All versions of Apache and every other web server is 'vulnerable' because it could serve a payload to anyone!


                                     ╓╢╬╣╣╖
                                   ┌║██████║∩
                                   ]█████████
                                    ╜██████╝`
                                      ╙╜╜╜`
                                   ╓╥@@@@@@╥╓
         ╓╖@@╖,                 ,@║██████████╢@,                 ,╓@@╖╓
       ╓╢██████╢.              ╓╢███████████████╖               ║╢█████║╓
       ║█████████    ,,╓╓,,   ┌║█████████████████┐   ,,╓╓,,    ]█████████
       └╢██████║` ╓╢║██████╢║∩``╙╙╙╙╙╙╙╙╙╙╙╙╙╙╙╙╙`»╢╢██████╢║╖  ║███████╜
         "╜╜╜╜` ╖╢█████████╣╜                      └╢██████████@ `╜╜╜╜╜
               ║██████████╜                          ╙╢██████████
              ┌█████████╜                              ╙╢█████████
              └███████╨`                                 ╜████████
               ║████╨╜                                    `╢█████
                ╙╢╣╜                                        └╢█╜
                ,,                                            ,,
             ╓@║██┐                                          ┌██║@╓
            ╢██████                                          ]█████H
           ╢███████∩                                        ┌████████
  ╓@@@@╓   █████████                                        ║████████`  ╓@@@@╖
╓╢██████║. █████████∩                                      ┌█████████ ,║███████╖
██████████ └█████████                                      ██████████ ]█████████
`║██████╜`  └╢████████                                    ┌███████╣╜   ╙██████╨`
  `╙╜╜╙`      `╙╨╢████                                    █████╝╜`       `╙╜╜`
                      ]@╓                              ╓╖H
                      ███╢║@╓,                    ,╓@╢╢███`
                      ████████╢@╖╓.           ╓╖@║████████`
                      ]███████████╢║@╓,  ,╓@╢╢████████████
                       ╙╢█████████████╨` ╜██████████████╜
                         ╙╝╢███████║╜`    `╜║████████╝╜`
                     ,╓@@@╓  `²╙``             `╙²`  ╓@@@╖,
                    ║╢█████╢H                      ╓╢██████H
                    █████████                      █████████`
                    ╙╢██████╜                      ╙╢██████╜
                      └╨╩╝┘                          └╨╩╝╜
WINFLOW.
██
██
██
██
██
██
██
██
██
██
██
██
██
..
██
██
██
██
██
██
██
██
██
██
██
██
██
.
gmaxwell
Moderator
Legendary
*
expert
Offline Offline

Activity: 4284
Merit: 8808



View Profile WWW
April 11, 2015, 02:48:20 PM
 #6

I suggest taking their claims at face value and asking them why they're behaving unethically; make them clarify that what they're doing isn't actually an attack. Smiley
criptix
Legendary
*
Offline Offline

Activity: 2464
Merit: 1145


View Profile
April 11, 2015, 11:51:53 PM
Last edit: April 12, 2015, 12:55:38 AM by criptix
 #7

However, I don't really know how they spawned a notepad from block chain in the victim's computer. Does anyone know the details?
They didn't, and it didn't say they did.

All this is saying is that they can put data inside OP_RETURNS which other malicious software can act on.  This is one of the problems with having non-trivial side-channels for non-bitcoin data. The complaint is mostly hype.

Perhaps the real news should be "Kaspersky says they believe they know a vulnerability in Bitcoin, but they failed to responsibly disclose it to the developers and instead wrote press articles on it".

probaly the main point for them.
you can store malicious code on the blockchain and only need some small code on victim pc to get the main code executed/downloaded.

but i would agree that this is no blockchain vuneralbility...

                     █████
                    ██████
                   ██████
                  ██████
                 ██████
                ██████
               ██████
              ██████
             ██████
            ██████
           ██████
          ██████
         ██████
        ██████    ██████████████████▄
       ██████     ███████████████████
      ██████                   █████
     ██████                   █████
    ██████                   █████
   ██████                   █████
  ██████
 ███████████████████████████████████
██████████████████████████████████████
 ████████████████████████████████████

                      █████
                     ██████
                    ██████
                   ██████
                  ██████
                 ████████████████████
                 ▀██████████████████▀
.LATTICE - A New Paradigm of Decentralized Finance.

 

                   ▄▄████
              ▄▄████████▌
         ▄▄█████████▀███
    ▄▄██████████▀▀ ▄███▌
▄████████████▀▀  ▄█████
▀▀▀███████▀   ▄███████▌
      ██    ▄█████████
       █  ▄██████████▌
       █  ███████████
       █ ██▀ ▀██████▌
       ██▀     ▀████
                 ▀█▌
 

             ▄████▄▄   ▄
█▄          ██████████▀▄
███        ███████████▀
▐████▄     ██████████▌
▄▄██████▄▄▄▄█████████▌
▀████████████████████
  ▀█████████████████
  ▄▄███████████████
   ▀█████████████▀
    ▄▄█████████▀
▀▀██████████▀
    ▀▀▀▀▀
samson
Legendary
*
Offline Offline

Activity: 2097
Merit: 1070


View Profile
April 11, 2015, 11:59:51 PM
 #8

Using op_return data many things are possible. Command and control for a botnet, sure - sounds possible to me.

This will never change, if they didn't use op_return they could use one of various other methods of embedding spurious information into the blockchain.

I have to wonder if there's altcoins out there which we're not aware of which were designed for this specific type of insert only structure.

I'm sure public key servers could be used in a similar way but unlike Bitcoin those records could be tampered with by the operators.

I reckon that this will be an issue at some point but I suspect there's nothing anyone can do about it.

I'll add that there's nothing new here at all, anything that can be done now could be done long ago. It's sabre rattling by Interpol and Kaspersky.
coinableS
Legendary
*
Offline Offline

Activity: 1442
Merit: 1186



View Profile WWW
April 12, 2015, 03:21:39 AM
 #9

Its pretty simple how they did it. They created a malicous application that fetches data from the blockchain. If you run said malicious application malicious things might happen. Bottom line? Dont run anything from Kaspersky?

their "demo" -> https://www.youtube.com/watch?v=FNsqXHbeMco
So just don't parse the blockchain and start compiling malicious code that was injected?

freemind1
Legendary
*
Offline Offline

Activity: 1526
Merit: 1014


View Profile
April 12, 2015, 10:38:18 PM
 #10

They refer to Bitcoin has been extended to accept not only financial transactions but also 40 bytes arbitrary by OP_RETURN operation. They say that a virus could be updated by accessing the chain blocks and downloading the data specified in these OP_RETURN, although not explain how.
shorena
Copper Member
Legendary
*
Offline Offline

Activity: 1498
Merit: 1540


No I dont escrow anymore.


View Profile
April 13, 2015, 07:44:39 AM
 #11

Its pretty simple how they did it. They created a malicous application that fetches data from the blockchain. If you run said malicious application malicious things might happen. Bottom line? Dont run anything from Kaspersky?

their "demo" -> https://www.youtube.com/watch?v=FNsqXHbeMco
So just don't parse the blockchain and start compiling malicious code that was injected?

Thats what it looks like yes.

They refer to Bitcoin has been extended to accept not only financial transactions but also 40 bytes arbitrary by OP_RETURN operation. They say that a virus could be updated by accessing the chain blocks and downloading the data specified in these OP_RETURN, although not explain how.

There are many other ways to encode data in the blockchain, which are more efficient.

Im not really here, its just your imagination.
InceptionCoin
Member
**
Offline Offline

Activity: 108
Merit: 10


View Profile
April 13, 2015, 09:51:26 AM
 #12

In this case my fence is vulnerable too:
malicious hacker could paint "sudo rm -rf /" on it and somebody could copy-paste into terminal.
Please tell me the INTERPOL phone, i need their help

Skilled C++ and Python programmer. Looking around to create solid longterm coin by myself. Do you have any ideas? Feel free to PM me.
ca333
Hero Member
*****
Offline Offline

Activity: 521
Merit: 522


Developer - EthicHacker - BTC enthusiast


View Profile
April 13, 2015, 07:55:57 PM
 #13

next time they able for testing any other cloud "storage". why not post vuln code in facebook, google docs, or also why not in pastebin. Then start attackscript/app which parse the "bad" data from pastebin or FB to execute on infected computer... And then they will say pastebin is vulnerable...Huh I think its only what they must do. Its order from above. Big banks and finance institution say to Interpol "you must say this and this about the btc". And then they work together with Kaspersky and tell them "we must say this and this about bitcoin". I think its a command from "higher place": "make bad news for bitcoin"...

this space is available (free) for humanitarian nonprofit organizations - please contact me
Cryddit
Legendary
*
Offline Offline

Activity: 924
Merit: 1132


View Profile
April 14, 2015, 01:18:32 AM
 #14

Okay, as I understand it ...

What they're saying is that someone can insert arbitrary data into the block chain (which is true), and that malware authors could therefore use the block chain as a channel to communicate commands to their botnets or retrieve information from them.  The botnet operator could make a transaction at any time with any txOut anywhere inserting arbitrary commands into the data after an OP_RETURN, and the botnet would act on those commands, possibly executing arbitrary command lines on the targeted machines depending on whether the bot has gotten that ability yet, or possibly even downloading and running new executable code encoded in block chain transactions.

Because the targeted machines are downloading the block chain anyway because the operators are running bitcoin nodes, this means no traceable additional communications channels are needed.  Because the block chain is from-everywhere-to-everywhere, it's very hard to trace the commands to their source, even if the channel is noticed.  

A botnetted computer could send a tx to the Bitcoin network moving 0BTC (yes, a valid transaction even though no BTC actually move) to a random address picked off the block chain, with data (such as an encrypted, stolen password or keys to a wallet) attached after an OP_RETURN, and the botnet operator, seeing the tx, would be able to retrieve the data from the block chain without being traceable, because thousands of people are downloading every block anyway.

So, yes, a somewhat clever hack and a way to use the block chain for evil.  But it is only applicable to machines that have already got malware installed on them by some other means and only applicable to machines that are downloading the block chain.  

To be honest, if you've got malware installed on the same machine you have a live bitcoin wallet on, you're in deeply troubled waters anyway.
tspacepilot
Legendary
*
Offline Offline

Activity: 1456
Merit: 1081


I may write code in exchange for bitcoins.


View Profile
April 14, 2015, 07:04:04 AM
 #15

In this case my fence is vulnerable too:
malicious hacker could paint "sudo rm -rf /" on it and somebody could copy-paste into terminal.
Please tell me the INTERPOL phone, i need their help


^^ This is too funny!  But in all seriousness, is there anything more to this complaint than this.  Surely there are as many ways to distribute malicious code as there are information channels.  If they're saying that bitcoin is malicious because it can be used to transmit code (which might be malicious) then HTTP is also broken (and so is InceptionCoin's fence).  Surely there's something more to this kaspersky article than this.

EDIT: I somehow missed this in my first reading

Quote from: Cryddit
Because the targeted machines are downloading the block chain anyway because the operators are running bitcoin nodes, this means no traceable additional communications channels are needed.  Because the block chain is from-everywhere-to-everywhere, it's very hard to trace the commands to their source, even if the channel is noticed. 

That does make it a little more reasonable (I hope there's not already a program on IC's computer which copy-pastes the OCR of whatever's painted on his fence already running Smiley).
itod
Legendary
*
Offline Offline

Activity: 1974
Merit: 1077


^ Will code for Bitcoins


View Profile
April 14, 2015, 01:56:35 PM
 #16

Somebody figured out how to use a blockchain as a poor-man's file-system (sort of). I'm surprised people in Kaspersky call this a vulnerability, they can not be serious.
AllTheBitz
Full Member
***
Offline Offline

Activity: 226
Merit: 100



View Profile
April 14, 2015, 03:38:22 PM
 #17

This have no sense how could Blockchain be Vulnerable , this is just some of those bitcoin haters , bitcoin price
today seem not to be good may be caused by this ?

- All The Blitz

▓▓▓▓   New Real-time Cryptocurrency Exchange            → CREATE  ACCOUNT ▓▓▓▓
▅▅▅▅▅▅▅▅▅▅▅▅▅▅▅▅▅▅▅▅▅▅▅  BIT-X.com  ▅▅▅▅▅▅▅▅▅▅▅▅▅▅▅▅▅▅▅▅▅▅
▓▓▓▓   Supported Currencies: BTC, LTC, USD, EUR, GBP → OFFICIAL THREAD ▓▓▓▓
fancy_pants
Hero Member
*****
Offline Offline

Activity: 663
Merit: 501


quarkchain.io


View Profile WWW
April 14, 2015, 05:35:01 PM
 #18

this is how private companies get taxpayer money

1. create a problem
2. inform taxpayers/voting constituents of the problem
2. offer a solution
3. profit

When you read the news, just replace the word "terrorist" with the word "bureaucrat" and it will all make sense.
acid_rain
Newbie
*
Offline Offline

Activity: 41
Merit: 0


View Profile
April 14, 2015, 06:58:22 PM
 #19

So basically they signed a deal with Kaspersky just to tell them what everybody already knew? only worded to suit their convenience and agenda? It goes to show how there exist no more white hats anymore, only different shades of gray. Nobody is bad all the time, or on the good side all the time. The line has become very blurred for both.

States & Authorities are the biggest sponsor of terrorism in any shape or form due to their agenda at the time. The abuse and tactics they employ is clear to everyone and yet they don't even attempt to hide it. Far from Machiavellian. We live in an age were corruption has taken over. It's fine as long as your agenda is being pushed forward.
Raize
Donator
Legendary
*
Offline Offline

Activity: 1419
Merit: 1015


View Profile
April 15, 2015, 01:55:20 AM
Last edit: April 16, 2015, 05:47:59 AM by Raize
 #20


If this is seriously all they have come up with, it's pretty weak. People were putting pornography and actual viruses into the blockchain two years ago. Sure, you could put a payload into the blockchain (even maybe an encrypted payload), but you still have to have a tool that extracts it and it would require someone is already infected.

At worst, someone could run a very stealthy command and control using the blockchain. But even here it presumes the person is already infected.
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!