Kaspersky and INTERPOL Say Blockchain is Vulnerable

[NyeFe]

What they are basically saying is that viruses can use the Bitcoin blockchain to communicate with their authors. So for example the virus author could put code into the blockchain and the infected computers would all get that code from the blockchain and run it.

This is a concern to kaspersky because normally the viruses would connect to a server, called a command and control server, to receive new instructions from the virus' author and send back stolen data etc. So all law enforcement would have to do is shut down the command and control server and they can cut the virus authors access to the infected computers. However, if the virus was using a blockchain, there would be no central point of failure and cutting the authors access would be non-trivial.

Other security researchers also had concerns about the website pastebin.com for similar reasons, that it could be used for botnet communication: http://blog.spywareguide.com/2009/06/pastebin-botnets.html

Most people are going to read this article and take it to mean that computers can be infected via the blockchain. This is not true. What they are talking about is using the blockchain as a way for hackers to send instructions to infected computers.

"Other security researchers also had concerns about the website pastebin.com" I've used pastebin to communicate between personal computers, but I don't think it would be a good example because in most case the program would be depending on one link for instructions, if it's removed then the program is vitally dead.

My main question, was why didn't they exploit the bug (using the blockchain) when they found it, until you explained it.
From my understanding the only solution, since you cannot restrict the type or format of data included in the blockchain, would be to update their antivirus to monitor the behaviours of local programs which listen for data included on the blockchain, then proceed to quarantining these programs.

So the problem is not that there's a code which can harm the Bitcoin ecosystem, but virus owners could utilise the blockchain to communicate with their Trojan horses...

[CIYAM]

So it is no more vulnerable that any other P2P network (as you can just spread your virus information via torrents if you want to hidden in images or other files using steganography).

IMO it would actually make much more sense (and cost nothing) to use torrents over Bitcoin so the fact that the article focuses on Bitcoin and not other (free to use) data storage P2P networks is rather odd.

[dasource]

So it is no more vulnerable that any other P2P network (as you can just spread your virus information via torrents if you want to hidden in images or other files using steganography).

IMO it would actually make much more sense (and cost nothing) to use torrents over Bitcoin so the fact that the article focuses on Bitcoin and not other (free to use) data storage P2P networks is rather odd.

Exactly, considering one would also need a bitcoin client or a third party website to push/read the transaction on the network. If they are doing that then why not use a free secure/encrypted method.

[Blazr]

So it is no more vulnerable that any other P2P network (as you can just spread your virus information via torrents if you want to hidden in images or other files using steganography).

IMO it would actually make much more sense (and cost nothing) to use torrents over Bitcoin so the fact that the article focuses on Bitcoin and not other (free to use) data storage P2P networks is rather odd.

Yeah there isn't a huge difference between any other P2P communication system, there are already lots of botnets that have their own P2P network. I don't see how this even deserves it's own report, it's not a very practical method of communication since it requires 20+GB of diskspace on the infected computer to store the blockchain, or a way of searching the blockchain on a remote server, which would then be a central point of failure and the whole point of using a blockchain would be pointless. They could use their own blockchain, but then that is just a run-of-the-mill P2P botnet with some minimal improvements.

[NyeFe]

So it is no more vulnerable that any other P2P network (as you can just spread your virus information via torrents if you want to hidden in images or other files using steganography).

IMO it would actually make much more sense (and cost nothing) to use torrents over Bitcoin so the fact that the article focuses on Bitcoin and not other (free to use) data storage P2P networks is rather odd.

Yeah there isn't a huge difference between any other P2P communication system, there are already lots of botnets that have their own P2P network. I don't see how this even deserves it's own report, it's not a very practical method of communication since it requires 20+GB of diskspace on the infected computer to store the blockchain, or a way of searching the blockchain on a remote server, which would then be a central point of failure and the whole point of using a blockchain would be pointless. They could use their own blockchain, but then that is just a run-of-the-mill P2P botnet with some minimal improvements.

Well then, I guess we've done their research for them. It wouldn't be feasible or logical for a botnet controller to utilise the blockchain to exploit each individual user. Not only would it be an outer retardation for such a talented mind, but it would ultimately end-up as a failed-attempt, after failed attempts.

I still can't grasp the reasons, why these antivirus companies didn't mention the increasing size of the blockchain to their audience?

[goldkey0070]

why are there so many bitcoin haters in the world  .... i can't stand bad media trying to  hate on bitcoin

[QuestionAuthority]

So it is no more vulnerable that any other P2P network (as you can just spread your virus information via torrents if you want to hidden in images or other files using steganography).

IMO it would actually make much more sense (and cost nothing) to use torrents over Bitcoin so the fact that the article focuses on Bitcoin and not other (free to use) data storage P2P networks is rather odd.

CIYAM, how possible would it be for a spy network (government or otherwise) to communicate using messages hidden in the blockchain? You could essentially be anywhere in the world and update the last 24 hours to see today's messages and no one would know it. All they would think is you use Bitcoin as money.

[CIYAM]

CIYAM, how possible would it be for a spy network (government or otherwise) to communicate using messages hidden in the blockchain? You could essentially be anywhere in the world and update the last 24 hours to see today's messages and no one would know it. All they would think is you use Bitcoin as money.

Sure you could expensively embed messages in Bitcoin txs (I even developed a method of encoding the data into sigs) but it would be a ridiculously expensive way to send messages when you could just use stego and put them in images for no cost at all (with pretty much the same level of obscurity).

[BADecker]

How is anyone going to interject code into the blockchain universally? The blockchain will reject code that isn't in the majority of its databases around the world.

[BADecker]

Besides, INTERPOL is the worldwide "company" that claims to be fighting child trafficking for sexual purposes. Yet the thing that it is doing behind the scenes is promoting child trafficking. Its supposedly legitimate operation has allowed it to set up all the connections worldwide that it needs to do the exact thing that it is claiming to be fighting against.

If INTERPOL claims something is wrong with the Bitcoin blockchain, it's because they tried to use Bitcoin for their wicked activities, and some of their own agents were found to be untrustworthy, and skimmed bitcoins out of company pockets.

[thejaytiesto]

What they are basically saying is that viruses can use the Bitcoin blockchain to communicate with their authors. So for example the virus author could put code into the blockchain and the infected computers would all get that code from the blockchain and run it.

This is a concern to kaspersky because normally the viruses would connect to a server, called a command and control server, to receive new instructions from the virus' author and send back stolen data etc. So all law enforcement would have to do is shut down the command and control server and they can cut the virus authors access to the infected computers. However, if the virus was using a blockchain, there would be no central point of failure and cutting the authors access would be non-trivial.

Other security researchers also had concerns about the website pastebin.com for similar reasons, that it could be used for botnet communication: http://blog.spywareguide.com/2009/06/pastebin-botnets.html

Most people are going to read this article and take it to mean that computers can be infected via the blockchain. This is not true. What they are talking about is using the blockchain as a way for hackers to send instructions to infected computers.

Anyone that is into Bitcoin should have decent, solid knowledge of how to keep a computer clean. If you are infected you are already screwed up.
I still don't get how the blockchain is going to be able to execute "code". All the blockchain does is verify hashes, given you aren't using some weird non common wallet.

[noobtrader]

maybe they were talking about ethereum where it can be used to run program, however this is fud and i wonder how bitcoin community should deal with these ?

[stevenh512]

What they are basically saying is that viruses can use the Bitcoin blockchain to communicate with their authors. So for example the virus author could put code into the blockchain and the infected computers would all get that code from the blockchain and run it.

And that's a legitimate concern with any method of communicating over the internet.. whether you're using the blockchain, a centralized server, some other P2P mechanism like BitTorrent or (as you mentioned) even something like PasteBin. Theoretically a virus, trojan or other malware could just as easily use a GMail account for the same purpose. Any of those methods would probably be a lot easier and less expensive for the malware author than repeatedly paying to put messages in the Bitcoin blockchain (either as fake outputs or OP_RETURNs), but I can see how putting the messages in the blockchain would be much more resilient than most of the other methods I can think of.

Most people are going to read this article and take it to mean that computers can be infected via the blockchain. This is not true. What they are talking about is using the blockchain as a way for hackers to send instructions to infected computers.

Perhaps it's the way the article is written, then? I took to mean the same thing, especially since it specifically mentions "fetching information from transaction records and running it as code" and in that light it's nothing but FUD, no Bitcoin client does that and there's no need for any Bitcoin client to ever do that. Of course some hacker using it to send messages to control infected computers is a much more legitimate concern. Even worse, I'd think, would be a hacker using it to send messages from infected computers back to himself. But we already have viruses and keyloggers that do a pretty good job of phoning home without ever having to touch the blockchain.

[QuestionAuthority]

CIYAM, how possible would it be for a spy network (government or otherwise) to communicate using messages hidden in the blockchain? You could essentially be anywhere in the world and update the last 24 hours to see today's messages and no one would know it. All they would think is you use Bitcoin as money.

Sure you could expensively embed messages in Bitcoin txs (I even developed a method of encoding the data into sigs) but it would be a ridiculously expensive way to send messages when you could just use stego and put them in images for no cost at all (with pretty much the same level of obscurity).

Thanks, I was more thinking about the aspect of a permanent record of the conversation.

[Blazr]

especially since it specifically mentions "fetching information from transaction records and running it as code" and in that light it's nothing but FUD, no Bitcoin client does that and there's no need for any Bitcoin client to ever do that.

They mean that the virus on the infected computer fetches the code from the blockchain and runs it, not an actual Bitcoin client. This isn't a security issue in bitcoin or anything per say, it's just Kaspersky pointing out that the Bitcoin blockchain or another blockchain could be used for communicating with infected machines (ones that are already infected) which would be harder to shut down than a regular c&c server.

[cellard]

What they are basically saying is that viruses can use the Bitcoin blockchain to communicate with their authors. So for example the virus author could put code into the blockchain and the infected computers would all get that code from the blockchain and run it.

And that's a legitimate concern with any method of communicating over the internet.. whether you're using the blockchain, a centralized server, some other P2P mechanism like BitTorrent or (as you mentioned) even something like PasteBin. Theoretically a virus, trojan or other malware could just as easily use a GMail account for the same purpose. Any of those methods would probably be a lot easier and less expensive for the malware author than repeatedly paying to put messages in the Bitcoin blockchain (either as fake outputs or OP_RETURNs), but I can see how putting the messages in the blockchain would be much more resilient than most of the other methods I can think of.

Most people are going to read this article and take it to mean that computers can be infected via the blockchain. This is not true. What they are talking about is using the blockchain as a way for hackers to send instructions to infected computers.

Perhaps it's the way the article is written, then? I took to mean the same thing, especially since it specifically mentions "fetching information from transaction records and running it as code" and in that light it's nothing but FUD, no Bitcoin client does that and there's no need for any Bitcoin client to ever do that. Of course some hacker using it to send messages to control infected computers is a much more legitimate concern. Even worse, I'd think, would be a hacker using it to send messages from infected computers back to himself. But we already have viruses and keyloggers that do a pretty good job of phoning home without ever having to touch the blockchain.

They are just hyping their antivirus bloatware any way they can. Whats the next big thing in everyone's computer? Bitcoin. Then lets start selling how Bitcoin "can infect your computer thought the blockchain" and make some shekels.

[Todamont]

CIYAM:
> You'd need some specially created Bitcoin client that uses something like OP_RETURN data as an executable...

That's actually an interesting idea. If you embedded some injection-like escape sequence, followed by assembly code tailored to a specific microprocessor set, then could it possibly be executed by any standard client when it is "naively" attempting to access the OP_RETURN data? Clients / nodes written in loosely-typed languages seem like they might be more vulnerable...

[R2D221]

CIYAM:
> You'd need some specially created Bitcoin client that uses something like OP_RETURN data as an executable...

That's actually an interesting idea. If you embedded some injection-like escape sequence, followed by assembly code tailored to a specific microprocessor set, then could it possibly be executed by any standard client when it is "naively" attempting to access the OP_RETURN data? Clients / nodes written in loosely-typed languages seem like they might be more vulnerable...

How would you “accidentally execute” a sequence of bytes? Unless you're using something similar to eval, which then it's not accidental anymore.

[Kprawn]

Well for this to happen, the virus or code has to execute arbitrary block chain data. It has to install a method of accessing that data, decoding it and executing it.

There are many other easier ways of doing this... A simple trojan virus in the executable of these games and apps, people are downloading "for free" from torrent sites, will do the trick. 

Yes, we do not deny, that it's not possible to inject malicious code into the blockchain, but it's not a VERY affective way to spread virusses. {It requires a lot of other things to be in place, before it can be executed}

In my opinion it's just another way for AV companies to spread FUD, to increase fear, and to get people to buy more of their products to counter it. {Very low risk}

[tzortz]

Exactly this. They want to promote their products that way.
Where was Kaspersky the last 5-6 years since the blockchain release?

They just want to get involved in the Bitcoin game. They make money.