# How (also) not to use a blockchain
Using bitcoin as a hacking tool, not just for payments
---
### `[silur@bday3.0 ~]$ whoami`
- Hacker @ 0.0.0.0/0
- Cryptographer @ QANPlatform, CasperLabs, MTA Wigner and others
- Blockchain architect & consultant @ Ethereum, Monero, Algorand and others
- Bug bounty hunter
- Malware analyst
---
## Agenda
- Intro to modern computer viruses
- Deploy and control malware with bitcoin
- Blockchain love letters
- Build a botnet with bitcoin
---
## Modern viruses
- Categorized by L. Adleman into: Simple vs Self-reproducing
- Obfuscated/Encrypted
- Polymorphic
- Anti-debug
- Steganography etc
---
## AV techniques
- Static analysis - byte patterns
- Spectral analysis - code patterns (disassembled)
- Dynamic analysis - IoC scores
---
### State of the art FUD: K-ary virus
- Started from Cohen's Vector-Boolean Functions
- The virus is made of `k` small executables, none of which scores as malicious on its own
- Executed together they form the malware
- Class 1 (sequential) and Class 2 (parallel) k-ary viruses exist
- **Detecting k-ary malware is an NP-complete problem!**
- The generalisation is formalised through process algebras!
---
## Problem: C2 servers
- AV companies put a major focus on tracing your C2
- Far more than they put into actually reversing the sample
- A compromised C2 usually ends with you exposed to the authorities (you paid for your front server with a credit card… yes, you did)
---
### If only we had a whitelisted IP that's not censored…
- Blockchain explorers aren't (or are no longer) blacklisted by AVs: everyone checks their BTC balance!
- You are free to write arbitrary bytes into transactions with `OP_PUSHDATA` and `OP_RETURN`
- … and nobody filters the content. The catch is size: default relay policy (Bitcoin Core's `-datacarriersize`, policy rather than consensus) caps an `OP_RETURN` output at 80 bytes of data, so anything bigger is chunked across outputs or transactions
---
### You can leave k-ary malware in BTC transaction scripts
- The first stage only has to query a public explorer (e.g. blockchain.com) for other txs carrying your magic header
- AVs will take a long time to integrate blockchain-transaction analytics (likely never)
- Execute your Class-1 k-ary virus right from bitcoin!
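The two slides above lean on the same plumbing: pushing bytes into `OP_RETURN` outputs, and scanning outputs for a magic header to pull them back out (which is exactly the "blockchain-transaction analytics" an AV would need, too). The block below is an added example, not code from the talk or from the linked demo repository. It parses Bitcoin Script push opcodes, extracts `OP_RETURN` payloads, applies the 80-byte standardness check, and shows how a payload larger than one output is split into tagged chunks and reassembled by anyone scanning for the tag, in any order and amid unrelated outputs. The tag `MAGIC`, the two-byte chunk header and the sample outputs are constructed here for illustration; nothing touches the network or executes what it finds.

```python
"""OP_RETURN payload scanner and chunk reassembler (added example, constructed data).

MAGIC and the index|total chunk header are choices made here, not a protocol
from the talk.  80 bytes is Bitcoin Core's long-standing default relay limit
(-datacarriersize); it is policy, not consensus, and the default has changed over time.
"""
from typing import Dict, Iterator, List, Optional, Tuple

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D
OP_PUSHDATA4 = 0x4E
MAX_OP_RETURN_DATA = 80          # data bytes a standard OP_RETURN output may carry
MAGIC = b"KARY"                  # hypothetical tag a first stage would scan for


def iter_pushes(script: bytes) -> Iterator[Tuple[int, Optional[bytes]]]:
    """Walk a Bitcoin Script yielding (opcode, data); data is None for non-push opcodes."""
    i, n = 0, len(script)
    while i < n:
        op = script[i]
        i += 1
        if op > OP_PUSHDATA4:                 # not a push opcode (OP_0 pushes b"")
            yield op, None
            continue
        hdr = 0 if op <= 75 else {OP_PUSHDATA1: 1, OP_PUSHDATA2: 2, OP_PUSHDATA4: 4}[op]
        if i + hdr > n:
            raise ValueError("truncated push length")
        size = op if hdr == 0 else int.from_bytes(script[i:i + hdr], "little")
        i += hdr
        if i + size > n:
            raise ValueError("truncated push data")
        yield op, bytes(script[i:i + size])
        i += size


def encode_push(data: bytes) -> bytes:
    """Minimal canonical push for `data`: direct push, PUSHDATA1, PUSHDATA2 or PUSHDATA4."""
    n = len(data)
    if n <= 75:
        return bytes([n]) + data
    if n <= 0xFF:
        return bytes([OP_PUSHDATA1, n]) + data
    if n <= 0xFFFF:
        return bytes([OP_PUSHDATA2]) + n.to_bytes(2, "little") + data
    return bytes([OP_PUSHDATA4]) + n.to_bytes(4, "little") + data


def op_return_script(data: bytes) -> bytes:
    """scriptPubKey of a data-carrier output: OP_RETURN <push data>."""
    return bytes([OP_RETURN]) + encode_push(data)


def op_return_payload(script: bytes) -> Optional[bytes]:
    """Concatenate everything pushed after a leading OP_RETURN; None if not a data carrier."""
    if not script or script[0] != OP_RETURN:
        return None
    return b"".join(d for _, d in iter_pushes(script[1:]) if d is not None)


def is_standard_op_return(script: bytes) -> bool:
    """Approximates Core's IsStandard: OP_RETURN, push-only, and at most 83 bytes of script."""
    if not script or script[0] != OP_RETURN or len(script) > MAX_OP_RETURN_DATA + 3:
        return False
    try:
        return all(d is not None for _, d in iter_pushes(script[1:]))
    except ValueError:
        return False


def find_tagged_payloads(output_scripts: List[bytes], magic: bytes = MAGIC) -> List[bytes]:
    """The analytics side: bytes following `magic` in every well-formed tagged output."""
    hits = []
    for script in output_scripts:
        try:
            payload = op_return_payload(script)
        except ValueError:                    # malformed script on chain: skip, don't crash
            continue
        if payload is not None and payload.startswith(magic):
            hits.append(payload[len(magic):])
    return hits


def chunk_into_op_returns(data: bytes, magic: bytes = MAGIC) -> List[bytes]:
    """Split `data` into standard-size outputs laid out as magic | index | total | chunk."""
    room = MAX_OP_RETURN_DATA - len(magic) - 2
    chunks = [data[i:i + room] for i in range(0, len(data), room)] or [b""]
    if len(chunks) > 255:
        raise ValueError("more than 255 chunks; widen the one-byte counters")
    return [op_return_script(magic + bytes([idx, len(chunks)]) + c) for idx, c in enumerate(chunks)]


def reassemble(output_scripts: List[bytes], magic: bytes = MAGIC) -> Optional[bytes]:
    """Rebuild chunked data from tagged outputs in any order, ignoring noise and duplicates."""
    parts: Dict[int, bytes] = {}
    total = None
    for body in find_tagged_payloads(output_scripts, magic):
        if len(body) < 2:
            continue                          # tag without a chunk header
        idx, count = body[0], body[1]
        total = count if total is None else total
        if count != total or idx >= total:
            continue                          # belongs to a different transfer
        parts.setdefault(idx, body[2:])       # first copy of a chunk wins
    if total is None or len(parts) != total:
        return None                           # not every chunk has landed yet
    return b"".join(parts[i] for i in range(total))


# Constructed sample: one ordinary P2PKH output, one unrelated data carrier, and a
# 512-byte payload spread over seven standard OP_RETURN outputs, listed in reverse.
P2PKH = bytes.fromhex("76a914" + "00" * 20 + "88ac")
UNRELATED = op_return_script(b"charley loves heidi")
PAYLOAD = bytes(range(256)) * 2
SAMPLE_OUTPUTS = [P2PKH, UNRELATED] + list(reversed(chunk_into_op_returns(PAYLOAD)))

if __name__ == "__main__":
    print(len(SAMPLE_OUTPUTS) - 2, "tagged outputs ->", len(reassemble(SAMPLE_OUTPUTS) or b""), "bytes")
```

The scanner is deliberately tolerant: chain data is untrusted input, so a truncated push is skipped rather than allowed to crash the loop, and the chunk header is validated before indexing. The same tolerance is what makes the magic header a usable detection signature for the other side.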
---
### Not only deploy, but control too
- You can send commands to your botnet with this method
- Even if Kaspersky etc. reverse the protocol, they can't block the channel itself: bitcoin is censorship resistant, or what? ;) (They can still blocklist the explorer endpoints your loader talks to, your magic header becomes a signature for them, and the payload sits on the chain forever.)
- Demo (external): https://github.com/dummytree/blockchain-botnet-poc
---
## Thanks
 silur@cryptall.co
 @Huohuli