The Evolving Threat Landscape - Swarmbots, Hivenets, Automation in Malware


However, there are also cost implications of using blockchain. For example, as of August 11, 2018, the maximum block gas limit is 6,700,000, which means a node can only write 10720 bytes in a single transaction. That transaction will cost $8.60, with an average completion time of 1733 seconds (about 28 minutes)! This price also depends on how many blocks accept the current gas price, which is currently only about 60% of them, so you might need to pay more. ("Gas" is a term used in Ethereum for the computational resources an action requires; it is used to calculate an appropriate fee.) While writing temporary data as a transaction that attackers can then use as a communication channel may initially be many times cheaper, that cost multiplies as the number of implants in a botnet increases. From an attacker's perspective, there are also issues to consider beyond the cost of communication: Ethereum Virtual Machine Code (EVMC) is publicly available on the blockchain (as is any transaction data), which means others can easily decompile it. Attackers also need to provision their implants with Ether tokens, which means that if someone compromises one of those implants, the attackers lose all of the money it holds.


Because the economic cost of disrupting a centralized botnet is very low from the defender's perspective, as opposed to the cost to an attacker of developing and deploying a new botnet, cybercriminals have two options. The first is to lower the cost of developing botnets so they are not penalized by continuous takedowns (as long as those botnets make a profit between subsequent takedowns). The other is to invest more money upfront in developing a more robust botnet, which will last longer and guarantee better profitability. Although the first option may seem easier, and therefore more likely, one needs to consider the amount of specialization that exists in the darknet market, which makes it highly likely that some group has already begun developing a decentralized botnet as a service. In the long run, that approach makes more sense logistically and economically, which is why we expect to see criminals use even more automated and decentralized technologies in massive botnet-based campaigns in the future.

Conversely, while the use of blockchains for C2 and other services may hold many advantages for an attacker, its transparency and cost mean we don't see criminals widely adopting it for commodity ransomware or generic malware. However, it remains a potential option for high-value targeted attacks performed by well-funded groups. For example, a criminal group that conducts ransomware campaigns (paid in bitcoin or a similar cryptocurrency) or that distributes cryptomining malware might be willing to spend part of its crypto profits on its implants to run smart contracts.

What is certain is that we have to keep our minds open as to what is coming next. Attackers have always found creative ways to proliferate and will continue to do so in the future. But with careful tracking and analysis, and by understanding the underlying economic models cyber attackers rely on, we can continue to make educated predictions about the directions they are headed. And by doing so, we can proactively defend ourselves and our increasingly interconnected digital world from their criminal plans.



Copyright © 2018 IDG Communications, Inc.
