LNBot: A Covert Hybrid Botnet on Bitcoin Lightning Network for Fun and Profit

  • Conference paper
Computer Security – ESORICS 2020 (ESORICS 2020)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 12309)

Abstract

While various covert botnets were proposed in the past, they still lack complete anonymization for their servers/botmasters or suffer from slow communication between the botmaster and the bots. In this paper, we propose a new generation hybrid botnet, called LNBot, that covertly and efficiently communicates over the Bitcoin Lightning Network (LN). LN is a payment channel network operating on top of the Bitcoin network for faster Bitcoin transactions with negligible fees. Exploiting various anonymity features of LN, we designed a scalable two-layer botnet which completely anonymizes the identity of the botmaster. In the first layer, the botmaster sends commands anonymously to the C&C servers through LN transactions. Specifically, LNBot allows the botmaster's commands to be sent in the form of surreptitious multihop LN payments, where the commands are encoded with ASCII or Huffman encoding to provide covert communications. In the second layer, C&C servers further relay those commands to the bots they control in their mini-botnets to launch any type of attack on victim machines. We implemented a proof-of-concept on the actual LN and extensively analyzed the delay and cost performance of LNBot. Our analysis shows that LNBot achieves better scalability compared to other similar blockchain botnets with negligible costs. Finally, we also provide and discuss a list of potential countermeasures to detect LNBot activities and minimize its impacts.

Notes

  1. A satoshi is defined to be 0.00000001 Bitcoin. In other words, 1 Bitcoin is 100 million satoshi.

  2. https://github.com/LightningNetworkBot/LNBot.

  3. Check LNB6’s channel (1735152493945290752) opening transaction for instance: fc46c99233389d24c4fd9517cd503f08265c517a6f0570d806e7cc98b7f7963b.

  4. In a similar way, check one of our mainnet node’s channel opening transaction: 1d81b6022ff1472939c4db730ca01b82d43b616e757d799aea17ee0db6427520.

Corresponding author

Correspondence to Ahmet Kurt.

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Kurt, A., Erdin, E., Cebe, M., Akkaya, K., Uluagac, A.S. (2020). LNBot: A Covert Hybrid Botnet on Bitcoin Lightning Network for Fun and Profit. In: Chen, L., Li, N., Liang, K., Schneider, S. (eds) Computer Security – ESORICS 2020. ESORICS 2020. Lecture Notes in Computer Science, vol 12309. Springer, Cham. https://doi.org/10.1007/978-3-030-59013-0_36

  • DOI: https://doi.org/10.1007/978-3-030-59013-0_36

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-59012-3

  • Online ISBN: 978-3-030-59013-0

  • eBook Packages: Computer Science, Computer Science (R0)
