DUSTBot: A duplex and stealthy P2P-based botnet in the Bitcoin network

Autoři: Yi Zhong aff001;  Anmin Zhou aff001;  Lei Zhang aff001;  Fan Jing aff001;  Zheng Zuo aff002
Působiště autorů: College of Cybersecurity, Sichuan University, Chengdu, Sichuan, China aff001;  College of Electronics and Information Engineering, Sichuan University, Chengdu, Sichuan, China aff002
Vyšlo v časopise: PLoS ONE 14(12)
Kategorie: Research Article
doi: https://doi.org/10.1371/journal.pone.0226594


As the root cause of illegal cyber activities, botnets are evolving continuously over the last two decades. Current researches on botnet command and control mechanism based on blockchain network suffer from high economic cost, single point of failure, and limited scalability. In this paper, we present DUSTBot, a novel P2P botnet model based on Bitcoin transactions to prepare for new cyber threats. Specifically, a covert, duplex, and low-cost command and control (C&C) channel in the Bitcoin network is presented in our work. DUSTBot uses the Bitcoin main network as the downstream channel while using the Bitcoin testnet as the upstream channel. Furthermore, the peer list exchange algorithm based on the Ethereum block hash proposed in this paper is effective against routing table poisoning attack and P2P botnet crawling. The robustness of DUSTBot against node removal is studied through constructing the botnet with a P2P simulator. We deploy the implementation of DUSTBot on cloud platforms to test its feasibility and performance. Moreover, the stealthiness of DUSTBot and the effectiveness of the proposed peer list exchange algorithm are evaluated. The results demonstrate the feasibility, performance, stealthiness, and robustness of DUSTBot. In the end, possible countermeasures are discussed to mitigate similar threats in the future.

Klíčová slova:

Algorithms – Computer networks – Crawling – Cryptography – Experimental economics – Machine learning algorithms – Peak values – Poisoning


1. Hung M (2017) Gartner Insights on How to Lead in a Connected World.:29.

2. Cooke E, Jahanian F, McPherson D. The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets. In: Proceedings of the Steps to Reducing Unwanted Traffic on the Internet on Steps to Reducing Unwanted Traffic on the Internet Workshop. Berkeley, CA, USA: USENIX Association; 2005. p. 6–6. (SRUTI’05).

3. Antonakakis M, April T, Bailey M, Bernhard M, Bursztein E, Cochran J, et al. Understanding the mirai botnet. In: USENIX Security Symposium. 2017. p. 1092–1110.

4. McAfee Labs (2015) Threat Advisory: CTB-Locker.

5. Werner T (2011) The Miner Botnet: Bitcoin Mining Goes Peer-To-Peer.

6. Gu G, Zhang J, Lee W. BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic. Proceedings of the 15th Annual Network and Distributed System Security Symposium. 2008 Feb 1

7. Strayer WT, Lapsely D, Walsh R, Livadas C. Botnet Detection Based on Network Behavior. Botnet Detection. 2008;1–24.

8. Abu Rajab M, Zarfoss J, Monrose F, Terzis A. A Multifaceted Approach to Understanding the Botnet Phenomenon. In: Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement. New York, NY, USA: ACM; 2006. p. 41–52. (IMC ‘06).

9. Nadji Y, Antonakakis M, Perdisci R, Dagon D, Lee W. Beheading Hydras: Performing Effective Botnet Takedowns. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security. New York, NY, USA: ACM; 2013. p. 121–132. (CCS ‘13).

10. Stone-Gross B, Cova M, Cavallaro L, Gilbert B, Szydlowski M, Kemmerer R, et al. Your Botnet is My Botnet: Analysis of a Botnet Takeover. In: Proceedings of the 16th ACM Conference on Computer and Communications Security. New York, NY, USA: ACM; 2009. p. 635–647. (CCS ‘09).

11. Dooley K (2001) Designing Large Scale Lans: Help for Network Designers. O’Reilly Media, Inc.

12. Sanatinia A, Noubir G. OnionBots: Subverting Privacy Infrastructure for Cyber Attacks. 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks. 2015;69–80.

13. Nappa A, Fattori A, Balduzzi M, Dell’Amico M, Cavallaro L. Take a Deep Breath: A Stealthy, Resilient and Cost-Effective Botnet Using Skype. In: Detection of Intrusions and Malware, and Vulnerability Assessment. Springer, Berlin, Heidelberg; 2010. p. 81–100. (Lecture Notes in Computer Science).

14. Pantic N, Husain MI. Covert Botnet Command and Control Using Twitter. In: Proceedings of the 31st Annual Computer Security Applications Conference. New York, NY, USA: ACM; 2015. p. 171–180. (ACSAC 2015).

15. Nagaraja S, Houmansadr A, Piyawongwisal P, Singh V, Agarwal P, Borisov N. Stegobot: a covert social network botnet. In: International Workshop on Information Hiding. Springer; 2011. p. 299–313.

16. Whittaker Z (2013) Skype ditched peer-to-peer supernodes for scalability, not surveillance.

17. Shin S, Gu G, Reddy ALN, Lee CP. A Large-Scale Empirical Study of Conficker. IEEE Transactions on Information Forensics and Security. 2012;7:676–90.

18. Stover S, Dittrich D, Hernandez J, Dietrich S. Analysis of the Storm and Nugache Trojans: P2P is here. USENIX; login. 2007;32(6):18–27.

19. Holz T, Steiner M, Dahl F, Biersack E, Freiling FC, others. Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm. First USENIX Workshop on Large-Scale Exploits and Emergent Threats. 2008;8(1):1–9.

20. Wang P, Wu L, Aslam B, Zou CC. A Systematic Study on Peer-to-Peer Botnets. In: 2009 Proceedings of 18th International Conference on Computer Communications and Networks. 2009. p. 1–8.

21. Zheng Z, Xie S, Dai H, Chen X, Wang H. An Overview of Blockchain Technology: Architecture, Consensus, and Future Trends. In: 2017 IEEE International Congress on Big Data (BigData Congress). 2017. p. 557–64.

22. Nakamoto S (2008) Bitcoin: A peer-to-peer electronic cash system.

23. Wood G. Ethereum: A secure decentralised generalised transaction ledger. Ethereum project yellow paper. 2014;151:1–32.

24. Ali ST, McCorry P, Lee PH-J, Hao F. ZombieCoin: powering next-generation botnets with bitcoin. In: International Conference on Financial Cryptography and Data Security. Springer; 2015. p. 34–48.

25. Ali ST, McCorry P, Lee PH-J, Hao F. ZombieCoin 2.0: managing next-generation botnets using Bitcoin. International Journal of Information Security. 2017;17:411–22.

26. Pirozzi A (2018) BOTCHAIN aka The Dark side of Blockchain.

27. Malaika M (2017) Botract—Abusing smart contracts and blockchain for botnet command and control.

28. BitInfoCharts (2019) Cryptocurrency statistics.

29. Ray J (2018) Light client protocol.

30. Zohar O (2018) Unblockable Chains: A POC on using blockchain as infrastructure for malware operations.

31. Bitcoin.org (2018) Bitcoin Developer Documentation.

32. Coinfaucet.eu (2015) Bitcoin testnet3 faucet. 2015.

33. testnet-faucet (2018) Yet Another Bitcoin Testnet Faucet! YABTF!.

34. bitcoinfaucet.uo1.net (2018) Bitcoin Testnet Faucet.

35. Tschorsch F, Scheuermann B. Bitcoin and beyond: A technical survey on decentralized digital currencies. IEEE Communications Surveys & Tutorials. 2016;18(3):2084–2123.

36. Starnberger G, Krügel C, Kirda E. Overbot: a botnet protocol based on Kademlia. In: SecureComm. 2008.

37. Lee S, Kim J. Fluxing botnet command and control channels with URL shortening services. Computer Communications. 2013;36:320–32.

38. Chen W, Luo X, Yin C, Xiao B, Au MH, Tang Y. CloudBot: Advanced mobile botnets using ubiquitous cloud technologies. Pervasive and Mobile Computing. 2017;41:270–85.

39. Wang Z, Qin M, Chen M, Jia C, Ma YT. A learning evasive email-based P2P-like botnet. China Communications. 2018;15:15–24.

40. Desimone J, Johnson D, Yuan B, Lutz P. Covert Channel in the BitTorrent Tracker Protocol. In 2016.

41. Wu D, Fang B, Yin J, Zhang F, Cui X. SLBot: A Serverless Botnet Based on Service Flux. 2018 IEEE Third International Conference on Data Science in Cyberspace (DSC). 2018;181–8.

42. Symantec Corporation (2011) Sality: Story of a peer-to-peer viral network.

43. Symantec Corporation (2013) ZeroAccess Indepth.

44. Karuppayah S. Advanced Monitoring in P2P Botnets—A Dual Perspective. Springer; 2018.

45. Andriesse D, Rossow C, Stone-Gross B, Plohmann D, Bos H. Highly resilient peer-to-peer botnets are here: An analysis of Gameover Zeus. In: 2013 8th International Conference on Malicious and Unwanted Software: “The Americas” (MALWARE). 2013. p. 116–23.

46. Karuppayah S, Roos S, Rossow C, Mühlhäuser M, Fischer M. Zeus Milker: Circumventing the P2P Zeus Neighbor List Restriction Mechanism. In: 2015 IEEE 35th International Conference on Distributed Computing Systems. 2015. p. 619–29.

47. Bitcoin Wiki (2018) Majority attack

48. Crypto51 (2019) Cost of a 51% Attack for Different Cryptocurrencies

49. Montresor A, Jelasity M. PeerSim: A scalable P2P simulator. In: 2009 IEEE Ninth International Conference on Peer-to-Peer Computing. 2009. p. 99–100.

50. Wang P, Sparks S, Zou CC. An advanced hybrid peer-to-peer botnet. IEEE Transactions on Dependable and Secure Computing. 2010;7(2):113–127.

51. Liu C, Lu W, Zhang Z, Liao P, Cui X. A recoverable hybrid C&C botnet. In: Malicious and Unwanted Software (MALWARE), 2011 6th International Conference on. IEEE; 2011. p. 110–118.

52. Zou CC, Gong W, Towsley DF. Code red worm propagation modeling and analysis. In: ACM Conference on Computer and Communications Security. 2002.

53. Bitcoinj (2018) A library for working with Bitcoin.

54. Karuppayah S, Fischer M, Rossow C, Mühlhäuser M. On advanced monitoring in resilient and unstructured P2P botnets. In: 2014 IEEE International Conference on Communications (ICC). 2014. p. 871–7.

55. Rossow C, Andriesse D, Werner T, Stone-Gross B, Plohmann D, Dietrich CJ, et al. SoK: P2PWNED—Modeling and Evaluating the Resilience of Peer-to-Peer Botnets. In: 2013 IEEE Symposium on Security and Privacy. 2013. p. 97–111.

56. Dittrich D, Dietrich S. Discovery techniques for P2P botnets. Stevens Institute of Technology CS Technical Report. 2008;4(26):2.

57. Coin Dance (2018) Bitcoin Nodes Summary.

58. Bustillos M (2013) The Bitcoin Boom. The New Yorker.

59. Haq O, Abaid Z, Bhatti N, Ahmed Z, Syed A. SDN-inspired, real-time botnet detection and flow-blocking at ISP and enterprise-level. In: 2015 IEEE International Conference on Communications (ICC). 2015. p. 5278–83.

60. Putman C, Nieuwenhuis LJ, others. Business Model of a Botnet. arXiv preprint arXiv:180410848. 2018;

61. Interpol (2015) Bitcoin’s Blockchain Offers Safe Haven For Malware And Child Abuse

Článek vyšel v časopise


2019 Číslo 12
Nejčtenější tento týden