[cryptography] Bitcoin-mining Botnets observed in the wild? (was: Re: Bitcoin in endgame

Zooko Wilcox-O'Hearn zooko at zooko.com
Wed Mar 28 17:32:30 EDT 2012

(N.B. I (still) disagree with Ian Grigg's thesis in several of its
other steps. However, the part about how botnets, which don't pay for
the marginal cost of their electricity, will provide an increasing
contribution to the global Bitcoin transaction-confirmation service
(a.k.a. "mining") -- that part I'm starting to agree with.)

"In addition to spamming and distributed denial-of-service attacks,
this latest botnet was capable of both stealing Bitcoin wallets from
infected computers, and BitCoin mining, which uses the resources of
victimized computers to make new Bitcoins." ¹

¹ http://arstechnica.com/business/news/2012/03/p2p-botnets-the-bigger-they-come-the-faster-they-fall.ars

So, Kaspersky and company took down this botnet, which they say had
about 116,000 bots, starting on March 21, nabbing three quarters of
them within 24 houres, and the botnet was mostly dead within a week.
Note that a lot of the bots would not be powered on or connected to
the Internet 24/7. That might be part of why it took a week to reach
most of them and sinkhole them, and it also means that the
*continuous* number of bots connected at any one time was a fraction
of 116,000 -- probably around 5% of the total, or around 5000,
extrapolating from ²  -- or if you look at Figure 3 on ³ and squint
real hard at the altitude of the red line.

² http://blog.damballa.com/?p=330
³ http://blog.crowdstrike.com/2012/03/p2p-botnet-kelihosb-with-100000-nodes.html

Can we see a blip in the Bitcoin charts starting on March 21?

Here's the chart of aggregate mining power: ⁴. I uploaded a snapshot
of the relevant time span here: ⁵.

⁴ http://bitcoin.sipa.behttp://zooko.com/pubscratch/speed-lin-2k.png

How to interpret this? There *is* a significant dip in aggregate
mining power beginning on the 22nd, not the 21st. Hm, yeah I guess
that roughly lines up with Fig 4 from ³.

Heh, I note that ³ doesn't mention Bitcoin mining, only wallet theft,
and the Ars Technica article's only other source -- the blog entry
from Kaspersky ⁶ -- mentions only "bitcoin-mining wallet theft", which
is a funny jumble of two different things.

⁶ http://www.securelist.com/en/blog/208193431/Botnet_Shutdown_Success_Story_again_Disabling_the_new_Hlux_Kelihos_Botnet

The security company people told the Ars Technica reporter that they
were surprised that the Botnet operators didn't try to recover control
of the bots. Look at the way the aggregate mining power rebounded in
the ensuing days. Could it be that the operators were too busy renting
and spinning up their new botnet to struggle for control of their old

Here's another graph -- number of nodes connected to a Bitcoin node: ⁷.

⁷ http://bitcoinstatus.rowit.co.uk/hosts.html

There's a substantial dip followed by a recovery within a couple of
days. Oh, but if ⁸ (snapshot ⁹) is accurate, that dip began on the
16th and was over by the 19th. So that probably has nothing to do with
it. I guess a Bitcoin-mining Botnet would not show up on this graph
anyway, as it would proxy all of its connections to the Bitcoin
network through a single Bitcoin node or a small number of Bitcoin

⁸ http://bitcoinstatus.rowit.co.uk/hostsMonth.pnghttp://zooko.com/pubscratch/hostsMonth.png

I'm beginning to doubt that the takedown of the botnet had anything to
do with the dip in mining power, because (a) the statements from
security companies are light on details and unclear on the concept,
and (b) 84% of the infected machines were running Windows XP (most of
them were located in Poland), which I suspect means they don't have a
modern enough GPU to contribute to the global transaction-confirmation

But what if? Suppose, just suppose, that of the 5000 continuous bots,
500 of them had a modern GPU and that the botnet operators had
actually gone ahead and installed a Bitcoin mining plugin on them.
Looking at the Bitcoin Mining Hardware Comparison ¹⁰ and looking at
the cheaper cards costing around $100, I guess that this might be
worth about 200 Mhash/sec for each of the 500 bots, or 100 Ghash/sec
for the whole botnet. The range from the peak to the trough of the
blue line (1 day window estimate) on ⁴ is about 3000 Ghash/sec. Hm, so
that's much more than the botnet could have been producing, by my
estimates. Even if we are a lot more generous with our assumptions
about how many of those bots had GPUs, and how fancy and expensive
those GPUs were, they probably couldn't account for even half of that
1-day window estimate delta of 3000 GHash/sec.

¹⁰ https://en.bitcoin.it/wiki/Mining_Hardware_Comparison


A 100,000-node botnet was taken down. The architects of the takedown
made statements that it was used for Bitcoin mining. At the same time,
there was a substantial dip in the global rate of transaction
confirmation (a.k.a. "mining"), which last about 48 hours. However,
back-of-the-envelope calculations by yours truly indicate that a
100,000-node botnet would not contribute even 10% of the hash rate
seen in the dip.



More information about the cryptography mailing list