[cryptography] Bitcoin-mining Botnets observed in the wild? (was: Re: Bitcoin in endgame

ianG iang at iang.org
Wed Mar 28 21:03:49 EDT 2012

On 29/03/12 08:32 AM, Zooko Wilcox-O'Hearn wrote:
> (N.B. I (still) disagree with Ian Grigg's thesis in several of its
> other steps.


> However, the part about how botnets, which don't pay for
> the marginal cost of their electricity, will provide an increasing
> contribution to the global Bitcoin transaction-confirmation service
> (a.k.a. "mining") -- that part I'm starting to agree with.)
> "In addition to spamming and distributed denial-of-service attacks,
> this latest botnet was capable of both stealing Bitcoin wallets from
> infected computers, and BitCoin mining, which uses the resources of
> victimized computers to make new Bitcoins." ¹
> ¹ http://arstechnica.com/business/news/2012/03/p2p-botnets-the-bigger-they-come-the-faster-they-fall.ars
> So, Kaspersky and company took down this botnet, which they say had
> about 116,000 bots, starting on March 21, nabbing three quarters of
> them within 24 hours, and the botnet was mostly dead within a week.

Does anyone know why they did this?  I had a read of the FAQ and it 
makes the most astounding claims:

The only permanent solution is advocating to politicians for more 
international legislation and laws to be passed for more involvement 
between cyber security professionals and federal law-enforcement 
agencies. Sinkholing is a temporary solution but finding the groups 
behind the botnets and allowing law enforcement to apprehend them is the 
only permanent solution to the problem. New regulations will give more 
jurisdiction to execute the following countermeasures:

     Carrying out mass remediation via a botnet
     Using the expertise and research of private companies, providing
     them with warrants for immunity against cybercrime laws in particular
     Using the resources of any compromised system during an investigation
     Obtaining a warrant for remote system exploitation when no other
     alternative is available

After taking down the old Hlux we asked your readers on
securelist.com how Kaspersky should proceed with the botnet: The answer 
was quite clear: Only 4% voted for “Leave the botnet alone.”. 9% agreed 
with “Keep the sinkholing up and provide IP address logs to the 
appropriate contacts so they can take actions.” and 85% voted for “Push 
a cleanup tool that removes the infections.”. In this poll 8539 votes 
were counted.


ArsTechnica suggests more fascinating comments:

The researchers said that security companies are informing Internet 
service providers about the infections, but cannot legally take direct 
action to clean up the machines. ....

.... But "there is one other theoretical option to ultimately get rid of 
Hlux," Ortloff wrote. "We know how the bot's update process works. We 
could use this knowledge and issue our own update that removes the 
infections and terminates itself. However, this would be illegal in most 

> The security company people told the Ars Technica reporter that they
> were surprised that the Botnet operators didn't try to recover control
> of the bots.

(If I was them, I'd be worried about backtracking.  Once I knew I was 
under attack, I would prefer to cut & run rather than reveal.)

> A 100,000-node botnet was taken down. The architects of the takedown
> made statements that it was used for Bitcoin mining. At the same time,
> there was a substantial dip in the global rate of transaction
> confirmation (a.k.a. "mining"), which lasted about 48 hours. However,
> back-of-the-envelope calculations by yours truly indicate that a
> 100,000-node botnet would not contribute even 10% of the hash rate
> seen in the dip.

Good observations and calculations.  So, let's say you wanted a botnet 
to do mining.  What could you do to improve that?
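The back-of-the-envelope comparison Zooko refers to can be made concrete. The following is an added example, not code from either poster: it derives the network hash rate implied by block difficulty and observed block spacing (expected hashes per block = difficulty * 2^32, divided by the mean seconds per block), sets that against what a botnet of CPU miners could add, and estimates how much of a 48-hour "dip" is just Poisson noise in block arrival. The difficulty value, the per-node hash rate, the node count and the block timestamps are all assumptions chosen for illustration, not measurements.

```python
"""
Added example (not from the original post): how large a share of the
Bitcoin network hash rate a botnet of CPU miners could plausibly have,
and how much of a short dip in block production is statistical noise.

Every input value below is an assumption for illustration.
"""
import math
from statistics import mean

TARGET_SPACING = 600.0  # Bitcoin's design block interval, in seconds
HASHES_PER_DIFFICULTY = 2 ** 32  # expected hashes per block at difficulty 1


def implied_hashrate(difficulty: float, timestamps: list) -> float:
    """Network hash rate (H/s) implied by a run of block timestamps.

    A block at difficulty D takes D * 2**32 hashes on average, so the
    network rate is that work divided by the mean observed block interval.
    """
    if len(timestamps) < 2:
        raise ValueError("need at least two block timestamps")
    intervals = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if any(i <= 0 for i in intervals):
        raise ValueError("timestamps must be strictly increasing")
    return difficulty * HASHES_PER_DIFFICULTY / mean(intervals)


def botnet_hashrate(nodes: int, per_node_hps: float) -> float:
    """Aggregate rate of a botnet of `nodes` machines each doing per_node_hps."""
    return nodes * per_node_hps


def botnet_share(nodes: int, per_node_hps: float, network_hps: float) -> float:
    """Fraction of the network's hash rate the botnet would represent."""
    return botnet_hashrate(nodes, per_node_hps) / network_hps


def relative_noise(n_blocks: int) -> float:
    """1-sigma relative error of a hash-rate estimate from n_blocks blocks.

    Block arrival is approximately Poisson, so the mean interval over n
    blocks has relative standard deviation 1/sqrt(n). A 48-hour window
    holds about 288 blocks, giving roughly 6% noise on the estimate.
    """
    return 1.0 / math.sqrt(n_blocks)


def synthetic_timestamps(start: int, count: int, spacing: float) -> list:
    """Constructed block timestamps with uniform spacing (not real chain data)."""
    return [start + int(i * spacing) for i in range(count)]


if __name__ == "__main__":
    # Assumed inputs: difficulty on the order of early-2012 levels, a
    # 100,000-node botnet, and an average CPU miner rate of 2 MH/s per bot.
    DIFFICULTY = 1_500_000
    NODES = 100_000
    PER_NODE = 2e6

    normal = synthetic_timestamps(1_332_900_000, 145, 600)  # 24h, on target
    dip = synthetic_timestamps(1_332_986_400, 132, 660)     # 24h, 10% slower

    h_normal = implied_hashrate(DIFFICULTY, normal)
    h_dip = implied_hashrate(DIFFICULTY, dip)
    print(f"implied rate, normal window: {h_normal / 1e12:.2f} TH/s")
    print(f"implied rate, dip window:    {h_dip / 1e12:.2f} TH/s")
    print(f"botnet rate:                 {botnet_hashrate(NODES, PER_NODE) / 1e12:.2f} TH/s")
    print(f"botnet share of network:     {100 * botnet_share(NODES, PER_NODE, h_normal):.1f}%")
    print(f"1-sigma noise over 288 blocks: {100 * relative_noise(288):.1f}%")
```

Under these assumptions the botnet is a few percent of the network, and a 48-hour window carries about 6% one-sigma noise, so a dip needs to be well beyond that before a single botnet takedown is a plausible cause. Swap in the real difficulty and timestamps from a block explorer to repeat the check against actual data.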

