Back The long journey towards a blockchain botnet - the experience by Federico Franzoni

Entry by Federico Franzoni, PhD student working in the project Automatic topology analysis for distributed anomalies prevention systems in the IoT

My story as a MdM PhD student is different from the average. In fact, I didn’t choose to be a researcher: research chose me.

It happened when I was looking for some interesting projects to do for my Master thesis. Back then I was fascinated by three (macro) subjects: operating systems, virtualization, and security. I wanted to work in a company, so I did an interview for a position in a security project. I got rejected. However, the same guy who interviewed me, contacted me and proposed to follow another project combining all of the subjects I was interested in. Plus, I was offered to do a PhD in France, where I could have carried on my (future) results. Too good to be true, I couldn’t refuse the offer!

So I suddenly entered the world of IT security, a strange mix of rules, standards, protocols, guidelines, good and bad guys (a.k.a. white and black hats), and them, viruses: pieces of code written by someone to steal someone else’s information, money and...computing power. That’s right, some viruses are not interested in you or your money (even when they could): they just want to exploit your computer to aim at some bigger fish. These viruses are known as “botnet”, because they form a networks of infected devices, the “bots”, working together to attack a common target.

All of this sounded very cool, but, alas, my path to become a “white hat” was still very long. I had to learn about how Windows works, how virtualization works, how viruses work, and finally, how to apply forensics techniques to detect those bad programs hiding into your PC. That’s a lot of work to do, and I was alone (something that turned out to be useful in my future career).

After one year, I finally got my MSc and I started to prepare myself for the big journey, always have to expect the unexpected! The owner of the company where I was going to do my PhD changed, and decided to block all the ongoing recruitments, including mine of course.

And this is where my story at UPF begins. My mentor, who didn’t want to leave me wandering the streets, “offered” me to what is now my supervisor. Barcelona was definitely and attractive destination, but the job they wanted me for was completely different from what I was working on: they talked me about blockchain and Internet of Things (IoT), both of which I only had heard about at the time. For those who don’t know them, I’ll briefly describe them (it would require an entire post to do it properly): the IoT is essentially the network of all the smart devices connected to the Internet, from your smartphone, to the intelligent fridge that monitors your food and automatically make an order when you run out of mil. Blockchain, instead, is a distributed ledger, used by many devices in order to record all the activities and find an agreement on their validity; you would most probably know the main application based on blockchain: Bitcoin.

So, the only thing in common with my previous project was the security context, and, most of all, my archenemy: the botnet!

Once again, I accepted, even though I had no idea of what I was going to deal with. And this time, it turned out to be even more complicated. The project I was proposed to do was very ambtious. Furthermore, both IoT and blockchain are relatively new subjects in research and at the peak of their spreading. In short, what they asked me to do was to detect infected devices working as a botnet within blockchain-based IoT networks, by mean of a topological analysis of the same network [1].

Wait, what? If you feel lost, don’t worry. I was feeling exactly the same back then. (and to some extent I still do). And yet I had to produce some quick results for a first evaluation of the project.

The main goal was to simulate some botnet communication on top of a blockchain. At first, we opted for Bitcoin, because it was the most widespread blockchain around. As I didn’t have enough time to create my own communication system, I built some “eye-catching” graphs from the analysis of another protocol, called Colored Coins, that also worked by embedding extra information in Bitcoin transactions (the graphs and the code of the analysis tool are still unplublished).

The result was nice, but I needed to create my own simulation in order to do more complex experiments. So I created my own message exchange system on top of Bitcoin, called TxMEx [2].

The system permits to send arbitrary-length messages, splitted and embedded inside Bitcoin transactions. Also nice, but I was missing an important point: I was dealing with a real network, with real people involved, and this is a big issue if what you are doing is experiments with viruses.

The PhD proposal gave me the opportunity to better define my research plan, which turned out to be actually pretty long. Meanwhile, my MSc project, on which I keep working, got published at a conference [3], which gave some extra-motivation to continue the PhD. the teaching duties (again, about IT security), gave me time to reflect on the strategy to adopt.

The solution to the dangerousness of doing experiments with a virus, was to reproduce the Bitcoin network in a local, safe, area. I started adapting the Bitcoin code to make it work in a closed environment [4]; a task that resulted much harder than I thought, also due to the lack of detailed documentation. The result was an entire environment, where I deployed a set of nodes, exchanging pseudo-random transactions, in order to simulate real-world Bitcoin activities [5].

Great! Now I just need a botnet to spread in my Bitcoin simulation. Too bad there are none yet targeting blockchain networks. So, what to do? Well, I can create my own. And so I’m doing: I chose the most powerful botnet know to date, Mirai, and I’m trying to modify it to make it work on blockchain. I’m sure this part is going to be fun. You can follow its evolution at [6].

Now, what I’ve shown so far is just the beginning of the story. My main enemy is now time, of which I only have a limited amount. I already spent 2 years out of 4 of my PhD and I’m not even half way.

There are still so many steps to take and so many odds to face before reaching my final goal. Time is short and the clock is ticking, but my perseverance knows no limits. Who is going to win the race?




[2] Transaction Message Exchange (TxMEx) -[3] Di Pietro R., Franzoni F., Lombardi F. (2017) HyBIS: Advanced Introspection for Effective Windows Guest Protection. In: De Capitani di Vimercati S., Martinelli F. (eds) ICT Systems Security and Privacy Protection. SEC 2017. IFIP Advances in Information and Communication Technology, vol 502. Springer, Cham -

[4] Bitcoin-Local -

[5] Bitcoin-Local Box -

[6] Mirai-BC -