Glupteba — the malware inside the Bitcoin blockchain

Glupteba, like a lot of malware nowadays, is what we call a zombie or a bot: it can be controlled from basically anywhere by the people who wrote it. Not only that, but Glupteba also includes a range of components that let it perform other “functions” as well.

What is this exactly and what can it do?

SophosLabs has a technical paper on the subject that is excellent reading for anyone who wants to delve into the specific details. Glupteba uses pretty much every cybercrime trick you’ve ever heard of, and probably more. Here are some of the most interesting “features”.

  • rootkit — Glupteba includes a variety of Windows kernel drivers that can hide the existence of specific files and processes. If loaded successfully, a rootkit helps the malware lie low by stopping it from showing up in security logs and in the output of security tools.

But wait, there’s more!

Glupteba uses the Bitcoin blockchain as a communication channel for receiving updated configuration information. The command-and-control servers currently in use (known as C2 servers or C&Cs) might get found out and blocked or taken down at any moment, so zombie malware often includes a method for using an otherwise innocent source of data to receive updates. Telling a bot to switch from one C&C server to another typically needs little more than a new domain name or IP number, so the update can be very small.

Glupteba takes advantage of the fact that Bitcoin transactions are recorded on the Bitcoin blockchain, a public record of transactions available from a multitude of sources that are reachable from most networks, and stores its encrypted update data there. To decrypt it, you need the 256-bit AES key that is hard-coded into the Glupteba program: decrypting the data extracted from the blockchain with AES-256-GCM reveals the hidden message. This sort of “hiding in plain sight” is often referred to as steganography.
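As an added example that is not from the article or from SophosLabs, here is how an analyst’s decoder for this kind of channel works in Go. It assumes the bytes pulled out of a transaction are laid out as a 12-byte GCM nonce followed by ciphertext and tag; the key and the sample blob are constructed placeholders, not Glupteba’s real values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumed blob layout (not stated by the article): nonce || ciphertext || tag.
const nonceSize = 12

// DecryptHiddenUpdate plays the analyst's role: given the 256-bit key recovered
// from a sample and the bytes extracted from a transaction, it returns the
// embedded update (e.g. a new C2 domain). Because GCM is authenticated, a wrong
// key or a tampered blob fails cleanly instead of yielding garbage, which is
// what makes it safe to run a decoder over many candidate transactions.
func DecryptHiddenUpdate(key, blob []byte) (string, error) {
	if len(key) != 32 {
		return "", errors.New("AES-256 requires a 32-byte key")
	}
	if len(blob) < nonceSize+16 {
		return "", errors.New("blob too short to hold nonce and tag")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	plain, err := gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], nil)
	if err != nil {
		return "", fmt.Errorf("not a valid message for this key: %w", err)
	}
	return string(plain), nil
}

// MakeSampleBlob builds a constructed blob so the decoder can be exercised
// offline; no real transaction data appears in the article.
func MakeSampleBlob(key []byte, update string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(update), nil), nil
}

func main() {
	key := sha256.Sum256([]byte("placeholder-key-not-the-real-one")) // constructed
	blob, _ := MakeSampleBlob(key[:], "c2.example.invalid")         // constructed
	fmt.Println(DecryptHiddenUpdate(key[:], blob))
}
```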

How bad is it and what can you do about it?

There is good news and bad news here. The good news is that its complexity makes the malware less reliable and more prone to triggering security alarms at some point; the bad news is that its many self-protection components give it many tricks for keeping itself out of your security logs. Glupteba also relies on numerous exploits that were patched many months or years ago, including the attacks it uses against routers, so a patched system is much less likely to get infected in the first place. A further weakness is that its main delivery mechanism seems to be “software cracks” on well-known piracy sites.

As for countermeasures, there are three simple suggestions:

  • patch early, patch often — this goes for your operating system, your programs and apps, and the devices on your network

  • use decent antivirus and web filtering solutions — malware usually arrives as a series of downloads, so even if the first stage gets through, you still have a good chance of catching and weeding out the later stages before they do any damage.