Building the Zombie Ant in Blockchain

Part 1: How hackers are going to use the blockchain.


This is a multipart blog post series on blockchain technology and malware. Not sure how many there will be.

This first post is a quick introduction to the blockchain and P2P networks, followed by the main introduction to the blockchain zombie ant: what is possible and how you might go about it. This is just my personal research and interest in blockchain security. It comes with no warranties :)

All code will be published to my GitHub account.

What is a blockchain?

Blockchain technology reached the mainstream about 10 years ago. Bitcoin was first seen in 2009, and it might be the first real-world implementation of the technology, at least as far as the public knew back then. Bitcoin enabled peer-to-peer money.

Some say it existed in older games like Rare’s popular N64 game GoldenEye, as seen in this joke tweet. Joke or not, the technology has been evolving extremely fast over the last few years.

The blockchain structure is a graph of lists that grows continuously; each list is made of blocks. By design, it cannot be changed without spending a lot of compute power to re-create every previous block in the list. This makes it usable as a public ledger for a currency, such as Bitcoin: everyone can verify what happened to their bits or satoshis. :) The general idea is that each person holds a copy of the blockchain somewhere. There are a few variations on this idea, as we will see later in these posts.


  • IPFS: IPFS is a system that allows websites and files to be viewed without having to connect to a single server. The website stays on the IPFS blockchain forever, which defeats any attempt to take the site down. Useful for protests in countries whose governments do not want people to know what is happening there, and as protection for reporters when crossing borders. These are just the main use cases you will probably see.

  • Chainlink: Chainlink appears to be a decentralized way of using off-chain endpoints or data sources, which addresses a problem that exists whenever blockchains need to interface with the outside world. Why is that needed? Because we will have applications running on the blockchains: smart contracts, something we will explore soon.

Note: Having a blockchain is not enough by itself to be useful to anyone. Nobody can use the blockchain if the server[s] hosting our cool blockchain cannot be trusted. The blockchain has verifiable data for us to check independently, which is great and all, but how can people inform everyone else that their copy has changed?

With a single server, that server controls the only master copy. It can disappear at any time or act maliciously, and it can’t possibly check every copy, so it wouldn’t know which changes to accept or reject on the master blockchain.

You see, Bitcoin is not just a blockchain. It is a P2P (peer to peer) network with a governance system that runs on Bitcoin nodes. People will have to run a node to join this special network. The governance system at heart is very simple.

It lets each node talk to the others and agree on the blockchain. Bitcoin’s governance system is based on a set of verification rules that define what is allowed in a block for it to extend the chain. Most nodes must agree on a block for it to be accepted on the main fork; otherwise it can be forked into new branches to be checked or to scale.

I suggest reading further material if you want more technical details on the governance system.

Peer-to-peer networks

P2P networks promise to solve the main failure point of most computer systems and technology today: broken network hubs. They allow data to move reliably from point A to point B by using multiple routes to each point, which makes them an effective way of sharing and communicating.

The transport mode for moving data has always been sketchy.

Traditionally, computer networks rely on “nodes” being connected together, and one of them becomes a hub for everyone to connect to. This is how the internet currently works, at any size. But when a hub goes down, so do the devices that were connected to it. That is a huge failure point, and a huge concern for privacy and for control by big actors such as governments and companies.

In some sense, the internet IS a P2P network to a certain level, but it isn’t perfect. 5G internet might be the answer for solving the hub issue since devices are able to connect to other devices and surf the internet that way.

For the purpose of these blog posts, we are talking about P2P at the application level. Every computer that ran LimeWire (our old trusted file-sharing application) was in a P2P network.

Now, we have torrent software that does the same thing better.

Web 3.0 malware and smart contracts

Combining a blockchain with a P2P network gets us an interesting combo: security, the option to check the integrity of any data, and the ability to send to anyone. But what if we also had applications running on a system like Bitcoin? A global VM-like system running code with the above benefits would be really neat.

Bitcoin was the first system to automate transfers, but it didn’t allow users to develop full-on applications. The idea is simple: upload some code, and then using the application spends some kind of token or coin units of a particular blockchain. These are decentralized applications that run anywhere on blockchains and get the same benefits that decentralized money gets. They are called smart contracts.

Later generations of blockchain systems included full programming language support, such as Ethereum with its Solidity language.

Ethereum is a global, open-source platform for decentralized applications. On Ethereum, you can write code that controls digital value, runs exactly as programmed, and is accessible anywhere in the world.

Bitcoin wasn’t able to run applications, so other blockchains filled that gap and created new programming languages to extend blockchain tech beyond purely financial use.

Solidity is an object-oriented, high-level language for implementing smart contracts. Smart contracts are programs which govern the behaviour of accounts within the Ethereum state. With Solidity you can create contracts for uses such as voting, crowdfunding, blind auctions, and multi-signature wallets.

Even though Bitcoin wasn’t running code, that didn’t stop hackers or clever people from using it for other purposes, such as storing data like porn images, or updating C&C server URLs to prevent shutdowns of the malware servers, as seen in the recent Trend Micro post about malware using parts of Bitcoin.

Botnets are now starting to use Electrum in the browser (a BTC wallet and Tor bridge) for their command and control operations instead of relying on the regular old internet. These botnets send and receive data via the Bitcoin OP_RETURN script opcode.
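As an added, defender-side illustration (not code from the original post or from any of the malware it mentions): a small Python parser that walks a legacy serialized Bitcoin transaction and pulls out the payload of every OP_RETURN output, which is the piece a monitor watching the chain for this kind of data carrier needs. The transaction bytes below are constructed for the example and carry a made-up tag.

```python
OP_RETURN, OP_PUSHDATA1 = 0x6A, 0x4C


def read_varint(buf, pos):
    # Bitcoin CompactSize integer -> (value, next position)
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    size = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size


def op_return_payload(script):
    # Pushed bytes if script is "OP_RETURN <push>", else None (not a data carrier)
    if not script or script[0] != OP_RETURN:
        return None
    if len(script) == 1:
        return b""
    op = script[1]
    if 1 <= op <= 0x4B:                 # direct push of 1..75 bytes
        return script[2:2 + op]
    if op == OP_PUSHDATA1:              # next byte is the length (up to 255)
        return script[3:3 + script[2]]
    return None                         # longer pushes are non-standard here


def extract_op_return(raw_tx):
    # Walk a legacy (non-SegWit) serialized tx; return [(output index, payload)]
    pos = 4                                  # skip version
    n_in, pos = read_varint(raw_tx, pos)
    for _ in range(n_in):
        pos += 36                            # prev txid + output index
        slen, pos = read_varint(raw_tx, pos)
        pos += slen + 4                      # scriptSig + sequence
    n_out, pos = read_varint(raw_tx, pos)
    found = []
    for i in range(n_out):
        pos += 8                             # value in satoshis
        slen, pos = read_varint(raw_tx, pos)
        payload = op_return_payload(raw_tx[pos:pos + slen])
        pos += slen
        if payload is not None:
            found.append((i, payload))
    return found


# Constructed sample: one null input, a P2PKH output, then an OP_RETURN with a fake tag
SAMPLE_TX = (
    b"\x01\x00\x00\x00"                                 # version
    + b"\x01" + b"\x00" * 36 + b"\x00" + b"\xff" * 4    # 1 input, empty scriptSig
    + b"\x02"                                           # 2 outputs
    + b"\x00" * 8 + b"\x19\x76\xa9\x14" + b"\x11" * 20 + b"\x88\xac"
    + b"\x00" * 8 + b"\x0d\x6a\x0b" + b"c2:update-1"
    + b"\x00\x00\x00\x00"                               # locktime
)
```

Feeding real transactions from a node's RPC through `extract_op_return` gives a stream of embedded payloads that can be checked against known patterns or simply logged for volume anomalies.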

Pretty soon we’d have malware taking full advantage of blockchains, which is scary but logically awesome. What’s awesome about decentralized hacking tools (to me) is that they cannot be shut down by governments/police. As a result, hackers can continue to control computers en masse in a decentralized way. This tech is gonna evolve super fast. Like it or not, it will evolve, so it’s a great time to start researching blockchain and web 3.0 malware.

This stuff really gives me creative juices on how we can use blockchains to create the next generation of hacking tools for security professionals and hackers alike. I always wondered if we can automate botnets or malware with smart contracts. And I want to see if it’s possible to use NEO nOS or anything like that to make a port scanner that ran on a blockchain.

This is an area we need to start looking into. A friend of mine said “Any system that a person is running on a phone or computer that needs to interact with blockchain is immediately exposed to basically the WHOLE blockchain - it’s all or nothing.”

With the rise of fileless malware and advanced exploits like the BlueKeep exploit, it’s natural to see more bleeding-edge hacking like this: infected without the user doing anything.

If I plan to use blockchain technology in my daily life, I want to be part of the hacking research on blockchain, to prevent myself and others from getting owned. In the next few blog posts, I’m going to see how one can create new hacking tools with blockchain.

I have the following questions:

  • Can we create malware that can self-assemble with the help of the blockchain?
  • Can you migrate blockchains in such a way that you can block off malicious blocks?
  • Is the following thing possible?

Zombie Ant

1) Deploy innocent .exe installer via infected PDF (zombieAnt.exe)

2) ZombieAnt (ZA) is not detected as a virus because it literally has almost no common signatures…it doesn’t do anything but read BTC blockchain blocks

3) ZA monitors and finds a new patch-payload and self-assembles (repeat any number of times)

4) ZA maybe does keystroke logging and is facilitated by a facebook API to access personal data

5) ZA collects a photo, or a random message, or who knows what and prepares a block to be written on-chain

6) Remote action center decides to spend $XXXX on liberating data and randomly instructs ZAs to make an autonomous decision whether to commit a block to chain or to self-destruct.

7) For those who chose to commit data, they all do so at one time and the first ones to spend the money in the contract account are successfully written permanently on-chain.

We will see!

Full disclosure: I don’t care if I’m helping people with malicious intent indirectly. I’d rather be the one that figures out new problems before they happen. Right now, blockchains are like wild west towns with endless possibilities to change the world.

I was the first person to really dig into firmware of R-Net enabled power wheelchairs when others were not interested. And let me tell you, there’s no security on most medical devices, especially R-Net enabled devices. Nobody is realizing that chairs are running really old code (10+ years) with little change over the years. I’m in a chair myself; knowing that my chair is not secured gives me some peace of mind but also leaves a bad taste in my mouth.

My research has been helping universities create new chair add-ons. It’s all open-sourced as well: can2rnet.

I’m able to create malware for my chairs to do serious damage on other devices, just limited in time and resources. It’s a scary thought when not everybody knows that it is possible and that’s a huge problem. Everyone thinks nobody will target chairs until it’s too late.

For this, I’m proud to say that I joined my first IEEE SA Working Group, for the upcoming IEEE P2733, Standard for Clinical Internet of Things (IoT) Data and Device Interoperability with TIPPSS – Trust, Identity, Privacy, Protection, Safety, Security.

This basically means that in the near future (a few years, hopefully), all future medical devices will follow new security and privacy rules set by me and others in this group. Realistically, it probably will take a long time for the standards to take effect, but we will be ready when it does.

This includes wearable clinical IoT devices and interoperability with healthcare systems including Electronic Health Records (EHR), Electronic Medical Records (EMR), other clinical IoT devices, in hospital devices, and connected healthcare systems.

I will have a big impact on everyone’s life. Quite literally!

Stephen Chavez
Cyber Security Researcher

Cyber security researcher; Takes world adventures with friends. Focusing on malware development and analysis.