Cybersecurity firm TrendMicro has discovered a piece of malware that scans the Bitcoin blockchain for secret instructions that allow the infected computer to be controlled remotely.
Glupteba, first discovered in 2011 by WeLiveSecurity, is a piece of malware that can be used to hijack someone’s computer in order to steal information or be used to carry out denial of service attacks (where thousands of computers are used to put strain on a website or network causing it to crash). It’s also been used to mine Monero, according to TrendMicro.
The bug hides inside adverts or links that unsuspecting users click on—a practice known as malvertising—and then downloads itself on to the user’s machine. Once there, it then connects to the hacker’s chosen server giving them access to the infected computer. But every now and again, that connection gets disrupted, typically because it gets caught by anti-virus software, which blocks it from connecting it to the server. But more recently Glupteba has mutated, and now uses the Bitcoin blockchain to reconnect to the hackers’ server without anti-virus software noticing.
According to TrendMicro, the hacker makes a Bitcoin transaction with a piece of encoded data hidden within one of its functions. Inside the encoded message contains the address for its server—giving the virus a new server location. All the virus has to do is scan the Bitcoin blockchain, identify the transaction and decode the hidden message. Then it can continue doing its evil deeds.
While this isn’t the fault of the Bitcoin blockchain, it’s not the first time it has been used as a way of sharing secret, and frequently illegal information.