ICT Security Basics – work 6

Homework 6

h6 Can of Worms

Task v: Read/watch and summarize

  • Felten et al 2015: Bitcoin and Cryptocurrency Technologies, videos Week 2 (about 1,5 hours). Requires free registration. If you find it easy to follow, you can also optionally look at weeks 3 and four
Centralization vs. Decentralization
  • Centralization is the concentration of control over an activity or organization under a single authority
  • Decentralization is not all-or-nothing, because аlmost no system is purely centralized or purely decentralized
  • Aspects of decentralization in Bitcoin
    • P2P network anyone can run Bitcoin node,
    • Bitcoin mining is open to everyone, but it requires quite large capital expenditures, which limits the entry threshold and thereby centralizes Mining in the hands of those who can afford these expenditures.
    • System updates. Everyone can create software, which is an aspect of decentralization. But only trusted developers decide about changes in the system, and thus have great power, which is an aspect of centralization.
Distributed Consensus
  • The key technical challenge of decentralized electronic cash is distributed consensus.
  • For decades, research has been conducted in the field of computer science on consensus protocols. Traditionally, the motivation for this was to increase the reliability of distributed systems.
  • When changes occur on one node, they must occur on all other nodes or none of them, because otherwise the state of the distributed database will be inconsistent.
  • Distributed consensus:
    • The protocol terminates and all correct nodes decide on the same value.
    • This value must have been proposed by some correct node
  • Bitcoin is a peer-to-peer network. When a transaction occurs, it is sent to all network participants.
  • For optimization, transactions are placed in blocks.
    • All nodes have a sequence of blocks of transitions they have reached consensus on.
    • Each node has a set of outstanding transactions that it has heard about. These are the transactions for which consensus has not yet happened.
  • Consensus is a difficult, because nodes can fail, be malicious, and network connectivity can be poor.
  • No notion of global time. Not all nodes can agree on the general order of events
  • Bitcoin consensus works better in practice then in theory
  • Because Bitcoin is a currency, it introduces the idea of incentives into the distributed consensus protocol.
  • Bitcoin goes away with the nation of a specific starting point and ending point for consensus. Consensus happens over long time scales (about 1 hour)
Consensus without Identity: the Block Chain
  • Bitcoin nodes have no identity because it is difficult in a P2P network, and pseudonymity is the goal of bitcoin.
  • Consensus algorithm (simplified):
    • New transactions are broadcast to all nodes
    • Each node collects new transactions into a block
    • In each round a random node gets to broadcast its block
    • Other nodes accept  the block only if all transactions in it are valid (unspent, valid signatures)
    • Nodes express their acceptance of the block by including its hash in the block they create
  • Honest nodes will extend the largest valid branch
  • If a transaction has received 6 confirmations, then the probability that another transaction of the same coin will be confirmed by the majority of nodes will decrease exponentially.
Incentives and Proof of Work
  • The Bitcoin network rewards nodes that create blocks to encourage them to behave honestly.
  • There are two ways to get a reward. The first one  is to create a new block, which in the long run will be confirmed by the majority of nodes. The second is the transaction fee, which is purely voluntary, like a tip.
  • Initially, the amount of remuneration for the creation of the block was 50 BTC, every 4 years it is halved. At the time of writing this article, it is now 6.25 BC. The maximum number of bitcoins that can be created is 21 million.
  • The idea of mining is to find a nonce number, the hash of which, together with the hash of the previous block and the sum of all transactions, would be a very small number starting with a certain number of zeros, known as a target. Every two weeks, the complexity of the target is recalculated so that it takes about 10 minutes to create one block.
  • Nonce number should be published as part of the block so that other miners can verify that the necessary calculations have been performed.
Putting It All Together
  • Mining costs are the costs of equipment and electricity consumed during the mining process
  • Any user can create any number of identies.
  • Security comes from the blockchain and the consensus protocol
  • The more blocks were found after the block where the transaction was contained, the more confidence that the transaction became part of the consensus chain.
  • Miners with large computing power resources are more likely to create a new block

Source: Felten et al 2015: Bitcoin and Cryptocurrency Technologies


Task a: Can of worms.

Run some malware in https://any.run web interface. What malware was that? How did it work? Take some screenshots, and explain what we see. Do you recognize any techniques or tactics? What did you learn? Do not download any malware samples to your own computer.


Any.Run is an interactive online malware analysis tool. I registered on the service and after confirmation by email, signed into the website.

After a short tour and reading frequently asked questions, I realized that on this service you can check suspicious files and sites for malware. In the free plan, the check can only be performed on Windows 7 32 bit, which is a little sad, because support for Windows 7 ended on January 14, 2020.

To check files and sites on other versions of Windows, you need to buy a subscription, which costs about $89 for Searcher plan and $249 for Hunter plan.

Let’s run some malware sent by other users. By clicking on some country on the dashboard we can see the list of public submissions made by users from this country.

I choose the task: https://app.any.run/tasks/9322a875-a7c9-4f71-881c-fdc45d4a04f1 in which malicious activity was detected. I checked the text report on this task. It looks like the suspicious link redirects the session to some other website.

When I started the task, a window opened where a browser with a suspicious link opened on a Windows 7 computer. The link redirected the session from the Youtube site to the MediaFire file sharing site with a link to download the file. I downloaded the archived file, unzipped it and ran the executable file. Nothing happened, the program didn’t start, or so it seemed to me. In fact, the malicious code launched the modified program code of the original program.

On the Mitre Attack Matrix tab, you can see used tactics, techniques and events.

The malicious code used, among other things, the Browser extensions technique from the Persistence tactic. Malware changed Chrome browser extensions by adding two files verified_contents.json and  computed_hashes.json

I found out that there is an Any.Run resource where you can check suspicious files and links for malware. I also realized that if nothing happens on the screen when the executable file is launched, it does not mean that nothing happens in the background in the computer processes.

Source:  Any.Run

Task b: Reference implementation.

Ever cop^H^H^Hlearned from StackOverflow? Pick a StackExchange site related to the course, sort questions by score, and briefly explain one question and answer. https://stackexchange.com/sites

I tried to find the answer to the question on the StackExchange website what is the computed_hashes.json file and where it is used.

In the list of links there was a link to the StackOverflow website, which I opened.

“It is to ensure the integrity of the files, to make sure they were not modified. ”
Iván Nokonoko  Jan 31, 2018 at 12:49

The answer to this question was very convincing and concise. I believe that the installed extension in the previous task, installed the extension that was changed, and the file writed by the malware should hide it, indicating that the integrity was not violated.

I also tried to find a bitcoin site on my computer and filter it by the highest score.