Smart contracts have have come a very long way since 1994 when Nick Szabo originally coined and imagined what they could be used for until the present day where smart contracts running on various blockchains such as Ethereum are now transacting and processing billions of dollars a day.
One of the key benefits of smart contracts is that they are forever immutable. Once a smart contract is deployed on a public blockchain, it is almost immediately available to all participants on that blockchain to interact with, send value to and receive value from. It can not be deleted, it can not be changed, it can not be "taken down" and removed like ordinary content on the Internet can.
A smart contract is anonymous. Of the millions of smart contracts that have been deployed until now, its fairly impossible for anyone to know unless explicitly published and associated with a corporate entity or individual who that smart contract belongs to. You could deploy a smart contract right now and nobody would be able to attribute it to you.
Communicating with a smart contract is also anonymous. You could send commands to a smart contract and nobody would be able to tell who initiated those commands, their IP address and where in the world they are situated.
Do these qualities sound like the perfect ingredients to build a fully anonymous rootkit C2 infrastructure? That's because they are.
In this talk, we will create a smart contract with rootkit functionality. Any device that monitors the smart contract can be remotely controlled at will including mobile phones, IOT devices, servers and PCs. You could connect a whole botnet to a single smart contract and control a swarm of infected machines at scale and with minimal cost or you could control a single high value target anonymously and without fear of retribution or attribution.
I will demo a smart contract powered rootkit live.
Christian works as a Principal Consultant for a Financial Software House based in London. Previously he was a Senior Vice President for Citigroup Global Markets where he co-lead the Investment Banking application threat modelling programme.Christian was the co-creator and co-organiser of AthCon -the largest IT Security conference in Athens, Greece http://www.athcon.org. AthCon was organised for 4 successive years and attracted large corporate sponsors such as Microsoft and Symantec.
Christian’s research has been featured by many news organisations such as Forbes, Reuters, Slashdot, Tech Herald, Computerworld, ZDNet, CSO Magazine, Dark Reading, Threatpost, CNET and others.Christian has presented to public audiences at thought-leading conferences such as Black Hat and DEF CON including a keynote at OWASP AppSec Research 2012 and private audiences such as the Met Police and FBI.
Christian sits on the pioneering board of the trust Top-Level Domain (TLD) trust will provide Internet users with the confidence to go about their business in the safest online neighbourhood via three core principles: verify, secure and enforce.
For OWASP, Christian was a member of the Global Industry Advisory Board, a contributor to the OWASP Mobile Security project and a contributing author of the OWASP Top 10 Mobile Controls/European Network Information Security Agency (ENISA) Smartphone Secure Development Guidelines for App Developers.
Christian graduated from the Information Security Group at Royal Holloway with a MSc with Distinction in Information Security where he pioneered Linux kernel networking techniques to achieve multi GB/s layer 7 threat detection within Intrusion Protection Systems.
Linux, C, Python, embedded kernel module programming, Android, FirefoxOS, x86 assembly, Unix (AIX, Solaris) bash, ksh, tcp/ip, udp, xml, json, high throughput messaging, kernel bypass, big data, data mining, natural language processing.. jQuery, web sockets etc..