Hackers have long used malware to take over PCs, but Oscar Salazar and Rob Ragan had a different mindset: rather than stealing computing resources, they set out to explore the computing resources that are given away for free.
Salazar and Ragan will reveal next month in Las Vegas how they assembled a botnet out of freemium accounts and free trials on online application-hosting services. These services are mainly used by coders for testing and development, so that they can avoid buying storage or their own servers. The duo automated the generation of unique email addresses and the bulk sign-up of free accounts, and then assembled a cloud-based botnet of roughly a thousand computers.
That their creation was capable of launching coordinated cyberattacks, mining hundreds of dollars' worth of cryptocurrency and even cracking passwords is only the tip of the iceberg: Salazar and Ragan believe it may even have been legal.
Ragan, who works alongside Salazar as a researcher for the security consultancy Bishop Fox, said, “We essentially built a supercomputer for free. We’re definitely going to see more malicious activity coming out of these services.”
Players such as CloudBees, Heroku, Google, and Cloud Foundry let developers host code remotely on servers in their data centers, often reselling resources from other companies like Amazon and Rackspace. The duo tested the account-creation forms of around 150 of these services. Two thirds required nothing beyond an email address: no credit card details, no captcha, no phone number. Among those two thirds the choice was easy; they settled on roughly 15 services that let them register for a free trial or a free account. They have withheld the names of the susceptible services to avoid helping malicious hackers prey on them. Salazar said, “A lot of these companies are startups trying to get as many users as quickly as possible. They’re not really thinking about defending against these kinds of attacks.”
They built their automated process for rapid-fire registration and confirmation on the Mandrill email service, with their program running on Google App Engine, and used the service FreeDNS.afraid.org to generate an unlimited supply of email addresses on a variety of domains. To make the addresses look realistic they used variations of real email addresses dumped online in past data breaches. They controlled the hundreds of computers at their disposal with Python Fabric, a tool that lets developers run and manage several Python scripts at once.
Using their cloud-based botnet, they started off by mining the cryptocurrency Litecoin. Unlike Bitcoin, which is most easily mined with GPU chips, Litecoin is well suited to the cloud computers’ CPUs. They found that each account could mine about 25 cents a day at the Litecoin exchange rate of the time; pointing the entire botnet at that task would have yielded $1,750 a week. “And it’s all on someone else’s electricity bill,” says Ragan.
They were, however, wary of doing any real damage by hogging the services’ electricity or processing power, so they shut the mining down within a couple of hours. They did keep a small number of mining programs running for two weeks, and none of them was discovered or shut down in that time.
Beyond mining Litecoin, the duo says their cloudbots could have been put to malicious ends such as click fraud, distributed password cracking, or the more common denial-of-service attacks that flood websites with junk traffic.
According to Salazar and Ragan, none of their test targets stayed online long enough to give them an accurate reading, so they were unable to measure the size of their attack. “We’re still looking for volunteers,” Ragan jokes. They do say that their botnet could have funneled roughly 20,000 PCs’ worth of attack traffic at a given target, since cloud services have far more network bandwidth than the average home computer.
More disturbing still, targets would have found it especially difficult to filter out an attack launched from reputable cloud services. “Imagine a distributed denial-of-service attack where the incoming IP addresses are all from Google and Amazon,” says Ragan. “That becomes a challenge. You can’t blacklist that whole IP range.”
Using a cloud-based botnet for an attack of that kind would be illegal. Building the botnet might not be.
According to the two researchers, regardless of legal protections, companies should implement their own anti-automation measures to prevent these kinds of bot-based signups. They admit they violated many companies’ terms of service, but whether those actions amount to a crime remains a legal debate. Most terms-of-service abuses go unpunished, which is just as well, since only a minority of internet users actually read them.
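As an added example (not code from the article or from the researchers' tools), the following Python flags the kind of signup burst described above in a constructed registration log: many accounts created from one source in a short window, using addresses spread across many unrelated mail domains. The log format, thresholds and addresses are assumptions.

```python
"""Flag bursts of automated free-tier signups from a constructed signup log."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (timestamp, client IP, registration e-mail); not real data.
SAMPLE_LOG = """\
2014-07-01T10:00:01Z 203.0.113.7 dev.alice@example.org
2014-07-01T10:00:03Z 203.0.113.7 bob.smith82@mail.example.net
2014-07-01T10:00:04Z 203.0.113.7 carol_j@host.example.com
2014-07-01T10:00:06Z 203.0.113.7 dmiller@dyn.example.org
2014-07-01T10:00:07Z 203.0.113.7 eve.k@free.example.net
2014-07-01T10:00:09Z 203.0.113.7 frank.l@other.example.com
2014-07-01T10:30:00Z 198.51.100.12 grace@corp.example.com
2014-07-01T11:15:00Z 198.51.100.40 heidi@corp.example.com
"""


def parse_log(text):
    """Parse 'timestamp ip email' lines into (datetime, ip, email) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, email = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, email.lower()))
    return events


def find_signup_bursts(events, window=timedelta(minutes=5), max_signups=3, min_domains=3):
    """Return {ip: (signups, distinct_domains)} for sources exceeding both thresholds.

    Two signals from the article are combined: more than `max_signups`
    registrations from one source within `window` (rapid-fire automation), and
    at least `min_domains` different mail domains among them (bulk-generated
    addresses rather than one person's mailbox).
    """
    by_ip = defaultdict(list)
    for ts, ip, email in sorted(events):
        by_ip[ip].append((ts, email))
    flagged = {}
    for ip, items in by_ip.items():
        start = 0
        for end in range(len(items)):
            # Slide the window so that items[start:end+1] all lie within `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            span = items[start:end + 1]
            domains = {e.split("@", 1)[1] for _, e in span}
            if len(span) > max_signups and len(domains) >= min_domains:
                if ip not in flagged or len(span) > flagged[ip][0]:
                    flagged[ip] = (len(span), len(domains))
    return flagged
```

The two corporate signups from distinct addresses an hour apart are left alone; only the six-account burst from a single IP is reported.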
They said that at their Black Hat talk they would release both the software used to create and control the cloudbots and defensive software that they say can shield against their schemes.
“We wanted to raise awareness that there’s insufficient anti-automation being used to protect against this type of attack,” says Ragan. “Will we see a rise in this type of botnet? The answer is undoubtedly yes.”
During the period in which Salazar and Ragan were conducting their experiments, they saw companies like Engine Yard and AppFog turn off their free options as a result of malicious hackers exploiting their services.