How To Make $1,750 A Week With A "Legal" Botnet

Hackers are used to using malware to enslave armies of unsuspecting victims' computers (zombies) and to control them as a botnet. At least, that is what we have known so far. Security researchers Rob Ragan and Oscar Salazar had a different thought: why steal computing resources from innocent victims when there is so much free processing power out there?


At the Black Hat conference in Las Vegas next month, Ragan and Salazar plan to reveal how they built a botnet using only free-trial accounts on online services. These accounts are typically offered so developers can build and test applications without having to buy their own servers and storage.
The researchers used an automated process to create unique email addresses and sign up for these free accounts in bulk, creating a cloud-based botnet of about one thousand computers.

In this way, a horde of zombies could launch coordinated cyber attacks, crack passwords, or mine cryptocurrency worth hundreds of dollars a day. And because they assembled the botnet through cloud accounts instead of by hacking computers, Ragan and Salazar think their creation may not even be illegal.

"We actually created a supercomputer for free," said Ragan, who works with Salazar as a security consultant at Bishop Fox. "We are sure you will see more malicious activity coming from these services."

Companies like Google, Heroku, Cloud Foundry, CloudBees, and many others offer developers the ability to host their applications on the companies' servers in remote data centers, often reselling computing resources owned by companies like Amazon and Rackspace. Ragan and Salazar tested the account creation process on more than 150 of these services. Only a third of them required any credentials beyond an email address, such as a credit , a phone number. Two-thirds of them offered free registration and handed out a trial account. The researchers did not name the vulnerable services, for obvious reasons. "A lot of these companies are in the early stages and they're trying to get as many users as they can as quickly as possible," Salazar says.

Ragan and Salazar used the Mandrill service and their own script running on Google App Engine to automate account registrations and email confirmations. For email addresses they used a service called FreeDNS.afraid.org, which allowed them to create unlimited email addresses under many different domains. They then used Python Fabric, a tool that lets developers run scripts across many machines at once, to control the hundreds of computers they now had at their disposal.

One of their first experiments with their new cloud-based botnet was mining the Litecoin digital currency. They found that they could generate about 25 cents per account per day at Litecoin exchange rates, so their entire botnet could generate $1,750 a week. "And all this on someone else's electricity bill," says Ragan.

Ragan and Salazar did not want to get rich on other people's electricity and processing power; for testing, however, they let a small number of mining programs run for two weeks. None was ever discovered, and of course none was shut down.

In addition to mining Litecoin, the researchers report that the cloudbots could have been used for more nefarious purposes, such as -cracking, click fraud, or denial-of-service attacks. Because cloud computing services offer far more bandwidth than the average that a single on has, they report that their botnet could have brought the power of 20,000 computers to bear on any specific target.

Even more worrying, Ragan and Salazar note, is that an attack launched from trusted cloud services would be particularly hard to filter. "Imagine a distributed attack where the incoming IP addresses are from trusted services like Google and Amazon," says Ragan.

Legitimate citizens

Using a cloud botnet for this type of attack would, of course, be illegal. But creating the botnet may not be, the two researchers say. They admit that they violated the terms of service of several companies, but they argue that whether such an action is a crime is a matter of legal debate. In the past, we know that violating these rules has led to prosecution, as in the case of the late Aaron Swartz. But at least one court has ruled that violating a service's terms of use is not, by itself, computer fraud. And the majority of those accused of violating terms of service go unpunished.

Ragan and Salazar argue that, regardless of the legal question, companies should immediately implement their own anti-automation techniques to prevent bot-driven registrations. At the Black Hat conference they will release both the software they used to build and control the cloudbot and defensive software that they say can protect companies.
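As an added illustration of the anti-automation checks the researchers call for (example code written for this page, not Bishop Fox's released tooling), the following Python flags bursts of registrations from one source IP, clusters of sign-ups whose email domains share one parent zone (the pattern that a free-subdomain service makes possible), and machine-looking local parts. The log lines, thresholds and domain names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample sign-up log (timestamp, source IP, email); not real data.
SAMPLE_LOG = """\
2014-07-01T10:00:01Z 198.51.100.7 alice@example.com
2014-07-01T10:00:03Z 203.0.113.5 x9q2k7l1p4@host01.free-zone.example
2014-07-01T10:00:04Z 203.0.113.5 m3n8v2c6z0@host02.free-zone.example
2014-07-01T10:00:05Z 203.0.113.5 q1w2e3r4t5@host03.free-zone.example
2014-07-01T10:00:06Z 203.0.113.5 a7s8d9f0g1@host04.free-zone.example
2014-07-01T10:00:07Z 203.0.113.5 z2x3c4v5b6@host05.free-zone.example
2014-07-01T11:30:00Z 198.51.100.9 bob.smith@example.org
"""

# Local part of 10+ lowercase alphanumerics mixing letters and digits, no separators.
GENERATED_LOCAL = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{10,}$")

def parse_log(text):
    """Parse 'ISO-timestamp ip email' lines into (datetime, ip, email) tuples."""
    records = []
    for line in text.splitlines():
        ts, ip, email = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, email.lower()))
    return records

def parent_zone(domain):
    """Crude registrable-zone guess: the last two labels (assumption; a real
    deployment would consult the public suffix list instead)."""
    return ".".join(domain.split(".")[-2:])

def flag_signups(records, window=timedelta(minutes=10), threshold=5):
    """Return {email: [reasons]} for sign-ups that show bulk-registration signals."""
    records = sorted(records)
    reasons = defaultdict(list)
    for i, (ts, ip, email) in enumerate(records):
        local, domain = email.split("@", 1)
        zone = parent_zone(domain)
        # Earlier sign-ups inside the window that share this IP or parent zone.
        recent = [r for r in records[:i] if ts - r[0] <= window]
        same_ip = 1 + sum(1 for r in recent if r[1] == ip)
        same_zone = 1 + sum(1 for r in recent if parent_zone(r[2].split("@", 1)[1]) == zone)
        if same_ip >= threshold:
            reasons[email].append(f"{same_ip} sign-ups from {ip} within {window}")
        if same_zone >= threshold:
            reasons[email].append(f"{same_zone} sign-ups under zone {zone} within {window}")
        if GENERATED_LOCAL.match(local):
            reasons[email].append("machine-looking local part")
    return dict(reasons)
```

Run against the sample, the five free-zone registrations are flagged and the two ordinary ones pass; the fifth from the same IP trips both the per-IP and per-zone thresholds.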

iGuRu.gr


Written by giorgos
