Hackers have long used malware to enslave armies of unwitting PCs, but security researchers Rob Ragan and Oscar Salazar had a different thought: Why steal computing resources from guiltless victims when there’s so much free processing power out there for the taking?
At the Black Hat conference in Las Vegas next month, Ragan and Salazar plan to reveal how they built a botnet using only free trials and freemium accounts on online application-hosting services—the kind coders use for development and testing to avoid having to buy their own servers and storage. The hacker duo used an automated process to generate unique email addresses and sign up for those free accounts en masse, assembling a cloud-based botnet of around a thousand computers.
That online zombie horde was capable of launching coordinated cyberattacks, cracking passwords, or mining hundreds of dollars a day worth of cryptocurrency. And by assembling that botnet from cloud accounts rather than hijacked computers, Ragan and Salazar believe their creation may have even been legal.
“We essentially built a supercomputer for free,” says Ragan, who along with Salazar works as a researcher for the security consultancy Bishop Fox. “We’re definitely going to see more malicious activity coming out of these services.”
Companies like Google, Heroku, Cloud Foundry, CloudBees, and many more offer developers the ability to host their applications on servers in remote data centers, often reselling computing resources owned by companies like Amazon and Rackspace. Ragan and Salazar tested the account creation process for more than 150 of those services. Only a third of them required any credentials beyond an email address—additional information like a credit card, phone number, or filling out a captcha. Choosing among the easy two-thirds, they targeted about 15 services that let them sign up for a free account or a free trial. The researchers won’t name those vulnerable services, to avoid helping malicious hackers follow in their footsteps. “A lot of these companies are startups trying to get as many users as quickly as possible,” says Salazar. “They’re not really thinking about defending against these kinds of attacks.”
Ragan and Salazar created their automated rapid-fire signup and confirmation process with the email service Mandrill and their own program running on Google App Engine. A service called FreeDNS.afraid.org let them create unlimited email addresses on different domains; to create realistic-looking addresses, they used variations on actual addresses that they found dumped online after past data breaches. Then they used Python Fabric, a tool that lets developers manage multiple Python scripts, to control the hundreds of computers over which they had taken control.
One of their first experiments with their new cloud-based botnet was mining the cryptocurrency Litecoin. (That second-most-used cryptocoin is better suited to the cloud computers’ CPUs than Bitcoin, which is most easily mined with GPU chips.) They found that they could produce about 25 cents per account per day based on Litecoin’s exchange rates at the time. Putting their entire botnet behind that effort would have generated $1,750 a week. “And it’s all on someone else’s electricity bill,” says Ragan.
Ragan and Salazar were wary of doing real harm by hogging the services’ electricity or processing, however, so they turned off their mining operation in a matter of hours. For testing, however, they left a small number of mining programs running for two weeks. None were ever detected or shut down.
Aside from Litecoin mining, the researchers say they could have used their cloudbots for more malicious ends—like distributed password-cracking, click fraud, or denial of service attacks that flood target websites with junk traffic. Because the cloud services offer far more networking bandwidth than the average home computer possesses, they say their botnet could have funneled about 20,000 PCs-worth of attack traffic at any given target. Ragan and Salazar weren’t able to actually measure the size of their attack, however, because none of their test targets were able to stay online long enough for an accurate reading. “We’re still looking for volunteers,” Ragan jokes.
More disturbing yet, Ragan and Salazar say targets would find it especially hard to filter out an attack launched from reputable cloud services. “Imagine a distributed denial-of-service attack where the incoming IP addresses are all from Google and Amazon,” says Ragan. “That becomes a challenge. You can’t blacklist that entire IP range.”
Using a cloud-based botnet for that kind of attack, of course, would be illegal. But creating the botnet in the first place might not be, the two researchers argue. They admit they violated quite a few companies’ terms of service agreements, but it’s still a matter of legal debate whether such an act constitutes a crime. Breaking those fine-print rules has contributed to some prosecutions under the Computer Fraud and Abuse Act, as in the case of the late Aaron Swartz. But at least one court has ruled that breaking terms of service alone doesn’t constitute computer fraud. And the majority of terms of service violations go unpunished—a good thing given how few Internet users actually read them.
Ragan and Salazar argue that regardless of legal protections, companies need to implement their own anti-automation technologies to prevent the kind of bot-based signups they demonstrated. At the time of their Black Hat talk, they plan to release both the software they used to create and control their cloudbots, as well as defense software they say can protect against their schemes.
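As an added illustration of the anti-automation checks the researchers call for (example code written for this page, not the defense software Ragan and Salazar say they will release): a signup gate that rate-limits registrations per source address over a sliding window, flags email domains on a denylist of free or disposable domains, and notices batches of addresses that differ only by a numeric suffix. One signal escalates the attempt to a challenge (a captcha or phone verification, the extra steps the article says only a third of services required); two or more block it. Every domain, address, IP and threshold below is a constructed sample value.

```python
"""Signup anti-automation gate (added example; constructed sample data)."""
from collections import defaultdict, deque
import re

WINDOW_SECONDS = 600          # sliding window for the per-IP rate limit (constructed)
MAX_PER_IP = 5                # attempts allowed per source IP inside the window (constructed)
MAX_PER_STEM = 3              # near-duplicate local parts tolerated before flagging (constructed)
# Constructed denylist standing in for free-DNS / disposable mail domains.
SUSPECT_DOMAINS = {"free-dns.example", "throwaway.example"}


class SignupGate:
    """Scores each registration attempt and returns allow / challenge / block."""

    def __init__(self, window=WINDOW_SECONDS, max_per_ip=MAX_PER_IP,
                 max_per_stem=MAX_PER_STEM, suspect_domains=SUSPECT_DOMAINS):
        self.window = window
        self.max_per_ip = max_per_ip
        self.max_per_stem = max_per_stem
        self.suspect_domains = {d.lower() for d in suspect_domains}
        self._by_ip = defaultdict(deque)   # source IP -> timestamps of recent attempts
        self._stems = defaultdict(int)     # normalised local part -> attempts seen

    @staticmethod
    def _stem(local_part):
        """Collapse bob1, bob.2, bob+tag3 to 'bob' so templated batches line up."""
        local_part = local_part.split("+", 1)[0].replace(".", "").lower()
        return re.sub(r"\d+$", "", local_part)

    def evaluate(self, ip, email, now):
        """Record one attempt and return (decision, reasons)."""
        reasons = []

        # 1. Sliding-window rate limit per source address.
        recent = self._by_ip[ip]
        while recent and now - recent[0] > self.window:
            recent.popleft()
        recent.append(now)
        if len(recent) > self.max_per_ip:
            reasons.append("ip_rate")

        # 2. Domain reputation: disposable / free-DNS mail domains.
        local_part, _, domain = email.rpartition("@")
        if domain.lower() in self.suspect_domains:
            reasons.append("suspect_domain")

        # 3. Templated addresses: many signups that differ only by a numeric suffix.
        stem = self._stem(local_part)
        self._stems[stem] += 1
        if self._stems[stem] > self.max_per_stem:
            reasons.append("templated_address")

        if len(reasons) >= 2:
            decision = "block"
        elif reasons:
            decision = "challenge"   # require captcha / phone / card before creating the account
        else:
            decision = "allow"
        return decision, reasons


def run_demo():
    """One ordinary signup followed by a constructed burst of templated signups."""
    gate = SignupGate()
    results = [gate.evaluate("198.51.100.7", "alice@mail.example", 0.0)]
    for i in range(1, 9):
        results.append(gate.evaluate("203.0.113.5", f"jsmith{i}@throwaway.example", 10.0 * i))
    return results


if __name__ == "__main__":
    for decision, reasons in run_demo():
        print(decision, reasons)
```

The three signals are deliberately independent: the rate limit needs no knowledge of the mail provider, the denylist catches a single attempt, and the stem check catches a slow batch that stays under the rate limit. A real deployment would persist the counters outside the process and tune the constructed thresholds against its own signup traffic.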
Other hackers, after all, haven’t been as polite as Ragan and Salazar in their cloud computing experiments. In the time the two researchers spent probing the loopholes in cloud computing services, they say they’ve already seen companies like AppFog and Engine Yard shut down or turn off their free option as a result of more malicious hackers exploiting their services. Another company specifically cited botnets mining cryptocurrency as its reason for turning off its free account feature.
“We wanted to raise awareness that there’s insufficient anti-automation being used to protect against this type of attack,” says Ragan. “Will we see a rise in this type of botnet? The answer is definitely yes.”