Attacks/Breaches
8/11/2014
04:25 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

CloudBot: A Free, Malwareless Alternative To Traditional Botnets

Researchers take advantage of cloud service providers' free trials and lousy anti-automation controls to use cloud instances like bots.

LAS VEGAS -- Black Hat USA -- Thrifty attackers, are you tired of investing your dollars in a botnet that's constantly being disrupted by new anti-virus signatures and bot downtime? A "cloudbot" might be just what you seek. As shown at Black Hat last week by Rob Ragan and Oscar Salazar, senior security associates at Bishop Fox, cloudbots are entirely free and very resilient, and they offer all the uptime of a cloud service with no need for malware. Good news for bot masters working on the cheap.

Bad news for cloud service providers that use poor anti-automation measures. As Salazar and Ragan showed in their Black Hat session, "Cloudbots: Harvesting CryptoCoins Like a Botnet Farmer," confirming registrations with email alone is not enough to prove a registrant is a unique human. Without adding captchas, SMS verification, or other anti-automation measures, online services could find themselves powering activities like cryptocurrency mining and denial-of-service attacks.

The researchers specifically went after free cloud services -- or those with free trials -- that host infrastructure or development platforms.

"We were able to gather thousands of those [services'] accounts and control them just as a botnet herder would control a traditional botnet by spreading malware," Ragan says in an interview with DarkReading. "We were basically able to register a bunch of free trials and have control over these accounts... and build a system -- a framework, if you will -- for targeting online services."

How it's done
As Salazar explains, they begin by using Google App Engine's inbound mail handler, which transfers mail into a POST request that Google posts to a user's web server. Using that, they were able to receive email as though it were a POST request coming from anybody's browser and then "scrape the content" from the email.

"We look through the body of the email and look for URLs -- [cloud service] activation links, essentially," Salazar says. "And from the service itself, we request the activation link. Instead of having to go click on it ourselves, it gets automaticaly requested for us by our application."

Then they headed to FreeDNS.afraid.org and created a wide variety of subdomains, for free, using domains donated by generous souls. Using FreeDNS, they were able to register MX records, which are used to point servers to mail.

After that, they use yet another cloud service that converts email into an adjacent object and pastes it back to the server.

"So, using that full setup, you go to a website you want to sign up for [and] type in an email address containing a random local part" and a domain registered from FreeDNS, says Salazar. "As soon as we click 'activation' on the submit link, an email is sent. But we're not receiving the email; our application is receiving the email and is clicking the registration link for us. At that point, we don't need to do anything at all."

For the purpose of their proof-of-concept, Ragan and Salazar used this process to create 1,000 accounts at roughly 150 services -- small companies, startups, and some third-party resellers of bigger cloud providers -- and gathered more than a terabyte of free storage. They could have made it much bigger. According to the researchers, the script can be run as often as they like, so the size of the "cloud botnet" is limited merely by the amount of effort one wants to put into registering new instances.

"Gather enough of them," says Ragan, "and it's a supercomputer for free."

Benefits for the attacker
A cloud botnet is undoubtedly economical.

"All that we really required to build this was a low-end laptop, a browser, and an Internet connection," says Ragan. And, of course, the "bots" themselves were free.

Plus, they're simply higher quality than your average bot. They're powerful, energy-efficient, resilient, and nearly always available.

"All these [cloud] providers have low-latency, high-bandwidth, high-availability Internet connections," says Ragan. "Their whole business model is that [they're] online and available 99.999% of the time. And that's a lot different than a botnet that works off personal home computers that may go offline at the end of the night or might have a slow DSL connection."

"A lot [of cloud services] let you shut down the instance while you didn't need it," says Salazar. "So essentially it would be like a sleeper bot. It wouldn't be using system resources when you didn't need them, and [that would] make it a lot less likely to be identified."

They made other efforts to avoid detection, as well. They could create accounts on one cloud service provider and use it to launch attacks on another, avoiding the need even for Tor exit nodes or VPN endpoints.

"Also, we didn't have a central point of command and control," says Ragan. "We leveraged a Python framework called Fabric, which is designed for system administrators to manage a datacenter or internal service management, and all that's required is SSH access into like a Linux machine, for example -- which is what we were getting from these free cloud service providers. SSH access into a Linux [virtual machine].

"And at that point, we could manage that all with our private keys, and we could launch our scripts and commands from any one of those cloud service providers we had access to. We could move around and be coming from new locations every time we launched a new command."

Also, though they expect that they did stretch the limits of some terms of service, creating this sort of botnet is not entirely illegal, because no machines are being infected with malware.

Since the botnet does not require malware, it needn't go through the process of updating code every time an anti-virus provider writes a new signature. Some bots will, however, die when a free trial expires, but those changes are predictable, and the bots can be easily replaced by simply registering more accounts.

However, if attackers did want to use malware in the next stage of an attack, they could simply use their cloudbots' development environments to do all their coding in the browser, without ever storing it on their own hard drives.

What cloud providers should do
Salazar and Ragan think that bad guys may already have had the same ideas they did. Before they even had a chance to try out their registration script on some sites, they found that some services' free trials were "temporarily disabled" entirely, and that one of them specifically said that it had been disabled because of suspected abuse by criminal hackers.

"If you have a company and you have to shut down registration," says Ragan, "that's money lost."

Two-thirds of the services the researchers looked at used only email confirmation to fight automation.

"We realized that this was really an antiquated approach," says Ragan. "That 'one person equals one email address.' That's simply not the case anymore."

The solution could be introducing more anti-automation technologies like captchas or verification by mobile devices. However, online businesses also don't want to make it really onerous for legitimate users to complete their registration -- because that could lose money, too.

Therefore, Ragan and Salazar suggest that companies might turn on those extensive anti-automation measures only when there is an anomaly. If there are usually 100 registrations per day, and suddenly 1,000 registrations arrive in 10 minutes, then there is a good chance that there is malicious activity. However, instead of shutting down the registration service entirely and closing out legitimate new customers, companies can temporarily enable further account verification measures, thereby combating malicious entities and accepting any new legitimate registrants who have the patience to complete the process.

Another option for small service providers is to use a federated identity solution -- letting users register with their Facebook account, for example -- and leave all the complicated identity and access management to someone else.

In the meantime, any website -- not just cloud service providers -- needs to have a closer look at its anti-automation tools and procedures.

"One of the things we wanted to answer is 'Will we continue to see this as a rising trend?'" says Ragan, "and the answer is undoubtedly yes."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
8/16/2014 | 10:10:35 AM
Arms Race
This is just one more tool in the bad guys tool box.  The sad thing is that most websites do not have ANY anti-automation tools in place.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2021
Published: 2014-10-24
Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.4.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name.

CVE-2014-3604
Published: 2014-10-24
Certificates.java in Not Yet Commons SSL before 0.3.15 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVE-2014-6230
Published: 2014-10-24
WP-Ban plugin before 1.6.4 for WordPress, when running in certain configurations, allows remote attackers to bypass the IP blacklist via a crafted X-Forwarded-For header.

CVE-2014-6251
Published: 2014-10-24
Stack-based buffer overflow in CPUMiner before 2.4.1 allows remote attackers to have an unspecified impact by sending a mining.subscribe response with a large nonce2 length, then triggering the overflow with a mining.notify request.

CVE-2014-7180
Published: 2014-10-24
Electric Cloud ElectricCommander before 4.2.6 and 5.x before 5.0.3 uses world-writable permissions for (1) eccert.pl and (2) ecconfigure.pl, which allows local users to execute arbitrary Perl code by modifying these files.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.