Attacks/Breaches
8/11/2014
04:25 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

CloudBot: A Free, Malwareless Alternative To Traditional Botnets

Researchers take advantage of cloud service providers' free trials and lousy anti-automation controls to use cloud instances like bots.

LAS VEGAS -- Black Hat USA -- Thrifty attackers, are you tired of investing your dollars in a botnet that's constantly being disrupted by new anti-virus signatures and bot downtime? A "cloudbot" might be just what you seek. As shown at Black Hat last week by Rob Ragan and Oscar Salazar, senior security associates at Bishop Fox, cloudbots are entirely free and very resilient, and they offer all the uptime of a cloud service with no need for malware. Good news for bot masters working on the cheap.

Bad news for cloud service providers that use poor anti-automation measures. As Salazar and Ragan showed in their Black Hat session, "Cloudbots: Harvesting CryptoCoins Like a Botnet Farmer," confirming registrations with email alone is not enough to prove a registrant is a unique human. Without adding captchas, SMS verification, or other anti-automation measures, online services could find themselves powering activities like cryptocurrency mining and denial-of-service attacks.

The researchers specifically went after free cloud services -- or those with free trials -- that host infrastructure or development platforms.

"We were able to gather thousands of those [services'] accounts and control them just as a botnet herder would control a traditional botnet by spreading malware," Ragan says in an interview with DarkReading. "We were basically able to register a bunch of free trials and have control over these accounts... and build a system -- a framework, if you will -- for targeting online services."

How it's done
As Salazar explains, they begin by using Google App Engine's inbound mail handler, which transfers mail into a POST request that Google posts to a user's web server. Using that, they were able to receive email as though it were a POST request coming from anybody's browser and then "scrape the content" from the email.

"We look through the body of the email and look for URLs -- [cloud service] activation links, essentially," Salazar says. "And from the service itself, we request the activation link. Instead of having to go click on it ourselves, it gets automaticaly requested for us by our application."

Then they headed to FreeDNS.afraid.org and created a wide variety of subdomains, for free, using domains donated by generous souls. Using FreeDNS, they were able to register MX records, which are used to point servers to mail.

After that, they use yet another cloud service that converts email into an adjacent object and pastes it back to the server.

"So, using that full setup, you go to a website you want to sign up for [and] type in an email address containing a random local part" and a domain registered from FreeDNS, says Salazar. "As soon as we click 'activation' on the submit link, an email is sent. But we're not receiving the email; our application is receiving the email and is clicking the registration link for us. At that point, we don't need to do anything at all."

For the purpose of their proof-of-concept, Ragan and Salazar used this process to create 1,000 accounts at roughly 150 services -- small companies, startups, and some third-party resellers of bigger cloud providers -- and gathered more than a terabyte of free storage. They could have made it much bigger. According to the researchers, the script can be run as often as they like, so the size of the "cloud botnet" is limited merely by the amount of effort one wants to put into registering new instances.

"Gather enough of them," says Ragan, "and it's a supercomputer for free."

Benefits for the attacker
A cloud botnet is undoubtedly economical.

"All that we really required to build this was a low-end laptop, a browser, and an Internet connection," says Ragan. And, of course, the "bots" themselves were free.

Plus, they're simply higher quality than your average bot. They're powerful, energy-efficient, resilient, and nearly always available.

"All these [cloud] providers have low-latency, high-bandwidth, high-availability Internet connections," says Ragan. "Their whole business model is that [they're] online and available 99.999% of the time. And that's a lot different than a botnet that works off personal home computers that may go offline at the end of the night or might have a slow DSL connection."

"A lot [of cloud services] let you shut down the instance while you didn't need it," says Salazar. "So essentially it would be like a sleeper bot. It wouldn't be using system resources when you didn't need them, and [that would] make it a lot less likely to be identified."

They made other efforts to avoid detection, as well. They could create accounts on one cloud service provider and use it to launch attacks on another, avoiding the need even for Tor exit nodes or VPN endpoints.

"Also, we didn't have a central point of command and control," says Ragan. "We leveraged a Python framework called Fabric, which is designed for system administrators to manage a datacenter or internal service management, and all that's required is SSH access into like a Linux machine, for example -- which is what we were getting from these free cloud service providers. SSH access into a Linux [virtual machine].

"And at that point, we could manage that all with our private keys, and we could launch our scripts and commands from any one of those cloud service providers we had access to. We could move around and be coming from new locations every time we launched a new command."

Also, though they expect that they did stretch the limits of some terms of service, creating this sort of botnet is not entirely illegal, because no machines are being infected with malware.

Since the botnet does not require malware, it needn't go through the process of updating code every time an anti-virus provider writes a new signature. Some bots will, however, die when a free trial expires, but those changes are predictable, and the bots can be easily replaced by simply registering more accounts.

However, if attackers did want to use malware in the next stage of an attack, they could simply use their cloudbots' development environments to do all their coding in the browser, without ever storing it on their own hard drives.

What cloud providers should do
Salazar and Ragan think that bad guys may already have had the same ideas they did. Before they even had a chance to try out their registration script on some sites, they found that some services' free trials were "temporarily disabled" entirely, and that one of them specifically said that it had been disabled because of suspected abuse by criminal hackers.

"If you have a company and you have to shut down registration," says Ragan, "that's money lost."

Two-thirds of the services the researchers looked at used only email confirmation to fight automation.

"We realized that this was really an antiquated approach," says Ragan. "That 'one person equals one email address.' That's simply not the case anymore."

The solution could be introducing more anti-automation technologies like captchas or verification by mobile devices. However, online businesses also don't want to make it really onerous for legitimate users to complete their registration -- because that could lose money, too.

Therefore, Ragan and Salazar suggest that companies might turn on those extensive anti-automation measures only when there is an anomaly. If there are usually 100 registrations per day, and suddenly 1,000 registrations arrive in 10 minutes, then there is a good chance that there is malicious activity. However, instead of shutting down the registration service entirely and closing out legitimate new customers, companies can temporarily enable further account verification measures, thereby combating malicious entities and accepting any new legitimate registrants who have the patience to complete the process.

Another option for small service providers is to use a federated identity solution -- letting users register with their Facebook account, for example -- and leave all the complicated identity and access management to someone else.

In the meantime, any website -- not just cloud service providers -- needs to have a closer look at its anti-automation tools and procedures.

"One of the things we wanted to answer is 'Will we continue to see this as a rising trend?'" says Ragan, "and the answer is undoubtedly yes."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
8/16/2014 | 10:10:35 AM
Arms Race
This is just one more tool in the bad guys tool box.  The sad thing is that most websites do not have ANY anti-automation tools in place.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2188
Published: 2015-02-26
The Authentication Proxy feature in Cisco IOS does not properly handle invalid AAA return codes from RADIUS and TACACS+ servers, which allows remote attackers to bypass authentication in opportunistic circumstances via a connection attempt that triggers an invalid code, as demonstrated by a connecti...

CVE-2015-0594
Published: 2015-02-26
Multiple cross-site scripting (XSS) vulnerabilities in the help pages in Cisco Common Services, as used in Cisco Prime LAN Management Solution (LMS) and Cisco Security Manager, allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug IDs CSCuq54654 and CSCun1...

CVE-2015-0632
Published: 2015-02-26
Race condition in the Neighbor Discovery (ND) protocol implementation in Cisco IOS and IOS XE allows remote attackers to cause a denial of service via a flood of Router Solicitation messages on the local network, aka Bug ID CSCuo67770.

CVE-2015-0651
Published: 2015-02-26
Cross-site request forgery (CSRF) vulnerability in the web GUI in Cisco Application Networking Manager (ANM), and Device Manager (DM) on Cisco 4710 Application Control Engine (ACE) appliances, allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuo99753.

CVE-2015-0882
Published: 2015-02-26
Multiple cross-site scripting (XSS) vulnerabilities in zencart-ja (aka Zen Cart Japanese edition) 1.3 jp through 1.3.0.2 jp8 and 1.5 ja through 1.5.1 ja allow remote attackers to inject arbitrary web script or HTML via a crafted parameter, related to admin/includes/init_includes/init_sanitize.php an...

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.