Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:25 PM
Connect Directly

CloudBot: A Free, Malwareless Alternative To Traditional Botnets

Researchers take advantage of cloud service providers' free trials and lousy anti-automation controls to use cloud instances like bots.

LAS VEGAS -- Black Hat USA -- Thrifty attackers, are you tired of investing your dollars in a botnet that's constantly being disrupted by new anti-virus signatures and bot downtime? A "cloudbot" might be just what you seek. As shown at Black Hat last week by Rob Ragan and Oscar Salazar, senior security associates at Bishop Fox, cloudbots are entirely free and very resilient, and they offer all the uptime of a cloud service with no need for malware. Good news for bot masters working on the cheap.

Bad news for cloud service providers that use poor anti-automation measures. As Salazar and Ragan showed in their Black Hat session, "Cloudbots: Harvesting CryptoCoins Like a Botnet Farmer," confirming registrations with email alone is not enough to prove a registrant is a unique human. Without adding captchas, SMS verification, or other anti-automation measures, online services could find themselves powering activities like cryptocurrency mining and denial-of-service attacks.

The researchers specifically went after free cloud services -- or those with free trials -- that host infrastructure or development platforms.

"We were able to gather thousands of those [services'] accounts and control them just as a botnet herder would control a traditional botnet by spreading malware," Ragan says in an interview with DarkReading. "We were basically able to register a bunch of free trials and have control over these accounts... and build a system -- a framework, if you will -- for targeting online services."

How it's done
As Salazar explains, they begin by using Google App Engine's inbound mail handler, which transfers mail into a POST request that Google posts to a user's web server. Using that, they were able to receive email as though it were a POST request coming from anybody's browser and then "scrape the content" from the email.

"We look through the body of the email and look for URLs -- [cloud service] activation links, essentially," Salazar says. "And from the service itself, we request the activation link. Instead of having to go click on it ourselves, it gets automaticaly requested for us by our application."

Then they headed to FreeDNS.afraid.org and created a wide variety of subdomains, for free, using domains donated by generous souls. Using FreeDNS, they were able to register MX records, which are used to point servers to mail.

After that, they use yet another cloud service that converts email into an adjacent object and pastes it back to the server.

"So, using that full setup, you go to a website you want to sign up for [and] type in an email address containing a random local part" and a domain registered from FreeDNS, says Salazar. "As soon as we click 'activation' on the submit link, an email is sent. But we're not receiving the email; our application is receiving the email and is clicking the registration link for us. At that point, we don't need to do anything at all."

For the purpose of their proof-of-concept, Ragan and Salazar used this process to create 1,000 accounts at roughly 150 services -- small companies, startups, and some third-party resellers of bigger cloud providers -- and gathered more than a terabyte of free storage. They could have made it much bigger. According to the researchers, the script can be run as often as they like, so the size of the "cloud botnet" is limited merely by the amount of effort one wants to put into registering new instances.

"Gather enough of them," says Ragan, "and it's a supercomputer for free."

Benefits for the attacker
A cloud botnet is undoubtedly economical.

"All that we really required to build this was a low-end laptop, a browser, and an Internet connection," says Ragan. And, of course, the "bots" themselves were free.

Plus, they're simply higher quality than your average bot. They're powerful, energy-efficient, resilient, and nearly always available.

"All these [cloud] providers have low-latency, high-bandwidth, high-availability Internet connections," says Ragan. "Their whole business model is that [they're] online and available 99.999% of the time. And that's a lot different than a botnet that works off personal home computers that may go offline at the end of the night or might have a slow DSL connection."

"A lot [of cloud services] let you shut down the instance while you didn't need it," says Salazar. "So essentially it would be like a sleeper bot. It wouldn't be using system resources when you didn't need them, and [that would] make it a lot less likely to be identified."

They made other efforts to avoid detection, as well. They could create accounts on one cloud service provider and use it to launch attacks on another, avoiding the need even for Tor exit nodes or VPN endpoints.

"Also, we didn't have a central point of command and control," says Ragan. "We leveraged a Python framework called Fabric, which is designed for system administrators to manage a datacenter or internal service management, and all that's required is SSH access into like a Linux machine, for example -- which is what we were getting from these free cloud service providers. SSH access into a Linux [virtual machine].

"And at that point, we could manage that all with our private keys, and we could launch our scripts and commands from any one of those cloud service providers we had access to. We could move around and be coming from new locations every time we launched a new command."

Also, though they expect that they did stretch the limits of some terms of service, creating this sort of botnet is not entirely illegal, because no machines are being infected with malware.

Since the botnet does not require malware, it needn't go through the process of updating code every time an anti-virus provider writes a new signature. Some bots will, however, die when a free trial expires, but those changes are predictable, and the bots can be easily replaced by simply registering more accounts.

However, if attackers did want to use malware in the next stage of an attack, they could simply use their cloudbots' development environments to do all their coding in the browser, without ever storing it on their own hard drives.

What cloud providers should do
Salazar and Ragan think that bad guys may already have had the same ideas they did. Before they even had a chance to try out their registration script on some sites, they found that some services' free trials were "temporarily disabled" entirely, and that one of them specifically said that it had been disabled because of suspected abuse by criminal hackers.

"If you have a company and you have to shut down registration," says Ragan, "that's money lost."

Two-thirds of the services the researchers looked at used only email confirmation to fight automation.

"We realized that this was really an antiquated approach," says Ragan. "That 'one person equals one email address.' That's simply not the case anymore."

The solution could be introducing more anti-automation technologies like captchas or verification by mobile devices. However, online businesses also don't want to make it really onerous for legitimate users to complete their registration -- because that could lose money, too.

Therefore, Ragan and Salazar suggest that companies might turn on those extensive anti-automation measures only when there is an anomaly. If there are usually 100 registrations per day, and suddenly 1,000 registrations arrive in 10 minutes, then there is a good chance that there is malicious activity. However, instead of shutting down the registration service entirely and closing out legitimate new customers, companies can temporarily enable further account verification measures, thereby combating malicious entities and accepting any new legitimate registrants who have the patience to complete the process.

Another option for small service providers is to use a federated identity solution -- letting users register with their Facebook account, for example -- and leave all the complicated identity and access management to someone else.

In the meantime, any website -- not just cloud service providers -- needs to have a closer look at its anti-automation tools and procedures.

"One of the things we wanted to answer is 'Will we continue to see this as a rising trend?'" says Ragan, "and the answer is undoubtedly yes."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Robert McDougal
Robert McDougal,
User Rank: Ninja
8/16/2014 | 10:10:35 AM
Arms Race
This is just one more tool in the bad guys tool box.  The sad thing is that most websites do not have ANY anti-automation tools in place.
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 85da504d2dc30188b89f44c3276fc5a25b31251f contains a buffer overflow which could allow attackers to obtain sensitive information.