Security experts Rob Ragan and Oscar Salazar demonstrate that it’s possible to assemble a secret cryptocoin mining army using nothing more than a myriad of free computing resources available on the Internet; there’s no reason to use malware to enslave unsuspecting PCs. Next month, the pair plans to reveal in detail how they’ve built a botnet empire exclusively from freemium accounts on online application-hosting services stowed away in data centers belonging to Amazon, Rackspace, and the like.
In essence, the security experts used an automated process to generate thousands of unique e-mail addresses, which were then used to sign up for free accounts on sites providing cloud storage and application hosting, such as Dropbox, Google, Heroku, Cloud Foundry, and CloudBees. By spreading miners across all these accounts, the team was able to piggyback on the cloud’s larger processing power without having to snatch it from other people’s PCs, a blatantly malicious action.
“We essentially built a supercomputer for free,” says Ragan, who along with Salazar works as a researcher for the security consultancy Bishop Fox. “We're definitely going to see more malicious activity coming out of these services.”
Out of the 150 different account creation services that Ragan and Salazar tested, only a third asked for credentials beyond an e-mail address. From the remaining two-thirds, the researchers selected 15 services that allowed signing up for a free trial without requiring any credit card information, phone number, or CAPTCHA. To avoid aiding malicious hackers, the pair will not disclose the names of these services.
“A lot of these companies are startups trying to get as many users as quickly as possible,” says Salazar. “They're not really thinking about defending against these kinds of attacks.”
The tools used
According to an interview with Wired, Ragan and Salazar set up the automated signup and confirmation process using a combination of the e-mail service Mandrill and their own Google App Engine application. Next, a service called FreeDNS.afraid.org permitted the creation of an unlimited number of e-mail addresses across different domains. Finally, software called Python Fabric enabled them to execute multiple Python scripts simultaneously and control the entire miner-bot swarm, using electricity and computing resources belonging to Amazon and Rackspace, the companies that lease their mega-data centers to the cloud computing services.
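The weakness the researchers describe is that the signup step itself is not watched for automation. The following script is an added example written for this page, not code from Bishop Fox or from the Wired story: it runs over a constructed signup log (timestamp, e-mail address, source IP; the addresses, domains and IPs are made up) and flags any e-mail domain or source IP that produced a burst of distinct accounts inside a short window. The five-account, ten-minute threshold is an assumed starting point, not a value from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample signup log (not from the article). Columns: timestamp, e-mail, source IP.
# Three ordinary signups are mixed with a burst of sequential accounts from one address,
# spread over two "free DNS" style domains, which is the pattern the article describes.
SIGNUP_LOG = """\
2014-07-24T09:00:00Z alice@example.com 203.0.113.10
2014-07-24T09:30:00Z bob@example.org 203.0.113.22
2014-07-24T10:00:01Z u001@dyn-a.example.net 198.51.100.7
2014-07-24T10:00:09Z u002@dyn-a.example.net 198.51.100.7
2014-07-24T10:00:17Z u003@dyn-a.example.net 198.51.100.7
2014-07-24T10:00:25Z u004@dyn-a.example.net 198.51.100.7
2014-07-24T10:00:33Z u005@dyn-a.example.net 198.51.100.7
2014-07-24T10:00:41Z u006@dyn-b.example.net 198.51.100.7
2014-07-24T10:00:49Z u007@dyn-b.example.net 198.51.100.7
2014-07-24T11:45:00Z carol@example.com 192.0.2.5
"""


def parse_log(text):
    """Parse the three-column log into a time-sorted list of (timestamp, email, ip)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, email, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), email.lower(), ip))
    return sorted(events)


def max_in_window(times, window):
    """Largest number of events that fall inside any sliding window of the given length."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def burst_keys(events, key_fn, threshold, window):
    """Group signups by key_fn(email, ip) and return {key: peak count} for keys over threshold."""
    by_key = defaultdict(list)
    for ts, email, ip in events:
        by_key[key_fn(email, ip)].append(ts)
    flagged = {}
    for key, times in by_key.items():
        peak = max_in_window(times, window)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


def flag_signups(text, threshold=5, window=timedelta(minutes=10)):
    """Flag e-mail domains and source IPs that show a signup burst.

    Checking both keys matters: the article notes that free DNS services let one operator
    spread accounts across many domains, so a per-domain rule alone can be sidestepped,
    while a shared source address still stands out.
    """
    events = parse_log(text)
    return {
        "domains": burst_keys(events, lambda e, ip: e.split("@", 1)[1], threshold, window),
        "ips": burst_keys(events, lambda e, ip: ip, threshold, window),
    }


if __name__ == "__main__":
    for kind, hits in flag_signups(SIGNUP_LOG).items():
        for key, peak in hits.items():
            print(f"{kind}: {key} created {peak} accounts within 10 minutes")
```

On the constructed log the rule flags dyn-a.example.net (five accounts in about half a minute) and the source address 198.51.100.7 (seven accounts), while dyn-b.example.net slips under the domain threshold on its own; the two legitimate signups under example.com are hours apart and are not reported. A real deployment would feed the same counters with the confirmation step as well, since the article's pipeline automates confirmation too.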
Ragan and Salazar want to be clear that their intentions were not malevolent, so they shut down their mining operation within a matter of hours to avoid stealing resources from Amazon’s daily operation. They did, however, leave a very small number of bots running in the background for two weeks to test how long they could go undetected. Suffice it to say, Amazon never found them.
Legality
Ragan and Salazar argue that creating a botnet across cloud services is not illegal in and of itself (although it is a breach of the terms of service); it’s the type of attack launched by the bots that’s illegal. After all, what you store in your cloud service is your own business so long as you’re not subpoenaed. “We wanted to raise awareness that there's insufficient anti-automation being used to protect against this type of attack,” says Ragan. “Will we see a rise in this type of botnet? The answer is undoubtedly yes.”
Of particular alarm is the fact that cloud-based botnets can easily be steered toward more criminal pursuits, should the operator so choose, by leveraging bandwidth far more robust than what a home computer offers. That means they can easily perpetrate denial-of-service attacks that flood target websites with artificial traffic, or steal passwords. Furthermore, such attacks are difficult to distinguish from legitimate traffic if all the incoming IP addresses originate from Google or Amazon.
The experiment yielded an equivalent of $1,750 in Litecoin, the second most prolific cryptocoin. This is a small price to pay for the valuable security insight produced by the researchers.
Via Wired