Two security researchers will reveal how they created a “zombie” cloud botnet which, instead of using malware to steal the computing resources of innocent people, garnered free processing power from online application-hosting services.
Rob Ragan and Oscar Salazar intend to demonstrate their remarkable cloud-based botnet next month at the Black Hat security conference in Las Vegas.
Supercomputer For Free
As we all know, botnets traditionally use malware to appropriate small amounts of processing power from thousands or even millions of PCs belonging to innocent victims.
But Wired revealed a new take on this model: Ragan and Salazar instead built a botnet that uses only the free trials and freemium accounts of online application-hosting services (such as Google, CloudBees, Cloud Foundry etc.), which are typically used by cash-strapped programmers to develop and test their applications.
The two researchers reportedly used an automated process to generate unique email addresses and sign up for those free accounts en masse. That way they assembled a cloud-based botnet of around a thousand computers.
“We essentially built a supercomputer for free,” Ragan was quoted as saying. He and Salazar both work as researchers for the security consultancy Bishop Fox. “We’re definitely going to see more malicious activity coming out of these services.”
According to the two researchers, this cloud-based botnet can be used to launch co-ordinated cyberattacks, crack passwords, or mine cryptocurrency such as Bitcoin.
In fact both men said their cloud-based botnet was better suited to mining Litecoin, the second most used cryptocurrency, whose scrypt proof-of-work runs far better on the cloud machines’ general-purpose CPUs than Bitcoin’s SHA-256 does.
They found they could mine about 25 cents (£0.15) per account per day at Litecoin’s exchange rate at the time. Across roughly a thousand accounts, had they left it running, that adds up to an impressive $1,750 (£1,030) a week. “And it’s all on someone else’s electricity bill,” Ragan reportedly said.
And because they used legitimate cloud accounts rather than hijacked computers, both men believe their botnet may be legal, so long as it is not used for attacks or illegal mining. Of course, they probably ran afoul of the cloud companies’ terms of service.
Ragan and Salazar reportedly tested the account-creation process of more than 150 application-hosting services when building their cloud botnet. They found that only a third required any credential beyond an email address.
Those more security-aware cloud services asked for additional information such as a telephone number or credit card, or for a CAPTCHA to be solved. The other two thirds asked for nothing of the sort.
The researchers have not named and shamed the services that let them create free trials or accounts, but said that because these companies are trying to sign up as many users as quickly as possible, they are not really protecting themselves against this kind of abuse.
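As an added example (this is not from the Wired article, nor Ragan and Salazar’s own tooling, nor any hosting provider’s code), here is the sort of bulk sign-up check that the two thirds of services with nothing beyond an email field would have lacked. It runs over a constructed sign-up log, collapses addresses that reach the same mailbox (plus-tags, Gmail dot variants), flags disposable-mail domains, and flags bursts of registrations from a single IP. The log line format, the disposable-domain list, the ten-minute window and the three-per-IP threshold are all assumptions made for the example.

```python
"""Detect automated free-trial sign-ups in a registration log (illustrative example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log, not real data. Assumed format: "<ISO-8601 UTC timestamp> <client IP> <email>"
SAMPLE_LOG = """\
2014-07-01T10:00:01Z 203.0.113.7 alice@example.org
2014-07-01T10:00:03Z 203.0.113.7 bob.smith+1@gmail.com
2014-07-01T10:00:04Z 203.0.113.7 b.o.b.smith+2@gmail.com
2014-07-01T10:00:05Z 203.0.113.7 bobsmith+3@gmail.com
2014-07-01T10:00:06Z 203.0.113.7 trial04@mailinator.com
2014-07-01T10:00:07Z 203.0.113.8 trial05@mailinator.com
2014-07-01T10:00:08Z 203.0.113.9 trial06@mailinator.com
2014-07-01T12:30:00Z 198.51.100.2 carol@example.net
"""

# Assumed short list for the example; a real deployment would use a maintained feed.
DISPOSABLE_DOMAINS = frozenset({"mailinator.com", "guerrillamail.com", "10minutemail.com"})
# Gmail ignores dots in the local part and googlemail.com is an alias of gmail.com.
DOT_INSENSITIVE_DOMAINS = frozenset({"gmail.com"})

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+@\S+)$")


def normalize_email(addr):
    """Collapse the aliases that let one mailbox register many 'unique' addresses."""
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]            # drop sub-address tag: alice+7 -> alice
    if domain == "googlemail.com":
        domain = "gmail.com"
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")        # b.o.b.smith -> bobsmith
    return f"{local}@{domain}"


def parse_log(text):
    """Parse log lines into (timestamp, ip, email) tuples, oldest first."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                          # skip malformed lines rather than crash
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((ts, m.group(2), m.group(3)))
    records.sort(key=lambda r: r[0])
    return records


def flag_signups(records, window=timedelta(minutes=10), per_ip_limit=3):
    """Return {raw_email: [reasons]} for sign-ups that look automated.

    Reasons: 'disposable_domain', 'duplicate_identity' (normalized address already
    registered), 'ip_burst' (more than per_ip_limit sign-ups from one IP inside window).
    """
    flags = {}
    seen_identity = set()
    ip_times = defaultdict(list)              # ip -> timestamps still inside the window

    for ts, ip, email in records:
        canon = normalize_email(email)
        domain = canon.rpartition("@")[2]
        reasons = []
        if domain in DISPOSABLE_DOMAINS:
            reasons.append("disposable_domain")
        if canon in seen_identity:
            reasons.append("duplicate_identity")
        seen_identity.add(canon)

        recent = [t for t in ip_times[ip] if ts - t <= window]   # slide the window
        recent.append(ts)
        ip_times[ip] = recent
        if len(recent) > per_ip_limit:
            reasons.append("ip_burst")

        if reasons:
            flags[email] = reasons
    return flags


if __name__ == "__main__":
    for email, reasons in flag_signups(parse_log(SAMPLE_LOG)).items():
        print(f"{email:32} {', '.join(reasons)}")
```

None of these checks is a substitute for a CAPTCHA, phone or card verification, but they are cheap enough to run on every registration and would have turned the thousand-account sign-up described above into a thousand near-identical alerts.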
Another alarming aspect of this cloud-based botnet is its potential use in denial-of-service attacks. It could be very difficult, for example, for targets to filter out an attack launched from reputable cloud services without also blocking the legitimate traffic those services carry.
“Imagine a distributed denial-of-service attack where the incoming IP addresses are all from Google and Amazon,” Ragan reportedly said. “That becomes a challenge. You can’t blacklist that whole IP range.”
“We wanted to raise awareness that there’s insufficient anti-automation being used to protect against this type of attack,” Ragan concluded. “Will we see a rise in this type of botnet? The answer is undoubtedly yes.”