How free cloud services become free, currency-mining, DDoS-attacking botnets

It’s no secret that the cloud has the potential to be a hacker’s paradise, chock-full of all the password-cracking computing power a trove of stolen credit cards can buy. Surely, though, this type of bad behavior can’t be carried out without any direct financial investment. After all, the free tiers on most cloud computing services are pretty minimal — a single core (probably fairly weak) and maybe a few gigabytes of storage. What can anyone do with that?

A whole lot, if they’re clever.

At the Black Hat security conference this week, a pair of professional penetration testers, Rob Ragan and Oscar Salazar of Bishop Fox, showed how they built a functional 1,000-node botnet by stringing together resources from a variety of services. They used it to mine some Litecoin and could have done a whole lot more if they weren’t trying to minimize harm to other cloud users (by being noisy neighbors) or cloud providers (by driving up power bills).

At its peak, the pair’s bot was generating $0.25 in Litecoin per day per node. Spread across only 1,000 machines, that’s $250 a day in free money. They could have performed click fraud, scanned networks for vulnerabilities or perpetrated DDoS attacks. Really, they could have done pretty much anything that didn’t require higher-performance computing, such as mining Bitcoin or cracking passwords.

For true hackers, Ragan noted, the best part is the process is very difficult to trace: “There’s no trace of any attack tools or scripts on any attackers computer anywhere.”

The key to free money is free email addresses. Lots of them.

The process Ragan and Salazar used was clever, but also rather simple. They scraped the local usernames (i.e., the part before the @ symbol) from a bunch of real email addresses on Pastebin, gathered some donated domain names from a site called, and then set up some subdomains and MX records. Stocked with an endless supply of seemingly legitimate email addresses (gotta fool those spam filters) tied to quasi-functional email servers, they began signing up for services.

Those verification emails so many websites use to verify that people signing up for services are who they say they are — or at least aren’t bots — were forwarded to a free Google(s goog) App Engine app. Ragan and Salazar set up that service’s inbound mail-handling feature to automatically open the links in verification messages.

Ragan's and Salazar's process (along with the back of this guy's head).

Ragan’s and Salazar’s process (along with the back of this guy’s head).

Accounts validated, the researchers set up a method for controlling them all using SSH tunneling. If a service caught on that something wasn’t right and restricted access, or if a trial expired, the pair would just “armadillo up,” as Ragan put it — rolling up their code and taking it to another service. They didn’t list all the services they used, but they certainly got compute power from Google and presumably elsewhere, and they used various MongoDB services to store all their phony account information.

They were able to get 16 gigabytes of free storage on Dropbox by referring a bunch of “friends,” and, again referring fake friends, pushed free storage on another unnamed service up to 1 terabyte before stopping. Ironically, Ragan noted, that service didn’t even offer a terabyte worth of storage in its paid offering and, what’s more, it’s not clear there was a limit to how much they could have added as they kept referring more “users.”

To stop abuse, put up barriers

The lesson learned from all this, Ragan went on to explain, is that cloud service providers need to get past the antiquated notion that one email address equals one user. If all they’re doing to prevent fraud is sending email verifications, they’re going to lose to hackers, spammers and other bad actors every time.

The pair popped up slides showing messages from numerous providers warning users they now require a credit card to sign up for free trials or canceling them altogether. One virtual private server provider flat-out said it was shutting down due to botnet mining.

[pullquote person=”Rob Ragan” attribution=”Senior Security Associate, Bishop Fox”]There’s no trace of any attack tools or scripts on any attacker’s computer anywhere.[/pullquote]

Because most people trying to abuse services write programs to automate account signups, Ragan said things like CAPTCHAs, logic puzzles or other methods of fooling a bot really are effective, even if they annoy some real users. Requiring a credit card might fend off some folks who don’t want to risk paying or don’t want to cross over to the dark side of credit card fraud. Limited-use accounts could deter potential users or thwart them once they’re in, as could rate-limiting.

He also suggested a process similar to Facebook’s Immune System, which compares current activity against what’s normal at any given step in the process. We covered a similar program developed by Twitter(s TWTR) and University of California, Berkeley, researchers to identify and kill bot accounts at signup based on things such as how fast they filled out forms.

If someone takes four seconds to fill out a signup page, or starts spinning up new servers and cranking out hundreds of refer-a-friend emails immediately, you might have a bot on your hands.