Setting up a Bitcoin Miner
At the Black Hat 2014 conference in Las Vegas, Rob Ragan and Oscar Salazar, penetration testers from Bishop Fox, demonstrated a technique for cloud-based bitcoin mining that cost them exactly…nothing. At this moment, one bitcoin is worth $576.57. With a hefty exchange rate like that, bitcoin mining without the need to devote massive computing resources could be quite lucrative.
It's not precisely a legitimate activity, but then, the job of a penetration tester is to hack systems in order to patch them. Ragan noted that the experiment did "violate the hell out of some terms of service." To gain access to the necessary processing power, they had to generate a huge number of unique email addresses and sign up for tons of free trial accounts. Having done so, they managed to build a fully functional bitcoin-mining botnet. According to Ragan, "This botnet doesn't get flagged as malware, blocked by web filters, or get taken over. This is the stuff of nightmares!"
Digging the Details
"We are penetration testers," said Ragan. "We've been working on this project for the last year. We showed that we definitely can build a botnet from freely available cloud services. We asked the question, is insufficient anti-automation an overlooked risk? Should it be considered a top ten vulnerability?"
"These cloud based services do many different things," said Salazar, "but the purpose is to let developers get something up and running immediately." "It cuts out all the legwork and lets you build an application as quickly as possible," added Ragan. "Platform as a service is a commodity that's in high demand. But if it's making the life of a developer easier, wouldn't it also make things easier for a malicious attacker? That's exactly what we explored."
Unlimited Email Addresses
We've all had the experience of registering for a website or service and being told the registration would be finalized when we clicked on an email link. Our doughty researchers needed a way to completely automate this process.
The session explained in detail exactly how they managed to create unlimited email accounts with realistic usernames and a wide variety of different domains. The next step was to set up automatic response for those accounts, so that they could respond to any "Click this link to confirm" email. It worked! At this point, they had a system to create unlimited unique emails with no human interaction. And they stored all the details using a free trial of cloud-based MongoDB. Yes, attendees will be able to get all the code that was used in this experiment.
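The registration flow described above is exactly what a service's anti-automation controls are meant to catch: a scripted signup confirms its email link within seconds of registering, and many such signups arrive from the same source in a short burst. The following Python example is added here and is not code from the article or from the Bishop Fox researchers; it runs two simple detection rules over constructed signup log lines (timestamp, source IP, email, event), flagging accounts that confirm implausibly fast and source addresses that register accounts in bursts. The log format, thresholds and addresses are assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample signup events (not from the article).
# Format per line: ISO timestamp, source IP, email, event (register|confirm).
SAMPLE_LOG = """\
2014-08-07T10:00:00 203.0.113.5 alice.morgan@example.net register
2014-08-07T10:00:02 203.0.113.5 alice.morgan@example.net confirm
2014-08-07T10:00:03 203.0.113.5 brian.kemp@example.org register
2014-08-07T10:00:04 203.0.113.5 brian.kemp@example.org confirm
2014-08-07T10:00:05 203.0.113.5 carla.ruiz@example.com register
2014-08-07T10:00:06 203.0.113.5 carla.ruiz@example.com confirm
2014-08-07T10:00:07 203.0.113.5 dan.wu@example.net register
2014-08-07T10:00:08 203.0.113.5 dan.wu@example.net confirm
2014-08-07T10:05:00 198.51.100.7 erin.hall@example.com register
2014-08-07T10:11:30 198.51.100.7 erin.hall@example.com confirm
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, email, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, email, kind = line.split()
        events.append((datetime.fromisoformat(ts), ip, email, kind))
    return events


def fast_confirmations(events, max_seconds=30):
    """Emails confirmed within max_seconds of registering.

    A human has to open a mailbox and click a link; a confirmation that
    lands a few seconds after registration points to a scripted responder.
    """
    registered = {}
    flagged = []
    for ts, ip, email, kind in events:
        if kind == "register":
            registered[email] = ts
        elif kind == "confirm" and email in registered:
            if ts - registered[email] <= timedelta(seconds=max_seconds):
                flagged.append(email)
    return flagged


def burst_sources(events, window_seconds=60, threshold=3):
    """Source IPs that registered more than `threshold` accounts in any sliding window."""
    by_ip = defaultdict(list)
    for ts, ip, email, kind in events:
        if kind == "register":
            by_ip[ip].append(ts)
    flagged = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until it spans at most window_seconds.
            while times[end] - times[start] > timedelta(seconds=window_seconds):
                start += 1
            if end - start + 1 > threshold:
                flagged.append(ip)
                break
    return flagged


def review_signups(text):
    """Run both rules over a log and return what each one flagged."""
    events = parse_log(text)
    return {
        "fast_confirm": fast_confirmations(events),
        "burst_ips": burst_sources(events),
    }


if __name__ == "__main__":
    for rule, hits in review_signups(SAMPLE_LOG).items():
        print(rule, hits)
```

Both rules are deliberately simple thresholds; in practice they would feed a scoring step alongside signals such as disposable-domain lists and CAPTCHA outcomes, since a single low-volume scripted signup (like the last account in the sample) passes both checks on its own.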
"At this point we can do things like DDoS, crypto-currency mining, data storage, and more," said Ragan. "As penetration testers, having a distributed botnet under our control was the goal." Having a tame botnet to launch white-hat DDoS tests against willing clients was definitely valuable.
They experimented with just what's possible when you have email addresses for an unlimited number of "friends." Many online storage systems give you additional gigabytes for successfully referring friends. Some cap the total amount you can gain this way, others don't. "We got a terabyte for free on one service," said Ragan, "which is more than you can even pay for."
At its peak, the experimental LiteCoin-mining botnet was generating about 25 cents per day per account. With 1,000 active accounts, that's $250 per day. "We didn't want to be malicious, just to show how it's done," said Ragan, "so we stopped. But we've heard of people making a lot of money in a short time. We did leave a couple accounts running for several weeks, just to see if they'd be detected. They weren't."
During the course of the experiment, a number of services revised their verification systems to defeat automatic creation of accounts. One even stated the reason was a proliferation of botnets.