Black Hat Conference Preview: Building BotNet for Free

The Black Hat Conference is an annual meetup held in Las Vegas where security-minded individuals mesh and mingle. Andy Greenberg at Wired reports that Rob Ragan and Oscar Salazar plan on showing the world how they essentially built a botnet capable of launching brute-force attacks, mining online currencies such as Bitcoin or Litecoin, or launching sophisticated attacks against other networks. The duo thought they could simply have a supercomputer at their fingertips.

Ragan and Salazar began by posing somewhat trivial questions. Traditional botnets rely on users unknowingly installing malicious software that steals their computational power. Instead of stealing the computational power with malware, why not create a script that signs you up for multiple free cloud computing trial accounts and use those resources in an attack?

Wired reports that at the Black Hat Conference, Ragan and Salazar will highlight that this technique was tested on nearly 150 cloud services. They say they won’t name the most vulnerable services, but Ragan does note that “We essentially built a supercomputer for free.” As a word of caution, Ragan goes on to say that “We’re definitely going to see more malicious activity coming out of these services.”

Ragan and Salazar will go into details about how the attack actually works. The duo used Mandrill to automate the email creation and confirmation hurdles. They built out an app on Google App Engine to help facilitate the account creation process. Using Python Fabric, they were able to manage all of their Python scripts deployed out to their botnets from one central command center.

Ragan and Salazar are ethical hackers, and they noted that at their botnet’s full capacity, they could have mined nearly $2,000 a week in cryptocurrencies without ever paying a cent in IaaS bills. Being mindful of the datacenters’ electricity bill, the pair of security researchers promptly spun down these servers, but they do note that they left a handful online to see if they were detected. Both researchers confirm that no cloud service actually found the botnet that they had created. Ragan and Salazar are scheduled to give more details on this exploit at the Black Hat Conference in Las Vegas, which takes place on August 6th and 7th.