LAS VEGAS—At the RSA security conference in March, security researchers from Bishop Fox detailed how it's possible to build a botnet out of free cloud resources. In a session at the Black Hat USA conference here, Bishop Fox is revisiting that topic in more detail and with a specific goal in mind—to stop others from being able to build their own cloud botnet.
In an interview with eWEEK, Rob Ragan, senior security associate at Bishop Fox, explained that his team has now developed a defensive framework based on the techniques he used to build his own cloud botnet.
The cloud botnet idea is relatively straightforward. The primary purpose of the cloud is to be able to use scalable infrastructure on a metered basis. Many cloud providers offer free trial accounts and services in a bid to attract new users, and Ragan and his team were able to take advantage of such free trials across multiple vendors to build out a cloud that could be leveraged as a botnet.
Ragan didn't just create new accounts manually one-by-one, but rather built automation tools that helped to enable the rapid creation of new accounts. For many of the cloud providers, an email address was all that was needed to create an account.
Further reading
Some providers have anti-automation tools in place, things like the use of CAPTCHA to prevent automated account creation. However in some cases, Ragan found that it was possible to bypass the cloud vendors' anti-automation tools.
Two-thirds of the services Ragan looked at used only email verification as a form of identification to grant a trial account, he said. With his team's tools, Ragan was able to create an unlimited number of unique email addresses, showing that that form of verification won't stop the creation of a cloud botnet.
To help organizations identify their anti-automation shortcomings, Ragan and his team have developed what he's calling an "anti-anti-automation" framework. The framework will include a collection of tools to help organizations identify risks, he said.
"There are techniques that can be used to bypass email verification, and there also techniques to bypass CAPTCHAs," Ragan said. "There are also ways to automate and bypass phone and SMS verification."
Ragan added that there are mechanisms for subverting credit card verification, which is also used by some cloud vendors.
"We wanted to have a framework that is a single repository of tools and techniques to access the security of anti-automation technologies," Ragan said.
The code is set to be made publicly available on the Bishop Fox Github site, and the idea is to have it be open for enhancements and contributions.
Overall, Ragan wants organizations to be aware of the techniques that attackers can employ to bypass anti-automation. "Attackers will always find ways to automate a process, but it's up to businesses to make sure they are making it difficult for attackers—to reduce their motivation," he said. "The idea is to make it cost more than it's worth for an attacker to automate the process of leveraging lots of free accounts."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
Research Assistant
