Hackers have long used malware to enslave armies of unwitting PCs, but security researchers Rob Ragan and Oscar Salazar had a different thought: Why steal computing resources from innocent victims when there’s so much free processing power out there for the taking?

At the Black Hat conference in Las Vegas next month Ragan and Salazar plan to reveal how they built a botnet using only free trials and freemium accounts on online application-hosting services—the kind coders use for development and testing to avoid having to buy their own servers and storage. The hacker duo used an automated process to generate unique email addresses and sign up for those free accounts en masse, assembling a cloud-based botnet of around a thousand computers.

That online zombie horde was capable of launching coordinated cyberattacks, cracking passwords, or mining hundreds of dollars a day worth of cryptocurrency. And by assembling that botnet from cloud accounts rather than hijacked computers, Ragan and Salazar believe their creation may have even been legal.

“We essentially built a supercomputer for free,” says Ragan, who along with Salazar works as a researcher for the security consultancy Bishop Fox. “We’re definitely going to see more malicious activity coming out of these services.”

Companies like Google, Heroku, Cloud Foundry, CloudBees, and many more offer developers the ability to host their applications on servers in faraway data centers, often reselling computing resources owned by companies like Amazon and Rackspace. Ragan and Salazar tested the account creation process for more than 150 of those services. Only a third of them required any credentials beyond an email address—additional information like a credit card, phone number, or filling out a captcha. Choosing among the easy two-thirds, they targeted about 15 services that let them sign up for a free account or a free trial. The researchers won’t name those vulnerable services, to avoid helping malicious hackers follow in their footsteps. "A lot of these companies are startups trying to get as many users as quickly as possible," says Salazar. "They’re not really thinking about defending against these kinds of attacks."

The Caper

Ragan and Salazar created their automated rapid-fire signup and confirmation process with the email service Mandrill and their own program running on Google App Engine. A service called FreeDNS.afraid.org let them create unlimited email addresses on different domains; to create realistic-looking addresses they used variations on actual addresses that they found dumped online after past data breaches. Then they used Python Fabric, a tool that lets developers manage multiple Python scripts, to control the hundreds of computers over which they had taken possession.

One of their first experiments with their new cloud-based botnet was mining the cryptocurrency Litecoin. (That second-most-used cryptocoin is better suited to the cloud computers’ CPUs than Bitcoin, which is most easily mined with GPU chips.) They found that they could produce about 25 cents per account per day based on Litecoin’s exchange rates at the time. Putting their entire botnet behind that effort would have generated $1,750 a week. “And it’s all on someone else’s electricity bill,” says Ragan.

Ragan and Salazar were wary of doing real damage by hogging the services’ electricity or processing, however, so they turned off their mining operation in a matter of hours. For testing, however, they left a small number of mining programs running for two weeks. None were ever detected or shut down.

Aside from Litecoin mining, the researchers say they could have used their cloudbots for more malicious ends—like distributed password-cracking, click fraud, or denial of service attacks that flood target websites with junk traffic. Because the cloud services offer far more networking bandwidth than the average home computer possesses, they say their botnet could have funneled about 20,000 PCs-worth of attack traffic at any given target. Ragan and Salazar weren’t able to actually measure the size of their attack, however, because none of their test targets were able to stay online long enough for an accurate reading. “We’re still looking for volunteers,” Ragan jokes.

More disturbing yet, Ragan and Salazar say targets would find it especially tough to filter out an attack launched from reputable cloud services. “Imagine a distributed denial-of-service attack where the incoming IP addresses are all from Google and Amazon,” says Ragan. “That becomes a challenge. You can’t blacklist that whole IP range.”

Law-Abiding Citizens

Using a cloud-based botnet for that kind of attack, of course, would be illegal. But creating the botnet in the first place might not be, the two researchers argue. They admit they violated quite a few companies’ terms of service agreements, but it’s still a matter of legal debate whether such an action constitutes a crime. Breaking those fine print rules has contributed to some prosecutions under the Computer Fraud and Abuse Act, as in the case of the late Aaron Swartz. But at least one court has ruled that breaking terms of service alone doesn't constitute computer fraud. And the majority of terms of service violations go unpunished—a good thing given how few Internet users actually read them.

Ragan and Salazar argue that regardless of legal protections, companies need to implement their own anti-automation techniques to prevent the kind of bot-based signups they demonstrated. At the time of their Black Hat talk, they plan to release both the software they used to create and control their cloudbots, as well as defense software they say can protect against their schemes.

Other hackers, after all, haven’t been as polite as Ragan and Salazar in their cloud computing experiments. In the time the two researchers spent probing the loopholes in cloud computing services, they say they’ve already seen companies like AppFog and Engine Yard shut down or turn off their free option as a result of more malicious hackers exploiting their services. Another company specifically cited botnets mining cryptocurrency as its reason for turning off its free account feature.

“We wanted to raise awareness that’s there’s insufficient anti-automation being used to protect against this type of attack,” says Ragan. "Will we see a rise in this type of botnet? The answer is undoubtedly yes.”