
Conference DEFCON 21. "How my botnet earned millions of dollars in car sales and defeated Russian hackers"

Thank you for coming to listen to my presentation. I will tell you a few cool things about my career, my bots and botnet system, which brought me more satisfaction than anything else. For example, that the bot I wrote allowed me to earn millions of dollars in car sales and defeat Russian hackers. I will tell a story that includes hacking, cars (I love cars), Russian hackers, a story about how I hacked the system, and many more interesting things.

I love to tell my mom that I create competitive advantages for clients, making it easier for them to get loans. I started writing bots back in 1995 to remotely test a medical network; I investigated breaches of confidentiality of information and network fraud, carried out private investigations, worked for foreign governments, and so on. I had a lot to do with customers involved in the car trade, which sets me a bit apart from the rest of the hackers who write bots. I speak about it so freely because I have permission from clients to disclose information on these projects.

These stories are described in my latest book and in the Linux magazine, in the December 2012 issue, they relate to the technology of Internet attacks. 6 years have passed since then, and I finally got the opportunity to write about it. This is interesting because the botnet technology gives you the opportunity to gain a competitive advantage in business and make strategic penetration into the system. You do not want to tell anyone about this, because this is your trade secret. Therefore, if you want to look at it from a different point of view, read old copies of the Linux journal. I write there a little differently than I will tell you today.
So, the first thing you start with is learning how to create a good bot project. I will explain this using the example of a bot for a car sales network. Then you need to realize the commercial value of BOTNET and bots; just keep in mind that this was 6-7 years ago. The first thing you need to know if you want to create a really good bot is that you shouldn't be afraid to do something different; you should use a slightly different approach. If your company has an online strategy based on the leading role of browsers, this is not enough for success. Browsers have everything, everyone works with the Internet through a browser. You need to look at things more widely, to see from the outside how browsers and websites work, and then you can create really cool things.

How many of those present here have written "screen-scrapers" (programs that use data displayed on the screen by other programs)? A lot! And how many of you have written software spiders? Too much! So, know that even if you can do that, it is not enough to make a copy of the entire Internet! People periodically approached me with ideas on how to make a copy of the Internet, so please note - if your project requires batch processing and real-time results at the same time, you will have a problem. Or if your project requires scaling of data arrays, you will also have problems. If your project has such requirements, it is doomed to failure. It's like trying to make a copy of Google. When customers ask me why Google cannot be repeated, I answer: “because Google spends a million dollars a day on electricity, that’s why”!

So, if a client offers you a server for work, do not think that this server belongs to you. Let me give an example: a few years ago I had a client who wanted to track price changes on Amazon for about 100,000 items. I thought that this guy was just a solid seller on Amazon who wanted to be aware of price changes for goods. But when I found out that he wanted to do this every 5 seconds, I turned the project down, because it is impossible to update such an array of data at such short intervals. If you try to do this, know that you will need to build a special network structure where you have to copy the entire Amazon. So beware of dealing with customers who make such offers, because it’s also illegal.

Next, you should have a realistic profit model, rather than a regular business model. For example, for trading on eBay. This is very important, because you are paid by a client who needs a specific result, and not general methods.

And now about the car trade. This is an important example for understanding how to write a good bot. The car trade is not as profitable as it seems. The sale of new cars faces the most severe competition, requires large capital investments and is not very profitable. Therefore, if you are selling new cars, you must have a proven reputation and customer confidence, and if you sell used cars, these qualities should come first.

The main thing that I understood when dealing with trade-in problems is that there are very few people in the used car trade who really earn big money on it. And if you do not develop your business, you will be lost. Prices for used cars are well known, so there is too little room for price maneuvers in this market. All prices for new cars, five-year-old cars and so on can be found in the Kelley Blue Book almanac. From it you can find out how much your car costs and for how much you can sell it. Therefore, the seller can only manipulate the purchase price, not the sale price. The seller must buy the car from the owner as cheaply as possible, so as to make a profit at resale thanks to the low starting price.

Customers come to me with a request to find a site where you can cheaply buy a really good car. For example, a privately owned or rental car, 2 years old, with mileage from 12 to 16 thousand miles. Unfortunately, due to the heavy competition and bad web design, they are unable to buy the cars they want. Hundreds of dealers in this sales chain want the same cars, and the design of car sites is so terrible that you cannot buy anything.

Every day, two or three hundred cars are put up for sale, which are displayed on the website as a photo with a brief description of the characteristics. And the "Buy Now" button under this ad is not active! This is the time of the sale, while the button is in this state. It takes quite some time, and the button becomes active.





What does the client do? He sits in front of the computer screen and periodically manually refreshes the browser page until the button becomes active, so as not to miss the right moment and have time to buy a car before the competitor does.

This leads to another problem - server delays. My client should involve as many assistants as possible in the car buying process, who will also sit and click the F5 key, refreshing the page every second.



Imagine that he managed to find six more people who are also involved in the buying process. Suppose you need to buy 6 cars. This means that all 6 pages in the browser will be open at the same time, each with its own car. And they all sit and periodically click a button, refreshing the browser.



Suppose 750 dealers are watching the sale at the same time. So, we have 6 x 6 = 36, and 36 x 750 = 27,000 requests that hit the server at the same time. And at the crucial moment of purchase, when you need it least, a peak of delays occurs on the server, which coincides with the click on the “Buy Now” button. And this delay can be 30 seconds, until the page is finally refreshed and you succeed or fail in purchasing the car. Sometimes you never manage to press the button first, and someone else becomes the buyer. This is really a serious problem.





The next problem is competition. Suppose 200 cars are offered for sale every day, of which 5 cars will be bought for every car dealer in the country, because they have the right color, a great price or for some other reason. So, each dealer wants to buy the same cars, and competition arises between dealers.



This is how attempts to buy the same car look like when applications are received from different parts of the country. Add to this the server delays, the disgusting design of sites and so on. That is why people call us and ask if the network bot can help them in this matter.



They say: “Mike, can you help me? Just take a look at this.” So, we have two problems: too much manual labor is required, and the active “Buy” button takes too long to appear on the screen.

You have to manually scroll the page to find the car you need, look up the VINs of the cars, sometimes even call the car dealer to find out the details you are interested in. Therefore, choosing a car can take you 15-20 minutes. Hitting the refresh button all day is also little fun. Plus, the "Buy" button does not appear on the screen immediately, which is due to server delays.

Problem solving consists of two stages. I note that the bot has an unusual design, because it happened 6 years ago, and now I no longer use such solutions.

Here is the interface of my bot. It consists of four HTML-lines, each is designed for 1 client. This bot runs on the BOTNET network and starts working simultaneously on all the computers we control. No, it is better to say this: “which belong to us,” there is a difference in this, isn't it? All the commercial bots I wrote only worked on our own hardware, that’s true. The bot client communicates with the bot server, and the bot communicates with the server of the desired site.



So, my client dismissed all these people who were refreshing the pages, launched the bot on several of his computers, chose the user name and logged in to the account. Then he entered the VIN of the car that he was going to buy and checked whether the car with that number that was put up for sale was legal. When you use a bot, it does not do what an ordinary person sitting at a computer does. This behavior of the bot attracts attention.



For example, if the bot did not check the VIN, the store administrator might be interested in why the user avoids this action despite the fact that there is a lot of traffic coming from his IP and could block my client.

After checking the number in the bot window, a counter appeared next to the VIN line, which showed how many seconds were left before buying the car, as the bot synchronized its internal clock with the clock of the sales server. The less time left before pressing the button, the faster the page was updated due to this synchronization. And when the time reached 0, the bot gave the bot server a command to buy the selected car.



The bot acted as a trigger for the bot server, initiating the fastest purchase. Sometimes we missed our chance, but most often the inscription “Purchase is successful” appeared on the screen.



After that, the confirmation of the purchase came to the address of my client, and this served as the basis for paying for the car.



Here is a diagram that shows the number of unsuccessful and successful purchases before and after using BOTNET - the number of successful purchases increased from 0 to 99%.



The success was simply phenomenal. I called my customers 15-20 minutes after the announcement of the sale on the site, and they said: “Mike, today I bought 5 of 6 cars that I wanted to buy”! Or 7 of 7, or 9 out of 12. And I answered them: “don't tell anyone about it, don't kill the goose that lays the golden eggs”. Why did our bot provide success?

Because people caused server delays, periodically updating pages until the button becomes active. As a result, the buyer was the one who managed to click on the "Buy" button before the others. The buying process turned into a real lottery.



Our bot made the counter display the real time that remained until the “Buy” button was activated, analyzing the activity of other customers and the server’s power. It instantly sent the command “press the button” as soon as the button became active on the site.



A bot of this type is usually called a "sniper." Once I was about to write an email to my client that this morning my snipers were going to hit 6 cars, or, I don’t remember, kill them. But then I realized that it was better not to send such a text by mail, but simply to call him by phone. Or not call at all. In general, in our business you need to watch your language.

We continue our story. One of my clients was successful for 6 months, and then lost 50% of the profits - he was able to buy only 2 of 7 cars, because the connection of his computer to the server was constantly cut off. It turned out that the culprit was a group of Russian hackers who were hired to write a competing bot program, and they were somewhere outside of New Jersey. So, competition is always good; it’s like an arms race that provokes innovations in botnets.

Consider the second part of the solution. I will tell you how the bot works and why it synchronizes with the sales server clock. It calculates the delay time, counting how many users are working in the system.



Each bot client causes the bot server to make many attempts to buy a car, about 5-7 attempts per second. Each attempt takes place a little before the actual time of sale and is based on the calculation of system delays. And it really brings success.

Thus, if before the client bought about half of the cars, with our bot the figure was close to 100%. How successful was this bot? We used it for 40 weeks, every week we bought 20 cars, about 5 a day, so a total of 800 cars were bought. Each car cost about $16 thousand, so in total our client made purchases for $12.8 million. This is a very big achievement for such a small dealer as ours.

I gave you an example from which you can see how important BOTNET is for business. You just need to abandon the traditional ways of using the browser and look at the problem in a different way, try to solve the problem outside, and not inside the usual framework.





What would I change today if I needed to solve a similar problem? My bot should be even more successful than expected. This should be a very "lightweight" software client, literally one page of JavaScript code. It should be easily updated and spread quickly over the network. Next, I have to build analytics and collect metrics describing the work of my bot. I must know exactly what I owe my success to, I must know exactly how many cars were sold thanks to the bot client.

I have to help the client in the process of choosing a car. I have to look at the Kelley Blue Book almanac and track the market prices for cars of interest to my client. Next, I have to modify the HTML code to create a "Buy" button inside the bot server, which acts as a proxy server. Only then will I be able to make a purchase earlier than the others, using this “Buy” button on the website page.

The website selling cars in the example used standard HTML code that is easily emulated and submits to simple PHP / cURL scripts.



Modern websites are much more complicated: they use many JavaScript modules, AJAX, background browser data exchange with a web server, complex forms, and so on. Therefore, today it will be much more difficult to solve this problem.



For example, the desired car must be recorded via the web interface as a Task Queue task sequence, which is sent to the bot server.



This sequence depends on the individual computers, which I call Harvester, “harvesting machines,” or “reapers.” They can be located anywhere - in data centers, in offices, in the clouds, if you use a virtual storage technology and data processing.



For their work, special iMacro software modules are used that will constantly work with your browser, for example, Firefox. Do any of you use iMacro? This is an amazing tool that copies and reproduces user actions, as if a real person was sitting at a computer.



The reapers dynamically create these iMacro, and after the task is completed, they contact the bot server that updates the Task Queue, and the process continues. If you are interested in the details of this technology, see my report at the DEFCON 17 conference, where I told you how all these iMacro work, how to use screen-scrapers on different sites and many more useful things.
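The talk names three traits of the sniper bot that are visible from the sales server's side: purchase attempts sent a little before the sale opens, 5-7 attempts per second, and a skipped VIN check. The following is an added example, not from the talk or the speaker's code, showing how a site operator could flag those traits in request logs; the log format, account names, action names and the burst threshold are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

MAX_BUYS_PER_SECOND = 3  # assumed threshold; the talk cites 5-7 attempts per second
OPEN = datetime.fromisoformat("2013-08-01T10:00:00")
SALE_OPENS = {"VIN0001": OPEN}  # constructed: VIN -> moment "Buy Now" activates

def parse(line):
    """Parse one constructed log line: '<iso-time> <account> <action> <vin>'."""
    ts, account, action, vin = line.split()
    return datetime.fromisoformat(ts), account, action, vin

def flag_accounts(lines, sale_opens):
    """Return {account: sorted reasons} for accounts showing sniper-bot traits."""
    checked = set()         # (account, vin) pairs that performed a VIN check
    per_second = Counter()  # (account, vin, whole second) -> number of buy requests
    reasons = defaultdict(set)
    for ts, account, action, vin in sorted(map(parse, lines)):
        if action == "vin_check":
            checked.add((account, vin))
        elif action == "buy":
            if ts < sale_opens[vin]:
                reasons[account].add("buy_before_open")
            if (account, vin) not in checked:
                reasons[account].add("buy_without_vin_check")
            per_second[(account, vin, ts.replace(microsecond=0))] += 1
    for (account, _vin, _second), count in per_second.items():
        if count > MAX_BUYS_PER_SECOND:
            reasons[account].add("buy_burst")
    return {account: sorted(r) for account, r in reasons.items()}

def sample_log():
    """Constructed sample: one manual buyer, one sniper, one client skipping the check."""
    lines = [
        "2013-08-01T09:55:00.000 dealer_human vin_check VIN0001",
        "2013-08-01T10:00:02.500 dealer_human buy VIN0001",
        "2013-08-01T09:50:00.000 dealer_sniper vin_check VIN0001",
        "2013-08-01T10:00:03.000 dealer_skip buy VIN0001",
    ]
    start = OPEN - timedelta(seconds=1)  # sniper starts firing just before opening
    for i in range(12):                  # about 6 requests per second
        ts = start + timedelta(milliseconds=166 * i)
        lines.append(f"{ts.isoformat(timespec='milliseconds')} dealer_sniper buy VIN0001")
    return lines

if __name__ == "__main__":
    for account, why in flag_accounts(sample_log(), SALE_OPENS).items():
        print(account, why)
```

The sniper account is flagged even though it performed the VIN check, because the timing signals do not depend on it; the manual buyer is not flagged.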



Source: https://habr.com/ru/post/351762/

