DEFCON 21. “How my Botnet earned millions of dollars selling cars and defeated Russian hackers”

Thank you for coming to listen to my talk. I will tell you some cool things about my career, my bots and the botnet system, which brought me more satisfaction than anything else: for example, how the bot I wrote allowed me to earn millions of dollars in car trading and defeat Russian hackers. I'll tell a story that includes hacking, cars (I like cars), Russian hackers, how I cracked a system, and much more.

I like to tell my mother that I create competitive advantages for clients that make it easier for them to get loans. I started writing bots back in 1995 for remote testing of a medical network, then researched information privacy violations and network fraud, carried out private investigations, worked for foreign governments and so on. I had a lot of business with clients involved in the car trade, which somewhat distinguishes me from the rest of the hacker bot-writers. I can talk about it so freely because I have my clients' permission to disclose information on these projects.

These stories are described in my latest book and in the December 2012 issue of Linux magazine, and they deal with Internet attack technology. Six years have passed since then, and I finally got the opportunity to write about it. This is interesting, because botnet technology gives you the opportunity to gain a competitive advantage in business and make a strategic penetration into a system. You do not want to tell anyone about this, because it is your trade secret. So if you want to look at it from a different perspective, read the old issues of the Linux magazine; I write there a little differently than I will speak today.

So, the first thing you start with is learning how to create a good bot project. I will tell you about this using the example of a bot for a car sales network. Then you should understand the commercial value of a BOTNET and bots; just keep in mind that this was 6-7 years ago. The first thing you should know if you want to create a really good bot is that you should not be afraid to do something different, to use a slightly different approach. If your company has an Internet strategy based on the leading role of browsers, that is not enough for success. Everyone has browsers; everyone works with the Internet through a browser. You need to look at things more broadly, to see from the outside how browsers and sites work, and then you can create really cool things.

How many of those present here have written “screen-scrapers” (programs that use data displayed on the screen by other programs)? A lot! How many of you have written spider programs? Many! So, know that even if you can do this, it is not enough to make a copy of the entire Internet! I was periodically approached by people with ideas on how to make a copy of the Internet, so keep in mind: if your project simultaneously requires batch processing of data and obtaining results in real time, you will have a problem. Or if your project requires scaling to huge data arrays, you will also have problems. If your project has such requirements, it is doomed to failure. It's like trying to make a copy of Google. When customers ask me why Google can't be repeated, I reply: “because Google spends a million dollars a day on electricity, that's why!”

So, if the client offers you a server to work on, do not think that this server belongs to you. Let me give you an example: a few years ago I had a client who wanted to track changes in Amazon prices for about 100 thousand items. I thought this guy was just a solid Amazon seller who wanted to keep abreast of price changes for goods. But when I found out that he wanted to do this every 5 seconds, I abandoned the project, because it is not possible to update such an array of data at such short intervals. If you try to do this, know that you would need to build a special network structure in which you effectively copy all of Amazon. So beware of dealing with customers who make such suggestions, because it is also against the law.

Next, you should have a realistic profit model, not just a regular business model, for example, trading on eBay. This is very important, because you are paid by a client who needs a specific result, not general methods.

And now about the car trade. This is an important example for understanding how to write a good bot. Trading cars is not as profitable as it seems. Selling new cars means fierce competition, requires large investments and is not very profitable. So if you trade in new cars, you must have a proven track record and the trust of the client, and if you sell used cars, these qualities come first.

The main thing I understood when dealing with trade-in problems is that there are very few people who really earn big money selling used cars. And if you do not develop your business, you will be lost. Prices for used cars are well known, so there is very little room for price maneuvers in this market. All prices for new cars, five-year-old cars and so on can be found in the Kelley Blue Book almanac. From it you can find out how much your car costs and for how much it can be sold. So the seller can only manipulate the purchase price, not the sale price: the seller must buy the car from the owner as cheaply as possible in order to profit on resale thanks to the low price at the start.

Customers come to me asking me to find a site where you can cheaply buy a really good car, for example, a former fleet or rental car about 2 years old with 12 to 16 thousand miles on it. Unfortunately, due to heavy competition and poor web design, they are unable to buy the cars they want. Hundreds of dealers in this sales chain want the exact same cars, and the design of car sales sites is so terrible that you can't buy anything.

Every day, two to three hundred cars are put up for sale; each is displayed on the site as a photograph with a brief description of its characteristics. And the Buy Now button under this announcement is not active! The time of sale is exactly the moment while the button is in this state: very little time passes before the button becomes active.

What does the client do? He sits in front of the computer screen and periodically refreshes the browser page by hand until the button becomes active, so as not to miss the right moment and to have time to buy the car before a competitor does.

This leads to another problem: server delays. My client has to involve as many assistants as possible in the car buying process, who also sit and press the F5 key, refreshing the page every second.

Imagine that he managed to find six more people who are also involved in the purchase process. Suppose you need to buy 6 cars. This means that everyone will have 6 pages open in a browser at the same time, one for each car, and they all sit and periodically click the refresh button.

Let 750 dealers follow the sale at the same time. So we have 6 × 6 = 36, and 36 × 750 = 27,000 requests arriving at the server at the same time. And at the most crucial moment of the purchase, when you need it least, a peak of delays occurs on the server, which coincides with the click on the Buy Now button. This delay can be 30 seconds, until the page finally refreshes and you succeed or fail to complete the purchase of the car. Sometimes you never manage to press the button first, and someone else becomes the buyer. This is a really serious problem.

The next problem is competition. Let's say 200 cars are offered for sale every day, of which 5 are cars every car dealer in the country would like to buy, because they have the right color, a great price, or for some other reason. So each dealer wants to buy the same cars, and a competition ensues between dealers.

This is what attempts to buy the same car look like when requests come from different parts of the country. Add to that server delays, disgusting website designs and more. That's why people call us and ask whether a network bot can help them in this matter.

They say, “Mike, can you help me? Just look at that.” So we have two problems: it takes too much manual labor, and the active Buy button takes too long to appear on the screen.

You have to manually scroll through the page to find the right car, look up the VIN numbers of the cars, sometimes even call the seller of the car to find out the details you are interested in. So choosing a car may take you 15-20 minutes. Pounding the page refresh key all day is not much fun either. Plus, the Buy button does not appear on the screen immediately, which is due to server delays.

Solving the problem consists of two stages. I note that the bot has an unusual design, because this happened 6 years ago, and I no longer use such solutions now.

This is what the interface of my bot looks like. It consists of four HTML lines, each intended for one client. This bot runs on the BOTNET network and starts working simultaneously on all the computers that we control. No, it's better to say “that belong to us”; that makes a difference, doesn't it? All the commercial bots that I wrote worked only on our own hardware, that's true. The bot client communicates with the bot server, and the latter communicates with the server of the target site.

So, my client dispensed with the services of all these people refreshing pages; he launched the bot on several of his computers, chose a username and logged into the account. Then he entered the VIN number of the car that he was going to buy and checked whether the car with that number was legally for sale. When you use a bot, it does not do what a normal person sitting at a computer does, and this bot behavior attracts attention.

For example, if the bot did not check the VIN, the store administrator might wonder why this user skips that action while a lot of traffic comes from his IP, and could block my client.

After the number was checked in the bot window, a counter appeared next to the VIN line showing how many seconds remained before buying the car, since the bot synchronized its internal clock with the clock of the selling server. Thanks to this synchronization, the less time that remained before the button had to be pressed, the faster the page was refreshed. And when the time reached 0, the bot gave the bot server the command to buy the selected car.

The bot acted as a trigger for the bot server, initiating the fastest possible purchase. Sometimes we missed our chance, but more often the message "Purchase successful" appeared on the screen.

After that, a purchase confirmation was sent to my client's address, and this served as the basis for paying for the car.

Here is the diagram showing the number of unsuccessful and successful purchases before and after using the BOTNET: the number of successful purchases increased from 0 to 99%.

The success was simply phenomenal. I called my customers 15-20 minutes after the announcement of the sale on the site, and they said: "Mike, today I bought 5 of the 6 cars that I wanted to buy!" Or 7 out of 7, or 9 out of 12. And I answered them: "Do not tell anyone about this; do not kill the chicken that lays the golden eggs." Why did our bot ensure success?

Because people caused server delays by periodically refreshing pages until the button became active. As a result, the buyer was whoever managed to click the Buy button earlier than the others. The buying process turned into a real lottery.

Our bot made the counter display the real time that remained until the activation of the Buy button, analyzing the activity of other customers and the server's capacity. It instantly sent the “click the button” command as soon as the button became active on the site.

A bot of this type is commonly called a “sniper.” Once I was about to write my client an email saying that this morning my snipers were going to hit 6 cars, or kill them, I don't remember. But then I realized that it's better not to send such a text by mail, but just to call him on the phone. Or not call at all. In general, in our business we need to watch our language.

We continue our story. One of my clients was successful for 6 months, and then lost 50% of his profit: he was able to buy only 2 out of 7 cars, because the connection between his computer and the server was constantly being dropped. It turned out that a group of Russian hackers, hired to write a competing bot program and based somewhere outside New Jersey, was to blame. So competition is always good; it's like an arms race that provokes innovation in Botnet networks.

Consider the second part of the solution to the problem. I will tell you how the bot works and why it is synchronized with the sales server's clock. It calculates the delay time by counting how many users are working in the system.

Each bot client makes the bot server attempt to buy the car many times, about 5-7 attempts per second. Each attempt occurs a little earlier than the actual time of sale and is based on the calculation of system delays. And it really brings success.
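The behavioural tells mentioned above and a little earlier (a client that skips the VIN check before buying, a lot of traffic from one IP, 5-7 attempts a second against roughly one F5 per second by hand, and attempts fired before the sale actually opens) are exactly what the marketplace operator could look for in its own access logs. The following is an added example, not code from the talk or from the site: a Python detector run over a constructed log sample, where the log format, URL paths, sale-open time and thresholds are all assumptions.

```python
"""Flag buyers whose traffic looks automated, from constructed access logs.
Added example (not the talk's code); log format, paths, sale-open time and
thresholds are assumptions drawn from the talk's figures (F5 about once a
second by hand, 5-7 bot attempts a second, attempts before the sale opens).
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <client ip> <request path>"
SAMPLE_LOG = """\
2013-08-02T09:00:00.000 10.0.0.5 /listing/42
2013-08-02T09:00:01.100 10.0.0.5 /listing/42
2013-08-02T09:00:02.050 10.0.0.5 /vin-check?vin=VINPLACEHOLDER
2013-08-02T09:00:03.000 10.0.0.5 /buy?listing=42
2013-08-02T09:00:00.000 10.0.0.9 /listing/42
2013-08-02T09:00:00.150 10.0.0.9 /listing/42
2013-08-02T09:00:00.300 10.0.0.9 /listing/42
2013-08-02T09:00:00.450 10.0.0.9 /listing/42
2013-08-02T09:00:00.600 10.0.0.9 /listing/42
2013-08-02T09:00:00.900 10.0.0.9 /buy?listing=42
"""
SALE_OPENS = datetime(2013, 8, 2, 9, 0, 1)   # assumed server-side sale time
WINDOW = 1.0       # seconds of sliding window per client
RATE_LIMIT = 3     # requests per WINDOW; F5 by hand stays near 1/s (assumed)

def parse(log):
    for line in log.splitlines():
        ts, ip, path = line.split()
        yield datetime.fromisoformat(ts), ip, path

def flag_clients(log, sale_opens=SALE_OPENS):
    """Return {ip: set(reasons)} for clients showing bot-like behaviour."""
    reasons = defaultdict(set)
    recent = defaultdict(deque)        # ip -> timestamps inside WINDOW
    checked_vin = set()                # ips that did a VIN check before buying
    for ts, ip, path in parse(log):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > WINDOW:
            q.popleft()
        if len(q) > RATE_LIMIT:
            reasons[ip].add("burst")
        if path.startswith("/vin-check"):
            checked_vin.add(ip)
        elif path.startswith("/buy"):
            if ip not in checked_vin:
                reasons[ip].add("buy-without-vin-check")
            if ts < sale_opens:
                reasons[ip].add("buy-before-open")
    return dict(reasons)
```

The human at 10.0.0.5 refreshes about once a second, checks the VIN and buys after the sale opens, so it is not flagged; the client at 10.0.0.9 trips all three rules.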

Thus, if before that the client bought about half of the cars, with our bot the figure approached 100%. How successful was this bot? We used it for 40 weeks; every week 20 cars were bought, about 5 per day, for a total of 800 cars. Each car cost about $16 thousand, so in total our customer made purchases of $12.8 million. This is a great achievement for a small dealer like ours.

I gave you an example that shows how important a Botnet can be to a business. You only need to abandon the traditional ways of using the browser and look at the problem in a different way, trying to solve it from the outside rather than inside the usual framework.

What would I change today if I needed to solve a similar problem? My bot should be even more successful than expected. It should be a very “lightweight” software client, literally one page of JavaScript code. It should be easy to update and spread quickly across the network. Next, I have to build analytics and collect metrics that characterize the work of my bot. I must know exactly what I owe my success to; I must know exactly how many cars were sold thanks to the bot client.

I have to help the client in the process of choosing a car. I have to look into the Kelley Blue Book almanac and track the market prices for cars that interest my client. Next, I have to modify the HTML code to create a Buy button inside the bot server, which acts as a proxy server. Only then can I make a purchase before the others using the real Buy button on the site page.

The car sales website in the example used standard HTML code that is easily emulated with simple PHP/cURL scripts.

Modern sites are much more complex: they use a lot of JavaScript, AJAX modules, background data exchange between the browser and the web server, complex forms and so on. So today it would be much more difficult to solve such a problem.

For example, the desired car must be recorded via the web interface in the form of a task queue, which is sent to the bot server.

This queue is served by individual computers that I call Harvesters, “harvesting machines” or “reapers.” They can be located anywhere: in data centers, in offices, in the cloud, if you use virtual technology for storing and processing data.

For their work, special iMacros software modules are used, which constantly work with your browser, for example Firefox. Do any of you use iMacros? This is an amazing tool that records and replays the user's actions, as if a living person were sitting at the computer.

The Reapers dynamically create these iMacros, and after the task is completed, they contact the bot server, which updates the Task Queue, and the process continues. If you are interested in the details of this technology, see my talk at the DEFCON 17 conference, where I talked about how all these iMacros work, how to use “screen-scrapers” on different sites and many more useful things.
