CAPTCHA Solving Botnet, How Hackers Can Use Their Victims for More Than Just Computing Power

So I had an interesting idea when a friend of mine asked what a hacker could use a botnet for.

I gave the casual responses like using bots for DDoS attacks, Bitcoin mining, and perhaps ad impressions. Basically, anything that a computer can do without human interaction, a botnet can do on a larger scale.

But then I thought what if a hacker used the human part of the botnet to complete his work? What if the hacker needed humans to complete his diabolical plan? Could you really use humans to power your botnet?

I’d say you could, and what is one thing humans beat computers at?

Of course the answer would be CAPTCHAs, a system designed purely to stop spam bots from abusing services across the internet. 

 

Obligatory XKCD Comic

Image from http://xkcd.com/632/

 

It’s really a genius system when you think about it, but if you’re not aware this is how it works in simplistic terms:

reCAPTCHA is a free CAPTCHA service that helps to digitize books, newspapers and old time radio shows.

Source: http://www.google.com/recaptcha/learnmore

So basically Google has scanned images of book pages that need to be turned into plain text. The best OCR out there cannot do it, so they need humans to do it for them. But that’s expensive, and in a very innovative solution they now use sections of these book pages as an anti-bot system. So in return for blocking automated bots from abusing people’s services, Google gets endless free human OCR.

Sweet deal huh?

So sweet that services have emerged to solve these CAPTCHAs cheaply for people who run spam/bot services that need to bypass these CAPTCHAs.

Indian Labor Zone

This is a CAPTCHA solving service that charges low rates to get these roadblocks solved for anyone with PayPal, credit/debit cards, or many other payment gateways.

How do they do it? Cheap labor, and lots of it! They even force you to pay more at certain hours when their workers will be normally asleep so that they can attract more people to the night shift.

We rely on a workforce that is mostly located in South Asia and South-East Asia. The Nightshift Worker Compensation is intended to increase the amount of workers online during their nighttime, thus, increasing the overall capacity of the service. Please read here for more information.

Source: http://deathbycaptcha.com/user/faq

Not only that but they offer the service pretty cheaply, just take a look at their rates! Have 5,000 CAPTCHAs solved for only $6.95!

But I’m getting a little off topic here. The point is, humans are a much needed commodity in today’s shifty digital market. CAPTCHAs need to be solved and there are many people willing to pay money to have them solved.

So, the idea came to me that it shouldn’t be too hard to build a botnet that forces people to solve CAPTCHAs for you. Some malware convinces people to buy MoneyPak cards in order to get their computer working again, so perhaps that sort of strategy could be used? But what would be a _believable_ scenario where somebody would be forced to solve a CAPTCHA image?

I remember back to a crazy incident where Comcast (an ISP) started injecting JavaScript into pages over HTTP. This is horrific for so many reasons but it’s completely true.

Not only were they injecting JavaScript, but they were doing it with poorly made JavaScript which would no doubt break many pages that it was injected into. So we know that an ISP or two is willing to do dirty things such as this, so why wouldn’t they also force people to verify that they’re human and not abusing Comcast’s precious internet service?

Meet the Comcast Anti Abuse Service:

Hard to believe I’m not a graphic designer huh?

After some (very bad) coding in Visual Basic I made a slick proof of concept of what a CAPTCHA botnet would look like (or what I imagined it to be). This malware is not very advanced and you could easily kill it if you wanted to; the real thing, I’d imagine, could detect your ISP and serve up logos/messages accordingly. It’d be even better if it could detect if you were using a web browser and only pop up then – or better yet disable your browser until you enter in a CAPTCHA image.

Disclaimers:

  • This was not made to be ACTUAL malware, DO NOT message me and tell me it’s poorly made. I am aware, it was NOT designed to be actually used – the control panel is actually vulnerable to tons of exploitation. I am OK with this because if someone actually decides to use this software I hope that they do get hacked (no offense, but I hate removing this type of malware off of my relatives’ computers!)
  • The use of the Comcast Logo is protected under the Fair Use clause stating “the purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes;”. The ideas represented fictionally here are not those of the Comcast company as a whole. If there are any issues feel free to contact me at mandatory (at) gmail dot com. Thank you.

Even though I’ll probably regret it, I’m making the full source downloadable in case anyone wants to see more of how it works.

Click Here to Download the Full Source

To close, I’m sure there are many other ways hackers could utilize humans for their “humanity” via botnets and I think it’s an exciting area to explore.

What other problems could be solved by mass use of human labor? Not necessarily unethically with an illegal botnet but with legal ones as well?

-mandat0ry

 

 

Matthew Bryant (mandatory)
Security researcher who needs to sleep more. Opinions expressed are solely my own and do not express the views or opinions of my employer.