Quantcast

How My Botnet Defeated the Russian Hackers: Screwing with the System

Michael SchrenkIn a Defcon presentation, professional web bot developer Michael Schrenk tells an absorbing story of creating a specific botnet to gain competitive advantage.

I’ve had the opportunity to do a lot of really cool things in my career with bots, but the one thing that gave me more satisfaction than anything else I’ve ever done is the time I wrote a botnet that purchased millions of dollars with the cars and defeated the Russian hackers.

Agenda

Agenda

So, let’s have some fun with this, alright? I’m going to tell you a story that involves hacking; that involves cars – I like cars; that involves Russian hackers, which is just pretty cool; and more than anything else it involves screwing with the system, or, as I like to tell my mother, creating “competitive advantages” for clients – that’s important.

Areas of bot creation expertise: most projects not allowed to talk about

Areas of bot creation expertise: most projects not allowed to talk about

I’ve been writing bots since about 1995. I started out doing remote medicine bots, if you can believe that. I’ve been involved with privacy, fraud detection, private investigations. I’ve done work for foreign governments. And I’ve got a fair amount of my business that is with automotive clients. What makes me a little bit different than a lot of other people that write bots is that I actually talk about it. Unfortunately, the only projects I get to talk about are things that are in-house projects that I’ve been doing. It’s really rare that I get the chance to talk about a specific project that I’ve done for a client.

Some press coverage

Some press coverage

But I got permission to talk about this one, and it came about largely because when my last book was done, they approached no starch – Linux Magazine, and they said: “Can Mike write an article for us?” And I really didn’t have anything ready to write for them, so I approached this old client and I said: “Enough time has passed; it’s been, like, six years. Let me write about this for a change.” And they agreed to let me do this. But that’s really key, because when you’ve got a piece of technology that provides a “competitive advantage”, that allows you to screw with the system strategically, you don’t want to tell people about it, right? That’s your trade secret, really. So, if you want to get a little bit different view of this project, if you can pick up one of the old copies of Linux Magazine (see upper right-hand image), I write about it in a little bit different way than the way I’m presenting it here.

Underlying knowledge to be provided

Underlying knowledge to be provided

Okay, what are you going to learn? You’re going to learn what makes a good bot project. I’m going to have to give you a little bit of insight in how retail automotive works in order for this whole thing to make sense. You’re going to get an awareness of commercial bots and botnets, and they actually do exist. And I’m also going to talk a little bit about, if I were to do this again today, how I would do this differently, because keep in mind this happened six-seven years ago.

Make your bot special

Make your bot special

So, what makes a good bot project? The very first thing you need to know is that you cannot be afraid to do something different. If your company has an Internet strategy, assuming it has an Internet strategy, that just involves browsers and things you can do with a browser – you’re really missing out, because you got the whole big wide Internet available to you, and everybody uses the same tool, browser, to access it. And if you expand your scope a little bit and do things outside of the way browsers work, or do things outside of the way websites are presented to you, you can create a lot of really cool things.

Bot-wise, think big

Bot-wise, think big

How many people here have written a screen scraper? How many people have written a spider? Well, if you’ve got a client, make sure they realize that just because you know how to scrape screens and you can write a spider, it doesn’t mean you can make a copy of the Internet. I get people approaching me all the time with ideas for projects; a lot of them basically want to create a copy of the Internet.

Pursue affordable objectives

Pursue affordable objectives

So, if your project requires both batch processing and real-time results, you’ve got a problem; or if you’ve got a project that requires just ridiculous scaling, you’ve got a problem – because unless you’ve got one of these (see right-hand image) your project is going to fail. You’re not going to replicate Google unless you’ve got one of these. And after I say to clients: “You really can’t do this,” they go: “Why not?” And I say: “Well, because Google spends about a million dollars a day on electricity – that’s why.” That’s why your project is going to fail.

You don’t own the target’s server

You don’t own the target’s server

I refer to ‘targets’ as the subject server – don’t assume you own that server. For example, I had a potential client approach me a few years ago, and he wanted to monitor prices on Amazon for about 100,000 items. I thought that sounded like a really useful thing to do (this guy is a big time Amazon seller) until I found out that he wanted to do this every five seconds (see right-hand image). That’s not going to work for lots of reasons. If you did something like this, Amazon would actually have to build additional infrastructure to support your project, and you’d end up in court with what they call a “trespass to chattels suit”. You want to avoid that, it’s very illegal.

Importance of a realistic profit model

Importance of a realistic profit model

Okay, number four, and this is maybe the most important thing: you have to have a realistic profit model. You notice I’m saying “profit model”, not “business model”. Why do I say that? This is why (see left-hand image).

Profit model does matter

Profit model does matter

And if I’m showing my age here a little bit, you can look at these (see right-hand image). Myspace actually made the list twice; I think that’s pretty impressive. So, why is it important that you have a realistic profit model? Why is it that when people approach me and they want to do something, that could just as easily be done on eBay for example? This is important because the developer has to get paid. That’s very important.

Downsides of new car sales

Downsides of new car sales

About automotive retailing: just a little bit here; without this the project doesn’t make sense. New car sales are not as profitable as people think they are, even if you combine service with that, because it’s incredibly capital intensive and it’s super-super competitive. But you need to have new car sales so that you’ve got credibility if you want to sell used cars. This is particularly true if you want to sell high-end used cars; nobody wants to go to the corner of your lot for that kind of stuff.

Not only trade-ins

Not only trade-ins

The thing that I learned – I didn’t realize it, I just assumed that the used cars on a car lot were all trade-ins – well, that’s not the case. It can’t be the case because you can’t grow a business if you’re going to do that, and it’s really limiting. Car dealerships spend tons of money acquiring good used cars to put on the car lot.

Not much negotiation room

Not much negotiation room

And it’s kind of bizarre, the way it works, because you walk into a car lot and you know what the price should be for a particular car because it’s very well documented – you can go to Kelley Blue Book or any place. So dealers don’t have a lot of space to work on the final retail price, but down on the wholesale side is where the margins are made. If you’re good at buying things for a great price, that’s how you make money with used cars, and that’s what this project is about.
 

To be continued…

Read next: How My Botnet Defeated the Russian Hackers 2: The Car-Purchasing Bot

Like This Article? Let Others Know!
Related Articles:

Leave a comment:

Your email address will not be published. Required fields are marked *

Comment via Facebook: