Such botnets would be relatively easy to set up and administer if one learns the cloud provider's API (application programming interface), Hayati said. They would take less time to build than traditional botnets because cloud instances can be replicated very quickly, would be more stable because cloud instances have very good uptime, would be more effective because of the increased computing power and bandwidth available to the cloud instances, and wouldn't cost much.
"Based on our experiment, with the budget of as low as $7 and minimum hardware specification, it is possible to set up a botCloud with tens to hundreds of Cloud instances," the Stratsec consultant said. "We define 'botCloud' as a group of Cloud instances that are commanded and controlled by a malicious entity to initiate cyber-security attacks."
However, there are also disadvantages to operating such a botnet. For example, this type of botnet is probably not very resilient to takedown efforts, because cloud providers will likely shut down the offending cloud instances once they receive an abuse notification from security researchers or victims.
"Computing is becoming cheaper and cheaper and for something like $10 one can buy enough computing power to take down a small website for a few hours," Costin Raiu, director of the Global Research & Analysis Team at antivirus vendor Kaspersky Lab, said Tuesday via email. "However, it's also important to say that 'traditional' methods of infecting users with trojans are probably even cheaper and much more resilient to takedowns."
"It takes a lot of time to find a user which is infected by something like a bot from the Pandora DDoS family and convince him to clean his PC," Raiu said. "Such infections can last for weeks or for months - making them a lot cheaper than cloud computing solutions."
That said, cloud platforms can definitely be useful to launch vulnerability scans that can be followed or complemented by other attacks executed with the help of traditional botnets, Raiu said. "I believe that cloud providers should definitely look a bit more into improving the security of their configs."
"The experiment suggests that providers BAE looked at may not be prioritizing monitoring for malicious traffic and the sound implementation of security measures that you'd expect to be implemented on a corporate network," David Harley, a senior research fellow at antivirus vendor ESET, said Tuesday via email. "I can't comment on how typical these providers were. However, when and where cloud providers do implement such countermeasures, the overheads for developing a resilient malicious network are likely to increase sharply."