Bank-attack malware turns power of Amazon's cloud to the dark side, again

Brazilians, others use Amazon to distribute, control SpyEye malware

Gangs of botnet drivers and other cybercriminals are using Amazon's cloud platform as a distribution hub for malware and as a command-and-control mechanism for the computers their malware infects, according to reports from Kaspersky Labs.

A rootkit called SpyEye that is designed for attacks on online banking services was spotted on Amazon's cloud by Kaspersky researchers in early June. Kaspersky analyst Dmitry Bestuzhev wrote that the malware was uploaded by a gang from Brazil, which was using Amazon's infrastructure to spread the trojan and to control it.

Two days later Amazon had the links to the operation shut down.

As of Friday, SpyEye and the Brazilians were back, and had been for weeks, this time using Amazon's Simple Storage Service as a control mechanism.

Kaspersky posted a graph showing the consistent, heavy exploitation of Amazon cloud resources for SpyEye during the past several weeks.

It's not the first time Amazon has been used as a platform for cybercrime.

In 2009 botnet drivers ran command and control on an earlier SpyEye variant from Amazon's cloud; in May, hackers attacking Sony used Amazon as a jumping off point.

Last year Amazon servers were so heavily infected with the Zeus Trojan, Amazon had to distribute to customers instructions on how to clean Zeuss -- which Symantec called 'The King of Crimeware' – from their virtual infrastructures.

Amazon's efforts to keep its cloud clean are largely successful, but sometimes overzealous – banning legitimate users and code due to false positive malware readings and a tendency not to investigate too much before acting.

Overall that's an indication that the cloud will be no cleaner than any other environment humans have colonized.

The potential for much greater efficiency in automated malware and cyberattacks makes the use of public clouds much more potentially dangerous than typical malware seed sites, though.

During the past half year the volume of spam on the Internet has dropped drastically, while the incidence of malware, spear phishing and specifically targeted penetration attacks has also risen drastically.

They easy-to-increase power and capacity of cloud platforms isn't to blame for the increase, of course.

But criminals can see the same advantages in cloud legitimate users do, and exploit those advantages at least as effectively, especially automating and adding compute power dynamically to increase the effectiveness of short-term attacks.

That raises the stakes for companies trying to defend themselves against attacks, and law enforcers trying to stop them.

It's overdramatic to compare the migration of cybercrime to the cloud in terms similar to the movement of street criminals toward automatic weapons, because even the worst bit of malware doesn't put holes in its victims.

As a metaphor, though, it's accurate enough. Better tools make quicker work, whether it's bullets or DDOS attack commands you're firing off.

Automating malware gives hackers the ability to attack a single site far more often and in more ways than they could manage on their own.

Conveniently available, easy-to-access pay-by-the-drink compute power and storage just increases the size of that multiplier and makes the potential of a long-term effective defense seem even more remote.

Top 10 Hot Internet of Things Startups
Join the discussion
Be the first to comment on this article. Our Commenting Policies