Zeus crimeware using Amazon's EC2 as command and control server
Summary: A recently intercepted variant of the most popular piece of crimeware, the Zeus bot, is using Amazon's EC2 service as a command and control server.
UPDATED: ScanSafe posted an update stating that "In the past three years, ScanSafe has recorded 80 unique malware incidents involving amazonaws, 45 of which were in 2009, 13 in 2008, and 22 in 2007."
Security researchers have intercepted a new variant of the Zeus crimeware, which is using Amazon's EC2 services for the botnet's command and control. The cybercriminals appear to be using Amazon's RDS managed database hosting service as a backend alternative in case they lose access to the original domain, which would otherwise result in the complete loss of access to the compromised financial data obtained from the infected hosts.
Will 2010 be the year when crimeware dives deep into the cloud, in an attempt to undermine the security industry's take down operations? Given the clear migration towards the abuse of legitimate infrastructure we've observed throughout 2009, this may well be the case.
Despite the fact that this is the first publicly reported case of Zeus crimeware (Modern banker malware undermines two-factor authentication) campaign abusing Amazon's cloud-based services, popular Web 2.0 services have also been under fire in recent months.
From the use of Twitter, to Google Groups and Facebook as command and control servers, these experiments clearly indicate that cybercriminals are cloud-aware, which isn't surprising given that, from a distributed computing perspective, some of the biggest botnets currently online could easily top the Top 500 Supercomputing list.
What exactly are they trying to achieve, and isn't the use of a legitimate service for command and control purposes in fact a bad idea from a cybercriminal's perspective, compared to using the services of an ISP whose core competency lies in ignoring abuse notifications and in not cooperating with the security industry and law enforcement in general?
It's traffic camouflaging: hiding potentially malicious activity within the traffic stream between the infected host and a legitimate service makes it harder to blacklist and detect.
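Because the camouflage just described defeats blacklists keyed on the destination (the same cloud hostnames carry plenty of legitimate traffic), defenders have to look at behaviour instead. The following is an added example, not code from the article or from the researchers it cites: it flags machine-regular beaconing from one client to one host in proxy logs, using constructed log lines with invented hostnames and addresses.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (timestamp, client, destination host).
# The hostnames and addresses are invented for illustration only.
SAMPLE_LOGS = """\
2009-12-09T10:00:00 10.1.1.5 ec2-1-2-3-4.compute-1.amazonaws.com
2009-12-09T10:00:07 10.1.1.5 www.example.com
2009-12-09T10:05:00 10.1.1.5 ec2-1-2-3-4.compute-1.amazonaws.com
2009-12-09T10:10:01 10.1.1.5 ec2-1-2-3-4.compute-1.amazonaws.com
2009-12-09T10:14:59 10.1.1.5 ec2-1-2-3-4.compute-1.amazonaws.com
2009-12-09T10:20:00 10.1.1.5 ec2-1-2-3-4.compute-1.amazonaws.com
2009-12-09T10:03:12 10.1.1.9 www.example.com
2009-12-09T10:41:50 10.1.1.9 www.example.com
2009-12-09T11:02:03 10.1.1.9 www.example.com
"""


def parse_logs(text):
    """Group request timestamps by (client, host) pair."""
    by_pair = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host = line.split()
        by_pair[(client, host)].append(datetime.fromisoformat(ts))
    return by_pair


def beacon_score(timestamps, min_hits=4):
    """Return interval statistics for a series, or None if it is too short.

    cv (coefficient of variation of the gaps) near 0 means the requests
    arrive on a timer rather than from a human clicking around.
    """
    ts = sorted(timestamps)
    if len(ts) < min_hits:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return {"interval": avg, "cv": pstdev(gaps) / avg, "hits": len(ts)}


def find_beacons(text, max_cv=0.1):
    """List (client, host, interval_seconds, hits) for regular beaconing."""
    findings = []
    for (client, host), stamps in parse_logs(text).items():
        score = beacon_score(stamps)
        if score and score["cv"] <= max_cv:
            findings.append((client, host, round(score["interval"]), score["hits"]))
    return sorted(findings)
```

A hit here is a lead, not a verdict: legitimate software updaters also poll on a timer, so the next step is to check what the client and the destination actually are.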
Talkback
Anyone that "cloud aware"
Right on, this must all be another Google conspiracy!
A conspiracy of one?
Conspiracy
Exactly; resistance is futile!!!
Nope. Not at all. Not even a little teeny tiny
bit. Nuh-uh. This is so totally Google's fault and
you know it.
I just can't WAIT to put all of my mission critical data on a cloud server.
That was random.
Nothing in this one about data on cloud servers
being compromised.
Just that people are using them to host some nasty
shit (which is true of all providers).
Don't make this a 'Cloud' problem
It's not Amazon's responsibility to screen or police usage of their accounts.
So, whether they used AWS or Rackspace, etc. is immaterial.
Too late
And if it is [i]their[/i] servers, it's [i]their[/i] problem.
Windows has a fault, it's Microsoft's problem, but if a server gets hijacked, it's not the parent company's problem? You make no sense DTS...
Isn't that the actual problem?
Shouldn't Amazon have to take responsibility for criminal activities that use their service/facilities?
Shouldn't they have to at least make a token effort to prevent criminal activity?
You are always slamming MS because it only makes "token efforts" to make Windows secure.
lehnerus2000
What makes you think..
servers? The impression I got was that they paid
to use them, just like anyone else.
Which is the equivalent of someone using Outlook
Express to send bomb threats; not a fault in the
product.
No easy solutions
In fact emails have been sent from my account (twice; not by me and no malware was found on my PC) and I have received emails that have my address on them and yet weren't sent by me.
I didn't say that Amazon had been hacked. Once alerted by the authorities (with proof), Amazon should block the account and provide any relevant info or cooperate with them to run a "sting" operation (I am not saying that they don't cooperate).
Unless we want to allow packet sniffing and activity logging, I don't know what the solution to this problem is.
Additional:
I don't think enough money is spent tracking down "scammers". I live in Australia and I regularly receive letters from some clowns in NY (often twice a week) saying that if I send them $30 they will send me cheques or flat screen TVs. They have a postal address and yet nobody seems to be able to shut them down.
lehnerus2000
Hmm..
(Outlook) and the cops found out, it would be
difficult for me to claim that someone else had
sent them. If the threats were sent from an
online email provider (Yahoo, Google, etc) I
could claim that my account was hacked or my
address had been spoofed.[/i]
So it's plausible for some big name server to
get hacked, but not for joe sixpack's personal
computer to get hacked? The "authorities" don't
seem very well informed to me.
[i]Additional:
I don't think enough money is spent tracking
down "scammers". I live in Australia and I
regularly receive letters from some clowns in NY
(often twice a week) saying that if I send them
$30 they will send me cheques or flat screen
TVs. They have a postal address and yet nobody
seems to be able to shut them down.[/i]
They might be dumb, but I doubt they are dumb
enough to arrest someone just because an email
gets sent with their postal address. Otherwise
anyone could just send out spam with the postal
addresses of people they don't like and get them
arrested.
My bad
In the case of a home PC, I think that the cops would assume that you are lying ("Honestly, that isn't my kiddie porn"). In the case of the online email, there would be my complaint emails in their database. Let's face it, it is big news if Google or MS get hacked. Nobody hears about "Joe Sixpack's PC" getting hacked.
Also the Authorities are pretty clueless, just examine the decisions that have been made in cases involving PCs (or software companies).
I think you missed the part where I mentioned that the NY scammers send [b]actual "snail" mail[/b].
lehnerus2000
@lehnerus2000
In the case of a home PC, I think that the cops
would assume that you are lying ("Honestly, that
isn't my kiddie porn"). In the case of the
online email, there would be my complaint emails
in their database. Let's face it, it is big news
if Google or MS get hacked. Nobody hears about
"Joe Sixpack's PC" getting hacked.
Also the Authorities are pretty clueless, just
examine the decisions that have been made in
cases involving PCs (or software companies).[/i]
Wow. So guilty until proven innocent, huh?
Because otherwise a crook might get away
unscathed!
WHAT A JOKE.
[i]I think you missed the part where I mentioned
that the NY scammers send actual "snail"
mail.[/i]
Oops. I forgot you couldn't write somebody
else's address as the return address on a snail
mail. My bad.
Speed cameras
Obviously the level of proof is based on your social standing. There was a case here involving a Judge. He signed a Statutory Declaration saying he wasn't driving his car and avoided being fined. Some time later it was discovered that the person he named as the driver had died a couple of years before the offence occurred.
Additional:
The Government here wants to introduce ISP filtering to prevent people from viewing porn and/or terrorist sites. The main selling strategy is to claim that it will stop "pedos" and protect kiddies from porn.
Of course various other sites will "accidentally" get blocked, like sites critical of the government. During one of the early tests, the filter blocked out sites relating to breast cancer!
lehnerus2000
Right on, lehnerus2000!
prove you're innocent, in the case of speed
cameras. You have to prove that someone else was
using your car, at the time of the alleged
offence.[/i]
Right, because it's not like hacking a piece of
software is easier than going to the
person's house in person and stealing their
car..
[i]Obviously the level of proof is based on your
social standing. There was a case here involving
a Judge. He signed a Statutory Declaration
saying he wasn't driving his car and avoided
being fined. Some time later it was discovered,
that the person he named as the driver, had died
a couple of years before the offence
occurred.[/i]
Right, because it's not like a Judge could
commit any wrongs.
[i]Additional:
The Government here wants to introduce ISP
filtering to prevent people from viewing porn
and/or terrorist sites. The main selling
strategy is to claim that it will stop
"pedos"[/i]
Great idea, stop the nasty "pedos" from viewing
kiddie porn on the Internet, so that they prey
on real children instead!
[i]and protect kiddies from porn.[/i]
Brilliant! So instead of them just looking on
the Internet to find out about sex, they'll go
out and experience it first hand. That'll
protect them!
[i]Of course various other sites will
"accidentally" get blocked, like sites critical
of the government. During one of the early
tests, the filter blocked out sites relating to
breast cancer![/i]
Hah! That'll teach those women (and marijuana-
smoking men) who's boss!
How would they...
else's address as the return address on a snail
mail. My bad."[/i]
How would they collect the cheque or credit card details from someone else?
Are you suggesting that they have insiders in the NY Postal Service?
They are obviously successful as they can afford to send multiple letters/month ($2 a pop) to me, in Australia (maybe I am the only person outside the US that they harass).
I don't expect the NY cops to go after these guys for me (a foreigner) but when I looked them up on the Internet, there were a lot of p***** off US citizens commenting about them.
lehnerus2000
Maybe..
Or scam them? I dunno. My point wasn't to give a
detailed plan of how to do this, but rather just
to point out that it is doable.
Fair enough.
Your point is fair enough (I can conceive of that happening).
My point is that maybe not enough money is allocated to tracking down scammers. In my case there is a paper trail and physical locations that could be investigated and yet no one seems to be able to put these guys out of business.
Obviously tracking down Internet scammers would be more difficult (they are probably on a different continent).
Additional:
I also receive scam letters from Singapore and Europe (not only the US).
lehnerus2000