Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Zeus crimeware using Amazon's EC2 as command and control server

By Dancho Danchev | December 9, 2009, 8:13am PST

Summary: A recently intercepted variant of the Zeus bot, the most popular piece of crimeware in circulation, is using Amazon's EC2 service as a command and control server.

UPDATED: ScanSafe posted an update stating that "In the past three years, ScanSafe has recorded 80 unique malware incidents involving amazonaws, 45 of which were in 2009, 13 in 2008, and 22 in 2007."

Security researchers have intercepted a new variant of the Zeus crimeware which uses Amazon's EC2 service as the botnet's command and control infrastructure. The cybercriminals also appear to be using Amazon's RDS managed database hosting service as a backend alternative in case they lose access to the original domain, which would otherwise mean losing all access to the financial data harvested from the infected hosts.

Will 2010 be the year in which crimeware moves deep into the cloud in an attempt to undermine the security industry's takedown operations? Given the clear migration towards the abuse of legitimate infrastructure observed throughout 2009, this may well be the case.

While this is the first publicly reported case of a Zeus crimeware campaign (see Modern banker malware undermines two-factor authentication) abusing Amazon's cloud-based services, popular Web 2.0 services have also been under fire in recent months.

From Twitter to Google Groups and Facebook being used as command and control channels, these experiments clearly indicate that cybercriminals are cloud-aware. That isn't surprising: from a distributed computing perspective, some of the biggest botnets currently online could easily top the Top 500 supercomputing list.

What exactly are they trying to achieve? Isn't using a legitimate service for command and control a bad idea from a cybercriminal's perspective, compared to using an ISP whose core competency lies in ignoring abuse notifications and refusing to cooperate with the security industry and law enforcement in general?

It's traffic camouflage. Hiding the command and control exchange inside the traffic stream between an infected host and a legitimate service makes it harder to blacklist the destination, since the IP addresses and domains involved belong to shared infrastructure that legitimate customers also use, and harder to spot the malicious activity within otherwise ordinary-looking connections.
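The detection consequence of that camouflage, as an added example that is not part of the original post: a beaconing check over proxy logs that does not rely on blacklisting the destination. The log lines, the client address, the EC2-style hostnames, the IP addresses and the /gate.php path are all constructed for illustration; none of them are indicators from the Zeus sample the post describes.

```python
"""
Added example (not from the original post): spotting cloud-hosted C2
check-ins in proxy logs when blacklisting the destination is not an option.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: "epoch client method url bytes" per line.
# Hostnames, addresses and the /gate.php path are illustrative only.
SAMPLE_LOG = """\
1260345600 10.0.0.7 POST http://ec2-203-0-113-10.compute-1.amazonaws.com/gate.php 412
1260345600 10.0.0.7 GET http://www.example.com/index.html 18342
1260346200 10.0.0.7 POST http://ec2-203-0-113-10.compute-1.amazonaws.com/gate.php 409
1260346800 10.0.0.7 POST http://ec2-203-0-113-10.compute-1.amazonaws.com/gate.php 415
1260347400 10.0.0.7 POST http://ec2-203-0-113-10.compute-1.amazonaws.com/gate.php 411
1260348000 10.0.0.7 POST http://ec2-203-0-113-10.compute-1.amazonaws.com/gate.php 408
1260345700 10.0.0.7 GET http://ec2-198-51-100-5.compute-1.amazonaws.com/app/dashboard 52311
1260349000 10.0.0.7 GET http://ec2-198-51-100-5.compute-1.amazonaws.com/app/report 71002
1260351234 10.0.0.7 GET http://ec2-198-51-100-5.compute-1.amazonaws.com/app/dashboard 50990
"""


def parse_log(text):
    """Parse the constructed log format into a list of dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, size = line.split()
        _scheme, rest = url.split("://", 1)
        host, _, path = rest.partition("/")
        entries.append({"ts": int(ts), "client": client, "method": method,
                        "host": host, "path": "/" + path, "bytes": int(size)})
    return entries


def blacklist_hosts(entries, blocked_suffix):
    """The naive approach: every host under a blocked domain suffix.
    Returns the distinct hosts that would be cut off, legitimate ones included."""
    return {e["host"] for e in entries if e["host"].endswith(blocked_suffix)}


def find_beacons(entries, min_requests=4, max_interval_cv=0.15, max_size_spread=0.1):
    """Flag (client, host, path) flows whose request timing is near-periodic
    and whose response sizes barely vary: the shape of a bot checking in,
    regardless of whose infrastructure the server sits on.

    interval_cv: standard deviation of inter-request gaps divided by their mean.
    size_spread: (max - min) response size divided by the mean size.
    """
    flows = defaultdict(list)
    for e in entries:
        flows[(e["client"], e["host"], e["path"])].append(e)

    hits = []
    for (client, host, path), reqs in flows.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort(key=lambda r: r["ts"])
        gaps = [b["ts"] - a["ts"] for a, b in zip(reqs, reqs[1:])]
        sizes = [r["bytes"] for r in reqs]
        period = mean(gaps)
        if period == 0:
            continue  # burst of identical timestamps, not a schedule
        interval_cv = pstdev(gaps) / period
        size_spread = (max(sizes) - min(sizes)) / mean(sizes)
        if interval_cv <= max_interval_cv and size_spread <= max_size_spread:
            hits.append({"client": client, "host": host, "path": path,
                         "period_s": round(period), "requests": len(reqs)})
    return hits


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("suffix block would hit:", sorted(blacklist_hosts(entries, "amazonaws.com")))
    for hit in find_beacons(entries):
        print("beacon:", hit)
```

Blocking the amazonaws.com suffix takes down both hosts in the sample, the bot's drop point and an ordinary EC2-hosted application alike, which is exactly the collateral damage that makes shared cloud infrastructure attractive to the operators. Periodic check-ins with near-constant response sizes are a heuristic, not a signature: a bot with a randomised check-in interval, or a legitimate agent polling on a fixed schedule, will land on the wrong side of the thresholds, so tune them against your own baseline and corroborate before acting on a hit.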


Disclosure

Dancho Danchev

More details on Dancho Danchev's current and past professional affiliations, can be found in his LinkedIn profile.

Biography

Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community on a daily basis. More details on Dancho Danchev's current and past professional affiliations, can be found in his LinkedIn profile. You can also follow him on Twitter

33 Comments


RE: Zeus crimeware using Amazon's EC2 as command and control server
efsane Updated - 8th Apr 2011
Great!!! Thanks for sharing this information with us!
sesli sohbet sesli chat
Anyone that "cloud aware"
John Zern 9th Dec 2009
has to be working for Google!! :)
A conspiracy of one?
pvandck 14th Dec 2009
Do you actually understand the meaning of the word "conspiracy"?
Conspiracy
questionsall 14th Dec 2009
Google is not one, they are legion. You will understand once you're assimilated.
Exactly; resistance is futile!!!
AzuMao 14th Dec 2009
None of us are being sarcastic here, pvandck. Nope. Not at all. Not even a little teeny tiny bit. Nuh-uh. This is so totally Google's fault and you know it.
That was random.
AzuMao 9th Dec 2009
Replied to the wrong article, ths40?

Nothing in this one about data on cloud servers being compromised.

Just that people are using them to host some nasty **** (which is true of all providers).
Don't make this a 'Cloud' problem
D T Schmitz 10th Dec 2009
Miscreants have used Virtual Private Servers for years.

It's not Amazon's responsibility to screen or police usage of their accounts.

So, whether they used AWS or Rackspace, etc. is immaterial.
Too late
Cylon Centurion Updated - 14th Dec 2009
It already is a cloud problem.

And if it is their servers, It's their problem.

Windows has a fault, it's Microsoft's problem, but if a server gets hijacked, it's not the parent company's problem? You make no sense DTS...
Isn't that the actual problem?
lehnerus2000 14th Dec 2009
Nobody is responsible for anything that happens on the Internet.

Shouldn't Amazon have to take responsibility for criminal activities that use their service/facilities?
Shouldn't they have to at least make a token effort to prevent criminal activity?

You are always slamming MS because it only makes "token efforts" to make Windows secure.

lehnerus2000
What makes you think..
AzuMao 14th Dec 2009
..that there is a vulnerability in Amazon's servers? The impression I got was that they paid to use them, just like anyone else.

Which is the equivalent of someone using Outlook Express to send bomb threats; not a fault in the product.
No easy solutions
lehnerus2000 Updated - 14th Dec 2009
If I was sending threats using my home PC (Outlook) and the cops found out, it would be difficult for me to claim that someone else had sent them. If the threats were sent from an online email provider (Yahoo, Google, etc) I could claim that my account was hacked or my address had been spoofed.

In fact emails have been sent from my account (twice; not by me and no malware was found on my PC) and I have received emails that have my address on them and yet weren't sent by me.

I didn't say that Amazon had been hacked. Once alerted by the authorities (with proof), Amazon should block the account and provide any relevant info or cooperate with them to run a "sting" operation (I am not saying that they don't cooperate).

Unless we want to allow packet sniffing and activity logging, I don't know what the solution to this problem is.

Additional:
I don't think enough money is spent tracking down "scammers". I live in Australia and I regularly receive letters from some clowns in NY (often twice a week) saying that if I send them $30 they will send me cheques or flat screen TVs. They have a postal address and yet nobody seems to be able to shut them down.

lehnerus2000
Hmm..
AzuMao 14th Dec 2009
"If I was sending threats using my home PC (Outlook) and the cops found out, it would be difficult for me to claim that someone else had sent them. If the threats were sent from an online email provider (Yahoo, Google, etc) I could claim that my account was hacked or my address had been spoofed."

So it's plausible for some big name server to get hacked, but not for joe sixpack's personal computer to get hacked? The "authorities" don't seem very well informed to me.

"Additional: I don't think enough money is spent tracking down 'scammers'. I live in Australia and I regularly receive letters from some clowns in NY (often twice a week) saying that if I send them $30 they will send me cheques or flat screen TVs. They have a postal address and yet nobody seems to be able to shut them down."

They might be dumb, but I doubt they are dumb enough to arrest someone just because an email gets sent with their postal address. Otherwise anyone could just send out spam with the postal addresses of people they don't like and get them arrested.
My bad
lehnerus2000 Updated - 15th Dec 2009
My bad. I didn't explain in enough detail.

In the case of a home PC, I think that the cops would assume that you are lying ("Honestly, that isn't my kiddie porn"). In the case of the online email, there would be my complaint emails in their database. Let's face it, it is big news if Google or MS get hacked. Nobody hears about "Joe Sixpack's PC" getting hacked.

Also the Authorities are pretty clueless, just examine the decisions that have been made in cases involving PCs (or software companies).

I think you missed the part where I mentioned that the NY scammers send actual "snail" mail.

lehnerus2000
@lehnerus2000
AzuMao 15th Dec 2009
"My bad. I didn't explain in enough detail.

In the case of a home PC, I think that the cops would assume that you are lying ('Honestly, that isn't my kiddie porn'). In the case of the online email, there would be my complaint emails in their database. Let's face it, it is big news if Google or MS get hacked. Nobody hears about 'Joe Sixpack's PC' getting hacked.

Also the Authorities are pretty clueless, just examine the decisions that have been made in cases involving PCs (or software companies)."

Wow. So guilty until proven innocent, huh? Because otherwise a crook might get away unscathed! WHAT A JOKE.

"I think you missed the part where I mentioned that the NY scammers send actual 'snail' mail."

Oops. I forgot you couldn't write somebody else's address as the return address on a snail mail. My bad.
Speed cameras
lehnerus2000 Updated - 15th Dec 2009
In Australia you are guilty unless you can prove you're innocent, in the case of speed cameras. You have to prove that someone else was using your car, at the time of the alleged offence.

Obviously the level of proof is based on your social standing. There was a case here involving a Judge. He signed a Statutory Declaration saying he wasn't driving his car and avoided being fined. Some time later it was discovered, that the person he named as the driver, had died a couple of years before the offence occurred.

Additional:
The Government here wants to introduce ISP filtering to prevent people from viewing porn and/or terrorist sites. The main selling strategy is to claim that it will stop "pedos" and protect kiddies from porn.

Of course various other sites will "accidentally" get blocked, like sites critical of the government. During one of the early tests, the filter blocked out sites relating to breast cancer!

lehnerus2000
Right on, lehnerus2000!
AzuMao Updated - 15th Dec 2009
"In Australia you are guilty unless you can prove you're innocent, in the case of speed cameras. You have to prove that someone else was using your car, at the time of the alleged offence."

Right, because it's not like hacking a piece of software is easier than going to the person's house in person and stealing their car..

"Obviously the level of proof is based on your social standing. There was a case here involving a Judge. He signed a Statutory Declaration saying he wasn't driving his car and avoided being fined. Some time later it was discovered, that the person he named as the driver, had died a couple of years before the offence occurred."

Right, because it's not like a Judge could commit any wrongs.

"Additional: The Government here wants to introduce ISP filtering to prevent people from viewing porn and/or terrorist sites. The main selling strategy is to claim that it will stop 'pedos'"

Great idea, stop the nasty "pedos" from viewing kiddie porn on the Internet, so that they prey on real children instead!

"and protect kiddies from porn."

Brilliant! So instead of them just looking on the Internet to find out about sex, they'll go out and experience it first hand. That'll protect them!

"Of course various other sites will 'accidentally' get blocked, like sites critical of the government. During one of the early tests, the filter blocked out sites relating to breast cancer!"

Hah! That'll teach those women (and marijuana-smoking men) who's boss!
How would they...
lehnerus2000 18th Dec 2009
"Oops. I forgot you couldn't write somebody else's address as the return address on a snail mail. My bad."


How would they collect the cheque or credit card details from someone else?
Are you suggesting that they have insiders in the NY Postal Service?

They are obviously successful as they can afford to send multiple letters/month ($2 a pop) to me, in Australia (maybe I am the only person outside the US that they harass).

I don't expect the NY cops to go after these guys for me (a foreigner) but when I looked them up on the Internet, there were a lot of p***** off US citizens commenting about them.

lehnerus2000
Maybe..
AzuMao 18th Dec 2009
..sell them something? Or buy something from them? Or scam them? I dunno. My point wasn't to give a detailed plan of how to do this, but rather just to point out that it is doable.
Fair enough.
lehnerus2000 Updated - 19th Dec 2009
"Otherwise anyone could just send out spam with the postal addresses of people they don't like and get them arrested."
Your point is fair enough (I can conceive of that happening).

My point is that maybe not enough money is allocated to tracking down scammers. In my case there is a paper trail and physical locations that could be investigated and yet no one seems to be able to put these guys out of business.

Obviously tracking down Internet scammers would be more difficult (they are probably on a different continent).

Additional:
I also receive scam letters from Singapore and Europe (not only the US).

lehnerus2000
0 Votes
+ -
...to keep the government from picking our pockets.
Shut Up, Your making us look bad!
shaunehunter 14th Dec 2009
I apologize on behalf of Canada for the above comment. We will send him back south to you right away.
Too many here already to accept any more of them anymore.
"It's not Amazon's responsibility to screen or police usage of their accounts."

True, but it is their responsibility to take action to police their servers once notified of a crime being committed. If they don't they become an accessory because they are knowingly allowing their equipment to be used for illegal purposes at that point.

The requisite bad car analogy is if you rent your car to someone and they rob a bank, you technically aren't responsible or an accessory to the robbery. If they tell you they are robbing a bank and you rent them your car, knowing it will be used in the robbery, you are an accessory.

Proving your position one way or the other is a whole different ball of wax... however the analogy is valid.
(like ths40 tried to imply).
uhhm actually EC2 is the problem... click and buy cloud offering will quickly see issues such as this .... and well not blaming the provider for making access easy...

let me put that another way:

No gun dealer would ever put a vending machine out front with guns in it... that would be irresponsible. A dealer would want your number and some form of ID.

Cloud used for crime ... guns used for crime.

get it.
dude .... MS is in Redmond

what else do ya want
Finally! A use for Cloud Computing!
nitecourt@... 14th Dec 2009
Ha Ha!
OMG! WORLD'S LONGEST SENTENCE!
slamspam 15th Dec 2009
OMG! This is THE longest sentence I have ever encountered. Period! Maybe we need a new editor? Seriously! LOOK at it:

"What exactly are they trying to achieve, and isn?t the use of legitimate service for command and control purposes in fact a bad idea from a cybercriminal?s perspective, compared to a situation where they?ll be using the services of an ISP whose core competency lies in ignoring abuse notification and cooperation with the security industry and law enforcement in general?"

Seriously, my English teacher would smack me for writing paragraphs that long!
and for...
jedikitty@... 17th Dec 2009
replacing apostrophes with question marks ;)

But I do agree with you on the world's longest sentence; that one was hard to read. My English teacher always suggested: if you cannot say the rest of your sentence without taking a (deep) breath, make it shorter.
They're the fault of whoever wrote the ****** code for this blog. It mangles anything outside of the basic ASCII charset.
In this text, I think that you meant to use the word "lose" rather than "loose": "The cybercriminals appear to be using Amazon?s RDS managed database hosting service as a backend alternative in case they loose access to the original domain ..."
