Zeus crimeware using Amazon's EC2 as command and control server

Summary: A recently intercepted variant of the most popular piece of crimeware, the Zeus bot, is using Amazon's EC2 service as a command and control server.

UPDATED: ScanSafe posted an update stating that "In the past three years, ScanSafe has recorded 80 unique malware incidents involving amazonaws, 45 of which were in 2009, 13 in 2008, and 22 in 2007."

Security researchers have intercepted a new variant of the Zeus crimeware which is using Amazon's EC2 service for command and control of the botnet. The cybercriminals appear to be using Amazon's RDS managed database hosting service as a backend alternative in case they lose access to the original domain, which would otherwise result in the complete loss of access to the compromised financial data obtained from the infected hosts.

Will 2010 be the year when crimeware dives deep into the cloud, in an attempt to undermine the security industry's takedown operations? Given the clear migration towards the abuse of legitimate infrastructure we observed throughout 2009, this may well be the case.

Although this is the first publicly reported case of a Zeus crimeware campaign (see Modern banker malware undermines two-factor authentication) abusing Amazon's cloud-based services, popular Web 2.0 services have also been under fire in recent months.

From the use of Twitter, Google Groups and Facebook as command and control channels, these experiments clearly indicate that cybercriminals are cloud-aware, which isn't surprising given that, from a distributed computing perspective, some of the biggest botnets currently online could easily top the TOP500 supercomputer list.

What exactly are they trying to achieve? Isn't the use of a legitimate service for command and control in fact a bad idea from a cybercriminal's perspective, compared with using the services of an ISP whose core competency lies in ignoring abuse notifications and requests for cooperation from the security industry and law enforcement in general?

It's traffic camouflaging: command and control traffic to a legitimate, widely used service is much harder to blacklist, because blocking the destination also blocks legitimate users of that service, and potentially malicious activity hidden within the traffic stream between the infected host and a legitimate service is harder to detect than a connection to a dedicated, already known bad host.
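As an added illustration of the point above (this is example code, not part of the original article and not anything recovered from the Zeus variant), the script below runs two checks over a few constructed proxy log lines: a destination blocklist, which has nothing to match because the check-in host is a shared cloud hostname that cannot be listed without blocking legitimate users, and a per-client periodicity check, which still flags the infected host because it calls home at a nearly constant interval no matter where the server lives. The log lines, the client addresses, the `ec2-198-51-100-7.compute-1.amazonaws.com` hostname (built on a TEST-NET address from RFC 5737) and the blocklist entry are all constructed for the example.

```python
"""Beacon detection over constructed proxy logs.

Added example, not from the original article. The sample log lines are
constructed (198.51.100.0/24 is the RFC 5737 TEST-NET-2 documentation
range) and the hostnames are hypothetical. They show why destination
blocklisting fails when C&C sits on a shared, legitimate cloud host, and
what a periodicity check on each client's traffic can still catch.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: "<ISO timestamp> <client> <method> <host> <bytes>"
SAMPLE_LOG = """\
2009-12-09T10:00:00 10.0.0.5 GET ec2-198-51-100-7.compute-1.amazonaws.com 412
2009-12-09T10:00:12 10.0.0.9 GET www.example.com 18233
2009-12-09T10:05:01 10.0.0.5 GET ec2-198-51-100-7.compute-1.amazonaws.com 409
2009-12-09T10:07:44 10.0.0.9 GET s3.amazonaws.com 90211
2009-12-09T10:10:00 10.0.0.5 GET ec2-198-51-100-7.compute-1.amazonaws.com 415
2009-12-09T10:14:59 10.0.0.5 GET ec2-198-51-100-7.compute-1.amazonaws.com 411
2009-12-09T10:15:30 10.0.0.9 GET s3.amazonaws.com 45120
2009-12-09T10:20:01 10.0.0.5 GET ec2-198-51-100-7.compute-1.amazonaws.com 410
2009-12-09T10:22:10 10.0.0.9 GET www.example.com 7750
2009-12-09T10:25:00 10.0.0.5 GET ec2-198-51-100-7.compute-1.amazonaws.com 413
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

# Hypothetical destination blocklist, the kind a blacklisting control uses.
# A shared cloud hostname cannot go on it without also blocking legitimate use.
DOMAIN_BLOCKLIST = {"evil-c2.example"}


def parse_log(text):
    """Yield (timestamp, client, host, bytes) tuples from the log lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _method, host, size = m.groups()
        yield datetime.fromisoformat(ts), client, host, int(size)


def blocklist_hits(text, blocklist=DOMAIN_BLOCKLIST):
    """Destination blocklisting: the listed hosts that appear in the log."""
    return sorted({host for _, _, host, _ in parse_log(text) if host in blocklist})


def find_beacons(text, min_requests=5, max_cv=0.1):
    """Flag (client, host) pairs whose inter-request gaps are nearly constant.

    A coefficient of variation (stddev / mean) of the gaps below max_cv, over
    at least min_requests requests, is a periodic check-in regardless of who
    owns the destination. Returns {(client, host): mean_gap_seconds}.
    """
    times = defaultdict(list)
    for ts, client, host, _ in parse_log(text):
        times[(client, host)].append(ts)
    results = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            results[key] = mean
    return results


if __name__ == "__main__":
    print("blocklist hits:", blocklist_hits(SAMPLE_LOG))
    for (client, host), period in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: check-in roughly every {period:.0f}s")
```

On the constructed log the blocklist returns nothing, while the periodicity check reports the 10.0.0.5 client checking in every five minutes; the other client's irregular S3 and web traffic is not flagged. In practice the thresholds need tuning against legitimate periodic traffic such as software update checks, so the output is a lead for an analyst, not a verdict.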

Topics: Collaboration, Amazon, Cloud, Networking, Security, Servers, Social Enterprise

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

33 comments
  • Anyone that "cloud aware"

    [i]has[/i] to be working for Google!! :)
    John Zern
    • Right on, this must all be another Google conspiracy!

      AzuMao
      • A conspiracy of one?

        Do you actually understand the meaning of the word "conspiracy"?
        pvandck
        • Conspiracy

          Google is not one, they are legion. You will understand whence you're assimilated.
          questionsall
          • Exactly; resistance is futile!!!

            None of us are being sarcastic here, pvandck.
            Nope. Not at all. Not even a little teeny tiny
            bit. Nuh-uh. This is so totally Google's fault and
            you know it.
            AzuMao
  • I just can't WAIT to put all of my mission critical data on a cloud server.

    Yeah, right.
    ths40
    • That was random.

      Replied to the wrong article, ths40?

      Nothing in this one about data on cloud servers
      being compromised.

      Just that people are using them to host some nasty
      shit (which is true of all providers).
      AzuMao
    • Don't make this a 'Cloud' problem

      Miscreants have used Virtual Private Servers for years.

      It's not Amazon's responsibility to screen or police usage of their accounts.

      So, whether they used AWS or Rackspace, etc. is immaterial.
      D T Schmitz
      • Too late

        It already [i]is[/i] a cloud problem.

        And if it is [i]their[/i] servers, it's [i]their[/i] problem.

        Windows has a fault, it's Microsoft's problem, but if a server gets hijacked, it's not the parent company's problem? You make no sense, DTS...
        The one and only, Cylon Centurion
      • Isn't that the actual problem?

        Nobody is responsible for anything that happens on the Internet.

        Shouldn't Amazon have to take responsibility for criminal activities that use their service/facilities?
        Shouldn't they have to at least make a token effort to prevent criminal activity?

        You are always slamming MS because it only makes "token efforts" to make Windows secure.

        lehnerus2000
        • What makes you think..

          ..that there is a vulnerability in Amazon's
          servers? The impression I got was that they paid
          to use them, just like anyone else.

          Which is the equivalent of someone using Outlook
          Express to send bomb threats; not a fault in the
          product.
          AzuMao
          • No easy solutions

            If I was sending threats using my home PC (Outlook) and the cops found out, it would be difficult for me to claim that someone else had sent them. If the threats were sent from an online email provider (Yahoo, Google, etc) I could claim that my account was hacked or my address had been spoofed.

            In fact emails have been sent from my account (twice; not by me and no malware was found on my PC) and I have received emails that have my address on them and yet weren't sent by me.

            I didn't say that Amazon had been hacked. Once alerted by the authorities (with proof), Amazon should block the account and provide any relevant info or cooperate with them to run a "sting" operation (I am not saying that they don't cooperate).

            Unless we want to allow packet sniffing and activity logging, I don't know what the solution to this problem is.

            Additional:
            I don't think enough money is spent tracking down "scammers". I live in Australia and I regularly receive letters from some clowns in NY (often twice a week) saying that if I send them $30 they will send me cheques or flat screen TVs. They have a postal address and yet nobody seems to be able to shut them down.

            lehnerus2000
          • Hmm..

            [i]If I was sending threats using my home PC
            (Outlook) and the cops found out, it would be
            difficult for me to claim that someone else had
            sent them. If the threats were sent from an
            online email provider (Yahoo, Google, etc) I
            could claim that my account was hacked or my
            address had been spoofed.[/i]

            So it's plausible for some big name server to
            get hacked, but not for joe sixpack's personal
            computer to get hacked? The "authorities" don't
            seem very well informed to me.

            [i]Additional:
            I don't think enough money is spent tracking
            down "scammers". I live in Australia and I
            regularly receive letters from some clowns in NY
            (often twice a week) saying that if I send them
            $30 they will send me cheques or flat screen
            TVs. They have a postal address and yet nobody
            seems to be able to shut them down.[/i]

            They might be dumb, but I doubt they are dumb
            enough to arrest someone just because an email
            gets sent with their postal address. Otherwise
            anyone could just send out spam with the postal
            addresses of people they don't like and get them
            arrested.
            AzuMao
          • My bad

            My bad. I didn't explain in enough detail.

            In the case of a home PC, I think that the cops would assume that you are lying ("Honestly, that isn't my kiddie porn"). In the case of the online email, there would be my complaint emails in their database. Let's face it, it is big news if Google or MS get hacked. Nobody hears about "Joe Sixpack's PC" getting hacked.

            Also the Authorities are pretty clueless, just examine the decisions that have been made in cases involving PCs (or software companies).

            I think you missed the part where I mentioned that the NY scammers send [b]actual "snail" mail[/b].

            lehnerus2000
          • @lehnerus2000

            [i]My bad. I didn't explain in enough detail.

            In the case of a home PC, I think that the cops
            would assume that you are lying ("Honestly, that
            isn't my kiddie porn"). In the case of the
            online email, there would be my complaint emails
            in their database. Let's face it, it is big news
            if Google or MS get hacked. Nobody hears about
            "Joe Sixpack's PC" getting hacked.

            Also the Authorities are pretty clueless, just
            examine the decisions that have been made in
            cases involving PCs (or software companies).[/i]

            Wow. So guilty until proven innocent, huh?
            Because otherwise a crook might get away
            unscathed!
            WHAT A JOKE.
            [i]I think you missed the part where I mentioned
            that the NY scammers send actual "snail"
            mail.[/i]

            Oops. I forgot you couldn't write somebody
            else's address as the return address on a snail
            mail. My bad.
            AzuMao
          • Speed cameras

            In Australia you are guilty unless you can prove you're innocent, in the case of speed cameras. You have to prove that someone else was using your car, at the time of the alleged offence.

            Obviously the level of proof is based on your social standing. There was a case here involving a Judge. He signed a Statutory Declaration saying he wasn't driving his car and avoided being fined. Some time later it was discovered that the person he named as the driver had died a couple of years before the offence occurred.

            Additional:
            The Government here wants to introduce ISP filtering to prevent people from viewing porn and/or terrorist sites. The main selling strategy is to claim that it will stop "pedos" and protect kiddies from porn.

            Of course various other sites will "accidentally" get blocked, like sites critical of the government. During one of the early tests, the filter blocked out sites relating to breast cancer!

            lehnerus2000
          • Right on, lehnerus2000!

            [i]In Australia you are guilty unless you can
            prove you're innocent, in the case of speed
            cameras. You have to prove that someone else was
            using your car, at the time of the alleged
            offence.[/i]

            Right, because it's not like hacking a piece of
            software is easier than going to the
            person's house in person and stealing their
            car..

            [i]Obviously the level of proof is based on your
            social standing. There was a case here involving
            a Judge. He signed a Statutory Declaration
            saying he wasn't driving his car and avoided
            being fined. Some time later it was discovered,
            that the person he named as the driver, had died
            a couple of years before the offence
            occurred.[/i]

            Right, because it's not like a Judge could
            commit any wrongs.

            [i]Additional:
            The Government here wants to introduce ISP
            filtering to prevent people from viewing porn
            and/or terrorist sites. The main selling
            strategy is to claim that it will stop
            "pedos"[/i]

            Great idea, stop the nasty "pedos" from viewing
            kiddie porn on the Internet, so that they prey
            on real children instead!


            [i]and protect kiddies from porn.[/i]

            Brilliant! So instead of them just looking on
            the Internet to find out about sex, they'll go
            out and experience it first hand. That'll
            protect them!

            [i]Of course various other sites will
            "accidentally" get blocked, like sites critical
            of the government. During one of the early
            tests, the filter blocked out sites relating to
            breast cancer![/i]

            Hah! That'll teach those women (and marijuana-
            smoking men) who's boss!
            AzuMao
          • How would they...

            [i]"Oops. I forgot you couldn't write somebody
            else's address as the return address on a snail
            mail. My bad."[/i]

            How would they collect the cheque or credit card details from someone else?
            Are you suggesting that they have insiders in the NY Postal Service?

            They are obviously successful as they can afford to send multiple letters/month ($2 a pop) to me, in Australia (maybe I am the only person outside the US that they harass).

            I don't expect the NY cops to go after these guys for me (a foreigner) but when I looked them up on the Internet, there were a lot of p***** off US citizens commenting about them.

            lehnerus2000
          • Maybe..

            ..sell them something? Or buy something from them?
            Or scam them? I dunno. My point wasn't to give a
            detailed plan of how to do this, but rather just
            to point out that it is doable.
            AzuMao
          • Fair enough.

            [i]"Otherwise anyone could just send out spam with the postal addresses of people they don't like and get them arrested."[/i]
            Your point is fair enough (I can conceive of that happening).

            My point is that maybe not enough money is allocated to tracking down scammers. In my case there is a paper trail and physical locations that could be investigated and yet no one seems to be able to put these guys out of business.

            Obviously tracking down Internet scammers would be more difficult (they are probably on a different continent).

            Additional:
            I also receive scam letters from Singapore and Europe (not only the US).

            lehnerus2000