Cybercriminals Used Amazon Cloud Services To Spread Financial Malware

Amazon takes down malicious links -- 60 hours after being alerted

Dark Reading Staff, Dark Reading

June 8, 2011

2 Min Read

A Kaspersky Lab researcher over the weekend alerted Amazon that cybercriminals were using its Amazon Web Services cloud offering to spread financial-stealing malware. The attackers apparently deployed registered accounts to wage the attacks on 11 international banks, nine of which are in Brazil.

Dmitry Bestuzhev, senior malware researcher at Kaspersky, says it took Amazon 60 hours to shut down the malicious links after he informed them of the activity on its cloud service. Cloud abuse is an emerging vector of attack for cybercriminals. "I don’t believe classic botnets will be replaced totally or in a majority of the cases by malware in the cloud soon. However, [the] more cloud we’re going to use, [the] more attacks like this we’ll see. For now not much will change -- only C&C may slightly move to the commercial clouds," Bestuzhev says.

Bestuzhev says cloud providers need to better monitor their infrastructure and systems to catch attacks originating from their networks. He says Amazon, in theory, could have detected the abuse of its Web Services: "However, before all malicious links were [taken] down, we had to wait around 60 hours. What should be done? To have more proactive monitoring and multiscanner checks of all links on AWS, and especially if it’s about binary files. Also, response time should be improved," he says.

The attackers appear to be out of Brazil, he says, and the main targets are Brazilian bank customers. They dropped a rootkit that detected and blocked four different antivirus programs, he says, as well as a security application used in Brazil for online banking called GBPluggin.

Other malware they spread was able to steal Microsoft Live Messenger credentials, digital certificates, and CPU and hard drive information. The attackers moved the stolen data over email to their Gmail accounts and to a remote database via a special PHP-inserting process.

They tried to cover their tracks by employing antipiracy software in their malware so that researchers would have trouble reverse-engineering the code, Bestuzhev says.

Kaspersky has identified and labeled the malware samples as Trojan-Downloader.Win32.Murlo.lib; Trojan-PSW.Win32.MSNer.a; Trojan-Banker.Win32.Banz.iok; Trojan-Banker.Win32.Banker.blpm; Trojan-Downloader.Win32.Homa.fgx; and Trojan-Banker.Win32.Banker.blbt.

"I believe legitimate cloud services will continue to be used by criminals for different kinds of cyberattacks. Cloud providers should start thinking about better monitoring systems and expanding security teams in order to cut down on malware attacks enabled and launched from their cloud," Bestuzhev said in a blog post that includes screen shots.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights