Security
researchers have long warned that cloud services were providing cyber-criminals
with extensive computing resources that could be used to launch powerful and
damaging cyber-attacks. A Kaspersky researcher uncovered an example of how
Amazon’s cloud services are being used to spread malware.
A
cloud instance on Amazon Web Services had links that pointed to “financial data
stealing malware,” Dmitry Bestuzhev, a Kaspersky Lab expert, wrote on the
Securelist blog. The malware appears fairly sophisticated, with the capability
to block several security programs while stealing hardware and software
information.
Kaspersky
notified Amazon of the malicious links over the weekend, but a company
spokesperson confirmed that as of June 6 the links were still active.
“Unfortunately
after my formal complaints to Amazon, and waiting more than 12 hours, all
malicious links are still on-line and active!” Bestuzhev wrote.
“I
also hope all malicious links will be deactivated by Amazon soon,” Bestuzhev
said.
More
and more criminals use legitimate cloud services for malicious purposes,
Bestuzhev said. There have been several notable examples, such as reports that
the unknown attackers who successfully compromised Sony’s PlayStation
Network and Sony
Online Entertainment in mid-April rented servers from Amazon
Elastic Cloud Compute to launch the attack. Academic researchers have also
demonstrated how attackers can easily use EC2 and AWS to brute-force
passwords.
Cyber-attacks
“successfully abuse” legitimate cloud services in most cases, Bestuzhev said.
“I
believe legitimate cloud services will continue to be used by criminals for
different kinds of cyber-attacks,” Bestuzhev said. It is very cheap to rent
cloud servers, with prices ranging from three cents to $2.48 an hour.
The
cloud instance hosted “a bunch of different” malicious codes, all of which were
downloaded onto the victim’s machine. Some programs acted as a rootkit, looking
for and stopping execution of at least four different antivirus programs,
including AVG, Avira’s Antivir, ESET and Alwill Software’s Avast applications.
The rootkit also looked for and blocked a special security application called
GBPluggin, which is used by a number of Brazilian financial institutions to
protect online banking transactions.
Even
more disconcerting, the attackers had made sure that the malware samples were
protected by a legitimate anti-piracy software called The Enigma Protector. The
criminals used The Enigma Protector to make it harder for security analysts to
reverse-engineer the malware, Bestuzhev speculated.
The
malware is capable of stealing financial information from nine Brazilian and
two “international” banks, Bestuzhev said. It also steals machine information,
such as the CPU, hard drive volume number and computer name, as these are the
types of information being collected by some Latin American banks during the
log-in process to verify and authenticate online banking customers.
It
can also steal Microsoft Live Messenger credentials and digital certificates
used by eTokens on the compromised machine. The stolen information can then
either be emailed to the attacker’s Gmail account or use a special PHP script
to insert the data into a remote database, according to Kaspersky.
“Cloud
providers should start thinking about better monitoring systems and expanding
security teams in order to cut down on malware attacks enabled and launched
from their cloud,” Bestuzhev said.
The
criminals behind the attack are from Brazil, according to Bestuzhev. They have
several previously registered accounts on hand that were used to launch the
infection.
IT Security & Network Security News & Reviews News & Reviews 
