Amazon EC2 Used as Botnet Command and Control
Trend Micro released a report Dec. 9 highlighting what it expects to see as far as security threats in 2010. Among the more interesting predictions -- attacks on cloud infrastructures will increase.
Almost as if on cue, a report surfaced the same day that the Zeus Trojan was observed abusing the Amazon EC2 (Elastic Compute Cloud) for its command and control needs. According to Don DeBolt, CA's director of threat research for its Internet Security Business unit, a server within the Amazon EC2 network was compromised by unknown means and used as the command and control server. Files were placed on the server that bots were programmed to access from across the Internet, he said.
"Zeus Bots would call to the compromised server inside of EC2 to download instructions inside the 'config.bin' file," DeBolt explained. "The Zeus Bot then will post bank account data back to the C&C ... located inside of Amazon ... This shows how aggressive the groups behind malware are today."
This isn't the first time attackers have used an unconventional means of controlling their bots. Earlier in 2009, Twitter was used as a C&C. In addition, Symantec found a scheme to use Google groups to send commands to malware.
Though attackers may begin to focus more of their energy on cloud services, to DeBolt, this incident with Amazon.com was likely a case of opportunity knocking.
"Attackers will target any and all vulnerable services they can find on the Internet," he told eWEEK. "The challenge with cloud services is making sure access and application controls are as secure as possible. The fact that the servers and applications are in a remote facility can weaken security if controls are not implemented properly. This year we have also seen Web 2.0 applications like Twitter be used as a C&C point for bots. So any application on the Internet today will be targeted. The more complexity within the application and services offered, the more opportunity there is for exploitation."