Amazon EC2 is one of the most amazing feats of cloud computing infrastructure in existence. This is the place to go if you need an on-demand, virtually endless capacity for hosting applications. Geeks’ eyes brighten when you mention the name. If something
embodies the Cloud, it is probably EC2.
And if something embodies the
Dark Cloud, it is the notorious Zeus Trojan, also known as the Zbot.
Now the two join forces. The Dark Cloud directly uses the Cloud to scale up and protect its operations.
CA researcher Methusela Cebrian Ferrer published a
blog revealing how fraudsters operating a Zeus Trojan tap Amazon’s cloud computing platform for their sinister needs. The Trojan is spread by sending fake Christmas greeting cards that lead to an infection site, often a legitimate site that was hijacked
(drive by download).
Alex Vaystikh, a top malware researcher in RSA, brought this breaking news to my attention (thanks Alex!) and I asked him to talk a bit about the use of EC2 in the attack.
Q: Before talking about the Cloud usage, what can you say about this specific Zeus Trojan?
A: we too detected and analyzed this crimeware. I checked it against all leading anti-virus companies using a service called VirusTotal. Hardly anyone was capable of detecting this Trojan at that point. This changed by now; most AVs already detect
it.
Q: What specific use do the fraudsters have for EC2?
A: They host the latest Trojan variants at EC2, as well as the configuration files with the various triggers for stealing data. So when the user’s PC gets infected, the latest variant and configuration file is pulled in real time from EC2.
But that’s just the beginning. They also host the ‘drop zone’ for the Trojan’s stolen data in EC2. That’s where all of the stolen records go to. In Zeus we talk not just about online banking passwords and credit cards, but a huge amount of other data: Zeus
typically grabs HTML forms, records from a huge amount of triggered sites, and almost every HTTPs site (due to the more sensitive nature of data in such sites). It’s not a key logger: it virtually grabs all your communication. This requires a big, always-available
space to store the data, parse it and query it for useful information.
Q: Does hosting the drop zone in EC2 make it more difficult to intercept?
A: Amazon isn’t a regular ISP, and a huge amount of legitimate users tap their cloud computing services at any given point of time. On-demand instances cost less than 10 cents per hour, making the service extremely popular. It’s hard to expect Amazon
to quickly respond whenever a drop zone or a malware content server is found, so hosting in EC2 makes it a bit more difficult to intercept when compared to a regular drop zone hosted in a standard ISP.
Q: Is this the first known link between the Dark Cloud and the Cloud?
A: When it comes to cybercrime, it probably is. Spam is already known to emanate from EC2 – Brian Krebs from the Washington Post blog Security Fix
wrote about it over a year ago. It should be noted that right now this seems to be an early bird; a “proof of concept” in white hat lingo. But it’s only a matter of time until cybercrime use of cloud computing grows.
Let us summarize. Zeus, king of the Dark Cloud, now taps Amazon EC2, famously known as one of the pillars of cloud computing. Endless scalability, availability and resilience are now at the fingertips of cybercriminals. This isn’t the most shocking piece
of breaking news we had this year, but it all adds up. 2009 stands out as a year in which the
Dark Cloud shaped out to be a major threat in our lives.
Oh, and don’t open fake Christmas e-Cards J