Zeus Bot Appears in EC2 Cloud, Detected, Dismissed - InformationWeek


07:44 PM
Charles Babcock


A virtual machine in Amazon's EC2 cloud has been used as a command and control host for a password stealing version of Zeus, says a senior researcher in the Internet Security Intelligence Initiative, part of CA's security unit. "This is a particularly juicy target," says another security expert.

On Dec. 9, Methusela Ferrer, senior researcher leading CA's Internet Security Intelligence Initiative, reported that a version of Zeus had been tracked to a server running as a virtual machine launched from an Amazon Machine Image (AMI) in the Elastic Compute Cloud (EC2). Amazon Web Services offers infrastructure as a service on a pay-by-the-hour basis, and doesn't police all the activity that goes on within EC2. How could it?

In talking to security experts, it appears that an unnamed Web site hosted on EC2 had been compromised. "All indications are that a hacker was able to exploit the operating system in that virtual machine and gain administrator access," said Amir Ben-Efraim, CEO of Altor Networks, which specializes in virtual machine security.

Both operating systems and applications contain vulnerabilities. Constant vigilance is supposed to keep them from being exploited: timely patching by system administrators closes them, but sys admins have many responsibilities and it's hard for them to keep up. To be clear, it was the Web site operator's responsibility, not Amazon Web Services', to protect the guest operating system inside the virtual machine.

Ferrer said in a blog post that intruders with criminal intent used the Web site server as a command and control center. The basic ploy in this variation of Zeus is to spam a set of email addresses with a fake greeting card purporting to come from an online banking team. The user, thinking it's from his or her bank, clicks a link to "preview" the card. The click installs malware on the user's machine that steals passwords and banking credentials, and the malware then reports in to the command post in EC2.

"This was a particularly juicy target," says Todd Ignasiak, director of product marketing at Altor. Operating a bot on a legitimate Web site inside EC2 makes it much harder to track down the culprits. You may be wondering what you can do with cloud computing, but it seems parties that plan to steal money from online banking customers already know. Ferrer writes that the Web site owner and Amazon Web Services were notified and the bot was promptly removed. "The group behind this criminal activity was obviously doing it for financial gain," said Ferrer.

The Zeus code in the fake card "injects code into the system processes and connects to its cloud server for configuration of the master for its criminal activity," she wrote. The injected code waits for the user to enter a password and account details and captures them as they are typed.
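The one thing the infected machine must do, as the two paragraphs above describe, is check in with its command post in EC2 on a schedule to fetch configuration and drop off captured credentials. That regularity is what a defender can look for. The following example is added here and is not from the article or from CA's research: it parses a constructed outbound proxy log, flags source/destination pairs whose contacts are evenly spaced, and notes whether the destination falls in a (placeholder) cloud-provider prefix list. The addresses, paths and timestamps are invented; 203.0.113.0/24 stands in for the provider's ranges, which AWS now publishes and which a real deployment would load instead.

```python
"""Flag internal hosts that contact the same external server at a fixed interval."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample of proxy log lines: "timestamp src dst method path".
# 10.1.1.20 checks in every five minutes (a bot); 10.1.1.21 browses irregularly.
SAMPLE_LOG = """\
2009-12-09T10:00:00 10.1.1.20 203.0.113.7 POST /cfg
2009-12-09T10:00:03 10.1.1.21 198.51.100.9 GET /index.html
2009-12-09T10:05:01 10.1.1.20 203.0.113.7 POST /cfg
2009-12-09T10:07:40 10.1.1.21 198.51.100.9 GET /news.html
2009-12-09T10:10:00 10.1.1.20 203.0.113.7 POST /cfg
2009-12-09T10:15:02 10.1.1.20 203.0.113.7 POST /cfg
2009-12-09T10:20:00 10.1.1.20 203.0.113.7 POST /cfg
2009-12-09T10:33:12 10.1.1.21 198.51.100.9 GET /about.html
"""

# Assumed placeholder for the cloud provider's published address ranges.
CLOUD_PREFIXES = [ip_network("203.0.113.0/24")]


def parse_log(text):
    """Split each line into (datetime, src, dst, method, path)."""
    events = []
    for line in text.splitlines():
        ts, src, dst, method, path = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, method, path))
    return events


def find_beacons(events, min_hits=4, max_jitter=0.05):
    """Return (src, dst) pairs whose contact times are evenly spaced.

    Jitter is the coefficient of variation of the gaps between contacts;
    a scheduled check-in keeps it small, human browsing does not.
    """
    times = defaultdict(list)
    for ts, src, dst, _method, _path in events:
        times[(src, dst)].append(ts)

    beacons = []
    for (src, dst), stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period == 0:  # duplicate timestamps, not a schedule
            continue
        if pstdev(gaps) / period <= max_jitter:
            beacons.append({
                "src": src,
                "dst": dst,
                "period_s": round(period),
                "hits": len(stamps),
                "cloud_hosted": any(ip_address(dst) in net for net in CLOUD_PREFIXES),
            })
    return beacons


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

The "cloud_hosted" flag is enrichment, not a verdict: plenty of legitimate traffic goes to cloud address space, which is exactly why a C2 host there is hard to spot by address alone. The interval regularity is the stronger signal, and the threshold should be tuned against the site's own baseline.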

On the positive side, this intrusion occurred the usual way, probably through a network service listening on a port that should have been closed on a Windows server. This kind of intrusion can happen anywhere, including your own data center. The fact that it's one of the first known intrusions of a public-cloud server, however, raises difficult questions.

Ignasiak says the intruder did not move from the compromised virtual machine to other virtual machines on the same physical server. But such a shift is not inconceivable in a multi-tenant cloud. If your virtual machine is set up to talk to other virtual machines on that server, the malware could propagate to new locations over the communication paths between VMs. Then the VM bot becomes "the rotten apple in the cloud," spreading its decay. At the same time, it should be noted that the intrusion did not escalate from the guest instance to the hypervisor supervising all the virtual machines on that physical server, says Ignasiak.

But imagine the potential for mischief if its makers had found a way to do either of those things. On a neighboring virtual machine, there's another opportunity to steal identities and passwords. On the hypervisor, there's the opportunity to watch all the activity going on in all the virtual machines.

"This attack is not unique to Amazon. The possibility of it is true for all cloud infrastructures. The enterprise private cloud is vulnerable the same way," said Ignasiak.

There are ways to defend against such intrusions. One is to implement good security practices as you configure servers, whether in the data center or in the cloud: expose only the services the host is meant to offer and keep them patched. The other is to build protections into the virtual machines you create and to attach a firewall plus intrusion detection at the hypervisor governing the virtual machines on the cloud server. That's possible now with a new class of products, the hypervisor firewall.
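The first defense above comes down to a check an operator can run on the guest itself: which ports are actually listening on a network-facing address, and are they the ones the server is supposed to expose? The example below is added here and is not from the article or from any vendor mentioned in it. It parses a constructed sample in the shape of Windows `netstat -ano` output for a Web server (the PIDs and the presence of RDP and SMB listeners are invented for the example) and reports every listener that is reachable from the network but not on an assumed allowlist of 80 and 443.

```python
"""Audit TCP listeners on a Windows host against an allowlist of expected ports."""
import re

# Constructed sample resembling `netstat -ano` output; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1480
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       792
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1480
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1120
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING       2048
  TCP    10.0.0.5:443           198.51.100.22:51234    ESTABLISHED     1480
"""

# Ports this Web server is meant to expose (assumed for the example).
ALLOWED_PUBLIC_PORTS = {80, 443}

# Matches the LISTENING rows; the address may be 0.0.0.0, a host address or [::].
LISTEN_RE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.MULTILINE
)


def listening_sockets(netstat_text):
    """Return (bind_address, port, pid) for every TCP LISTENING row."""
    return [(addr, int(port), int(pid))
            for addr, port, pid in LISTEN_RE.findall(netstat_text)]


def unexpected_listeners(netstat_text, allowed=ALLOWED_PUBLIC_PORTS):
    """Listeners bound to a non-loopback address whose port is not allowlisted.

    Loopback-only services are skipped because they are not reachable from
    the network; everything else not on the allowlist is reported.
    """
    findings = []
    for addr, port, pid in listening_sockets(netstat_text):
        if addr.startswith("127.") or addr in ("::1", "[::1]"):
            continue
        if port not in allowed:
            findings.append({"port": port, "bind": addr, "pid": pid})
    return findings


if __name__ == "__main__":
    for finding in unexpected_listeners(SAMPLE_NETSTAT):
        print("unexpected listener:", finding)
```

On a live host the sample text would be replaced by the output of running `netstat -ano`; the same logic applies to `ss -ltnp` on Linux with an adjusted pattern. A finding is a prompt to either stop the service or restrict it at the host firewall and the cloud security group, since a port that is closed at both layers cannot be the entry point the article describes.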
