Zeus Bot Appears in EC2 Cloud, Detected, Dismissed

A virtual machine in Amazon's EC2 cloud has been used as a command and control host for a password stealing version of Zeus, says a senior researcher in the Internet Security Intelligence Initiative, part of CA's security unit. "This is a particularly juicy target," says another security expert.On Dec. 9, Methusela Ferrer, senior researcher leading CA's Internet Security Intelligence Initiative, reported that a version of Zeus had been tracked to a server running an Amazon Machine Image, a virtual machine, in the Elastic Compute Cloud. Amazon Web Services offers infrastructure as a service on a pay by the hour basis, and doesn't police all the activity that goes on within EC2. How could it?

In talking to security experts, it appears that an unnamed Web site hosted by EC2 had been compromised. "All indications are that a hacker was able to exploit the operating system in that virtual machine and gain administrator access," said Amir Ben-Efram, CEO of Altor Networks, which specializes in virtual machine security.

Both operating systems and applications contain exposures. Constant vigilance is supposed to keep them from being exploited. Frequent patches by system administrators protect them, but sys admins have many responsibilities. It's hard for them to keep up. To be clear, it was the Web site operator's responsibility, not Amazon Web Services, to protect the virtual machine.

Ferrer in a blog post said that intruders with criminal intent used the Web site server as a command and control center. The basic ploy in this variation of Zeus is to spam a set of email addresses with a fake greeting card from a supposed online banking team. The user, thinking it's his or her bank, clicks on a link to the greeting to "preview" the card. In doing so, he plants malware on his machine that steals his password and banking credentials, with the malware then reporting in to the command post in EC2. "This was a particularly juicy target," says Todd Ignasiak, director of product marketing at Altor. To operate a bot inside EC2 on a legitimate Web site makes it much harder to track down the culprits. You may be wondering what you can do with cloud computing, but it seems parties that plan to steal money from online banking customers already know. Ferrer writes that the Web site owner and Amazon Web Services were notified and the bot was promptly removed. "The group behind this criminal activity was obviously doing it for financial gain," said Ferrer.

The Zeus code in the fake card "injects code into the system processes and connects to its cloud server for configuration of the master for its criminal activity," she wrote. The injected code waits for the user to enter his password and account information and captures them.

On the positive side, this intrusion occurred the usual way, probably through an open port that should have been closed on a server being run by Windows. This kind of intrusion can happen anywhere, including your data center. The fact that it's one of the first known cloud server intrusions, however, raises difficult questions.

Ignasiak says the intruder did not move out from the virtual machine on the server to other virtual machines on the same server. But it's not totally inconceivable that such a shift could occur, in the multi-tenant cloud. If your virtual machine was set up to talk to other virtual machines on that server, the malware could propagate itself to new locations using the communications between VMs. Then the VM bot becomes "the rotten apple in the cloud," spreading its decay. At the same time, it should be noted that the intrusion did not move up from the AMI to the hypervisor, supervising all the virtual machines on that physical server, says Ignasiak.

But imagine the potential for mischief if its makers had found a way to do either of those things. On a neighboring virtual machine, there's another opportunity to steal identities and passwords. On the hypervisor, there's the opportunity to watch all the activity going on in all the virtual machines.

"This attack is not unique to Amazon. The possibility of it is true for all cloud infrastructures. The enterprise private cloud is vulnerable the same way," said Ignasiak.

There are ways to defend against such intrusions. One is implement good security practices as you configure servers, whether in the data center or in the cloud. The other is, implant protections in the virtual machines you create, and attach a firewall plus intruder detection to the hypervisor governing the virtual machines on the cloud server. That's possible now with a new class of products, the hypervisor firewall.