Bank Login-Stealing Botnet Found Hiding in Amazon Cloud

News and Events 1335 Hits > 2009-12-11 15:37:55


We've all heard security nerds complain about the vulnerabilities of cloud computing; here's the news they've been waiting for.

Black-hat hackers got into an unnamed website hosted on Amazon's servers then proceeded to install an illegal command and control infrastructure. Named America's number one most wanted botnet, Zeus was discovered on Amazon's Elastic Compute Cloud (EC2) by security researchers yesterday.

The Zeus Trojan is a keylogger designed to steal data such as login credentials, account numbers and credit card information. It creates fake HTML forms on banking login pages to allow hackers to steal user data. This particular botnet has been linked to around $100 million in bank fraud in 2009.

Although we don't yet have details on exactly how the website in question was hacked, we have learned that the software has been removed from the Amazon cloud. This incident is the first example of malware being found on AWS' infrastructure.

As we were warned by black hats in April this year, cloud computing carries certain risks and opportunities for exploitation. Our own Sarah Perez wrote:

In another part of the Sensepost presentation, they looked specifically at vulnerabilities of Amazon's Web Services. To start off, they detailed the process involved in setting up a new instance on EC2... While Amazon has provided 47 machine images they built themselves, the remaining 2721 images were build by other EC2 users. Can you really believe that all of these images were built securely? Basically, the template directory is just a big archive of user-generated content. And you know what user-gen content is like... risky.

As John Pescatore told the Financial Times, "The security of these cloud-based infrastructure services is like Windows in 1999. It's being widely used and nothing tremendously bad has happened yet. But it's just in early stages of getting exposed to the Internet, and you know bad things are coming."

Will hackers continue to employ web services to carry out their schemes in 2010? Twitter, Facebook, Google Apps, and now Amazon Web Services have all been used for evil this year. How can websites, corporations, and end users be smarter about online security to avoid personal and financial loss next year? Let us know what you think in the comments.






104 posts

joined 1734 days ago

Niranjan Shrestha



Warning: Unknown: write failed: Disk quota exceeded (122) in Unknown on line 0

Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in Unknown on line 0