by Rik Ferguson

Cloud /klaƱd/ -v. tr. to obscure

Apr 19, 2010
Security Software

Businesses and political parties alike have spoken of the need to adopt cloud-basedtechnologies and to make greater use of open source in a bid to drive down cost, standardise and improve performance. In fact the Conservative partyhave even made manifesto commitments to that effect. However it isn’t just legitimate business and government that see the advantages offered by new technologies, some of the earliest adopters are the online criminals. Over the past twelve to twenty-four months criminal adoption of cloud-based technologieshas increased drastically; both as a means to spread malware but also as a means to control it and even to effectively target it. In fact it could be said that criminals collectively have the biggest cloud of them all at their disposal. In a recent study Trend Micro, who I represent, identified over 100 million IP addresses of compromised machines that were infected with bots, putting them under the control of criminals; around 26 million of these IP addresses are currently actively being used to generate Spam. This study does not even account for all of the criminal controlled machines, those that are not sending Spam, but instead stealing information such as banking or other credentials were not counted in this study and you can be sure there are millions more of those. This is cybercrime’s utility computing model, capacity can be added or removed as required, access is paid for on a daily rate, or on a job rate and it is rented out to many different “enterprises”. Aside from this, criminals also see the benefit of abusing commercial cloud services. They gain scalability, enterprise class infrastructure, and importantly a higher degree of anonymity through the misappropriation of legitimate cloud services for their own ends. Compromised, otherwise innocent, servers in Amazon’s EC2 cloud, for example, have been used to host configuration files for the ZeuS bot1. Twitter has been used as the landing page URL in spam campaigns, to attempt to overcome URL filtering in email messages2. Twitter3, Facebook4, Pastebin5, Google Groups6 and a Google AppEngine7 have all been used as surrogate Command & Control infrastructures. These public forums have been configured to issue obfuscated commands to globally distributed botnets, these commands contain further URLs which the bot then accesses to download commands or components. The attraction with these sites and services lies in the fact that they offer a public, open, scalable, highly-available and relatively anonymous means of maintaining a C&C infrastructure, which at the same time further reduces the chance of detection by traditional technologies. Whilst network content inspection solutions could reasonably be expected to pick up on compromised endpoints that are communicating with known-bad sites (C&C), or over suspicious or unwanted channels such as IRC; it has been historically safe to assume that a PC making a standard HTTP GET request, over port 80 to a content provider such as Facebook, Google or Twitter, even several times every day, is as acting entirely normally. However, as botnet owners and criminal outfits seek to further dissipate their command and control infrastructure and blend into the general white noise of the internet, that is no longer the case. In the cloud you rarely get to meet your neighbours, criminals are already finding victims there or even maybe moving in themselves. When you move to the cloud make sure you take your security with you instead of accepting the lowest-common-denominator security on offer from the provider, after all, it only takes a credit card to bypass the perimeter… References: 1. 2. 3. 4. 5. 6. 7.