Kaspersky Finds Banking Malware On Amazon Cloud

Security researchers have long warned that cloud services were providing cyber-criminals with extensive computing resources that could be used to launch powerful and damaging cyber-attacks. A Kaspersky researcher uncovered an example of how Amazon’s cloud services are being used to spread malware.

A cloud instance on Amazon web Services had links which pointed to “financial data stealing malware”, Dmitry Bestuzhev, a Kaspersky Lab expert, wrote on the Securelist blog. The malware appears fairly sophisticated, with the capability to block several security programs while stealing hardware and software information.

Links still active

Kaspersky notified Amazon of the malicious links over the weekend, but a company spokesperson confirmed that as of 6 June the links were still active.

“Unfortunately after my formal complaints to Amazon, and waiting more than 12 hours, all malicious links are still on-line and active!” Bestuzhev wrote.

“I also hope all malicious links will be deactivated by Amazon soon,” Bestuzhev said.

More and more criminals use commercial cloud services for malicious purposes, Bestuzhev said. There have been several notable examples, such as reports that the unknown attackers who successfully compromised Sony’s PlayStation Network and Sony Online Entertainment in mid-April rented servers from Amazon Elastic Cloud Compute to launch the attack. Academic researchers have also demonstrated how attackers can easily use EC2 and AWS to brute-force passwords.

Cyber-attacks “successfully abuse” legitimate cloud services in most cases, Bestuzhev said.

“I believe legitimate cloud services will continue to be used by criminals for different kinds of cyber-attacks,” Bestuzhev said. It is very cheap to rent cloud servers, with prices ranging from three cents to $2.48 (£1.50) an hour.

The cloud instance hosted “a bunch of different” malicious codes, all of which were downloaded onto the victim’s machine. Some programs acted as a rootkit, looking for and stopping execution of at least four different antivirus programs, including AVG, Avira’s Antivir, ESET and Alwill Software’s Avast applications. The rootkit also looked for and blocked a special security application called GBPluggin, which is used by a number of Brazilian financial institutions to protect online banking transactions.

Even more disconcerting, the attackers had made sure that the malware samples were protected by a legitimate anti-piracy software called The Enigma Protector. The criminals used Enigma Protector to make it harder for security analysts to reverse engineer the malware, Bestuzhev speculated.

The malware is capable of stealing financial information from nine Brazilian and two “international” banks, Bestuzhev said. It also steals machine information, such as the CPU, hard drive volume number and computer name, as these are the types of information being collected by some Latin American banks during the login process to verify and authenticate online banking customers.

Stolen credentials

It can also steal Microsoft Live Messenger credentials and digitial certificates used by eTokens on the compromised machine. The stolen information can then either be emailed to the attacker’s Gmail account or using a special PHP script to insert the data into a remote database, according to Kaspersky.

“Cloud providers should start thinking about better monitoring systems and expanding security teams in order to cut down on malware attacks enabled and launched from their cloud,” Bestuzhev said.

The criminals behind the attack are from Brazil, according to Bestuzhev. They have several previously registered accounts on hand which were used to launch the infection.