Abstract
In this paper we investigate the way cyber-criminals abuse public cloud services to host part of their malicious infrastructures, including exploit servers to distribute malware, C&C servers to manage infected terminals, redirectors to increase anonymity, and drop zones to host stolen data.
We conduct a large-scale analysis of all the malware samples submitted to the Anubis malware analysis system between 2008 and 2014. For each sample, we extracted and analyzed all malware interactions with Amazon EC2, a major public cloud service provider, in order to better understand the malicious activities that involve public cloud services. In our experiments, we distinguish between benign cloud services that are passively used by malware (such as file sharing, URL shortening, and pay-per-install services), and other dedicated machines that play a key role in the malware infrastructure. Our results reveal that cyber-criminals sustain long-lived operations through the use of public cloud resources, either as a redundant or a major component of their malware infrastructures. We also observe that the number of malicious and dedicated cloud-based domains has increased almost 4 times between 2010 and 2013. To understand the reasons behind this trend, we also present a detailed analysis using public DNS records. For instance, we observe that certain dedicated malicious domains hosted on the cloud remain active for an average of 110 days after they are first observed in the wild.
Acknowledgments
We would like to thank the reviewers for their valuable comments that allowed us to improve the quality of this paper. This research was partly funded by the French Ministry of Education and Research under a Cifre grant given to Xiao Han, and by the European Union's Horizon 2020 project SUPERCLOUD under grant agreement 643964.
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Han, X., Kheir, N., Balzarotti, D. (2015). The Role of Cloud Services in Malicious Software: Trends and Insights. In: Almgren, M., Gulisano, V., Maggi, F. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2015. Lecture Notes in Computer Science(), vol 9148. Springer, Cham. https://doi.org/10.1007/978-3-319-20550-2_10
DOI: https://doi.org/10.1007/978-3-319-20550-2_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-20549-6
Online ISBN: 978-3-319-20550-2
eBook Packages: Computer Science (R0)