Amazon's cloud computing service plays host to some of the most prolific malware distributors on the Internet, security researchers have discovered.
Of the 10 sites that pump out malware most frequently, four are hosted on Amazon Web Services (AWS) — including the number one site, download-instantly.com, according to a threat report published Wednesday by the IT security firm Solutionary.
The report comes a week after we learned that hackers allegedly used Amazon's cloud hosting solution as a platform for a botnet that scraped personal information from potentially millions of LinkedIn subscribers.
Cloud computing is becoming an attractive way for online criminals to launch attacks against businesses and consumers because of its low cost. It allows users to instantly set up an array of virtual servers that can be ordered to perform both legitimate and abusive functions.
Together, the four Amazon-hosted sites accounted for 6 percent of all malware Solutionary found in the fourth quarter of 2013, according to the report. Amazon (whose chief executive, Jeffrey P. Bezos, owns The Washington Post) is the leading malware host among global hosting providers, followed closely by GoDaddy.
The e-commerce giant has taken an active stance on its abusive customers. In 2009, after reports surfaced of a botnet controller living on AWS, the company said it had located the offending malware and shut it down. Amazon also operates an e-mail hotline dedicated to handling reports of AWS abuse.
But that hasn't stopped cybercriminals from taking advantage of Amazon's cloud service. In a 2009 presentation at the Black Hat security conference, one consultant demonstrated how AWS's massive computing power could be used as a super-powered password cracker. A typical eight-character alphanumeric password might cost as little as $45 to crack. More recently, AWS was found to be hosting SpyEye, a trojan that let hackers gain access to the online accounts of banking customers.
Amazon has argued that it's much better to find the malware on its own systems, where it can be cordoned off and eliminated, rather than have it hosted on the servers of other, less responsive companies.
"We take security very seriously, and investigate all reported vulnerabilities," the company writes on its threat reporting page.
A spokesperson for AWS did not return a request for comment Wednesday.
Amazon hosting most of the net's malware, says security firm
Report says net's large cloud providers, including Google and GoDaddy, are unknowingly harbouring ‘on-demand’ malware
Amazon web services are the biggest malware server in the world along with GoDaddy and Google, as malware producers take advantage of the cloud, according to a new report.
The report from security firm Solutionary claims that malware writers are using the big cloud hosting platforms to quickly and effectively serve malware to oblivious internet users, allowing them to bypass detection and geographic blacklisting by serving from a trusted provider like Amazon.
“Malware and, more specifically, its distributors are utilising the technologies and services that make processes, application deployment and website creation easier. Now we have to maintain our focus not only on the most dangerous parts of the Web but also on the parts we expect to be more trustworthy,” said Rob Kraus, Solutionary's director of research for the security engineering research team.
Solutionary discovered that hackers compromise legitimate sites for nefarious purposes, as well as buying and hosting their own sites.
The report claims malware producers use the cloud hosting services like Amazon and GoDaddy for the same reasons legitimate publishers use them.
The ease of website creation, low cost and speed of deployment allow malware producers to create and remove malware-serving websites quickly, easily and cost-effectively, letting them infect millions of computers and vast numbers of enterprise systems, according to the report.
Cloud providers such as Amazon, GoDaddy and Google all have stringent security policies against this kind of malicious activity, and remove offenders as soon as they are discovered on their systems.
The sheer number of websites and services hosted on their cloud systems, however, makes that discovery job very difficult, with the malware producers attempting to seek safety in numbers.
“Ultimately it is still up to providers to take action to stop the proliferation of malware and to be accountable for policing the activities on their properties,” the Solutionary report stated.
Data from Solutionary also showed that in the last three months of 2013, the US was the world’s number one malware hosting nation with 44% of the global share of malware, five times larger than Germany, the second leading malware hosting nation, which was responsible for 9% of the malware detected by the company’s security research team.
The report claims Amazon was the top malware-hosting provider with a 16% share, with GoDaddy ranking second with a 14% share.
Amazon was contacted for comment.
U.S. malware share rising, Amazon service No.1 in hosting it
Solutionary’s Top 10 list also includes Google and Akamai.
In its quarterly report on global malware distribution and threats, security firm Solutionary Tuesday said that 56% of the malware it captured via sensors and other means was hosted in the U.S. — a 12% increase from six months ago — and about half of the malware overall appeared to originate at 10 Internet service and hosting providers.
This “Top 10” list includes Amazon Web Services, France’s OVH, Akamai, Google, Akrino, Hetzner Online, CloudFlare, CDN, GoDaddy and Website Welcome, according to Solutionary.
In a comparison to what it found in the fourth quarter of 2013 through the same methodology, Solutionary reports that GoDaddy’s percentage of actively hosted malware dropped from 14% to 2%. But “on the other end of the spectrum, sites supported through Amazon services showed a massive increase moving from 16% to 41% of the identified malware hosts, retaining their top spot in the top 10.”
In its malware hosting analysis, Solutionary also notes the “new appearance of smaller providers, such as Akrino and Website Welcome, in the top 10.”
The jump in overall U.S. malware share from 44% to 56% “is likely attributed to malicious actors’ increased utilization of Amazon’s cloud infrastructure and Dropbox,” says Rob Kraus, director of research at Solutionary’s Security Engineering Research Team. “However, it appears Dropbox utilizes some of Amazon’s infrastructure to support its cloud storage service. Many of the distributing domains also utilize virtual private servers to distribute warez. Due to the affordability and increased presence of hosting providers, these have become a popular platform for malicious activity.”
So, who is to blame, the hosting provider or the customer for not cleaning up this malware? Kraus says both bear responsibility in order to be “mutually protected.”
“The providers who are hosting content for their clients can be affected and may have responsibilities from a few different viewpoints,” says Kraus. “First, they are hosting content for their clients, they should ensure the reputation and ecosystem for their services are well guarded. Ensuring technologies are deployed to detect malicious hosted content can significantly help identify and reduce these types of threats.” He adds that these processes do exist, but may not be as widely used as would be hoped.
Another factor in all this is if the content being hosted is solely for the purpose of malicious actions by someone who has rented hosting services to take advantage of them, Kraus notes. Attackers are using ISPs and hosting providers to set up malware distribution points, download drive-by centers or “even drop points for data exfiltrated from a company targeted during a breach,” he notes.
Unlike the U.S. where malware on ISPs and hosting providers is said to have risen, a few countries saw their share of malware drop.
The Russian Federation, for example, dropped from 7% to 3%, Germany went from 9% to 7% and the Netherlands from 7% to 3%. France, however, saw its share rise, according to Solutionary, from 4% to 7%, putting it at No.2 on the Top 10 list. It also notes that, unexpectedly, the Virgin Islands suddenly rose to No.5 on the list with 5% of total worldwide hosted malware.