
Cloud-nomics - utility computing goes criminal

Cyber-criminals use cloud-based technology to turn machines into botnets.

By Rik Ferguson, Solutions architect, Trend Micro
Johannesburg, 26 Apr 2010

Over the past 12 to 24 months, criminal adoption of cloud-based technologies has increased drastically, not only as a means to spread malware, but also to try to control the cloud and effectively target it.

In fact, it could be said that criminals collectively have the biggest cloud of them all at their disposal. In a recent study, Trend Micro identified over 100 million IP addresses of compromised machines that were infected with bots, putting them under the control of criminals. Around 26 million of these IP addresses are currently actively being used to generate spam.

This study does not even account for all of the criminal-controlled machines: those that are not sending spam but are instead stealing information such as banking or other credentials, and you can be sure there are millions more of those.

This is cyber-crime's utility computing model; capacity can be added or removed as required, access is paid for on a daily or job rate, and it is rented out to many different 'enterprises'.

Criminal gains

Aside from this, criminals also see the benefit of abusing commercial cloud services. They gain scalability, enterprise class infrastructure, and importantly, a higher degree of anonymity through the misappropriation of legitimate cloud services for their own ends.

For example, compromised, otherwise innocent servers in Amazon's EC2 cloud have been used to host configuration files for the Zeus bot. Twitter has been used as the landing page URL in spam campaigns, to attempt to overcome URL filtering in e-mail messages. Twitter, Facebook, Pastebin, Google Groups and Google App Engine have all been used as surrogate command and control infrastructures.

These public forums have been configured to issue obfuscated commands to globally distributed botnets. These commands contain further URLs that the bot then accesses to download commands or components.

Open attraction

The attraction with these sites and services lies in the fact that they offer a public, open, scalable, highly-available and relatively anonymous means of maintaining a C&C infrastructure, which at the same time further reduces the chance of detection by traditional technologies.


While network content inspection solutions could reasonably be expected to pick up on compromised endpoints that are communicating with known bad sites (C&C), or over suspicious or unwanted channels such as IRC, it has historically been safe to assume that a PC making a standard HTTP GET request over port 80 to a content provider such as Facebook, Google or Twitter, even several times every day, is acting entirely normally.

However, as botnet owners and criminal outfits seek to further dissipate their command and control infrastructure, and blend into the general white noise of the Internet, that is no longer the case.
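Because a bot polling Twitter or Facebook for commands looks like ordinary port-80 traffic, one detection signal that does not depend on domain reputation is timing regularity: malware polls on a schedule, people do not. The script below is an added example, not code from the article or from Trend Micro; it runs over a constructed proxy log (the hosts, IPs and timestamps are invented) and flags client/host pairs whose request intervals are near-constant, even when the host is a trusted provider.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed sample proxy log (timestamp, client, method, URL); not real traffic.
# 10.0.0.5 polls one Twitter page every 10 minutes; 10.0.0.7 browses normally.
SAMPLE_LOG = """\
2010-04-26T09:00:00 10.0.0.5 GET https://twitter.com/some_account
2010-04-26T09:00:02 10.0.0.7 GET https://www.google.com/search?q=lunch
2010-04-26T09:10:00 10.0.0.5 GET https://twitter.com/some_account
2010-04-26T09:13:41 10.0.0.7 GET https://twitter.com/home
2010-04-26T09:20:00 10.0.0.5 GET https://twitter.com/some_account
2010-04-26T09:30:00 10.0.0.5 GET https://twitter.com/some_account
2010-04-26T09:40:00 10.0.0.5 GET https://twitter.com/some_account
2010-04-26T11:02:17 10.0.0.7 GET https://twitter.com/search?q=news
2010-04-26T15:48:03 10.0.0.7 GET https://twitter.com/home
"""

def parse_log(text):
    """Yield (timestamp, client, host) for each well-formed log line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the whole run
        ts, client, _method, url = parts
        yield datetime.fromisoformat(ts), client, urlparse(url).hostname

def find_beacons(text, min_requests=5, max_cv=0.1):
    """Return (client, host, mean_interval_seconds) for client/host pairs whose
    request timing is too regular to be human, regardless of host reputation."""
    times = defaultdict(list)
    for ts, client, host in parse_log(text):
        times[(client, host)].append(ts)
    hits = []
    for (client, host), stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation: ~0 is clockwork polling; human browsing has jitter.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((client, host, avg))
    return hits

if __name__ == "__main__":
    for client, host, avg in find_beacons(SAMPLE_LOG):
        print(f"{client} polls {host} every {avg:.0f}s")
```

On real logs, tune min_requests and max_cv against a baseline and pair hits with the request path and response size, since a single regular poll to a busy site is a lead to triage, not proof of compromise.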


In the cloud, you rarely get to meet your neighbours; criminals are already finding victims there or even moving in themselves. When you move to the cloud make sure you take your security with you instead of accepting the lowest-common-denominator security on offer from the provider. After all, it only takes a credit card to bypass the perimeter.

* Rik Ferguson is a solutions architect at Trend Micro. He will deliver a talk on 'Why in-the-cloud security technologies are the answer' at next month's ITWeb Security Summit, which takes place from 11 to 13 May at the Sandton Convention Centre.
