The Role of Cloud Services in Malicious Software: Trends and Insights

In this paper we investigate how cyber-criminals abuse public cloud services to host parts of their malicious infrastructure, including exploit servers that distribute malware, C&C servers that manage infected machines, redirectors that increase anonymity, and drop zones that hold stolen data. We conduct a large-scale analysis of all malware samples submitted to the Anubis malware analysis system between 2008 and 2014. For each sample we extract and analyze every interaction with Amazon EC2, a major public cloud service provider, in order to better understand the malicious activities that involve public cloud services. In our experiments we distinguish between benign cloud-hosted services that malware uses passively, such as file sharing, URL shortening, and pay-per-install services, and dedicated machines that play a key role in the malware infrastructure. Our results reveal that cyber-criminals sustain long-lived operations through public cloud resources, either as a redundant or as a major component of their malware infrastructure. We also observe that the number of malicious, dedicated cloud-based domains increased almost fourfold between 2010 and 2013. To understand the reasons behind this trend, we present a detailed analysis based on public DNS records; for instance, we observe that certain dedicated malicious domains hosted on the cloud remain active for an average of 110 days after they are first observed in the wild.
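The measurement pipeline sketched in the abstract has three steps: map each network contact recorded by the sandbox to EC2 address space, separate shared services that malware only uses passively from dedicated hosts, and derive a domain's active lifetime from its first and last observation. The script below is an added example written for this page, not the paper's own code or data. The EC2 prefixes are assumed stand-ins (the real list is published by AWS), the domain names and sandbox records are constructed, and the shared-service list is hypothetical.

```python
"""Classify sandbox network contacts as EC2-hosted and estimate domain lifetimes.

Added example, not the paper's code. Prefixes, domains and observations
below are constructed for illustration only.
"""
import ipaddress
from datetime import date

# Assumed EC2 prefixes. A real study takes the provider's published ranges as
# of each observation date, because cloud address space changes over time.
EC2_PREFIXES = [ipaddress.ip_network(p) for p in ("54.0.0.0/8", "50.16.0.0/14")]

# Hypothetical shared services that malware uses passively (file sharing,
# URL shortening, pay-per-install); they are not dedicated attacker machines.
SHARED_SERVICES = {"files.example-share.com", "short.example-url.net"}

# Constructed sandbox observations: (sample_id, contacted domain, resolved IP, date seen)
RECORDS = [
    ("s1", "cc.example-dedicated.org", "54.10.1.2", date(2012, 1, 10)),
    ("s2", "cc.example-dedicated.org", "54.10.1.2", date(2012, 3, 20)),
    ("s3", "drop.example-dedicated.net", "50.17.5.5", date(2013, 5, 1)),
    ("s4", "drop.example-dedicated.net", "50.17.5.5", date(2013, 9, 28)),
    ("s1", "files.example-share.com", "54.200.1.1", date(2012, 1, 10)),
    ("s5", "cc.example-offcloud.com", "198.51.100.7", date(2012, 2, 2)),
]


def is_ec2(ip: str) -> bool:
    """True if the address falls inside one of the (assumed) EC2 prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EC2_PREFIXES)


def classify(records):
    """Aggregate per domain: first/last seen, samples, IPs, and a role label.

    role is 'non_cloud' if no resolved IP is in EC2 space, 'shared' if the
    domain is a known passively-used service, otherwise 'dedicated'.
    """
    domains = {}
    for sample, domain, ip, seen in records:
        info = domains.setdefault(
            domain, {"first": seen, "last": seen, "samples": set(), "ips": set()}
        )
        info["first"] = min(info["first"], seen)
        info["last"] = max(info["last"], seen)
        info["samples"].add(sample)
        info["ips"].add(ip)
    for domain, info in domains.items():
        if not any(is_ec2(ip) for ip in info["ips"]):
            info["role"] = "non_cloud"
        elif domain in SHARED_SERVICES:
            info["role"] = "shared"
        else:
            info["role"] = "dedicated"
    return domains


def lifetime_days(info) -> int:
    """Days between first and last observation of a domain."""
    return (info["last"] - info["first"]).days


def average_lifetime(domains, role: str = "dedicated") -> float:
    """Mean lifetime over all domains with the given role (0.0 if none)."""
    spans = [lifetime_days(i) for i in domains.values() if i["role"] == role]
    return sum(spans) / len(spans) if spans else 0.0


if __name__ == "__main__":
    result = classify(RECORDS)
    for name, info in sorted(result.items()):
        print(f"{name:30} {info['role']:10} {lifetime_days(info):4d} days "
              f"{len(info['samples'])} samples")
    print("mean dedicated lifetime:", average_lifetime(result))
```

Two caveats a practitioner would apply before trusting such numbers. An IP inside a cloud prefix only tells you the host was rented from that provider on that date; cloud addresses are recycled, so the range list and the observation must be matched by date. And first/last-seen from sandbox runs alone under-estimates a domain's real lifetime, which is why the paper complements the sandbox data with public DNS records.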
