The Tech Herald

Zeus botnet moves to Amazon for some grid action

by Steve Ragan - Dec 10 2009, 22:25

Researchers at CA have noticed an interesting twist on the use of Amazon’s EC2 cloud-based services after digging into the latest Christmas themed scams moving around online.

The CA researchers working for the company’s Internet Security Business Unit were far from shocked to see a scam arrive via email. They were expecting Christmas themed Spam with Malware anyway, only they didn’t expect to see it so soon.

The email arrives as a friendly message from the “Online Banking Team”, which in itself is odd, as the email makes no mention of a bank or brand. It is simply sent to a user's address, greets them as “Dear Online Banking member”, and offers a Christmas Holiday e-card from the team.

While the sentiment is nice, we’re sure, the e-card is like most other e-cards that arrive from unknown senders: it’s completely malicious. As CA explained, the e-card is actually a variant of the Zeus family of Malware (ZBot).

After digging into the scam, CA discovered that the Malware itself behaved as usual, infecting the system and reaching out to a Command and Control server for instructions. However, the C&C itself was what caught their eye: it was hosted on Amazon’s EC2 services.

“The group behind this criminal activity is obviously doing it for financial gain – stealing both your identity and your money. In this variant, we have learned how cloud on demand (pay-as-you-use) offerings could be used to fuel such online cyber-crimes,” the CA report on the cloud-based C&C said.

In the case of the C&C on Amazon, and the hijacked account used to serve the e-card, both have been corrected, and for the short term this avenue of attack has been blocked. The key phrase here is short term, as the criminals are sure to move on and repeat the attack frequently as Christmas approaches, and then shift to New Year themed campaigns.

The latest Threat Report from CA centers on email-based scams, such as the e-cards, as well as the use of popular search terms to poison search results online in a process called BlackHat SEO. The two go hand in hand, as criminals time their Spam runs around holidays and current events to spread their Malware or harvest information.

“Cyber-criminals have made a business out of conducting attacks on the most popular online destinations because they promise the highest payoff,” said Don DeBolt, director of threat research for CA’s Internet Security Business Unit.

“Cyber-criminals keep up with trends, major events, holidays, and the like, and focus on where they’ll get the biggest returns. Search engines, like Google and Yahoo, or social networking sites, like Twitter or Facebook, have the mass appeal to attract these criminals. In addition to Internet security software, the best weapon against today’s threats is education, so that consumers know what to look for when they are conducting activities online.”

The State of the Internet 2009 report from CA is here.
