Financial data stealing Malware now on Amazon Web Services Cloud

There were some recent comments about Amazon Cloud
as a platform for successful attacks on Sony… Well, today I found that
Amazon Web services (Cloud) now is being used to spread financial data
stealers.

The evidence indicates that the criminals behind the attack are from
Brazil and they used several previously registered accounts to launch
the infection. Unfortunately after my formal complaints to Amazon, and
waiting more than 12 hours, all malicious links are still on-line and
active! It’s worth mentioning that more and more criminals use
legitimate cloud services for malicious purposes. In most cases, they
successfully abuse them.
Now, just few words about malware hosted on Amazons WS Cloud:
It comes with a bunch of different malicious codes, all of them dropped
to the victim’s machines and acting in different ways:

  • Acting as a Rootkit – looking for and denying a normal execution
    of 4 different Anti-Viruses and a special security application called
    GBPluggin and used for Brazilian on-line banking by many banks in that
    country:

DeviceHarddiskVolume1Arquivos
de programasAVGAVG10avgwdsvc.exe

DeviceHarddiskVolume1Arquivos
de programasAVGAVG10avgchsvx.exe

DeviceHarddiskVolume1Arquivos
de programasAVGAVG10avgtray.exe

DeviceHarddiskVolume1Arquivos
de programasAVGAVG10avgrsx.exe

DeviceHarddiskVolume1Arquivos
de programasAVGAVG10avgcsrvx.exe

DeviceHarddiskVolume1Arquivos
de programasAVGAVG10Identity ProtectionAgentBinAVGIDSAgent.exe

DeviceHarddiskVolume1Arquivos
de programasAVGAVG10Identity ProtectionAgentBinAVGIDSMonitor.exe

DeviceHarddiskVolume1Arquivos
de programasAVGAVG10avgnsx.exe

DeviceHarddiskVolume1Arquivos
de programasAlwil SoftwareAvast5AvastUI.exe

DeviceHarddiskVolume1Arquivos
de programasAlwil SoftwareAvast5AvastSvc.exe

DeviceHarddiskVolume1Arquivos
de programasAviraAntiVir Desktopavscan.exe

DeviceHarddiskVolume1Arquivos
de programasAVGAVG8avgupd.exe

DeviceHarddiskVolume1Arquivos
de programasAlwil SoftwareAvast4VisthUpd.exe

DeviceHarddiskVolume1Arquivos
de programasAviraAntiVir Desktopavupgsvc.exe

DeviceHarddiskVolume1Arquivos
de programasAlwil SoftwareAvast5AvastUI.exe

DeviceHarddiskVolume1Arquivos
de programasESETESET NOD32 Antivirusupdater.dll

DeviceHarddiskVolume1Arquivos
de programasGbPlugingbpsv.exe

DeviceHarddiskVolume1Arquivos
de programasGbPlugingbiehcef.dll

DeviceHarddiskVolume1Arquivos
de programasGbPlugingbieh.gmd

DeviceHarddiskVolume1Arquivos
de programasGbPlugincef.gpc

DeviceHarddiskVolume1Arquivos
de programasGbPlugingbieh.dll

DeviceHarddiskVolume1Arquivos
de programasGbPlugingbpdist.dll

DeviceHarddiskVolume1Arquivos
de programasGbPluginbb.gpc

DeviceHarddiskVolume1Arquivos
de programasGbPlugingbpkm.sys

DeviceHarddiskVolume1WINDOWSsystem32scpsssh2.dll
DeviceHarddiskVolume1WINDOWSsystem32driversgbpkm.sys
DeviceHarddiskVolume1WINDOWSDownloaded
Program Filesscpsssh2.inf

DeviceHarddiskVolume1WINDOWSDownloaded
Program Filesabn.gpc

DeviceHarddiskVolume1WINDOWSDownloaded
Program Fileserma.inf

DeviceHarddiskVolume1WINDOWSDownloaded
Program Filesgbieh.gmd

DeviceHarddiskVolume1WINDOWSDownloaded
Program Filesgbiehabn.dll

DeviceHarddiskVolume1WINDOWSDownloaded
Program Filesgbiehuni.dll

DeviceHarddiskVolume1WINDOWSDownloaded
Program FilesGbPluginABN.inf

DeviceHarddiskVolume1WINDOWSDownloaded
Program FilesGbPluginuni.inf

DeviceHarddiskVolume1WINDOWSDownloaded
Program Filesuni.gpc

DeviceHarddiskVolume1Arquivos
de programasGbPlugingbiehuni.dll

DeviceHarddiskVolume1Arquivos
de programasGbPluginuni.gpc

DeviceHarddiskVolume1Arquivos
de programasScpadscpIBCfg.bin

DeviceHarddiskVolume1Arquivos
de programasScpadscpMIB.dll

DeviceHarddiskVolume1Arquivos
de programasScpadscpsssh2.dll

DeviceHarddiskVolume1Arquivos
de programasScpadsshib.dll

DeviceHarddiskVolume1Arquivos
de programasGbPlugingbiehscd.dll

DeviceHarddiskVolume1Arquivos
de programasGbPlugingbpdist.dll

DeviceHarddiskVolume1Arquivos
de programasGbPluginscd.gpc

DeviceHarddiskVolume1Arquivos
de programasGbPluginGbpSv.exe

  • Steal financial information from 9 Brazilian and 2 International
    Banks!
  • Steal Microsoft Live Messenger credentials.
  • Steal digital certificates used by eTokens in the system.
  • Steal information about the CPU, Volume hard drive number, PC
    name and so on (this information is being used by some Latin American
    banks during login sessions to the bank in order to authenticate
    customers)
  • Exfiltrate stolen data in two ways: via email to a
    cybercriminal’s Gmail account and via special php inserting data to a
    remote database.
  • Finally, the malicious samples are protected by a legitimate
    anti-piracy software called The
    Enigma Protector
    . The criminals used it in order to make harder
    reverse engineering process for the analysts.

All samples are detected by KAV as:

Trojan-Downloader.Win32.Murlo.lib
Trojan-PSW.Win32.MSNer.a
Trojan-Banker.Win32.Banz.iok
Trojan-Banker.Win32.Banker.blpm
Trojan-Downloader.Win32.Homa.fgx
Trojan-Banker.Win32.Banker.blbt

I also hope all malicious links will be deactivated by Amazon soon as
well. I believe legitimate cloud services will continue to be
used by criminals for different kinds of cyber-attacks. Cloud providers
should start thinking about better monitoring systems and expanding
security teams in order to cut down on malware attacks enabled and
launched from their cloud.

UPDATE,  June 7, 2011:

As of yesterday (June 6),  all malicious links have been taken
down by Amazon Web Services and are no longer active. 

Brazilian cyber criminals intentionally launched the attack on Friday
night. They know that usually it takes more time to detect and
neutralize threats launched during the weekend. The same technique has
been widely used by phishers for a while.
In order to avoid falling victim to these kinds of attacks, Web users
should pay special attention to any suspicious issue during the weekend.

The AWS Security team has a special Web page to report these security
incidents: http://aws.amazon.com/security/vulnerability-reporting/

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *