Financial data stealing Malware now on Amazon Web Services Cloud

There were some recent comments about Amazon Cloud as a platform for successful attacks on Sony… Well, today I found that Amazon Web services (Cloud) now is being used to spread financial data stealers.

The evidence indicates that the criminals behind the attack are from Brazil and they used several previously registered accounts to launch the infection. Unfortunately after my formal complaints to Amazon, and waiting more than 12 hours, all malicious links are still on-line and active! It’s worth mentioning that more and more criminals use legitimate cloud services for malicious purposes. In most cases, they successfully abuse them.

Now, just few words about malware hosted on Amazons WS Cloud:
It comes with a bunch of different malicious codes, all of them dropped
to the victim’s machines and acting in different ways:

• Acting as a Rootkit – looking for and denying a normal execution
  of 4 different Anti-Viruses and a special security application called
  GBPluggin and used for Brazilian on-line banking by many banks in that
  country:

DeviceHarddiskVolume1Arquivos
de programasAVGAVG10avgwdsvc.exe
DeviceHarddiskVolume1Arquivos
de programasAVGAVG10avgchsvx.exe
DeviceHarddiskVolume1Arquivos
de programasAVGAVG10avgtray.exe
DeviceHarddiskVolume1Arquivos
de programasAVGAVG10avgrsx.exe
DeviceHarddiskVolume1Arquivos
de programasAVGAVG10avgcsrvx.exe
DeviceHarddiskVolume1Arquivos
de programasAVGAVG10Identity ProtectionAgentBinAVGIDSAgent.exe
DeviceHarddiskVolume1Arquivos
de programasAVGAVG10Identity ProtectionAgentBinAVGIDSMonitor.exe
DeviceHarddiskVolume1Arquivos
de programasAVGAVG10avgnsx.exe
DeviceHarddiskVolume1Arquivos
de programasAlwil SoftwareAvast5AvastUI.exe
DeviceHarddiskVolume1Arquivos
de programasAlwil SoftwareAvast5AvastSvc.exe
DeviceHarddiskVolume1Arquivos
de programasAviraAntiVir Desktopavscan.exe
DeviceHarddiskVolume1Arquivos
de programasAVGAVG8avgupd.exe
DeviceHarddiskVolume1Arquivos
de programasAlwil SoftwareAvast4VisthUpd.exe
DeviceHarddiskVolume1Arquivos
de programasAviraAntiVir Desktopavupgsvc.exe
DeviceHarddiskVolume1Arquivos
de programasAlwil SoftwareAvast5AvastUI.exe
DeviceHarddiskVolume1Arquivos
de programasESETESET NOD32 Antivirusupdater.dll

DeviceHarddiskVolume1Arquivos
de programasGbPlugingbpsv.exe
DeviceHarddiskVolume1Arquivos
de programasGbPlugingbiehcef.dll
DeviceHarddiskVolume1Arquivos
de programasGbPlugingbieh.gmd
DeviceHarddiskVolume1Arquivos
de programasGbPlugincef.gpc
DeviceHarddiskVolume1Arquivos
de programasGbPlugingbieh.dll
DeviceHarddiskVolume1Arquivos
de programasGbPlugingbpdist.dll
DeviceHarddiskVolume1Arquivos
de programasGbPluginbb.gpc
DeviceHarddiskVolume1Arquivos
de programasGbPlugingbpkm.sys
DeviceHarddiskVolume1WINDOWSsystem32scpsssh2.dll
DeviceHarddiskVolume1WINDOWSsystem32driversgbpkm.sys
DeviceHarddiskVolume1WINDOWSDownloaded
Program Filesscpsssh2.inf
DeviceHarddiskVolume1WINDOWSDownloaded
Program Filesabn.gpc
DeviceHarddiskVolume1WINDOWSDownloaded
Program Fileserma.inf
DeviceHarddiskVolume1WINDOWSDownloaded
Program Filesgbieh.gmd
DeviceHarddiskVolume1WINDOWSDownloaded
Program Filesgbiehabn.dll
DeviceHarddiskVolume1WINDOWSDownloaded
Program Filesgbiehuni.dll
DeviceHarddiskVolume1WINDOWSDownloaded
Program FilesGbPluginABN.inf
DeviceHarddiskVolume1WINDOWSDownloaded
Program FilesGbPluginuni.inf
DeviceHarddiskVolume1WINDOWSDownloaded
Program Filesuni.gpc
DeviceHarddiskVolume1Arquivos
de programasGbPlugingbiehuni.dll
DeviceHarddiskVolume1Arquivos
de programasGbPluginuni.gpc
DeviceHarddiskVolume1Arquivos
de programasScpadscpIBCfg.bin
DeviceHarddiskVolume1Arquivos
de programasScpadscpMIB.dll
DeviceHarddiskVolume1Arquivos
de programasScpadscpsssh2.dll
DeviceHarddiskVolume1Arquivos
de programasScpadsshib.dll
DeviceHarddiskVolume1Arquivos
de programasGbPlugingbiehscd.dll
DeviceHarddiskVolume1Arquivos
de programasGbPlugingbpdist.dll
DeviceHarddiskVolume1Arquivos
de programasGbPluginscd.gpc
DeviceHarddiskVolume1Arquivos
de programasGbPluginGbpSv.exe

• Steal financial information from 9 Brazilian and 2 International
  Banks!
• Steal Microsoft Live Messenger credentials.
• Steal digital certificates used by eTokens in the system.
• Steal information about the CPU, Volume hard drive number, PC
  name and so on (this information is being used by some Latin American
  banks during login sessions to the bank in order to authenticate
  customers)
• Exfiltrate stolen data in two ways: via email to a
  cybercriminal’s Gmail account and via special php inserting data to a
  remote database.
• Finally, the malicious samples are protected by a legitimate
  anti-piracy software called The
  Enigma Protector. The criminals used it in order to make harder
  reverse engineering process for the analysts.

All samples are detected by KAV as:

Trojan-Downloader.Win32.Murlo.lib
Trojan-PSW.Win32.MSNer.a
Trojan-Banker.Win32.Banz.iok
Trojan-Banker.Win32.Banker.blpm
Trojan-Downloader.Win32.Homa.fgx
Trojan-Banker.Win32.Banker.blbt

I also hope all malicious links will be deactivated by Amazon soon as well. I believe legitimate cloud services will continue to be used by criminals for different kinds of cyber-attacks. Cloud providers should start thinking about better monitoring systems and expanding security teams in order to cut down on malware attacks enabled and launched from their cloud.

UPDATE,  June 7, 2011:

As of yesterday (June 6),  all malicious links have been taken down by Amazon Web Services and are no longer active. 

Brazilian cyber criminals intentionally launched the attack on Friday night. They know that usually it takes more time to detect and neutralize threats launched during the weekend. The same technique has been widely used by phishers for a while.

In order to avoid falling victim to these kinds of attacks, Web users should pay special attention to any suspicious issue during the weekend.

The AWS Security team has a special Web page to report these security incidents: http://aws.amazon.com/security/vulnerability-reporting/