Attackers turning to legit cloud services firms to plant malware
Researchers see significant growth in number of malware writers using services like Google Code, Dropbox to distribute their malicious wares
Computerworld - LAS VEGAS -- Malware writers are ramping up their use of commercial file hosting sites and cloud services to distribute malware programs, security researchers said at this week's Black Hat conference here.
Traditionally, malware writers had distributed their malicious code from their own sites.
But as security vendors get better at detecting and blacklisting those sites, hackers are increasingly distributing their malware products from legitimate host sites. The technique has been used a bit for more than two years, but now appears be gaining steam, researchers said.
Often, the owners of legitimate sites fail to properly scan the content they are hosting, which allows attackers to furtively post malicious code with relative ease, said Michael Sutton, vice president of research at ZScaler, a provider of cloud-based security services for enterprises.
Malicious content distributed from a legitimate site is more likely to make it past corporate defenses. Vendors are also unlikely to blacklist a legitimate hosted service, allowing malicious content hosted on one to stay up longer, he said.
Zscaler said he's heard reports of malicious files hosted on Dropbox, but the they appear to have been removed, the blog noted.
Sutton pointed to recent incidents were attackers posted and distributed malicious code on Google Code and Dropbox as an example of the trend. A blog on Zscaler's website lists nearly three-dozen malicious files hosted on the Google Code site, which contains tools for software developers.
The message for IT managers: Don't blindly trust domains that seem to be secure, Sutton said.
"Attackers are starting to leverage hosting services" to stage malicious code, he said. "It used to be that [attackers] would set up their own servers," to host malware. "Then we saw them infecting legitimate third-parties. Now they are using hosting services. They are no longer paying for hosting [malware] and are less likely to get blacklisted."
Meanwhile, Firehost, a provider of cloud-hosting services for enterprises, has seen an increase in Web application attacks originating from the networks of legitimate Web hosting services, said CEO Chris Drake.
In its latest quarterly security review, Firehost observed a noticeable increase in the number of SQL injection attacks, directory traversal attacks and other Web application attacks launched from within cloud service provider networks, Drake said.
Cloud providers often have weak validation procedures when signing up new customers, allowing attackers to create accounts with fake information. The accounts are then used to deploy and administer powerful botnets that run in the cloud infrastructure, he said.
In the second quarter of 2013, the IP filtering system that Firehost uses to protect its customers against malicious attacks blocked about 1.3 million unique attacks. Of the total, a noticeable number of attacks originated from IP addresses belonging cloud services companies, Drake said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His email address is email@example.com.
- Researcher claims two hacker gangs exploiting unpatched IE bug
- Update: Third of Internet Explorer users at risk from attacks
- Microsoft plans another short patch slate for next week, but finds a few XP bugs to crush
- Target attack shows danger of remotely accessible HVAC systems
- Target hackers try new ways to use stolen card data
- Update: Microsoft to patch just-revealed Windows zero-day tomorrow
- NSA spying prompts open TrueCrypt encryption software audit to go viral
- Microsoft warns of Office zero-day, active hacker exploits
- Hackers move to create next Blackhole after 'Paunch' arrest
- Adobe hack shows subscription software vendors lucrative targets
Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Simplify and Consolidate Data Protection for Better Business Results Learn about IBM® Tivoli® Storage Manager Operations Center, which provides advanced visualization, built-in analytics and integrated workflow automation features that leapfrog traditional backup...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Cybercrime and Hacking White Papers | Webcasts