Study finds 'lurking malice' in cloud hosting services

October 18, 2016

A study of 20 major cloud hosting services has found that as many as 10 percent of the repositories hosted by them had been compromised - with several hundred of the "buckets" actively providing malware. Such bad content could be challenging to find, however, because it can be rapidly assembled from stored components that individually may not appear to be malicious.

To identify the bad content, researchers created a scanning tool that looks for features unique to the bad repositories, known as "Bars." The features included certain types of redirection schemes and "gatekeeper" elements designed to protect the malware from scanners. Researchers from the Georgia Institute of Technology, Indiana University Bloomington and the University of California Santa Barbara conducted the study.

Believed to be the first systematic study of cloud-based malicious activity, the research will be presented October 24 at the ACM Conference on Computer and Communications Security in Vienna, Austria. The work was supported in part by the National Science Foundation.

"Bad actors have migrated to the cloud along with everybody else," said Raheem Beyah, a professor in Georgia Tech's School of Electrical and Computer Engineering. "The bad guys are using the cloud to deliver malware and other nefarious things while remaining undetected. The resources they use are compromised in a variety of ways, from traditional exploits to simply taking advantage of poor configurations."

Beyah and graduate student Xiaojing Liao found that the bad actors could hide their activities by keeping components of their malware in separate repositories that by themselves didn't trigger traditional scanners. Only when they were needed to launch an attack were the different parts of this malware assembled.

"Some exploits appear to be benign until they are assembled in a certain way," explained Beyah, who is the Motorola Foundation Professor and associate chair for strategic initiatives and innovation in the School of Electrical and Computer Engineering. "When you scan the components in a piecemeal kind of way, you only see part of the malware, and the part you see may not be malicious."

In the cloud, malicious actors take advantage of how difficult it can be to scan so much storage. Operators of cloud hosting services may not have the resources to do the deep scans that may be necessary to find the Bars - and their monitoring of repositories may be limited by service-level agreements.

While splitting the malicious software up helped hide it, the strategy also created a technique for finding the "bad buckets" hosting it, Beyah said. Many of the bad actors had redundant repositories connected by specific kinds of redirection schemes that allowed attacks to continue if one bucket were lost. The bad buckets also usually had "gatekeepers" designed to keep scanners out of the repositories, and where webpages were served, they had simple structures that were easy to propagate.

"We observed that there is an inherent structure associated with how these attackers have set things up," he explained. "For instance, the bad guys all had bodyguards at the door. That's not normal for cloud storage, and we used that structure to detect them."

The researchers began by studying a small number of known bad repositories to understand how they were being used. Based on what they learned, they created "BarFinder," a scanner tool that automatically searches for and detects features common to the bad repositories.
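As an added illustration of one of the structural cues described above (this is not BarFinder or the paper's code), the snippet below pulls cross-bucket redirects out of crawled bucket pages and groups buckets that all redirect to one another, the "redundant repositories" pattern. The hostnames and page bodies are constructed for the demo.

```python
# Added example: flags buckets that redirect to one another. Not BarFinder or
# the paper's code; hosts and page bodies below are constructed for the demo.
import re
from collections import defaultdict
from urllib.parse import urlparse

# Redirect forms a static bucket page can carry: <meta refresh> and a JS location assignment.
REDIRECT_PATTERNS = [
    re.compile(r'http-equiv=["\']refresh["\'][^>]*url=([^"\'\s>]+)', re.I),
    re.compile(r'location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I),
]

def redirect_targets(html):
    """Every redirect URL found in one page body."""
    return [url for pat in REDIRECT_PATTERNS for url in pat.findall(html)]

def build_graph(pages):
    """pages: page URL -> HTML. Returns bucket host -> set of bucket hosts it redirects to."""
    graph = defaultdict(set)
    for page_url, html in pages.items():
        src = urlparse(page_url).netloc.lower()
        for target in redirect_targets(html):
            dst = urlparse(target).netloc.lower()
            if dst and dst != src:            # only cross-bucket hops are of interest
                graph[src].add(dst)
    return dict(graph)

def redundant_clusters(graph):
    """Groups (size >= 2) of buckets that all reach each other via redirects: the redundancy cue."""
    def reachable(start):
        seen, stack = set(), [start]
        while stack:
            for nxt in graph.get(stack.pop(), ()):
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        return seen
    reach = {node: reachable(node) for node in graph}
    groups = {frozenset({n} | {m for m in reach[n] if n in reach.get(m, ())}) for n in graph}
    return sorted((sorted(g) for g in groups if len(g) > 1), key=lambda g: g[0])

# Constructed crawl: a and b point at each other, c feeds into a, d is an ordinary page.
SAMPLE_PAGES = {
    "https://a.store.test/i.html": '<meta http-equiv="refresh" content="0; url=https://b.store.test/l.html">',
    "https://b.store.test/l.html": '<script>window.location.href = "https://a.store.test/i.html";</script>',
    "https://c.store.test/g.html": "<script>document.location = 'https://a.store.test/i.html';</script>",
    "https://d.store.test/about.html": "<html><body><h1>Company history</h1></body></html>",
}
```

Running `redundant_clusters(build_graph(SAMPLE_PAGES))` reports the a/b pair only; c merely feeds into the pair and d has no redirects, so neither is flagged.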

Overall, the researchers scanned more than 140,000 sites on 20 cloud hosting sites and found about 700 active repositories for malicious content. In total, about 10 percent of cloud repositories the team studied had been compromised in some way. The researchers notified the cloud hosting companies of their findings before publication of the study.

"It's pervasive in the cloud," said Beyah. "We found problems in every last one of the hosting services we studied. We believe this is a significant problem for the cloud hosting industry."

In some cases, the bad actors simply opened an inexpensive account and began hosting their software. In other cases, the malicious content was hidden in the cloud-based domains of well-known brands. Intermingling the bad content with good content in the brand domains protected the malware from blacklisting of the domain.

Beyah and Liao saw a wide range of attacks in the cloud-hosted repositories, ranging from phishing and common drive-by downloads to fake antivirus and computer update sites. "They can attack you directly from these buckets, or they can redirect you to other malicious buckets or a series of malicious buckets," he said. "It can be difficult to see where the code is redirecting you."

To protect cloud-based repositories from these attacks, Beyah recommends the usual defenses, including patching of systems and proper configuration settings.

Looking ahead, the researchers hope to make BarFinder available to a broader audience. That could include licensing the technology to a security company, or making it available as an open-source tool.

"Attackers are very clever, and as we secure things and make the cloud infrastructure more challenging for them to attack, they will move onto something else," he said. "In the meantime, every system that we can secure makes the internet just a little bit safer."

-end-

This work was supported in part by the National Science Foundation (grants CNS-1223477, 1223495, 1527141 and 1618493). Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

CITATION: Xiaojing Liao, et al., "Lurking Malice in the Cloud: Understanding and Detecting Cloud Repository as a Malicious Service," ACM Conference on Computer and Communications Security (CCS).

Georgia Institute of Technology
