Major cloud is infested with malware, researchers say

Researchers say 10% of repositories hosted by cloud providers, including some on Amazon and Google, are compromised, and ‘lurking malice’ is hidden in them

Cloud repositories are actively supplying malware, according to computer experts, and the problem is insidious and hard to find.

Hundreds of buckets have been undermined, says Xiaojing Liao, a graduate student at Georgia Tech who’s the lead author on a study that’s looking into the problem. Buckets are chunks of storage used in cloud operations.

It’s “challenging to find,” Georgia Tech writes in an article on its website, because the malware is quick to “assemble from stored components that individually may not appear to be malicious.”

Amazon Web Services and Google affected

The recent “study of cloud hosting services has found that as many as 10 percent of the repositories hosted by them have been compromised,” the article continues. The “bad repositories,” called “Bars,” were found on “leading cloud platforms like Amazon and Google” the paper says (PDF).

Those major cloud services are often thought of as being highly secure because of their use of encryption and large numbers of staff dedicated to security.

“You don’t need to worry about security anymore,” Gartner research director Steve Riley is quoted as saying of the “top-tier providers,” which include Amazon and Google, in a Wall Street Journal blog post last month.

His advice is directed at CIOs who may be concerned about loss of data. However, what Liao and her fellow researchers from Indiana University Bloomington and the University of California Santa Barbara are pointing out is that among all that squeaky clean cloud is “lurking” malware and other unwholesome stuff.

“The bad guys are using the cloud to deliver malware and other nefarious things while remaining undetected,” says Raheem Beyah, also of Georgia Tech.

The techniques range from “traditional exploits, to simply taking advantage of poor configurations.” The problem is that the malware components aren’t identifiable through traditional scanning because they aren’t assembled into malware until the moment of attack.

“Some exploits appear to be benign” until then, says Beyah.

The bad guys are probably getting away with it because of the sheer amount of data held in the cloud: there is too much to scan deeply. In addition, cloud suppliers scanning customer repositories for Bars could be restricted by service agreements, the researchers say.

Special scanning tool finds the invaders

A special scanning tool designed to look for the invaders was developed by the researchers. Using it, the group was able to penetrate many of the redirects and “gatekeeper” tricks. Those ploys include the fact that the gangsters keep their plagued elements spread out among multiple buckets.

Amusingly, the team was able to find the malware pieces primarily because of the trickery employed by the scammers.

“Many of the bad actors had redundant repositories connected by specific kinds of redirection schemes,” the Georgia Tech article explains. “That allowed attacks to continue if one bucket were lost. The bad buckets also usually had ‘gatekeepers’ designed to keep scanners out of the repositories.”

The malicious web pages had simple, give-away structures “that were easy to propagate.”

In other words, the structure gave the game away.
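As an added illustration (not the researchers’ scanner and not code from the article), the following Python sketch shows one way the redundancy tell described above can be turned into a defensive heuristic: collapse observed redirects into a host-level graph and flag groups of hosts that redirect to one another in a loop, which is what a set of mutual fallback buckets looks like. The redirect records and hostnames are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed sample of observed redirects: (requested URL, Location target).
# Hostnames are placeholders; none of these values come from the study.
SAMPLE_REDIRECTS = [
    ("http://landing.example/promo", "https://bkt-a.storage.test/loader.js"),
    ("https://bkt-a.storage.test/loader.js", "https://bkt-b.storage.test/loader.js"),
    ("https://bkt-b.storage.test/loader.js", "https://bkt-c.storage.test/loader.js"),
    ("https://bkt-c.storage.test/loader.js", "https://bkt-a.storage.test/loader.js"),
    ("https://cdn.legit.test/old.css", "https://cdn.legit.test/new.css"),  # same host, benign
    ("https://docs.legit.test/", "https://www.legit.test/docs"),  # single hop, benign
]


def host_graph(redirects):
    """Collapse URL-level redirects into a directed graph between hosts,
    dropping redirects that stay on the same host."""
    graph = {}
    for src, dst in redirects:
        a, b = urlparse(src).hostname, urlparse(dst).hostname
        graph.setdefault(a, set())
        if a != b:
            graph[a].add(b)
    return graph


def reachable(graph, start):
    """Hosts reachable from start by following redirects; start itself is
    included only if a chain loops back to it."""
    seen, stack = set(), list(graph.get(start, ()))
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(graph.get(node, ()))
    return seen


def redundant_clusters(redirects):
    """Groups of hosts that redirect to each other in a cycle, i.e. each
    one acts as a fallback for the others. Returned as sorted tuples."""
    graph = host_graph(redirects)
    hosts = set(graph) | {h for targets in graph.values() for h in targets}
    reach = {h: reachable(graph, h) for h in hosts}
    clusters = set()
    for h in hosts:
        mutual = {o for o in reach[h] if h in reach.get(o, set())}
        if mutual:
            clusters.add(tuple(sorted(mutual)))
    return sorted(clusters)
```

A single hop or a redirect within one host produces no cluster, so the benign entries in the sample are not flagged, while the three-bucket loop is.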

The researchers say they scanned 140,000 sites with their special scanner and found 700 active Bars.

“It’s pervasive in the cloud,” says Beyah of malware. “We found problems in every last one of the hosting services we studied.”

Copyright © 2016 IDG Communications, Inc.