Arbor Networks recently reported that Google's AppEngine was tapped to act as the master control channel that feeds commands to large networks of infected computers. More precisely, the custom application was used to feed URLs to the already infected computers so that they would download the PCClient backdoor from a third-party server. Google shut down the rogue application shortly after being notified of it.
It is widely known that botnets have used all sorts of communications protocols to receive updated code and information. What makes the above news significant is that the code responsible for updating the zombie computers was running on Google's AppEngine platform. This instance highlights that malware authors are being drawn to the cloud by many of the same benefits attracting everyone else. Ars Technica reports that the attackers chose Google's AppEngine because it provides free, limited use of the service and gives the person herding the botnet a great opportunity for anonymity. Finally, as Jose Nazario, the manager of security research at Arbor Networks, stated to The Register: "It's the low cost, it's the high availability and the security measures in place for most of these things are retroactive, meaning it takes somebody to identify and investigate and take them down".
