A variant of the Zeus bot (Zbot) was found using Amazon’s Elastic Compute Cloud (EC2) infrastructure to issue command-and-control (C&C) commands to infected machines.
Zbot is password-stealing malware: it logs financial data and sends it back to the botnet. Last year more than US$100M of fraud was linked to Zeus malware variants. It was also held responsible for the “destruction” of 100,000 infected computers by deleting registry key data, making them inoperable. The Zeus botnet is estimated to consist of millions of infected computers around the world.
The latest Zbot executable is spread through spam e-mails, such as a fake Christmas e-card that tricks users into downloading and running a file named “xmas2.exe” (63,488 bytes), or through drive-by downloads. When executed, the malware injects code into system processes (such as svchost.exe) and begins communicating with the C&C server, hosted in the EC2 cloud, to fetch its configuration. An example of the infected machine’s browser connection is shown below:

The hackers did not hack Amazon’s infrastructure directly. They compromised a web site hosted on that infrastructure and installed the Zeus C&C server software there, either by stealing the site administrator’s password or by exploiting a vulnerability in the site’s software. Don DeBolt, director of threat research with HCL Technologies, stated that this was the first time Amazon’s EC2 had been used for this type of illegal activity. He also said that the server software was identified and removed from Amazon EC2.
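The two observable traits the article describes, a system process such as svchost.exe opening outbound HTTP connections to a C&C server hosted in EC2, and a Christmas e-card mail carrying “xmas2.exe” (63,488 bytes), are what a defender can actually look for. The following script is an added example, not code from the article or from any vendor it mentions. It runs over constructed EDR-style connection records and constructed attachment metadata; the EC2 hostname pattern, the list of system processes, and the allowlist of update hosts are assumptions chosen for illustration, and a real deployment would derive them from its own baseline.

```python
"""Added detection sketch (not from the article): flag system processes
beaconing to EC2-hosted web servers and attachments matching the Zbot lure.
All records below are constructed sample data."""
import re
from dataclasses import dataclass
from typing import Dict, List

# EC2 public DNS names look like ec2-203-0-113-10.compute-1.amazonaws.com or
# ec2-203-0-113-10.eu-west-1.compute.amazonaws.com (assumption: this is what
# we treat as "hosted in EC2"; an EC2 box behind a custom domain would not match).
EC2_HOST_RE = re.compile(
    r"^ec2-\d{1,3}(?:-\d{1,3}){3}\.(?:[a-z0-9-]+\.)?compute(?:-\d+)?\.amazonaws\.com$",
    re.IGNORECASE,
)

# Windows system processes that are common injection targets and normally should
# not be the client side of arbitrary outbound HTTP (assumption / local policy).
SYSTEM_PROCESSES = {"svchost.exe", "lsass.exe", "winlogon.exe"}

# Destinations a system process may legitimately contact (constructed allowlist).
ALLOWED_SUFFIXES = (".windowsupdate.com", ".microsoft.com")

# Attachment characteristics of the lure described in the article.
LURE_NAME = "xmas2.exe"
LURE_SIZE = 63488


@dataclass
class Connection:
    host: str      # monitored endpoint name
    process: str   # image name that opened the socket
    dest: str      # destination hostname as logged by the sensor
    request: str   # HTTP request line


def is_ec2_host(dest: str) -> bool:
    """True if the destination is an EC2 public DNS name."""
    return EC2_HOST_RE.match(dest.strip().rstrip(".")) is not None


def is_allowed_dest(dest: str) -> bool:
    """True if a system process is expected to talk to this destination."""
    d = dest.lower().rstrip(".")
    return any(d.endswith(s) for s in ALLOWED_SUFFIXES)


def connection_findings(c: Connection) -> List[str]:
    """Return human-readable reasons this connection is suspicious (may be empty)."""
    findings = []
    if c.process.lower() in SYSTEM_PROCESSES and not is_allowed_dest(c.dest):
        findings.append(f"system process {c.process} made outbound HTTP to {c.dest}")
    if is_ec2_host(c.dest):
        findings.append(f"destination {c.dest} is an EC2 public hostname")
    return findings


def triage(connections: List[Connection]) -> Dict[str, List[str]]:
    """Group findings per endpoint, keeping only endpoints with at least one."""
    result: Dict[str, List[str]] = {}
    for c in connections:
        f = connection_findings(c)
        if f:
            result.setdefault(c.host, []).extend(f)
    return result


def attachment_findings(filename: str, size: int) -> List[str]:
    """Flag the exact lure from the article, or any executable attachment."""
    name = filename.lower()
    if name == LURE_NAME and size == LURE_SIZE:
        return ["attachment matches the xmas2.exe lure (name and size)"]
    if name.endswith((".exe", ".scr", ".pif")):
        return ["executable attachment in inbound mail"]
    return []


# Constructed sample records: WS01 looks like the infection described above,
# WS02 is normal Windows Update traffic, WS03 is a user browser visiting an
# EC2-hosted site (common and, on its own, only a weak signal).
SAMPLE_CONNECTIONS = [
    Connection("WS01", "svchost.exe", "ec2-203-0-113-10.compute-1.amazonaws.com", "GET /cfg HTTP/1.1"),
    Connection("WS02", "svchost.exe", "download.windowsupdate.com", "GET /update HTTP/1.1"),
    Connection("WS03", "chrome.exe", "ec2-198-51-100-7.eu-west-1.compute.amazonaws.com", "GET / HTTP/1.1"),
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_CONNECTIONS).items():
        print(host)
        for r in reasons:
            print("  -", r)
    print(attachment_findings("xmas2.exe", 63488))
```

Only the combination of both signals (a system process as the HTTP client and an EC2 destination) makes WS01 stand out; either alone is noisy, which is why the triage output keeps the reasons separate so an analyst can weigh them.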
