There were some recent comments about Amazon Cloud
as a platform for successful attacks on Sony… Well, today I found that
Amazon Web Services (the Amazon cloud) is now being used to spread financial data
stealers.

The evidence indicates that the criminals behind the attack are from
Brazil and that they used several previously registered accounts to launch
the infection. Unfortunately, after my formal complaints to Amazon and
more than 12 hours of waiting, all the malicious links are still on-line and
active! It’s worth mentioning that more and more criminals use
legitimate cloud services for malicious purposes, and in most cases they
abuse them successfully.
Now, just a few words about the malware hosted on the Amazon cloud.
It comes as a bundle of different malicious components, all of them dropped
onto the victim’s machine and each acting in a different way:
- Acting as a rootkit: it looks for and blocks the normal execution
of 4 different anti-virus products and of a special security application called
GbPlugin, which is used for on-line banking by many Brazilian banks.
- Stealing financial information from 9 Brazilian and 2 international
banks!
- Stealing Microsoft Live Messenger credentials.
- Stealing digital certificates used by eTokens on the system.
- Stealing information about the CPU, the hard-drive volume serial number, the PC
name and so on (some Latin American banks use this information during
login sessions to authenticate customers).
- Exfiltrating the stolen data in two ways: via e-mail to a
cybercriminal’s Gmail account, and via a special PHP script that inserts the data
into a remote database.
- Finally, the malicious samples are protected by a legitimate
anti-piracy product called The Enigma Protector; the criminals used it
to make the reverse-engineering process harder for analysts.
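A defender-side check for the rootkit behaviour described above, added here as an example and not code from the original post: it parses a Windows `tasklist /fo csv` snapshot (a constructed sample is embedded) and reports, for each security product known to be installed, which of its processes are no longer running. The process names come from the post's file list; which of them must be resident on a healthy machine is an assumption made for this example.

```python
import csv
import io

# Process names the post lists for each product (executables only; the
# DLL, driver and .gpc entries never appear in a process snapshot).
# Treating all of them as normally resident is an assumption of this example.
EXPECTED = {
    "AVG":      {"avgwdsvc.exe", "avgtray.exe", "avgrsx.exe", "avgnsx.exe"},
    "Avast":    {"avastsvc.exe", "avastui.exe"},
    "Avira":    {"avscan.exe", "avupgsvc.exe"},
    "GbPlugin": {"gbpsv.exe"},
}

# Constructed sample of `tasklist /fo csv` output from a machine that has
# Avast and GbPlugin installed: GbpSv.exe is gone and only the Avast tray
# UI survived, which is what a process-blocking rootkit would leave behind.
SAMPLE_SNAPSHOT = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"explorer.exe","1204","Console","0","18,204 K"
"AvastUI.exe","1400","Console","0","5,012 K"
"notepad.exe","1680","Console","0","3,100 K"
'''


def running_images(snapshot_csv):
    """Return the set of lower-cased image names found in a tasklist CSV snapshot."""
    reader = csv.DictReader(io.StringIO(snapshot_csv))
    return {row["Image Name"].lower() for row in reader}


def missing_protection(snapshot_csv, installed):
    """Map each installed product to the sorted list of its expected processes
    that are not running. Products with nothing missing are omitted.
    Comparison ignores case because Windows image names are case-insensitive."""
    running = running_images(snapshot_csv)
    report = {}
    for product in installed:
        gone = sorted(name for name in EXPECTED[product] if name not in running)
        if gone:
            report[product] = gone
    return report


if __name__ == "__main__":
    # On a real host, replace SAMPLE_SNAPSHOT with the output of `tasklist /fo csv`.
    for product, gone in missing_protection(SAMPLE_SNAPSHOT, ["Avast", "GbPlugin"]).items():
        print(f"{product}: not running -> {', '.join(gone)}")
```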
All samples are detected by KAV as:
Trojan-Downloader.Win32.Murlo.lib
Trojan-PSW.Win32.MSNer.a
Trojan-Banker.Win32.Banz.iok
Trojan-Banker.Win32.Banker.blpm
Trojan-Downloader.Win32.Homa.fgx
Trojan-Banker.Win32.Banker.blbt
I also hope that all the malicious links will be deactivated by Amazon soon.
I believe legitimate cloud services will continue to be
used by criminals for different kinds of cyber-attacks. Cloud providers
should start thinking about better monitoring systems and expanding their
security teams in order to cut down on malware attacks enabled by and
launched from their clouds.