Saturday, March 3, 2012

Cloud Infections on Fire - Amazon's WS

It has been seen recently that Amazon's Web Service (AWS) has become the playground for attackers to host malware. Some incidents have been reported early. However, cloud services are providing a good storage as well as remote access property for serving malware through cloud. Attackers are always impressive in circumventing the normal operations of any cloud services in order to distribute malware effectively. We came across another incident in which malware is hosted at AWS server.

We started exploring the malware driven directory. The direct access to the directory was not allowed and we received following error.

This shows that the directory is in forbidden state which resulted in the HTTP error as presented above. We required to have direct link to the malicious executable. On analyzing further and gathering information, the Amazon cloud was hosting malware as shown below

After successful downloading, we analyzed that executable was packed with UPX packer with 33.6% compression. On unpacking, the code seemed to unroll a bit and presented us with some complex and lengthy code file. The executable file was actually a package file written in Borland. Its main functionality was to download another set of malicious files from different Amazon AWS directory. The complete set of files were downloaded into "c:\winsys" directory. We extracted another set of files as presented below

This shows that the package acts as a dropper. We take a look at one of the executable named as "BROWN.exe" which was packed with UPX again. So we unpacked it again to understand the crux.

The executable was written in "Visual Basic". So, we ran a check using anti virus and without a doubt it was a malware as shown below

So we are not digging deeper. If you require samples, please drop us a line.