[注意]亚马逊云服务中发现Zeus僵尸网络

[注意]亚马逊云服务中发现Zeus僵尸网络

云计算服务正成为黑客的新疆域。

安全研究人员发现，Zeus僵尸网络在亚马逊的EC2云服务中运行着一个未授权的命令和控制中心。这是首次发现亚马逊云计算被用于此类非法活动。安全研究员Don DeBolt称，黑客是通过入侵一个使用EC2云服务的网站后，悄悄的在亚马逊的服务器上安装了一个命令和控制程序。

A new wave of a Zeus bot (Zbot) variant was spotted taking advantage of Amazon EC2’s cloud-based services for its C&C (command and control) functionalities.

This notable scheme is a highlight from the latest spammed executable “xmas2.exe” (63,488 bytes), for which we have recently published blog titled "Christmas is knocking on the door, so does the malware".

[Figure 01 – Zeus displays cyber-criminal activities]

[Figure 02  – Zeus bot variant communication]

As shown in Figure 03, the Zeus bot variant injects code into the system processes (such as svchost.exe) and connects to its cloud-server [Figure 02] for configuration (config.bin) of the master for it’s criminal activity.

Figure 03 – Injects code and waits for user to enter bank credentials

The group behind this criminal activity is obviously doing it for financial gain –  stealing both your identity and your money.

In this variant, we have learned how cloud on-demand (pay-as-you-use) offerings could be used to fuel such online cyber-crimes.

Please Note:The legitimate hacked website was contacted and informed about its participation in the Zeus bot activity and accordingly has stopped serving the malicious variant.

Furthermore, we also reported the observed abuse activities to Amazon Web Service. For future reference, this page explains how to report AWS suspicious activities.

Thanks to Zarestel for his valuable contribution in the code analysis.