Cross-posted to the Blue Coat security blog.
I’d been trying to work out how botnets will remain relevant in the future. It occurred to me that cloud infrastructure gives malware authors the perfect opportunity to create or destroy as many machines as they want, by virtualising their machines in the cloud. Obviously, this carries a cost that isn’t present when they can take over a machine for ‘free’ by duping an unsuspecting end user. However, as more and more is abstracted into the cloud, those costs are dropping significantly.
It’s a fairly straightforward step from there to suggest that malware authors will start controlling things more in the cloud. It turns out this is already happening: Brian Fung of the Washington Post showed (based on a report by Solutionary) that Amazon Web Services already hosts quite a bit of malware, and that four of the top ten malware command and control (C&C) structures were hosted on Amazon Web Services when he investigated.
Amazon is aware of this issue, and has methods in place to allow such content to be reported and removed. However, as with the game “whack-a-mole”, this is not an easy task. They do their best, and have taken down a number of malware C&C instances, but by the nature of the cloud and the abstraction of machines into it, as soon as something is taken down, something else pops up in a different place.
That’s the key to this trend – cloud infrastructure can be used by anyone for anything. People can create their own cloud infrastructures if they want. More and more things will be abstracted into this infrastructure, and even the infrastructure itself can be abstracted. Let’s look at some scenarios:
- Full virtual machines can be provisioned in seconds. This is great for the IT department that needs a new, fully-patched machine brought up quickly. However, that IT department needs to keep a handle on its cloud infrastructure account: a single user login is a very tempting target for malware authors. Imagine if a malicious actor took over an organisation’s AWS account and provisioned hundreds of machines repeatedly. The convenience that was previously available only to the IT department now becomes a heavy cost burden.
- Better auditing and compliance are available with cloud infrastructures. However, as more and more infrastructure disappears, and end-points are increasingly “bring your own device” (BYOD), it’s easy to see that even though something can be audited easily, it may not be so easy to find. You may have access to the policy on a particular device, but what if it’s six time zones away and you need to get it back? What happens when malware across a series of phones is communicating via the cloud and you can’t find all the phones and/or their owners? You may have remote management capabilities, but then so might the malicious actor.
- As things are more abstracted, IT will become more like a utility. This will enable IT to be regulated and easier to deal with, but as with any utility, you have to be concerned with who is reading the meter! This is not just governments who may have tapped the lines between cloud infrastructure points, but it could be those with malicious intent. (These may not be separate, either.)
- SSL will provide some relief for the previous point, but it is a double-edged sword, in that it is also available to malware authors for their use. (This is often how C&C evades detection today.)
- Finally, as cloud-based infrastructure becomes more prevalent, APIs will be the method by which inter-entity communication takes place. The obvious disadvantage is that even though the APIs may be authenticated, any compromise of that authentication gives malicious actors the same ease of use and communication ability.
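The first point above, a hijacked cloud account being used to provision machines in bulk, is the one a defender can actually watch for in the account's own audit trail. The following is an added example written for this post, not code from the original article or from Amazon: it runs a sliding-window count of requested EC2 instances per principal over a handful of constructed CloudTrail-style JSON records (the field names follow CloudTrail's RunInstances records as I know them; the account id, user names and timestamps are made up) and flags any principal that asks for more than a threshold of instances within a short window.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _event(user, when, count, name="RunInstances"):
    """Build one constructed CloudTrail-style record as a JSON line."""
    return json.dumps({
        "eventTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "eventSource": "ec2.amazonaws.com",
        "eventName": name,
        "userIdentity": {"type": "IAMUser", "userName": user},
        "requestParameters": {
            "instancesSet": {"items": [{"minCount": count, "maxCount": count}]}
        },
        "recipientAccountId": "111111111111",  # placeholder, not a real account
    })


_T0 = datetime(2014, 1, 6, 9, 0, tzinfo=timezone.utc)

# Constructed sample log: a normal admin launching the odd instance, plus a
# credential that starts launching 5 instances every minute for ten minutes,
# which is what a hijacked login building a botcloud might look like.
SAMPLE_LOG = [
    _event("alice", _T0, 1),
    _event("alice", _T0 + timedelta(minutes=30), 1),
    _event("alice", _T0 + timedelta(minutes=31), 1, name="DescribeInstances"),
] + [
    _event("ci-deploy", _T0 + timedelta(hours=1, minutes=m), 5) for m in range(10)
]


def parse_launches(lines):
    """Yield (principal, time, requested_instances) for every RunInstances record."""
    for line in lines:
        rec = json.loads(line)
        if rec.get("eventSource") != "ec2.amazonaws.com" or rec.get("eventName") != "RunInstances":
            continue
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ident = rec.get("userIdentity", {})
        principal = ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")
        items = rec.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
        # maxCount is the upper bound the caller asked for; default to 1 if absent.
        count = sum(int(i.get("maxCount", 1)) for i in items) or 1
        yield principal, when, count


def find_provisioning_bursts(lines, window_minutes=10, threshold=25):
    """Return {principal: {"instances": n, "window_start": iso}} for every principal
    whose RunInstances calls request at least `threshold` instances inside any
    window of `window_minutes` minutes. Thresholds are assumptions to be tuned per account."""
    by_user = defaultdict(list)
    for principal, when, count in parse_launches(lines):
        by_user[principal].append((when, count))
    window = timedelta(minutes=window_minutes)
    alerts = {}
    for principal, launches in by_user.items():
        launches.sort()
        start, total, peak = 0, 0, (0, None)
        for t_end, c_end in launches:
            total += c_end
            # Slide the window start forward until the span is under window_minutes.
            while t_end - launches[start][0] >= window:
                total -= launches[start][1]
                start += 1
            if total > peak[0]:
                peak = (total, launches[start][0])
        if peak[0] >= threshold:
            alerts[principal] = {"instances": peak[0], "window_start": peak[1].isoformat()}
    return alerts


if __name__ == "__main__":
    for who, info in find_provisioning_bursts(SAMPLE_LOG).items():
        print(f"ALERT {who}: {info['instances']} instances requested from {info['window_start']}")
```

In a real deployment the lines would come from the CloudTrail log files delivered to S3 rather than the constructed list, and the window and threshold would be set from the account's normal provisioning rate; the point is that mass provisioning by a single principal is loud in the audit trail even when the login itself looked legitimate.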
These are just a few points to consider, but as cloud infrastructure becomes more and more common, and more and more of our technology ‘disappears’ into our surroundings, malware authors will have more and more virtual resources at their disposal. I see the trend of botclouds continuing in 2014.