Malware distributors are adopting cloud computing, either by buying services directly or by compromising legitimate accounts, as a quick and cost-effective way to bring their malware online, according to a new report. Hosting at major providers such as Amazon and GoDaddy (which host 16 percent and 14 percent of malware, respectively) also helps the malware evade blacklisting, because it sits behind those providers' good reputations.
This is one of the main findings of the Quarterly Threat Intelligence Report for Q4 2013 released this week by the security engineering research team (or SERT) at managed security services provider Solutionary, a subsidiary of Japan-based NTT Group.
The report also found that the US hosts 44 percent of all malware, making it the leading malware-hosting nation, well ahead of second-place Germany, which hosts nine percent of all malware.
According to the report, the top malware-hosting website in Q4 2013 was Download-instantly.com, which is hosted by Amazon in the US.
“Malware and, more specifically, its distributors are utilizing the technologies and services that make processes, application deployment and website creation easier,” Solutionary SERT director of research Rob Kraus said in a statement. “Now we have to maintain our focus not only on the most dangerous parts of the Web but also on the parts we expect to be more trustworthy.”
Also concerning is that detecting malicious code within cloud environments is difficult with current methods. Solutionary set up a test account that simulated a malware distribution point, and 40 of the top anti-virus engines were unable to detect the 750-plus malicious binaries it held.
Solutionary notes that server compromises can be reduced by using a strong patch management system for updates to Web servers and applications, hardening systems, implementing active vulnerability scanning, and performing periodic code analysis for vulnerabilities in in-house applications.
To prevent systems from becoming part of a Brobot-based botnet (Brobot often targets outdated versions of Joomla!, WordPress and cPanel) and other malicious installations, keeping code up to date is essential, as is running an active, up-to-date anti-virus solution.
To protect networks from DDoS attacks, Solutionary notes that Web Application Firewalls can help block many known types of malicious traffic, and more active methods, such as rate limiting in Intrusion Prevention Systems and third-party DDoS protection services, can provide even more protection.
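The rate limiting the report recommends, shown here as an added example that is not part of the Solutionary report or this article: a per-source sliding-window limiter replayed over a constructed web access log. An IPS or WAF would apply this inline on live requests; replaying a log is the offline equivalent and shows which sources would have been throttled. The log lines, the addresses (documentation ranges) and the threshold of 10 requests per 30 seconds are all assumptions for the demo, not values from the report.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access log in Common Log Format (not real traffic).
# 203.0.113.7 fires 12 requests in 12 seconds; 198.51.100.20 sends 3
# requests spread over a minute. Both addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2013:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Dec/2013:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Dec/2013:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Dec/2013:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Dec/2013:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 512
198.51.100.20 - - [10/Dec/2013:10:00:05 +0000] "GET / HTTP/1.1" 200 2048
203.0.113.7 - - [10/Dec/2013:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Dec/2013:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Dec/2013:10:00:07 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Dec/2013:10:00:08 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Dec/2013:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Dec/2013:10:00:10 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Dec/2013:10:00:11 +0000] "GET /index.php HTTP/1.1" 200 512
198.51.100.20 - - [10/Dec/2013:10:00:30 +0000] "GET /about HTTP/1.1" 200 1024
198.51.100.20 - - [10/Dec/2013:10:00:55 +0000] "GET /contact HTTP/1.1" 200 1024
"""

# Common Log Format: ip ident user [timestamp] "request" status size
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')


def parse_line(line):
    """Return (client_ip, unix_time, request_line) or None if unparseable."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ip, ts_text, request, _status, _size = m.groups()
    ts = datetime.strptime(ts_text, "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return ip, ts, request


class SlidingWindowLimiter:
    """Allow at most `limit` requests per source within any `window` seconds.

    Every attempt (allowed or not) is recorded, so a source that keeps
    flooding stays blocked until it backs off for a full window.
    """

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)

    def allow(self, source, ts):
        hits = self._hits[source]
        # Drop attempts that have aged out of the window.
        while hits and ts - hits[0] >= self.window:
            hits.popleft()
        hits.append(ts)
        return len(hits) <= self.limit


def replay(log_text, limit=10, window=30):
    """Replay a chronological log through the limiter.

    Returns {ip: {"allowed": n, "blocked": m}} for every source seen.
    Limit and window are illustrative assumptions, not report values.
    """
    limiter = SlidingWindowLimiter(limit, window)
    stats = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash the replay
        ip, ts, _request = parsed
        key = "allowed" if limiter.allow(ip, ts) else "blocked"
        stats[ip][key] += 1
    return dict(stats)


def flagged_sources(stats, min_blocked=1):
    """Sources whose blocked count reached the threshold, busiest first."""
    return sorted((ip for ip, s in stats.items() if s["blocked"] >= min_blocked),
                  key=lambda ip: stats[ip]["blocked"], reverse=True)


if __name__ == "__main__":
    result = replay(SAMPLE_LOG)
    for ip, s in result.items():
        print(f"{ip:15} allowed={s['allowed']:3} blocked={s['blocked']:3}")
    print("flagged:", flagged_sources(result))
```

On the sample log the flooding source gets its first 10 requests through and the remaining 2 blocked, while the low-volume source is never touched. Tuning the window and limit is where the real work is: too tight and a NAT gateway fronting many users trips the limiter, too loose and a slow, distributed flood sails under it.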
Potentially Unwanted Applications (PUAs) that carry malware and are, often unknowingly, installed by users can also be mitigated by adding restrictions at the user level, the application level or both to help prevent their installation.
Individuals should also be reminded to download software only from trusted sources. But given the lengths to which malware distributors go to appear legitimate, that is becoming harder to judge.