Attackers turning to legit cloud services firms to plant malware

Researchers see significant growth in number of malware writers using services like Google Code to distribute their malicious wares

LAS VEGAS -- Malware writers are ramping up their use of commercial file hosting sites and cloud services to distribute malware programs, security researchers said at this week's Black Hat conference here.

Traditionally, malware writers had distributed their malicious code from their own sites.

But as security vendors get better at detecting and blacklisting those sites, hackers are increasingly distributing their malware products from legitimate host sites. The technique has been used a bit for more than two years, but now appears be gaining steam, researchers said.

Often, the owners of legitimate sites fail to properly scan the content they are hosting, which allows attackers to furtively post malicious code with relative ease, said Michael Sutton, vice president of research at ZScaler, a provider of cloud-based security services for enterprises.

Malicious content distributed from a legitimate site is more likely to make it past corporate defenses. Vendors are also unlikely to blacklist a legitimate hosted service, allowing malicious content hosted on one to stay up longer, he said.

Zscaler said he's heard reports of malicious files hosted on Dropbox, but the they appear to have been removed, the blog noted.

Sutton pointed to recent incidents were attackers posted and distributed malicious code on Google Code and Dropbox as an example of the trend. A blog on Zscaler's website lists nearly three-dozen malicious files hosted on the Google Code site, which contains tools for software developers.

The message for IT managers: Don't blindly trust domains that seem to be secure, Sutton said.

"Attackers are starting to leverage hosting services" to stage malicious code, he said. "It used to be that [attackers] would set up their own servers," to host malware. "Then we saw them infecting legitimate third-parties. Now they are using hosting services. They are no longer paying for hosting [malware] and are less likely to get blacklisted."

Meanwhile, Firehost, a provider of cloud-hosting services for enterprises, has seen an increase in Web application attacks originating from the networks of legitimate Web hosting services, said CEO Chris Drake.

In its latest quarterly security review, Firehost observed a noticeable increase in the number of SQL injection attacks, directory traversal attacks and other Web application attacks launched from within cloud service provider networks, Drake said.

Cloud providers often have weak validation procedures when signing up new customers, allowing attackers to create accounts with fake information. The accounts are then used to deploy and administer powerful botnets that run in the cloud infrastructure, he said.

In the second quarter of 2013, the IP filtering system that Firehost uses to protect its customers against malicious attacks blocked about 1.3 million unique attacks. Of the total, a noticeable number of attacks originated from IP addresses belonging cloud services companies, Drake said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His email address is

Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags Cybercrime and HackingdropboxGoogleblack hatsecurityzscalercloud computinginternet

More about DrakeDropboxGoogleTopiczScaler

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jaikumar Vijayan

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts