Amazon Cloud Misused for Harboring DDoS Bots

Kaspersky has lately said that cloud services from companies particularly Amazon are getting exploited so revenue hungry malicious cyber-criminals may regulate bots amassed for executing Distributed Denial-of-Service (DDoS) conditions.

In the early part of July 2014, a research analysis from Kaspersky was published regarding one advanced Linux Trojan which was dubbed Backdoor.Linux.Mayday.f and designed for carrying out Domain Name System based DDoS assaults. With more investigation, the security company detected two fresh samples of the Trojan, one identified as Backdoor.Linux.Mayday.g that too projected DNS-based working. The other sample appeared on the Elastic Compute Cloud (EC2) server of Amazon that had been compromised, and featured with inundating online sites with solely UDP type of Web-traffic.

According to Kurt Baumgartner, Lab Researcher at Kaspersky, the UDP traffic surge of an enormous form compelled victims towards shifting from their usual Internet Protocol addresses pertaining to hosting operations onto ones pertaining to certain anti-DDoS arrangement. The same form of traffic surge prompted Amazon to start informing its clients, perhaps due to possible unanticipated amassing of too much resource aimed at relating to clients, he notes. Securityweek.com published this, July 28, 2014.

Kaspersky explains that hackers of the EC2 originally abuse vulnerability within Elasticsearch 1.1.x a kind of search server with open source feature useful for hunting different kinds of documents, thus facilitating with scalability, close to 'immediate' search, as well as support to have multiple latencies.

The CVE-2014-3120 vulnerability is present within the software's feature of scripting that when exploited helps run random malware on the system that's infected with it.

With Elasticsearch ver.1.1.x that's flawed and continues to operate within certain organizations' EC2 instances, hackers alter the proof-of-concept related to CVE-2014-3120 followed with utilizing it for planting certain Web-shell written in Perl language so it acts like a backdoor for obeying instructions flowing from Linux shell of remote attackers.

The backdoor that Kaspersky identified as Backdoor.Perl.RShell.c subsequently helps in downloading the fresh Backdoor.Linux.Mayday.g bot for DDoS assaults.

Preferably now, people using Elasticsearch 1.1.x must change for a later edition while incase the software's scripting feature is needed, they must adopt the software creators' security recommendations issued 9th July 2014.

» SPAMfighter News - 8/5/2014