Cloud Hosting Services Used to Host and Spread Malware

By Richard Anderson

Major cloud services, including Amazon’s AWS and Google Cloud Platform, are being used to distribute malware, according to security researchers.

Georgia Tech graduate student Xiaojing Liao recently announced the results of a study of 20 major cloud hosting providers which revealed that cybercriminals are using these cloud storage platforms to deliver malware. The study, which was conducted by Liao and fellow researchers from Georgia Tech, Indiana University Bloomington and the University of California Santa Barbara, revealed these cloud platforms are not nearly as secure as was previously thought.

The cloud platforms were previously thought of as secure since the companies commit considerable resources to maintaining security and scanning for malware. Unfortunately, cybercriminals are one step ahead and have managed to compromise an estimated 10% of cloud repositories.

The malware is not stored in an active form, which makes it particularly difficult to detect. The component parts, which are not detected as being malicious, can be assembled as required when an attack is about to take place.

Another problem for the cloud hosting companies is that some of the malware components were lurking in customer repositories, which may not be scanned due to the service level agreements in place.

According to the researchers, several hundred buckets are actively providing malware. The components for the malware are spread across multiple repositories, making it even harder for them to be detected. When required, they can be rapidly assembled.

According to Raheem Beyer, associate chair for strategic initiatives and innovation in the School of Electrical and Computer Engineering, “When you scan the components in a piecemeal kind of way, you only see part of the malware, and the part you see may not be malicious.”

The repositories were protected by gatekeeper schemes, which prevented the malware components from being detected by traditional scanners. To detect the malware, the researchers developed a scanning tool that could search for features that were unique to these compromised repositories.

It was the structure used to hide the malware components that allowed the researchers to identify them. Beyer said, “The bad guys all had bodyguards at the door. That’s not normal for cloud storage, and we used that structure to detect them.”

In total, more than 140,000 sites were scanned using the researchers’ “BarFinder” tool. More than 700 active repositories were identified across 20 different cloud hosting sites. Beyer said, “We believe this is a significant problem for the cloud hosting industry.”

The research will be presented at the ACM Conference on Computer and Communications Security in Vienna, Austria on October 24.


Richard Anderson is the Editor-in-Chief of NetSec.news