DOI: 10.1145/2976749.2978349
Research article (public access), ACM Conferences: CCS conference proceedings

Lurking Malice in the Cloud: Understanding and Detecting Cloud Repository as a Malicious Service

Published: 24 October 2016

Abstract

The popularity of cloud hosting services also brings new security challenges: it has been reported that these services are increasingly used by miscreants for their malicious online activities. Mitigating this emerging threat, posed by such "bad repositories" (Bar for short), is challenging because of their hosting strategy, which differs from that of traditional hosting services; the lack of direct observation of the repositories by anyone outside the cloud; the reluctance of cloud providers to scan their customers' repositories without consent; and the unique evasion strategies employed by the adversary. In this paper, we take the first step toward understanding and detecting this emerging threat. Using a small set of "seeds" (i.e., confirmed Bars), we identified a set of collective features of the websites they serve (e.g., attempts to hide the Bars) that uniquely characterize the Bars. These features were used to build a scanner that detected over 600 Bars on leading cloud platforms such as Amazon and Google, and 150K sites, including popular ones like groupon.com, that use them. Highlights of our study include the pivotal roles these repositories play in malicious infrastructures; other important discoveries, never reported before, include how the adversary exploits legitimate cloud repositories and why the adversary uses Bars in the first place. These findings bring such malicious services into the spotlight and contribute to a better understanding of this new threat and, ultimately, to eliminating it.



Published In

CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, October 2016, 1924 pages.
ISBN: 9781450341394
DOI: 10.1145/2976749
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States

Published: 24 October 2016

    Author Tags

    1. cloud
    2. malicious
    3. security
    4. seo

Conference: CCS '16

Acceptance Rates

CCS '16 Paper Acceptance Rate: 137 of 831 submissions, 16%
Overall Acceptance Rate: 1,261 of 6,999 submissions, 18%

Article Metrics

Downloads (last 12 months): 283; downloads (last 6 weeks): 24. Reflects downloads up to 18 Feb 2025.


Cited By

    • (2025) Web of shadows: Investigating malware abuse of internet services. Computers & Security, 149 (104182). DOI: 10.1016/j.cose.2024.104182. Online publication date: Feb 2025.
    • (2024) Weird Machines in Package Managers: A Case Study of Input Language Complexity and Emergent Execution in Software Systems. 2024 IEEE Security and Privacy Workshops (SPW), pp. 169-179. DOI: 10.1109/SPW63631.2024.00021. Online publication date: 23 May 2024.
    • (2024) Uncovering the Role of Support Infrastructure in Clickbait PDF Campaigns. 2024 IEEE 9th European Symposium on Security and Privacy (EuroS&P), pp. 155-172. DOI: 10.1109/EuroSP60621.2024.00017. Online publication date: 8 Jul 2024.
    • (2021) CDNFinder: Detecting CDN-hosted Nodes by Graph-Based Semi-Supervised Classification. 2021 IEEE Symposium on Computers and Communications (ISCC), pp. 1-7. DOI: 10.1109/ISCC53001.2021.9631549. Online publication date: 5 Sep 2021.
    • (2020) MLTracer: Malicious Logins Detection System via Graph Neural Network. 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 715-726. DOI: 10.1109/TrustCom50675.2020.00099. Online publication date: Dec 2020.
    • (2020) Quantifying Cloud Misbehavior. 2020 IEEE 9th International Conference on Cloud Networking (CloudNet), pp. 1-8. DOI: 10.1109/CloudNet51028.2020.9335812. Online publication date: 9 Nov 2020.
    • (2020) A collective attestation scheme towards cloud system. Cluster Computing, 26(5), pp. 2467-2478. DOI: 10.1007/s10586-020-03174-3. Online publication date: 3 Sep 2020.
    • (2019) Cyber-Storms Come from Clouds: Security of Cloud Computing in the IoT Era. Future Internet, 11(6), 127. DOI: 10.3390/fi11060127. Online publication date: 4 Jun 2019.
    • (2017) Classifying malware attacks in IaaS cloud environments. Journal of Cloud Computing: Advances, Systems and Applications, 6(1), pp. 1-12. DOI: 10.1186/s13677-017-0098-8. Online publication date: 1 Dec 2017.
    • (2017) Under the Shadow of Sunshine: Understanding and Detecting Bulletproof Hosting on Legitimate Service Provider Networks. 2017 IEEE Symposium on Security and Privacy (SP), pp. 805-823. DOI: 10.1109/SP.2017.32. Online publication date: May 2017.
