In this paper we investigate the way cyber-criminals abuse public cloud services to host part of their malicious infrastructures, including exploit servers to distribute malware, C&C servers to manage infected terminals, redirectors to increase anonymity, and drop zones to host stolen data.
We conduct a large scale analysis of all the malware samples submitted to the Anubis malware analysis system between 2008 and 2014. For each sample, we extracted and analyzed all malware interactions with Amazon EC2, a major public cloud service provider, in order to better understand the malicious activities that involve public cloud services. In our experiments, we distinguish between benign cloud services that are passively used by malware (such as file sharing, URL shortening, and pay-per-install services), and other dedicated machines that play a key role in the malware infrastructure. Our results reveal that cyber-criminals sustain long-lived operations through the use of public cloud resources, either as a redundant or a major component of their malware infrastructures. We also observe that the number of malicious and dedicated cloud-based domains has increased almost 4 times between 2010 and 2013. To understand the reasons behind this trend, we also present a detailed analysis using public DNS records. For instance, we observe that certain dedicated malicious domains hosted on the cloud remain active for an average of 110 days since they are first observed in the wild.
