Forgot your password?
typodupeerror
Cloud Security The Internet

Amazon and GoDaddy Are the Biggest Malware Hosters 76

Posted by Unknown Lamer
from the spin-up-an-extortion-image dept.
An anonymous reader writes "The United States is the leading malware hosting nation, with 44 percent of all malware hosted domestically, according to Solutionary. The U.S. hosts approximately 5 times more malware than the second-leading malware-hosting nation, Germany, which is responsible for 9 percent of the detected malware. The cloud is allowing malware distributors to create, host and remove websites rapidly, and major hosting providers such as Amazon, GoDaddy and Google have made it economical for malicious actors to use their services to infect millions of computers and vast numbers of enterprise systems."
This discussion has been archived. No new comments can be posted.

Amazon and GoDaddy Are the Biggest Malware Hosters

Comments Filter:
  • by maliqua (1316471) on Wednesday January 15, 2014 @01:37PM (#45966963)

    also host the most malware

    mind blown

    • we host the most sites, but all the big hacks and l337 hax0rz are from other countries. just shows to go ya, we have lost the innovation edge in the US, outclassed by WhateverStan. I am so embarassed...

    • by Arrogant-Bastard (141720) on Wednesday January 15, 2014 @02:13PM (#45967485)
      Your comment is funny, but misses the point about economics of scale.

      Amazon, with its immense resources, should be one of the cleanest hosts on the planet. They can afford, using their spare change, to staff a 24x7 abuse desk with very senior people. The budgetary impact wouldn't even be a blip. And with the right people, suitably empowered, they could keep their operation nearly free of malware, phishing, spam, and other forms of abuse. They're far better positioned to do this than many smaller operations, who couldn't possibly afford it.

      But they haven't. Why not? Is it because they don't know? Unlikely. Of course they know. Is it because they don't know how to address it? Equally unlikely. Of course they do. They have some smart people on staff. No, they know what the problem is AND they know how to fix it.

      They just don't want to.

      Because even as (relatively) small as those costs would be, it's still cheaper for them to externalize them to the entire rest of the Internet, and let all of us deal with it. So rather than taking professional responsibility for their own operation, they've decided to just blow it off. After all: who's going to make them?

      I would say the same about GoDaddy, but it's not true. They actively support, encourage, and endorse spam, malware, phishing and every other form of abuse. They have from the beginning, only their method of lying about it has changed. (And don't forget GoDaddy's own history of self-promoting spam.) But once again: who's going to make them do anything differently?

      Until operations are held accountable for their actions -- which is something that we USED to do on this network, a long time ago -- most won't bother. And that is, in large part, why problems like spam and phishing and malware are epidemic.
      • by mcgrew (92797) *

        GoDaddy I can see, but Amazon? They just store data, which is likely heavily encrypted before it's ever uploaded. How can Amazon know what's on their servers that they didn't put there themselves?

        I also don't understand how "the cloud" storage matters at all, and I even RTFA which wasn't much more informative than the summary. Maybe you can explain it?

        • by Anonymous Coward

          You just upload and your malware is ready to be linked to millions with no maintenance on your part. Also keeps you from exposing yourself by hosting on your own server. Also makes it trivial to migrate to a new domain when you get shut down. All you have to do is upload the same template to a new host. And it won't get bogged down even if you had hundreds of domains(hopefully).

          • by Anonymous Coward

            Have you ever used AWS? You set up an instance, configure it and install your malware distribution app, save a snapshot in working state, and then share the AMI with as many accounts as you can create. One goes down, the next goes up, all within geographically distributed load balancers. I would imagine if you have enough AWS accounts you could keep a large enough pool to avoid detection at all. Hell, they even offer CLI tools that can do most if not all of this from a script.

            Disclaimer: I've never host

        • by Arrogant-Bastard (141720) on Wednesday January 15, 2014 @04:20PM (#45968955)
          There are a large number of reasonably well-understood methods for dealing with this.

          First, you have a working RFC 2142 role account address: abuse@ your domain. You pay attention to what shows up there. You reply promptly. You engage. After all, if someone is doing your job for you and doing it on THEIR dime, the least you can do is take advantage of it. Moreover, if you manage to do this reasonably well, word will get out, you'll earn the respect of your peers, and they will reward you with more reports -- again, doing your work for you for free.

          Worth noting is that Amazon makes it nearly impossible to communicate with their abuse desk and fails to respond to reports in any way, let alone a timely one. And it's well known that GoDaddy frequently forwards them to the abusers.

          Second, you pay attention to netflows. If a virtual host instance is opening up TCP connections on port 25 to a kazillion hosts/hour, then it's spamming. Any kind of perfunctory monitoring will spot this and a hundred other similar things in real time.

          Third, you pay attention to who's behind the incidents. If you don't, then they'll just sign up over and over and over again. So you work to avoid that, by looking at the who, what, where, when patterns -- and you ban repeat offenders. This isn't watertight, of course -- but it doesn't need to be. If you raise the bar high enough, they'll just go somewhere else, which reduces your workload and lets you focus more tightly on what's left.

          Fourth, you look at usage patterns. Most web sites do NOT display global usage patterns, particularly those which are connected to a domain registered yesterday. (Think about it.) If you observe that, then something's up: it might be legitimate. It's almost certainly not. The same thing applies to other services and other protocols.

          Fifth, if you're Amazon, you have a highly paid legal staff. Use them. Smack the crap out of a few particulaly egregious offenders in court. Make it noisy so that everyone else knows you're doing it. Again, this doesn't have to be watertight; it just has to discourage miscreants.

          Finally (and I'm stopping here for brevity, there's a lot more), do all this publicly. Encourage your peers to do the same. Challenge them. Raise the collective bar, not just your own. Cooperate with your competitors.

          All of this costs money. Not a stupid amount of money, but it does cost. Which is why it almost never gets done (see previous post).
          • It used to be that malware ran on cracked residential PCs, because there were lots of them around and they were much easier targets. But these days the place to be is renting cloud servers with stolen credit cards, and if they're good enough to pass initial validation you're probably golden for a month, or at least until your malware site gets caught. That's plenty long enough to steal some more credit cards, if you're a professional malware practitioner. And it's harder to get caught if you can fire up

      • Never credit conspiracy when stupidity will do.

        You can get in and out of a lot of providers with a credit card or less. No one wants to be the first to use a secondary auth to protect integrity. Worse: providers like Tumblr use Amazon storage as back-fill and more. So does Amazon police Tumblr?

        I believe your accusations against GoDaddy might be libel or worse; they're not actively seeking to do what you accuse them of, but they're not inhiibiting it, either. IANAL, but you might consider that they might be

      • by tranquilidad (1994300) on Wednesday January 15, 2014 @02:32PM (#45967767)

        "Amazon, with its immense resources,"

        Amazon, on sales of $2.98 Billion for the 12 months ending September 30, 2013, had net income of $130 million.

        You say the budgetary impact wouldn't even be a blip. How about putting a hard number on it?

        There's a difference between a company being big and having "immense resources" to spend on staffing "a 24x7 abuse desk with very senior people."

        Generally speaking, Amazon has been happy incurring a lot of losses in their bid for world domination. You may disagree with their allocation of resources as a company but it's difficult to conclude they have immense, unallocated resources sitting by and "they just don't want to" fix the problem.

        I'm curious as to what you think the solution is that would be so easy for their smart people to fix.

        • Amazon operates on very thin margins. This is partially because they want to give customers a good price, which means they don't make a lot of profit per sale. It is also because they reinvest their profits in their business, buying more infrastructure, that kind of thing.

          They are not like Apple, just hoarding tons of cash, they don't actually have a tone of money left over.

          • by wvmarle (1070040)

            They are not like Apple, just hoarding tons of cash, they don't actually have a tone of money left over.

            Companies like Apple and Microsoft make so much money that they simply don't know what to spend it on. They hoard out of sheer necessity. Google has a similar problem, but they're a tad more creative when it comes to spending money (hence the robotic cars and other hobby projects you see coming out of that company).

            • Actually they horde because the bulk of that cash is stuck overseas and if they brought it back to corporate to use it would get taxed and they don't want to pay the taxes. This is why there have been pushes for repatriation taxes that would be at a lower rate than the usual 35%. But to do that would be just encouraging more tax dodging.

              • by wvmarle (1070040)

                That argument would only work if there would be no ways to spend money outside of the US. Yet, contrary to what you (and many others from the US) seem to be thinking, there's actually a whole world out there, with plenty of opportunities to develop new business.

      • by amicusNYCL (1538833) on Wednesday January 15, 2014 @02:34PM (#45967805)

        They can afford, using their spare change, to staff a 24x7 abuse desk with very senior people.

        You think that the solution to this problem is a 24-hour abuse desk? Isn't that, by nature, a reactive solution instead of a proactive solution? This comes with the turf. When Amazon allows their customers to quickly and easily set up new virtual servers and things like that, this is going to happen. Unless they are actively scanning all files and data that go through their network to block things (and even that is not a full solution), we are going to continue to see the "cloud" malware sites. These are sites that pop up and maybe they only exist for a day or two, or a few hours, before they get shut down, but in that time they've done what they were supposed to do and once they go down another one pops up. A place that people can call to report malware is not going to solve that problem.

      • by cerberusti (239266) on Wednesday January 15, 2014 @03:11PM (#45968243)

        Amazon does control spam to at least some extent. They sent me an e-mail asking about it when one of the servers I have there started sending e-mail.

        They asked me to describe my use case and set a new limit on outgoing messages.

        Serving malware is probably difficult to do much about. I doubt they can directly scan servers for it (for a variety of reasons) and it would be difficult to distinguish from normal web traffic (especially if encrypted.) This probably means they need to wait for a problem before they can do something about it.

        I suppose they could require more information about their customers, or include a waiting period on servers... but nobody does that, and in my opinion it would be unreasonable to require it of them.

        • reacting to an increase in mail traffic from a known mail server? Spam has used botnets and distributed sending for a decade. Only the total noob mom-and-pop shop tries to direct mail spam anymore.

          Perhaps if they watched for more modern malware signatures instead they would be more effective.

          • Amazon cloud instances are a perfectly plausible place to send spam from, if you can get away with it and if it's cheaper than botnet service (and of course botnet services are just as happy to sell you compromised Amazon cloud instances instead of compromised home PCs if they have them.)

            But he didn't say he tried to spam from his Amazon server and got questioned - he said he tried to send mail, and Amazon questioned them. Most virtual machines don't send mail directly, just as most residential PCs don't,

      • by hackus (159037)

        It is more profitable to accept the malware business than it is to staff people.

        -Hack

        • by tlhIngan (30335)

          It is more profitable to accept the malware business than it is to staff people.

          Far more profitable. actually. Spammers and such often pay substantially more for service so they can do their business while the hosting company turns a blind eye.

          It's called Pink contracts [wikipedia.org]. ISPs naturally hate to reveal what spammers and such REALLY pay them (hint: it's a good premium).

      • by wvmarle (1070040)

        Until operations are held accountable for their actions -- which is something
        that we USED to do on this network, a long time ago -- most won't bother.
        And that is, in large part, why problems like spam and phishing and malware
        are epidemic.

        Here you go wrong with your argument.

        We DON'T want an ISP to police their network, do we? Why would an ISP have to be responsible for what users do with their network? Do you want them to police against possible copyright infringement, and block torrents, as well? Do you want them to read your messages, to make sure you don't post anything offensive on the networks?

        All along we have been arguing for net neutrality. Just give us the connection, and let us decide what data we pass over that connection. And le

      • Amazon, with its immense resources, should be one of the cleanest hosts on
        the planet. They can afford, using their spare change, to staff a 24x7 abuse desk
        with very senior people. The budgetary impact wouldn't even be a blip. And with
        the right people, suitably empowered, they could keep their operation nearly free of
        malware, phishing, spam, and other forms of abuse. They're far better positioned
        to do this than many smaller operations, who couldn't possibly afford it. .

        And I can't block Amazon, too much comes through their cloud.
        Nor can I block deploy.static.akamaitechnologies.com and a new one that's shown up sea09s01-in-f28.1e100.net both a caching services.

        Had to laugh checking I found: unknown-68-142-253-x.yahoo.com; Whois had it, now I must block.
        Name Server: ns5.yahoo.com
        Name Server: ns1.yahoo.com
        Name Server: ns4.yahoo.com
        Name Server: ns3.yahoo.com
        Name Server: ns2.yahoo.com

        So many sites to block only so many will my system take, up until last month my Win7 had no

  • Expected (Score:5, Insightful)

    by kamapuaa (555446) on Wednesday January 15, 2014 @01:42PM (#45967015) Homepage

    Spinning this as a national issue is like saying "California has far more car accidents than Rhode Island." Of course it's true, but the US is far larger than (say) Germany, and has the largest hosting providers in the world. It would be a great surprise if the US wasn't in the lead.

    • So, is it your assumption that size is directly responsible for the malware? Why can't a large hosting company also institute the best protection mechanisms to reduce their malware content? GoDaddy I can see not giving a crap, but Amazon should do some proper management to reduce this problem.
      • by MickyTheIdiot (1032226) on Wednesday January 15, 2014 @01:50PM (#45967129) Homepage Journal

        The assumption that "size is directly responsible for the malware" has been the excuse made by every Microsoft advocate ever to walk the face of the earth.

      • Re:Expected (Score:4, Interesting)

        by trongey (21550) on Wednesday January 15, 2014 @01:52PM (#45967167) Homepage

        So, is it your assumption that size is directly responsible for the malware? Why can't a large hosting company also institute the best protection mechanisms to reduce their malware content? GoDaddy I can see not giving a crap, but Amazon should do some proper management to reduce this problem.

        Do you realize how much business they would lose if they did that?
        You can't just kick off all your best customers.

    • by fyec (3404475)
      I agree with you, but I wonder if there is something that Amazon et al might be able to do about it. Would it be too cost/performance prohibitive to scan for known malware before a site is allowed to go live? Is that technically infeasible or are there confidentiality issues that prevent Amazon from doing that?
    • by Ecuador (740021) on Wednesday January 15, 2014 @02:44PM (#45967943) Homepage

      I mean, the whole problem is the legal framework, which is focused on dealing with the wrong issues. Imagine if instead of malware you attempted to host copyrighted content on Amazon or GoDaddy or whomever else. Immediate takedown of the content and people coming after you. If you host malware on the other hand, meh, as long as Amazon gets paid they can host it without getting into trouble.
      When I say it is a national issue, I don't mean it is only a US issue. It is a national issue for every country that writes the laws that corps ask for. Well, of course, it is the only country that I know off where corporate bribes are institutionalized, but that's another story.

    • It used to be that the US was the largest target/market for malware, but the malware itself was often running in China or Korea, and if it was running in the US it was on compromised home PCs. Now it's moved to the cloud. The Amazon part is more interesting, because it's general-purpose cloud service, as opposed to GoDaddy which specializes in hosting domain parking pages and similar malware-usable services.

    • by wvmarle (1070040)

      Interestingly, China and India - the biggest countries in the world in population, and among the biggest in land area, are not even mentioned. India, known for it's many IT professionals, and China, evil evil China, known for it's hackers and crackers and general evilness when it comes to computer security. Nor is Russia, home to many prolific Internet criminals.

  • this strange idea that blindly running remotely fetched code is a good idea, "malware" problems will become sparse.

    • Yep. Exactly. Mine is not THE most locked down computer in the world, but nothing runs without my explicit permission. Nothing downloads without my explicit permission. Nothing comes from third party sites, without my explicit permission. It gets a little irritating sometimes. Popup reminders, asking me if I really want to permit application X to run code from site Y. But, in the long run, it's worth it. I always get the opportunity to block something that I don't think is right.

  • popn size (Score:5, Funny)

    by minstrelmike (1602771) on Wednesday January 15, 2014 @01:56PM (#45967231)
    Alert. Largest subpopulations of a population have the most parasites.
    The longest books tend to have the most typos.
    Enquiring minds want to know why.
  • by urbanriot (924981) on Wednesday January 15, 2014 @01:59PM (#45967281)
    I often interact with large companies' IT departments and the general ID is to completely block all Amazon EC2 servers to prevent spam, malware attacks and access to filter bypass services like Ultrasurf, regardless of the possibility of legitimate sites hosted on Amazon. Occasionally they'll make exceptions for port 80 but the idea is basically, "since Amazon is complicit in hosting so much malicious or nefarious crap on the internet, just block Amazon."
    • by urbanriot (924981)
      Clearly there's a job opening for a grammer nazi in my life.
      • Clearly there's a job opening for a grammer nazi in my life.

        Do you also have budget for a Spelling Stalinist?

    • by sjwest (948274)

      We have been 'probed' by amazon, there abuse report standards would seem to indicate i have to run wireshark or a equivalent tool from the whois.

      Comment: All abuse reports MUST include:
      Comment: * src IP
      Comment: * dest IP (your IP)
      Comment: * dest port
      Comment: * Accurate date/timestamp and timezone of activity
      Comment: * Intensity/frequency (short log extracts)
      Comment: * Your contact details (phone and email) Without these we will be unable to identify the corre

    • by Indy1 (99447)

      Agreed. Spamazon's EC2 garbage servers are firewalled on my servers. Spamazon ignores and /dev/null's abuse complaints, so I nuke all their EC2 ranges.

      Same with Spamdaddy.

      Run a network sewer, get firewalled. Only way to protect your own network.

  • Highly unlikely, but we need Amazon and GoDaddy to police their customers.
    • by game kid (805301)

      Enjoy your one-week domain name free-trial settlement coupons.

      (Not transferable to other_registrar, of course.)

    • by EmagGeek (574360)

      While we're at it, let's start holding screwdriver manufacturers responsible when burglars use them to break into houses...

      • When you know your product is consistently used illegally by a person, repeatedly selling them more of that product IS actionable.

        "Hmm, Mr Gacy. It shows here you stuck the last three screwdrivers we sold you into people's skulls. We are going to have to refuse you any future product."

        VS the current:

        "Hmm, Mr Gacy. It shows here you stuck the last three screwdrivers we sold you into people's skulls. We have been authorized to offer you a bulk discount to meet your future needs."

  • Elephants drop largest turds of any land animal. (Except our project manager. I swear he slings shit everywhere).

For every bloke who makes his mark, there's half a dozen waiting to rub it out. -- Andy Capp

Working...