The cloud is a wonderfully useful development in computing. But unfortunately, it works for the bad guys as well. Though we haven’t really heard much about it, it turns out that there is a good amount of malicious software in the cloud, too. It’s just hard to notice.
A team of researchers from three universities worked together to investigate how much malware is hosted in the cloud. Across the 20 cloud services they investigated, covering more than 140,000 individual sites, they found about 700 repositories hosting malicious software.
“Bad actors have migrated to the cloud along with everybody else,” says Raheem Beyah, one of the researchers and a professor in Georgia Tech’s School of Electrical and Computer Engineering. “The bad guys are using the cloud to deliver malware and other nefarious things while remaining undetected.”
The researchers found the malware by running deep scans that look for things conventional security software does not normally flag.
Cloud services run security software that looks for malicious programs and refuses to host them. The people uploading the malware found a way around that: they uploaded it in pieces spread across multiple sites. Each piece, scanned on its own, reads as benign to the security software; the pieces are only cobbled back together in the cloud when the malware is put into effect.
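The blind spot described above can be shown in a few lines. The following is an added illustration, not the researchers' tooling or any real attacker's code: a toy per-object signature scanner (the signature list and bucket names are assumptions) is run over a payload before and after it is split into fragments. The harmless EICAR anti-virus test string stands in for the payload. Once every fragment is shorter than the shortest signature, no single object can match, so scanning each upload in isolation reports everything clean; only scanning the reassembled whole catches it.

```python
import hashlib

# Constructed illustration; not the researchers' code or a real attacker's.
# The EICAR string is the industry-standard harmless anti-virus test pattern,
# so it stands in for the malware payload without anything dangerous on disk.
PAYLOAD = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Hypothetical per-object signature list: the only pattern this toy scanner knows.
SIGNATURES = [b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"]


def scan_object(data: bytes) -> bool:
    """Per-object check, as a hosting platform might run it on each upload."""
    return any(sig in data for sig in SIGNATURES)


def split_payload(payload: bytes, parts: int) -> list[bytes]:
    """Cut the payload into `parts` fragments.

    If every fragment is shorter than the shortest signature, no fragment can
    contain a complete match, so per-object scanning returns clean for all of them.
    """
    size = -(-len(payload) // parts)  # ceiling division
    return [payload[i:i + size] for i in range(0, len(payload), size)]


def stage_fragments(fragments: list[bytes]) -> dict[str, bytes]:
    """Simulate hosting each fragment in a different bucket (names are made up)."""
    return {f"bucket-{i:02d}/chunk.bin": frag for i, frag in enumerate(fragments)}


def scan_each(buckets: dict[str, bytes]) -> dict[str, bool]:
    """What the platform sees: one verdict per stored object."""
    return {name: scan_object(obj) for name, obj in buckets.items()}


def payload_digest(payload: bytes) -> str:
    """SHA-256 the uploader would pin so the loader can verify the reassembly."""
    return hashlib.sha256(payload).hexdigest()


def reassemble(buckets: dict[str, bytes], expected_sha256: str) -> bytes:
    """What the loader does on the victim side: fetch in order, join, verify."""
    data = b"".join(buckets[name] for name in sorted(buckets))
    if hashlib.sha256(data).hexdigest() != expected_sha256:
        raise ValueError("reassembled payload does not match expected hash")
    return data


def scan_reassembled(buckets: dict[str, bytes], expected_sha256: str) -> bool:
    """The defender's counterpart: scan the whole, not the parts."""
    return scan_object(reassemble(buckets, expected_sha256))


if __name__ == "__main__":
    digest = payload_digest(PAYLOAD)
    buckets = stage_fragments(split_payload(PAYLOAD, 4))
    print("per-object verdicts:", scan_each(buckets))                # all False
    print("whole payload flagged:", scan_reassembled(buckets, digest))  # True
```

The practical takeaway is that per-upload scanning of each stored object is necessary but not sufficient: a defender has to either reconstruct what a loader would reconstruct, or look for the surrounding structure (manifests, ordered fetch patterns, access controls) that the fragmentation itself creates.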
While the malware was hidden by splitting it up, the strategy also created a way for the researchers to find the “bad buckets” hosting it. The team discovered that the bad buckets had “gatekeepers” designed to keep software scanners out of them.
“We observed that there is an inherent structure associated with how these attackers have set things up,” says Beyah. “For instance, the bad guys all had bodyguards at the door. That’s not normal for cloud storage, and we used that structure to detect them.”
But hackers can only stay ahead of “white hat” software engineers for so long. The research team discovered malware-unique features called “bars” that they could search for in order to find the malware parts. They developed BarFinder, a scanning tool that looks for these features so that security programs can locate and identify malware parts and remove them.
The cloud allows bad actors to use a variety of attacks, and distributing their malware over multiple sites most likely makes it harder to track down its source. Considering that only about 10 percent of the cloud repositories examined held malware, though, it seems that in this case the good guys caught on before the bad guys really figured out how to use the cloud to their advantage.