What counts as ‘malware’? AWS clarifies its definition


Amazon Web Services had strong words this week about research published on a new form of malware discovered in its serverless computing service, AWS Lambda.

In a statement (screengrab shared below), the public cloud giant went to great lengths to dispute the findings — making an unusual claim in the process.

In particular, the AWS statement, which was circulated to multiple media outlets this week, including VentureBeat, misrepresented what “malware” is, a number of security experts confirmed.

The statement came in response to an investigation into the cryptocurrency mining software “Denonia” discovered by Cado Security researchers in a Lambda serverless environment.

From the AWS statement: “Since the software relies entirely on fraudulently obtained account information, it is a distortion of the facts to even refer to it as malware because it is incapable of gaining unauthorized access to any system on its own.”

It’s the second line in the statement above – “it’s a distortion of the facts to even refer to it as malware” – that security experts say is false.

“Software doesn’t have to gain unauthorized access to a system on its own to be considered malware,” said Allan Liska, intelligence analyst at Recorded Future. “In fact, most of the software that we classify as malware is not allowed unauthorized access and is deployed at a later stage of the attack.”

Bad intention

Defining the nature of a piece of software has everything to do with the intent of the person using it, according to Ken Westin, director of security strategy at Cybereason.

Simply put, “If their goal is to compromise an asset or information with it, then it’s considered malware,” Westin said.

Some malware variants have the ability to autonomously gain unauthorized access to systems, said Alexis Dorais-Joncas, security intelligence team leader at ESET. One of the most famous cases is NotPetya, which spread itself massively over the Internet by exploiting a software vulnerability in Windows, Dorais-Joncas noted.

However, “the vast majority of all programs that ESET believes to be malware do not have that capability,” he said.

So in Denonia’s case, the only factor that really matters is that the code was intended to run without authorization, said Stel Valavanis, founder and CEO of OnShore Security.

“That’s intentional malware,” Valavanis said.

Crypto mining software

Denonia turned out to be a modified variant of XMRig, a popular cryptominer, noted Avi Shua, co-founder and CEO at Orca Security.

While XMRig can be used for non-malicious crypto mining, the vast majority of security vendors consider it malware, Shua said, citing data from threat intelligence site VirusTotal.

“It’s pretty clear that [Denonia] is evil,” he said.

According to Huntress senior threat researcher Greg Ake, the bottom line is that malware is “software with malicious intent.”

“I would think a reasonable jury of peers would find that software installed with the intent to misuse available computer resources — without the owner’s consent, using stolen credentials for personal gain — would be categorized as malicious intent,” said Ake.

No worm

While Denonia is clearly malware, AWS Lambda isn’t necessarily “vulnerable” to it, according to Bogdan Botezatu, director of threat research and reporting at Bitdefender.

The malware was likely planted via stolen credentials, and “it would have been completely different if the Denonia malware could spread itself from one Lambda instance to another — instead of being copied onto instances via stolen credentials,” Botezatu said. “This would turn it into a worm, which would have devastating consequences.”

And this distinction ultimately seems to have been the real point AWS was trying to make.

VentureBeat reached out to AWS for comment, noting that many security experts disagree that it is a “distortion of the facts” to consider Denonia malware. The cloud giant responded Friday with a new statement – suggesting that what the company intended to say was that Denonia is not really “Lambda-targeted malware”.

“Calling Denonia a Lambda-targeted malware is a distortion of the facts, as it does not use any vulnerability in the Lambda service,” AWS said in the new statement.

“Denonia is not targeting Lambda using any of the actions included in the accepted definition of malware,” the statement said. “It’s just malicious software configured to run successfully through Lambda, not because of Lambda or at any Lambda-exclusive profit.”

So there you have it. The previous AWS statement is included below.

Screengrab of AWS statement in response to coverage of the “Denonia” investigation, 4/6/22


This post, “What counts as ‘malware’? AWS clarifies its definition,” was originally published at https://venturebeat.com/2022/04/08/what-counts-as-malware-aws-clarifies-its-definition/