What counts as ‘malware’? AWS clarifies its definition



Amazon Web Services had strong words this week about published research into a new strain of malware, which was discovered in its serverless computing service, AWS Lambda.

In a statement (screenshot shared below), the public cloud giant went to great lengths to dispute the findings, and in the process made an unusual claim.

Specifically, the AWS statement circulated this week to various media outlets, including VentureBeat, mischaracterized what constitutes “malware,” multiple security experts confirmed.

The statement came in response to the investigation into “Denonia” cryptocurrency mining software, discovered by Cado Security researchers in a Lambda serverless environment.

From the AWS statement: “Because the software relies entirely on fraudulently obtained account credentials, it is a misrepresentation of the facts to even refer to it as malware because it lacks the ability to gain unauthorized access to any system on its own.”

It is the second line of the above statement, “it is a distortion of the facts to even refer to it as malware,” that is not correct, according to security experts.

“Software doesn’t have to gain unauthorized access to a system by itself to be considered malware,” said Allan Liska, an intelligence analyst at Recorded Future. “In fact, most of the software we classify as malware does not gain unauthorized access and is instead deployed at a later stage of the attack.”

Bad intentions

Defining the nature of a piece of software has to do with the intent of the person using it, said Ken Westin, director of security strategy at Cybereason.

Bottom line: “If your goal is to compromise an asset or information with it, then it’s considered malware,” Westin said.

Some malware variants have the ability to gain unauthorized access to systems autonomously, said Alexis Dorais-Joncas, ESET security intelligence team leader. One of the best-known cases is NotPetya, which spread itself massively over the Internet by exploiting a software vulnerability in Windows, Dorais-Joncas said.

However, “the vast majority of all programs that ESET considers malware do not have that capability,” he said.

So in Denonia’s case, the only factor that really matters is that the code was intended to be executed without authorization, said Stel Valavanis, founder and CEO of OnShore Security.

“That’s malware by intent,” Valavanis said.

Crypto mining software

Denonia appeared to be a custom variant of XMRig, a popular crypto miner, noted Avi Shua, co-founder and CEO of Orca Security.

While XMRig can be used for non-malicious cryptomining, the vast majority of security vendors consider it malware, Shua said, citing data from threat intelligence site VirusTotal.

“It is quite clear that [Denonia] was malicious,” he said.

The bottom line, according to Huntress Senior Threat Researcher Greg Ake, is that malware is “software with malicious intent.”

“I think a reasonable jury of peers would find that software that was installed with the intent to abuse available computing resources, without the owner’s consent, using stolen credentials for personal profit and gain, would be classified as malicious intent,” Ake said.

It’s not a worm

Still, while Denonia is clearly malware, AWS Lambda is not “vulnerable” to it, per se, according to Bogdan Botezatu, director of threat research and reporting at Bitdefender.

The malware was likely planted via stolen credentials, and “things would have been completely different if the Denonia malware could spread from one Lambda instance to another, instead of copying itself to instances via stolen credentials,” Botezatu said. “This would turn it into a worm, which would have devastating consequences.”

And this distinction ultimately seems to have been the real point AWS was trying to make.

VentureBeat contacted AWS to comment on the fact that many security experts disagree that calling Denonia malware is a “distortion of the facts.” The cloud giant responded Friday with a new statement, suggesting that what the company meant was that Denonia is not really “Lambda-focused malware.”

“Calling Denonia a Lambda-focused malware is a distortion of the facts, as it does not use any vulnerability in the Lambda service,” AWS said in the new statement.

“Denonia does not target Lambda using any of the actions included in the accepted definition of malware,” the statement says. “It is simply malicious software configured to run successfully through Lambda, not because of Lambda or for any gain unique to Lambda.”

So there you have it. The AWS statement quoted above is included below.

Screenshot of AWS statement in response to coverage of the “Denonia” investigation, 4/6/22
