What counts as ‘malware’? AWS clarifies its definition

We’re excited to bring Transform 2022 back to life on July 19th and virtually July 20-28. Join AI and data leaders for sensible conversations and exciting networking opportunities. Register today!


Amazon Web Services had strong words about the research published this week on the new strain of malware, which was found in its serverless computing service, AWS Lambda.

In a statement (screenshare shared below), the public went to some extent to dispute the cloud giant’s findings – and in the process, made an unusual statement.

Notably, the AWS statement circulating this week at multiple media outlets, including VentureBeat, misrepresenting that it constitutes “malware”, a number of security experts have confirmed.

The statement came in response to research on “Denonia” cryptocurrency mining software, discovered by Cado Security researchers in a Lambda serverless environment.

From the AWS statement: “Because the software relies entirely on fraudulently obtained account credentials, even referring to it as malware is a distortion of the facts as it lacks the ability to automatically gain unauthorized access to any system.”

That second line in the above statement – “even referring to it as malware is a distortion of facts” – is not correct, according to security experts.

“Software does not have to gain unauthorized access to the system itself to be considered malware,” said Alan Liska, an intelligence analyst at Recorded Futures. “In fact, most of the software that we classify as malware does not gain unauthorized access and is instead deployed in the later stages of the attack.”

Malicious intent

Defining the nature of the piece of software is about the purpose of the person using it Ken Westin, Director of Security Strategy at Cybersecurity.

Simply put: “If their goal is to tamper with their property or information, it is considered malware,” Westin said.

Alexis Dorais-Jonkas, lead of the security intelligence team at ESET, said some malware variants have the ability to gain unauthorized access to the system automatically. One of the most well-known cases, Dotris-Jonkas noted, is the notepad, which spreads itself largely through the Internet, using software vulnerabilities in Windows.

However, “the vast majority of all ESET programs believe that malware does not have that capability,” he said.

Thus, in the case of Denonia, the only factor that really matters is whether the code was intended to operate without authorization, said Stal Walawanis, founder and CEO of Onshore Security.

“It’s malware by intent,” Valavanis said.

Cryptomining software

Avi Shua, co-founder and CEO of Orca Security, noted that Denonia XMRig was found to be a customized variant of a popular cryptocurrency.

While XMRig can be used for non-malicious cryptomining, most security vendors consider it malware, Shua said, citing data from the threat intelligence site Virstottle.

“It simply came to our notice then [Denonia] Was malicious, “he said.

The bottom line is that malware is “software with malicious intent,” according to Greg Ake, a senior threat researcher at Huntress.

“I think a fair jury of peers will be able to find software installed with the intent to misuse available computer resources – without the owner’s consent, using stolen credentials for personal gain and benefit – to be classified as malicious,” AK said.

Not a worm

However, while Denonia is clearly malware, AWS Lambda is not “sensitive” to it, according to Bogdan Botezatu, director of threat research and reporting at Bitdefender.

The malware was probably planted by stolen credentials and “things would have been completely different if Denonia had been able to spread itself from one lambda instance to another instead of copying patterns through malware stolen credentials,” Botezatu said. “This will make him a worm, with disastrous consequences.”

And this difference, after all, seems to be Real Was trying to create AWS.

VentureBeat contacted AWS to comment on the fact that many security experts do not agree that treating Denonia as malware is a “distortion of facts.” Cloud Giant responded with a new statement on Friday – indicating what the company is Meant to say Isn’t Denonia really “lambda-centric malware”?

“Calling Denonia lambda-centric malware is a distortion of the fact that it does not use any vulnerabilities in the lambda service,” AWS said in a new statement.

“Denonia does not target Lambda using any of the actions contained in the accepted definition of malware,” the statement said. “It’s just malicious software designed to be successfully executed by Lambda, not because of Lambda or with any Lambda-specific benefits.”

So you have it. The previous AWS statement is included below.

Screenshot of AWS statement responding to “Denonia” research coverage, 4/6/22

Venturebeat’s mission Transformative Enterprise is about to become a digital town square for technology decision makers to gain knowledge about technology and transactions. Learn more about membership.

Similar Posts

Leave a Reply

Your email address will not be published.