December 12, 2009

Security researchers recently reported a Zeus botnet controller running on an Amazon EC2 instance. There have been numerous reports of this finding as well as speculation as to what this means to EC2 security. Reports have stated that this software was run after a website in EC2 was compromised. While isolating the abusive instance, we found no evidence of a compromised website. Others have discussed the opportunity that cloud-based infrastructure will provide for Internet abuse. In this post, we will discuss both of these concerns.

First, we were able to locate a Zeus botnet controller and promptly shut it down. We take all claims of misuse of our services very seriously and investigate each one. When we find misuse, we take action quickly and shut it down. Our terms of usage are clear and we continually monitor and work to make sure the services aren’t used for illegal activity. It’s important to note that we take the privacy of our customers very seriously, and don’t inspect the contents of instances. This is part of the reason that legitimate customers of all types are comfortable running production applications on Amazon EC2. However, when abuse is detected, we are able to act swiftly to isolate the abusive behavior.

Some articles include a discussion of how this software became active in EC2. We have found no evidence of a compromised website. In general, users of Amazon EC2 use the same precautions to secure and protect their websites as they do with traditional hosting solutions. It is no easier for would-be abusers to compromise EC2-based websites than other publicly available websites.

Finally, many articles have asserted that services like Amazon EC2 will be useful tools for would-be abusers. Abusers who choose to run their software in an environment like Amazon EC2 make it easier for us to access and disable their software. This is a significant improvement over the Internet as a whole, where abusive hosts can be inaccessible and run unabated for long periods of time. We will continue to improve our abuse detection and response. We also encourage our community to report suspected misuse of Amazon EC2 to ec2-abuse@amazon.com.