Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Internet Storm Center - Internet Security | DShield Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Last Daily Podcast (Fri, Sep 21st):OSSEC Hunting; NSSLabs; Bitcoin DoS; WebAuthn

Latest Diaries

Pre-Pwned AMI Images in Amazon's AWS public instance store

Published: 2018-09-21
Last Updated: 2018-09-21 13:28:05 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

I keep getting reports about AMI images in Amazon's AWS, which come "pre-pwned." These images typically include for the most part crypto coin miners, but the also include backdoors or more subtle malicious modifications.

One reason users fall for these images appears to be that they search for images without considering the "owner" of the image. This way, you may fall for look-alike images that claim include a popular Linux distribution or that even offer fully patched versions of this distribution.

What I am looking for right now is current examples of such malicious images. If you are aware of any, please let me know.

Just like whenever you use an external component, it is important to secure your "supply chain." In this case, you need to stick to images created by reputable sources (for example Amazon itself should be considered reputable). But in a couple of cases, I was told that vendors offer images with their software preinstalled, that are based on backdoored images. This is likely due to the vendor not performing their due diligence.

Again: Right now I am looking for examples, so if you have one, please use our contact form ( to let me know how to find it and more importantly, how you came across it.


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute

0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Hunting for Suspicious Processes with OSSEC
Sep 20th 2018
1 day ago by Xme (0 comments)

Certificates Revisited - SSL VPN Certificates 2 Ways
Sep 19th 2018
2 days ago by Rob VandenBrink (1 comment)

Using Certificate Transparency as an Attack / Defense Tool
Sep 18th 2018
3 days ago by Rob VandenBrink (2 comments)

Dissecting Malicious MS Office Docs
Sep 17th 2018
4 days ago by Rob VandenBrink (0 comments)

20/20 malware vision
Sep 16th 2018
4 days ago by DidierStevens (0 comments)

User Agent String "$" ? :-) !
Sep 15th 2018
5 days ago by DidierStevens (3 comments)

Sextortion - Follow the Money Update
Sep 14th 2018
6 days ago by Rick (0 comments)

View All Diaries →

Latest Discussions

Attempting to report (msg body missing) -- Powershell malware in zip with jpg
created Sep 10th 2018
1 week ago by W60 (0 replies)

SSL Labs vs.
created Sep 7th 2018
1 week ago by Anonymous (0 replies)

SSL Labs vs.
created Sep 7th 2018
1 week ago by Anonymous (0 replies)

Has anyone any ideas what "glirote3" -- malware powershell link.
created Sep 4th 2018
2 weeks ago by W60 (0 replies)

Remote code execution attacks
created Aug 28th 2018
3 weeks ago by Anonymous (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
1 year ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
1 year ago by Johannes (16 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
9 months ago by Russ McRee (2 comments)

Maldoc with auto-updated link
Aug 17th 2017
1 year ago by Xme (2 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
1 year ago by Renato (0 comments)