What counts as ‘malware’? AWS clarifies its definition


Amazon Web Services had strong words this week about research published on a new strain of malware, which was discovered in its serverless computing service, AWS Lambda.

In a statement (screengrab shared below), the public cloud giant went to some lengths to dispute the findings — and in the process, made an unusual assertion.

Specifically, the AWS statement circulated this week to multiple media outlets including VentureBeat mischaracterized what constitutes “malware,” a number of security experts confirmed.

The statement came in response to research about the “Denonia” cryptocurrency mining software, discovered by Cado Security researchers in a Lambda serverless environment.

From the AWS statement: “Since the software relies entirely on fraudulently obtained account credentials, it is a distortion of facts to even refer to it as malware because it lacks the ability to gain unauthorized access to any system by itself.”

It’s the second line in the above statement — “it is a distortion of facts to even refer to it as malware” — that is not correct, according to security experts.

“Software does not have to gain unauthorized access to a system by itself in order to be considered malware,” said Allan Liska, intelligence analyst at Recorded Future. “In fact, most of the software that we classify as malware does not gain unauthorized access and is instead deployed in a later stage of the attack.”

Malicious intent

Defining the nature of a piece of software is all about the intention of the person using it, according to Ken Westin, director of security strategy at Cybereason.

Simply put: “If their goal is to compromise an asset or information with it, then it’s considered malware,” Westin said.

Some malware variants do have the capability to autonomously gain unauthorized access to systems, said Alexis Dorais-Joncas, security intelligence team lead at ESET. One of the most well-known cases is NotPetya, which massively spread by itself, via the internet, by exploiting a software vulnerability in Windows, Dorais-Joncas noted.

However, “the vast majority of all programs ESET considers malware do not have that capability,” he said.

Thus, in the case of Denonia, the only factor that really matters is that the code was intended to run without authorization, said Stel Valavanis, founder and CEO of OnShore Security.

“That’s malware by intent,” Valavanis said.

Cryptomining software

Denonia appeared to be a customized variant of XMRig, a popular cryptominer, noted Avi Shua, cofounder and CEO at Orca Security.

While XMRig can be used for non-malicious cryptomining, the vast majority of security vendors consider it to be malware, Shua said, citing data from threat intelligence site VirusTotal.

“It’s pretty clear that [Denonia] was malicious,” he said.

The bottom line, according to Huntress senior threat researcher Greg Ake, is that malware is “software with a malicious intent.”

“I would think a reasonable jury of peers would find software that was installed with the intent to abuse available computer resources — without the owner’s consent, using stolen credentials for personal profit and gain — would be categorized as malicious intent,” Ake said.

Not a worm

Still, while Denonia is clearly malware, AWS Lambda is not “vulnerable” to it, per se, according to Bogdan Botezatu, director of threat research and reporting at Bitdefender.

The malware was likely planted through stolen credentials and “things would have been completely different if the Denonia malware would be able to spread itself from one Lambda instance to another — rather than get copied on instances through stolen credentials,” Botezatu said. “This would make it a worm, which would have devastating consequences.”

And this distinction, ultimately, seems to have been the real point that AWS was trying to make.

VentureBeat contacted AWS for comment on the fact that many security experts do not agree that deeming Denonia to be malware is a “distortion of facts.” The cloud giant responded Friday with a new statement — suggesting that what the company meant to say was that Denonia is not really “Lambda-focused malware.”

“Calling Denonia a Lambda-focused malware is a distortion of fact, as it doesn’t use any vulnerability in the Lambda service,” AWS said in the new statement.

“Denonia does not target Lambda using any of the actions included in the accepted definition of malware,” the statement says. “It is simply malicious software configured to successfully execute via Lambda, not because of Lambda or with any Lambda-exclusive gain.”

So there you have it. The earlier AWS statement is included below.

Screengrab of AWS statement responding to coverage of the “Denonia” research, 4/6/22