Critical Microsoft update via Amazon EC2?

This past weekend a fairly typical malware campaign started to arrive on our global network of spam traps, using the common technique of disguising itself as an “Important Windows Update”. Its characteristics are mostly what you would expect from spammed-out malware:

Varying subject lines:

[Image: sample subject lines]

Varying, forged “From” addresses:

[Image: sample From addresses]

Advises the reader to “Update” via a link in the email:

[Image: sample email]

An obfuscated link that directs you to malware detected by Sophos as Mal/Encpk-AO:

[Image: obfuscated link]

[Image: Sophos detection]

The emails arrived via an IP that is part of a botnet:

[Images: Received headers from two samples]

Oh wait... “compute-1.amazonaws.com”. This host is part of the Amazon Elastic Compute Cloud (Amazon EC2), not your typical botnet. A search through our traps shows that all our recent samples of this campaign originated from within Amazon EC2.
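The check described above can be scripted over trap samples. The following is an added example, not code from the original post: it reads the topmost Received header of each message and reports whether the connecting relay has an EC2 reverse-DNS name. It assumes a Postfix-style header written by the receiving trap, `from helo (rdns [ip])`, and every message, hostname and address in it is constructed.

```python
import re
from collections import Counter
from email import message_from_string

# Assumed Postfix-style trace written by our own MTA: from HELO (rdns [ip])
RECEIVED = re.compile(r"from\s+\S+\s+\((\S+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")
# Public EC2 names embed the instance address: ec2-A-B-C-D.<region part>.amazonaws.com
EC2_RDNS = re.compile(
    r"^ec2-(\d+)-(\d+)-(\d+)-(\d+)\.(?:compute-1|[a-z0-9-]+\.compute)\.amazonaws\.com$",
    re.IGNORECASE)

def classify(raw_message):
    """Return (ip, rdns, verdict) for the relay that handed the message to us."""
    received = message_from_string(raw_message).get_all("Received") or []
    # Only the topmost header was added by our server; lower ones are sender-supplied.
    match = RECEIVED.search(received[0]) if received else None
    if not match:
        return (None, None, "unparsed")
    rdns, ip = match.group(1).lower(), match.group(2)
    ec2 = EC2_RDNS.match(rdns)
    if not ec2:
        return (ip, rdns, "other")
    # A PTR record is set by whoever controls the address's reverse zone, so a
    # name that claims EC2 but encodes a different address is not counted as EC2.
    verdict = "ec2" if ".".join(ec2.groups()) == ip else "ec2-name-ip-mismatch"
    return (ip, rdns, verdict)

def summarize(messages):
    """Count verdicts across a batch of raw trap messages."""
    return Counter(classify(m)[2] for m in messages)

# Constructed samples (documentation address ranges, made-up hostnames).
SAMPLES = [
    "Received: from mail.update.example (ec2-203-0-113-25.compute-1.amazonaws.com [203.0.113.25])\n"
    "\tby trap.example.net (Postfix) with ESMTP id CONSTRUCTED1\n"
    "Subject: constructed sample 1\n\nbody\n",
    "Received: from pc.example (dsl-7.isp.example.org [198.51.100.7])\n"
    "\tby trap.example.net (Postfix) with ESMTP id CONSTRUCTED2\n"
    "Received: from x (ec2-203-0-113-99.compute-1.amazonaws.com [203.0.113.99])\n"
    "\tby relay.forged.example with SMTP\n"
    "Subject: constructed sample 2\n\nbody\n",
    "Received: from host.example (ec2-203-0-113-25.compute-1.amazonaws.com [192.0.2.44])\n"
    "\tby trap.example.net (Postfix) with ESMTP id CONSTRUCTED3\n"
    "Subject: constructed sample 3\n\nbody\n",
]

if __name__ == "__main__":
    for verdict, count in summarize(SAMPLES).items():
        print(f"{verdict}: {count}")
```

The second sample carries a forged lower Received header naming EC2, which is ignored because only the trap's own trace line is trusted.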

Are these spammers targeting EC2 specifically, hoping that some receivers trust or whitelist this network? Or is it just yet another set of hosts with bandwidth to burn that can be exploited?

Will IPs within Amazon EC2 start to show up in respected IP-based DNSBLs (DNS-based block lists)? Or perhaps even the entire cloud?

Send your opinions to sophosblog@sophos.com.