Skip to main content

What counts as ‘malware’? AWS clarifies its definition

Image Credit: Getty Images

Join us in Atlanta on April 10th and explore the landscape of security workforce. We will explore the vision, benefits, and use cases of AI for security teams. Request an invite here.


Amazon Web Services had strong words this week about research published on a new strain of malware, which was discovered in its serverless computing service, AWS Lambda.

In a statement (screengrab shared below), the public cloud giant went to some lengths to dispute the findings — and in the process, made an unusual assertion.

Specifically, the AWS statement circulated this week to multiple media outlets including VentureBeat mischaracterized what constitutes “malware,” a number of security experts confirmed.

The statement came in response to research about the “Denonia” cryptocurrency mining software, discovered by Cado Security researchers in a Lambda serverless environment.

VB Event

The AI Impact Tour – Atlanta

Continuing our tour, we’re headed to Atlanta for the AI Impact Tour stop on April 10th. This exclusive, invite-only event, in partnership with Microsoft, will feature discussions on how generative AI is transforming the security workforce. Space is limited, so request an invite today.
Request an invite

From the AWS statement: “Since the software relies entirely on fraudulently obtained account credentials, it is a distortion of facts to even refer to it as malware because it lacks the ability to gain unauthorized access to any system by itself.”

It’s the second line in the above statement — “it is a distortion of facts to even refer to it as malware” — that is not correct, according to security experts.

“Software does not have to gain unauthorized access to a system by itself in order to be considered malware,” said Allan Liska, intelligence analyst at Recorded Future. “In fact, most of the software that we classify as malware does not gain unauthorized access and is instead deployed in a later stage of the attack.”

Malicious intent

Defining the nature of a piece of software is all about the intention of the person using it, according to Ken Westin, director of security strategy at Cybereason.

Simply put: “If their goal is to compromise an asset or information with it, then it’s considered malware,” Westin said.

Some malware variants do have the capability to autonomously gain unauthorized access to systems, said Alexis Dorais-Joncas, security intelligence team lead at ESET. One of the most well-known cases is NotPetya, which massively spread by itself, via the internet, by exploiting a software vulnerability in Windows, Dorais-Joncas noted.

However, “the vast majority of all programs ESET considers malware do not have that capability,” he said.

Thus, in the case of Denonia, the only factor that really matters is that the code was intended to run without authorization, said Stel Valavanis, founder and CEO of OnShore Security.

“That’s malware by intent,” Valavanis said.

Cryptomining software

Denonia appeared to be a customized variant of XMRig, a popular cryptominer, noted Avi Shua, cofounder and CEO at Orca Security.

While XMRig can be used for non-malicious cryptomining, the vast majority of security vendors consider it to be malware, Shua said, citing data from threat intelligence site VirusTotal.

“It’s pretty clear that [Denonia] was malicious,” he said.

The bottom line, according to Huntress senior threat researcher Greg Ake, is that malware is “software with a malicious intent.”

“I would think a reasonable jury of peers would find software that was installed with the intent to abuse available computer resources — without the owner’s consent, using stolen credentials for personal profit and gain — would be categorized as malicious intent,” Ake said.

Not a worm

Still, while Denonia is clearly malware, AWS Lambda is not “vulnerable” to it, per se, according to Bogdan Botezatu, director of threat research and reporting at Bitdefender.

The malware was likely planted through stolen credentials and “things would have been completely different if the Denonia malware would be able to spread itself from one Lambda instance to another — rather than get copied on instances through stolen credentials,” Botezatu said. “This would make it a worm, which would have devastating consequences.”

And this distinction, ultimately, seems to have been the real point that AWS was trying to make.

VentureBeat contacted AWS for comment on the fact that many security experts do not agree that deeming Denonia to be malware is a “distortion of facts.” The cloud giant responded Friday with a new statement — suggesting that what the company meant to say was that Denonia is not really “Lambda-focused malware.”

“Calling Denonia a Lambda-focused malware is a distortion of fact, as it doesn’t use any vulnerability in the Lambda service,” AWS said in the new statement.

“Denonia does not target Lambda using any of the actions included in the accepted definition of malware,” the statement says. “It is simply malicious software configured to successfully execute via Lambda, not because of Lambda or with any Lambda-exclusive gain.”

So there you have it. The earlier AWS statement is included below.

Screengrab of AWS statement responding to coverage of the “Denonia” research, 4/6/22

VB Daily - get the latest in your inbox

Thanks for subscribing. Check out more VB newsletters here.

An error occured.