Cyber-Criminals Using Established Malicious Networks to Deliver Payloads
Cyber-criminals are increasingly relying on a web of malicious networks, or "malnets," to launch their attacks, according to security firm Blue Coat.
Instead of worrying about specific malware families or samples, security vendors should focus on identifying the common components within malicious infrastructure, said Sasi Murthy, global technology director and general manager of Blue Coat Systems. Once the common components, such as servers, infection vectors, exploits used, have been identified, vendors could mitigate threats before they affect users, said Murthy.
In Blue Coat's 2011 State of the Threat Landscape report released Feb. 13, researchers identified five major malnets, including Shnakule, Glomyn, Cavka, Naargo and Cinbric. Researchers said nearly two-thirds of all attacks in 2012 will originate from malnets.
"Businesses need a proactive defense that can stop attacks before they launch by identifying and blocking the source," according to Blue Coat researchers.
Malnets are distributed network infrastructures designed to trap users surfing online and route them through relay servers to malicious portals and servers, according to Blue Coat. Users are usually caught in a malnet through search optimized pages or links posted on social networking sites. Attackers often rent access to these networks for a few thousand dollars to launch their campaigns, and then shut down before being detected, according to the report.
Cyber-criminals are building out the malicious network infrastructure in order to launch a variety of attacks against unsuspecting users over an extended period of time. With the infrastructure in place, "attacks can be tailored to exploit trending news- or celebrity-related lure that quickly attract many potential victims," the report found.
Malnets exploit popular places on the Internet and are very dynamic. In one case examined by Blue Coat researchers, a malware payload changed locations more than 1,500 times in a single day.
"The entrenched nature of these malnets and, in some cases, their geographic diversity, makes it nearly impossible to shut them down," the researchers wrote.
Malnets make blacklists and signature-based detection tools less effective because they are too dynamic. However, the fact that criminals have invested in infrastructure means security vendors have something to target. Blue Coat is working on ways to block malnets by identifying common variables, such as similiarities across domain names, said Murthy.
"These new infrastructures demand a new type of security to protect against corporate data loss, financial or identity theft, and other costly consequences," according to Blue Coat.
The actual size of malnets vary from day to day. Cyber-crooks add new subnets and exploit servers depending on the latest campaign. Of the 500 unique malnets and subnets being tracked by Blue Coat Security Labs, Shnakule is the largest, with about 1,269 active hosts. There have been days when it had only 10 active hosts, and other days when it had more than 3,000.
Shnakule dominated malicious activity on the Internet in 2011, and even absorbed several smaller malnets throughout the year, said Murthy.
Shnakule relies on malvertising, search engine poisoning, spam and adult content sites to spread its malicious payload. It has been associated with drive-by-downloads, fake antivirus and codecs, fake Flash and Firefox updates, adult content, gambling and work-at-home scams.