Malware network threats rising, how to defend yourself

By Thor Olavsrud, CIO | Security

In 2011, cybercriminals stepped up their game with the creation of malware networks (malnets): distributed network infrastructures that exploit popular places on the Internet, such as search engines and social networking sites, to repeatedly launch a variety of malware attacks.

Security firm Blue Coat Systems began tracking malnets this past year. In its 2012 security report, Blue Coat noted that malnet infrastructures give cybercriminals the capability to launch dynamic attacks that traditional anti-virus solutions typically don't detect for days or even months. It pointed to one malware payload that in February 2011 changed its location more than 1,500 times in a single day.

"We track in the order of 500 of these," Sasi Murthy, senior director of product marketing at Blue Coat, told CIO.com. "Some are very small and some are global. Vast parts of these networks may be silent for months. It's a very effective way to evade law enforcement."

The largest malnet identified by Blue Coat is Shnakule, which averages 1,269 hosts. It is distributed across North America, South America, Europe and Asia, and its malicious activity deals in drive-by downloads, fake AV, fake codecs, fake Flash and Firefox updates, botnet command-and-control (CnC), pornography, gambling and work-at-home scams. Blue Coat said that in July it expanded its traditional activities to include malvertising.

How Malnets Operate

Malnets are a collection of several thousand unique domains, servers and websites designed to work together to funnel victims to a malware payload, often using trusted sites as the starting point. Using this infrastructure and trending news- or celebrity-related lures, Blue Coat said, cybercriminals can rapidly launch new attacks that attract many potential victims before security technologies can identify and block them.

"A lot of legitimate sites are actually infected," Murthy said. "In some cases, you've got legitimate websites with up to 74 percent malicious content."

Perhaps the most popular way to lure unsuspecting users is search engine poisoning (SEP), which uses search engine optimization (SEO) techniques to seed malware sites high in common search results.

"About 1 in 142 searches or so led to a malicious URL in 2011," Murthy said. "When you look at how important search requests are to all of us, that's pretty scary."

Blue Coat said each attack uses different trusted sites and bait to lure users. Some of the attacks don't even use relay servers. Once users take the bait, they are taken directly to exploit servers that identify the user's system or application vulnerabilities and use that information to serve a malware payload.

"In some cases, as with iFrame injections, users will travel the malnet path unknowingly," Blue Coat said. "The relay and exploit server action takes place in the background and secretly installs malware. In other cases, downloading malware requires the user to click on a link."
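The injected-iframe hop described above leaves a footprint a site owner can audit for: a frame that is both hidden and loading from another host. The following is an added example, not Blue Coat's tooling; the page HTML and hostnames are constructed.

```python
# Added example (not Blue Coat's tooling): flag iframes on a page that are both
# hidden and off-site, the footprint of an injected malnet relay hop.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one visible third-party video embed (legitimate) and
# one zero-sized, off-screen frame pointing at a third-party host (suspicious).
SAMPLE_HTML = """<html><body><h1>Recipe of the day</h1>
<iframe src="https://video.example.com/embed/123" width="560" height="315"></iframe>
<iframe src="http://relay.example.net/in.php" width="0" height="0"
        style="visibility:hidden;position:absolute;left:-9999px"></iframe>
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d", re.I)

def _is_tiny(value):
    """True for width/height attributes of 0 or 1 px, typical of hidden frames."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1

class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.frames.append(dict(attrs))

def find_suspicious_iframes(html, page_host):
    """Return [(src, reasons)] for iframes that are hidden AND load from another host.
    Off-site alone is normal (video embeds); hidden plus off-site is the signal."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.frames:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or page_host  # relative src stays on-site
        reasons = []
        if _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height")):
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden-style")
        if reasons and host != page_host:
            hits.append((src, reasons))
    return hits

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print("suspicious iframe:", src, reasons)
```

A visible third-party embed produces no hit, so the check is useful as a periodic scan of your own pages rather than a blanket block on off-site frames.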

While search engines/portals and email remain the categories of content most targeted by criminals, social networking sites also surged in popularity in 2011, Murthy said. It should come as no surprise: Blue Coat said malnet operators follow low-investment/high-impact strategies, and search engines, portals and social networking sites offer an abundance of potential victims. But those aren't the only categories at risk. Malnet operators like to hide their malicious payloads in plain sight, and online storage sites and software download sites are especially appealing because hosting files is part of their business model. Blue Coat said that in 2011, 74 percent of all new ratings in online storage were malicious.

Best Threat Protection Practices


Originally published on CIO.
