Using this infrastructure of relay and exploit servers, Blue Coat says cybercriminals can rapidly launch new attacks that attract many potential victims before security technologies can identify and block them. This creates what Van Der Horst characterizes as a vicious cycle of attack and infection. Blue Coat estimates malnets will deliver more than two-thirds of all malware attacks this year, and they will continue to dominate the threat landscape in the future since they are virtually impossible to shut down.
Once the infrastructure is in place, Blue Coat says malnets typically traffic in two types of attacks:
Attacks that lure users to click on a link, using social networking, spam, porn attacks and search engine poisoning (SEP), which applies search engine optimization (SEO) techniques to push malware sites high in common search results
Attacks that use drive-by downloads to infect computers that do not have up-to-date browser security fixes and patches
Blue Coat said each attack uses different trusted sites and bait to lure users. Some of the attacks don't even use relay servers. Instead, they send users who have taken the bait directly to exploit servers that identify system or application vulnerabilities, which are then used to serve a malware payload. Once a user's computer is compromised, it can be used by a botnet to lure new users into the malnet.
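The relay-then-exploit pattern described above leaves a recognizable trace in web proxy logs: one client follows a run of HTTP 30x redirects that hop across unrelated domains before a final download. The following is an added detection example written for this article; it is not Blue Coat's code or data. It assumes a simplified proxy log format (timestamp, client, method, URL, status, referrer) and uses constructed placeholder domains, not real indicators.

```python
"""Flag multi-hop, cross-domain redirect chains per client in proxy logs.

Added example. Assumed log format (one request per line):
    <time> <client-ip> <method> <url> <status> <referrer-or-dash>
A benign same-site redirect (login -> home) should not trip the rule;
a chain that hops through several unrelated hosts via 30x responses
should.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log; every domain here is a placeholder, not an IoC.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 GET http://news.example/story 200 -
10:00:02 10.0.0.5 GET http://ads-relay.example/r?x=1 302 http://news.example/story
10:00:02 10.0.0.5 GET http://hop2.example/go 302 http://ads-relay.example/r?x=1
10:00:03 10.0.0.5 GET http://exploit.example/kit.php 200 http://hop2.example/go
10:00:04 10.0.0.5 GET http://exploit.example/payload.exe 200 http://exploit.example/kit.php
10:01:00 10.0.0.7 GET http://intranet.example/ 200 -
10:01:01 10.0.0.7 GET http://intranet.example/login 302 http://intranet.example/
10:01:02 10.0.0.7 GET http://intranet.example/home 200 http://intranet.example/login
"""


def parse_line(line):
    """Split one log line into a dict; referrer '-' becomes None."""
    ts, client, method, url, status, referrer = line.split(maxsplit=5)
    return {
        "ts": ts,
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
        "referrer": None if referrer == "-" else referrer,
    }


def host_of(url):
    return urlparse(url).hostname


def _score_chain(chain, min_hops):
    """Count cross-domain transitions that follow a 30x response."""
    hops = 0
    for prev, nxt in zip(chain, chain[1:]):
        if 300 <= prev["status"] < 400 and host_of(prev["url"]) != host_of(nxt["url"]):
            hops += 1
    return hops >= min_hops


def find_redirect_chains(log_text, min_hops=2):
    """Return [(client, [urls])] for chains with at least min_hops
    cross-domain redirect hops. Requests are linked into a chain when a
    request's referrer equals the previous request's URL for that client."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            entry = parse_line(line)
            by_client[entry["client"]].append(entry)

    flagged = []
    for client, entries in by_client.items():
        chain = []
        for entry in entries:
            if chain and entry["referrer"] == chain[-1]["url"]:
                chain.append(entry)
                continue
            if _score_chain(chain, min_hops):
                flagged.append((client, [e["url"] for e in chain]))
            chain = [entry]
        if _score_chain(chain, min_hops):
            flagged.append((client, [e["url"] for e in chain]))
    return flagged


if __name__ == "__main__":
    for client, urls in find_redirect_chains(SAMPLE_LOG):
        print(client, " -> ".join(urls))
```

With the constructed sample, client 10.0.0.5 is flagged (two cross-domain redirect hops before the payload fetch) while 10.0.0.7's same-host login redirect is not. In production the threshold and the referrer-linking rule would need tuning for legitimate ad and CDN redirect chains, which also cross domains.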
Malnets Launch Multiple Attacks at a Time
Malnets characteristically launch multiple attacks at a time. In 2011, one malnet was responsible for the high-profile attack on MySQL.com, which left the site for the open source database software serving malware to visitors. The attack, which targeted database administrators (a group of users likely to have access to sensitive company information), was only one of hundreds of attacks launched by that particular malnet that day.
"We took a look at the malnet involved in that," Van Der Horst says. "We were amazed. It was just a drop in the bucket compared to what else that malnet was doing that day. The bad guys are there 24/7, and they've got a lot of resources that they're using to try to infect users."
Malnets protect themselves through their dynamism and geographic dispersion. Malnet operators locate their servers in multiple countries so that if one country shuts down a malnet within its borders, it can continue to function and propagate in other countries.
How to Protect Your Organization Against Malnets