Blue Coat takes malware hunt to the node

In the war on malware, it is important not only to recognize the malicious software, but also where it is coming from.

Blue Coat, a web security firm, said that tracking "malnets" through geolocation of their infrastructure nodes is helping it respond more quickly and effectively to attacks that number in the millions every day.

On its website the company provides a graph of the number of daily threats over the previous week. The number of blocked threats reported for Aug. 26 -- a bit lower than the previous six days -- was 17,765,686.

Malnets are just what the name implies, malicious networks or distributed infrastructures within the Internet, built and maintained for the purpose of launching persistent, extended attacks.

"They deploy the stuff you can buy in these underground [malware] markets," said Tim van der Horst, a senior malware researcher at Blue Coat.

The malnets snare users, typically when they are visiting trusted sites, and route them to malware, via relay, exploit and payload servers that continually shift to new domains and locations.

Blue Coat is currently tracking more than 500 unique malnets, van der Horst said, although not all of them are active every day, and the field is dominated by a few giants: Cavka, Glomyn, Cinbric, Naargo and the largest of all, Shankule, which van der Horst said, "has its fingers in every kind of [criminal] pie you can imagine, all over the world."


Tracking malnets does not make it possible to take them down and arrest those who run them. While some of them may have servers in the U.S., their command and control centers tend to be in Russia, China and Eastern European countries where it would be difficult to find them even with government cooperation.

Blue Coat said that nearly every advanced persistent threat (APT) is coming from China, Russia is dominant in pharma scams and more than 90% of porn-related malnets come from Germany.

But van der Horst said tracking the infrastructure of malnets gives those in the security industry "the big picture," and therefore improves identification and defense capability.

"If we see something bad in WebPulse [a Blue Coat web security software product], we start back-tracking from there," van der Horst said. "We know it had to follow some kind of path. We see a lot of stuff on the Net, so we ask if this looks like anything else. We do horizontal mapping to find out if they were relayed to a particular server."

"We extract the server DNA," he said, so "even though they change their IP address and domain name, we can still recognize it."

"You care less and less about payload," van der Horst said. "It could be something five years old or a brand-new, zero-day exploit. But you know that everything coming from that server network is bad."
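The back-tracking and horizontal mapping van der Horst describes can be sketched as a small infrastructure-graph exercise. The Python below is an added illustration written for this article, not Blue Coat's code and not how WebPulse works. It assumes that redirect chains have already been extracted from proxy logs, that the first hop of each chain is the trusted site the user visited (so it is never blocked), and it approximates "server DNA" with nothing more than the server IP address; that last simplification is an assumption, not a description of Blue Coat's method. All session data is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    """One host a client was sent to: the domain requested and the IP it resolved to."""
    domain: str
    ip: str


# Constructed sample data (not real observations). Each session is the redirect
# chain one client followed: trusted entry site -> relay -> exploit -> payload.
# Session s3 is a benign visit that touches no malnet infrastructure.
SESSIONS = {
    "s1": [Hop("news.example", "203.0.113.10"),
           Hop("relay-a.example", "198.51.100.5"),
           Hop("exploit-a.example", "198.51.100.20"),
           Hop("payload-a.example", "198.51.100.30")],
    "s2": [Hop("blog.example", "203.0.113.11"),
           Hop("relay-b.example", "198.51.100.5"),   # same relay IP, different domain
           Hop("exploit-c.example", "198.51.100.21"),
           Hop("payload-b.example", "198.51.100.31")],
    "s3": [Hop("shop.example", "203.0.113.12"),
           Hop("cdn.example", "203.0.113.50")],
}

# The observation that starts the investigation: the payload delivered in s1
# was detected as malicious (constructed; only the session id matters here).
FLAGGED_SESSIONS = {"s1"}


def infrastructure_nodes(chain):
    """Hops after the entry site. Assumption: chain[0] is the trusted site the
    user visited, which was abused but is not part of the malnet."""
    return chain[1:]


def backtrack(sessions, flagged):
    """Walk each flagged session back from the payload and collect the IPs of
    every relay/exploit/payload host on its path."""
    bad_ips = set()
    for sid in flagged:
        for hop in infrastructure_nodes(sessions[sid]):
            bad_ips.add(hop.ip)
    return bad_ips


def horizontal_map(sessions, seed_ips):
    """Horizontal mapping: any session whose infrastructure touches a known-bad
    IP is linked to the malnet, and all of its infrastructure IPs become
    known-bad too. Repeat until no new IPs are discovered (fixpoint)."""
    bad_ips = set(seed_ips)
    linked = set()
    changed = True
    while changed:
        changed = False
        for sid, chain in sessions.items():
            infra = infrastructure_nodes(chain)
            if any(hop.ip in bad_ips for hop in infra):
                linked.add(sid)
                new_ips = {hop.ip for hop in infra} - bad_ips
                if new_ips:
                    bad_ips |= new_ips
                    changed = True
    return bad_ips, linked


def build_malnet(sessions, flagged):
    """Seed from the flagged sessions, then expand sideways across all traffic."""
    return horizontal_map(sessions, backtrack(sessions, flagged))


def should_block(hop, bad_ips):
    """Infrastructure-based verdict: the domain may be brand new, but if the
    request lands on a known malnet node it is blocked regardless of payload."""
    return hop.ip in bad_ips


if __name__ == "__main__":
    bad_ips, linked = build_malnet(SESSIONS, FLAGGED_SESSIONS)
    print("malnet nodes:", sorted(bad_ips))
    print("linked sessions:", sorted(linked))
    # A never-before-seen domain hosted on a known node is still blocked.
    print(should_block(Hop("fresh-domain.example", "198.51.100.21"), bad_ips))
```

Session s2 never delivered a payload that was caught, and none of its domain names match s1, yet it is linked through the shared relay IP and its exploit and payload hosts join the block set. The entry sites (203.0.113.x) stay out of the set, which is the point of treating the first hop separately: blocking the compromised trusted site would block the victims rather than the malnet.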

There are two ways to thwart cyber criminals, he said. "You can go after legally," but Blue Coat has little presence on that front. "We focus on detecting their [malnet] infrastructure in real time and letting clients know."

"All our known threats go into a database. We have updates every five minutes, and four times a day we do a bigger update," he said.

Even with that, the threats keep getting more frequent and more diverse, van der Horst said. "The bad guys are really diversifying in location and activities. And organized crime has a big presence in this space. All of the things they have done for years, all of that applies in cyberspace."

Stories by Taylor Armerding