'Malnets' behind two thirds of cyberattacks in 2012

'Whack-a-mole' security doesn't work, says Blue Coat

A growing army of malware delivery networks - 'malnets' - account for two thirds of all cyberattacks and most current technologies offer an inadequate response to the threat, security firm Blue Coat has argued in a new analysis.

Malnets are networks of compromised servers used to serve malware to PC users, either by tempting them to click on infected links or via drive-by downloads reached through baited Internet search results. The technique is an old one, but what is perhaps new is the automation being used to turn these networks into large, self-sustaining ones.

Most of the names on the company's top five malnet list are so little known compared to botnets that to most people they probably sound like characters from the Skylanders videogame.

'Shnakule', 'Tricki', 'Rubol', 'Raskat' and 'Rongdac' are, in order of size, the top five, although Shnakule dwarfs the others with between 1,700 and 5,000 concurrent hosts.

In total, the company is now tracking 1,500 individual malnets, three times the number it saw only six months ago, making the phenomenon one of cybercrime's boom areas.

Unlike botnets - built mostly from compromised PCs - malnets seem to possess a devolved and constantly shifting command and control system that makes them much harder to shut down; Shnakule alone has changed its C&C hosts 56,000 times so far in 2012, Blue Coat said.

Botnets, on the other hand, must hardwire a C&C address into the infected machine - if that host or its backup disappears, the botnetted PC is no longer under the attacker's control.

The point of all this is that the prominent botnet shutdowns seen in the last two years offer no long-term respite as long as malware networks exist to build new bots. Malnets are, therefore, the key support for much contemporary malware.

"When security companies aggressively pursued the Zeus botnet, malnet operators simply shifted their resources to the Aleuron botnet, developing and using it in attacks," said Blue Coat's researchers.

"In just six months, activity from the Aleuron botnet increased 517 percent, surpassing Zeus, and making it the most active botnet in the wild."

Blue Coat's answer sounds like a logical one, even if it is part of a commercial marketing strategy: stop devoting resources solely to blocking the malware served by malnets and instead attempt to block the rogue hosts themselves. The company calls this 'negative day defence', and includes it as a layer in its security systems.

Interestingly, the rise of malnets has also had some unexpected effects, the company claims. In August, Blue Coat reported that simple 'long tail' web searches were still far more important for serving malware than special events such as the London Olympics or breaking news.

Going against the received security view, attackers now prefer to spread their links across a large number of search terms rather than jumping on specific events that might be easier to block.

Stories by John E Dunn