Malnets lead the cyberattack pack

In politics, the future may belong to green energy and better education, but in the world of cybercrime, it looks like it increasingly belongs to malicious networks, or malnets.

That is the key finding of Blue Coat Security Lab's Mid-Year Malware Report, released Tuesday. The company said the number of malnets now stands at more than 1,500, an increase of 300% in the past six months, and it expects they will be "responsible for two-thirds of all malicious cyberattacks in 2012."

Malnets are distributed infrastructures within the Internet that are built, managed and maintained by cybercriminals for the purpose of launching persistent, extended attacks on computer users. That infrastructure generally includes several thousand unique domains, servers and websites that work together to lure users to a malware payload.

They are increasingly popular, Blue Coat said, because they are so effective. In what it calls a five-stage "vicious cycle," a malnet first drives a user to malware, through any number of means, including drive-by downloads, email from trusted sources or trusted websites.

"Then the user's computer is infected with a Trojan," the report said. "Once the computer is compromised it can be used by the botnet to lure new users into the malnet by using the infected machine to send spam to email contact lists, for example."

"A compromised system can also be used to steal the victim's personal information or money, and, in some cases, can also function as a jumping-off point for attacks on neighboring machines," the report said.

Tim Van Der Horst, malware researcher at Blue Coat Systems, said this demonstrates what the report calls the "organic ... self perpetuating" nature of malnets, which is one of the things that makes them so difficult to eradicate.

"When users are infected, they become a bot in a botnet," Van Der Horst said. "They communicate with a command-and-control server, and send results to the bad guys."

In short, all the capabilities of the compromised computer are in the criminals' hands. "If the computer can do it, the bad guy can make the computer do it," Van Der Horst said. "It can steal online banking credentials or leverage the machine to launch new attacks, like sending email as you to your contacts, so they're getting it from a trusted source."

[See also: Virtual analysis misses a third of malware]

Malnets are also geographically dispersed, which means that even if they are shut down in one country, they can continue operating in others, and launch simultaneous attacks. Unlike advanced persistent threats (APTs), the goal of malnets is "not to target one million people with a single search term but instead target one million people with one million different search terms," the report said.

Malnets target users at what Blue Coat calls the "watering holes" of the Internet: more than a third of the requests for web content go to search engines, but social networking and audio/video clips are also popular categories.

"According to the Cisco Visual Networking Index, by 2016 all types of video will account for 86% of global consumer traffic," the report said. "With the growth of video traffic, tried and true socially engineered attacks like fake video codecs have an opportunity to dupe users into downloading malware."

They also can change host names frequently. Shnakule, the largest malnet in the world, changed the host names of its command-and-control servers more than 56,000 times in the first nine months of the year.

In the face of such attacks, traditional signature-based defenses are not enough, Blue Coat said, noting that one of the ways enterprises should protect themselves is with better education of their employees.

Among the ways to avoid poisoned search engine results, the report said, are to stay away from any that appear to be hosted in other countries, such as .IN, .RU or .TK, unless the search is related to that country; to avoid results with teaser text that reads as if it was constructed by a machine; and, if a result looks suspicious, to click on one of the many other results that were returned.
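The two mechanical checks in that advice (a country-code domain the query did not ask for, and teaser text that reads like keyword stuffing) can be turned into a small triage filter. The following is an added example, not code from Blue Coat or from the article; the `CC_TLDS` table, the lexical-variety threshold and the sample results are assumptions constructed for illustration.

```python
"""Heuristic triage of search results, following the report's advice.

Added example (not Blue Coat's code). A result is flagged when:
  1. its host's top-level domain is a country code that the query does not
     mention (the ".IN/.RU/.TK unless the search is about that country" rule), or
  2. its teaser text looks machine-generated: few distinct words and no
     ordinary function words, the signature of keyword-stuffed pages.
The ccTLD table and the 0.6 threshold are assumptions chosen for illustration.
"""
import re
from urllib.parse import urlsplit

# Hypothetical ccTLD -> country-name table used to test query relevance.
CC_TLDS = {"in": "india", "ru": "russia", "tk": "tokelau", "cn": "china", "br": "brazil"}

FUNCTION_WORDS = {"the", "a", "an", "of", "to", "and", "in", "is", "for",
                  "on", "with", "that", "it", "you", "your"}


def tld_of(url: str) -> str:
    """Return the last DNS label of the URL's host, lower-cased ('' if none)."""
    host = urlsplit(url).hostname or ""
    return host.rsplit(".", 1)[-1].lower() if "." in host else ""


def foreign_tld(url: str, query: str) -> bool:
    """True when the result sits under a ccTLD the query gives no reason to expect."""
    tld = tld_of(url)
    if tld not in CC_TLDS:
        return False
    q = query.lower()
    return CC_TLDS[tld] not in q and f".{tld}" not in q


def looks_machine_generated(teaser: str) -> bool:
    """Crude keyword-stuffing detector: low lexical variety or no function words."""
    words = re.findall(r"[a-z']+", teaser.lower())
    if len(words) < 6:
        return False  # too short to judge
    distinct_ratio = len(set(words)) / len(words)
    has_function_word = any(w in FUNCTION_WORDS for w in words)
    return distinct_ratio < 0.6 or not has_function_word


def triage(results, query):
    """Return [(url, [reasons])] for every result that trips at least one check."""
    flagged = []
    for url, teaser in results:
        reasons = []
        if foreign_tld(url, query):
            reasons.append("foreign ccTLD")
        if looks_machine_generated(teaser):
            reasons.append("machine-like teaser")
        if reasons:
            flagged.append((url, reasons))
    return flagged


# Constructed sample results for the query "video codec download".
SAMPLE_RESULTS = [
    ("http://example.tk/free-video-codec",
     "free video codec download codec free download video codec free now"),
    ("https://docs.example.org/codec",
     "Installing the codec pack: the official guide to supported formats and updates."),
    ("http://shop.example.in/codec",
     "Buy the codec pack for India with shipping to your door."),
]

if __name__ == "__main__":
    for url, reasons in triage(SAMPLE_RESULTS, "video codec download"):
        print(f"{url}: {', '.join(reasons)}")
```

The third sample shows the "unless the search is related to that country" clause in action: the same `.in` result is not flagged when the query is "codec pack india". The teaser check is deliberately crude; it catches the word-salad pattern the report describes, not every machine-written snippet.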

Another simple but too-frequently ignored security practice is to apply patches and other security updates as soon as they are issued. "The availability of a patch doesn't mean that users have applied it," the report said. "The Conficker/Downandup botnet has been alive for nearly four years now, with infected systems still receiving instructions."

Van Der Horst said the most effective way to defend against malnets is not to wait for a new threat to emerge and then block it, but to identify the malnet infrastructure delivering the attacks and block them at the source. This aims to prevent new attacks before they are launched -- what the company calls Negative Day Defense.

It doesn't matter what the specific threat is, since the defense is aimed at blocking the threat delivery mechanism, he said.
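The two points above, that a malnet churns through host names (Shnakule's 56,000 changes) while the serving infrastructure behind them persists, and that the defense should therefore key on that infrastructure rather than on each new threat, can be shown together on resolver logs. This is an added example, not Blue Coat's product logic: it flags answer IPs that many distinct host names resolve to and then blocks by IP, so a host name never seen before is still stopped. The log lines, the `min_names` threshold and the host names are constructed for illustration.

```python
"""Infrastructure-keyed blocking over DNS resolver logs (added example).

Idea from the article: a malnet rotates host names constantly, so block the
serving infrastructure (here, the answer IP) rather than individual names.
Log format, threshold and all names/addresses below are constructed.
"""
from collections import defaultdict

# Constructed resolver log: timestamp, client, queried name, answer IP.
SAMPLE_LOG = """\
2012-08-01T10:00:01 10.0.0.5 update-a1.example-cdn.tk 203.0.113.9
2012-08-01T10:00:07 10.0.0.5 update-b7.example-cdn.tk 203.0.113.9
2012-08-01T10:00:14 10.0.0.8 mail.example.com 198.51.100.2
2012-08-01T10:01:02 10.0.0.5 srv-3x.example-cdn.tk 203.0.113.9
2012-08-01T10:01:30 10.0.0.9 www.example.com 198.51.100.3
2012-08-01T10:02:11 10.0.0.5 node-qq.example-media.in 203.0.113.9
2012-08-01T10:02:40 10.0.0.8 mail.example.com 198.51.100.2
"""


def parse_log(text: str):
    """Split each non-empty line into a record dict; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, ip = parts
        records.append({"ts": ts, "client": client, "qname": qname.lower(), "ip": ip})
    return records


def hostname_churn(records):
    """Map each answer IP to the number of distinct host names that resolved to it."""
    names = defaultdict(set)
    for r in records:
        names[r["ip"]].add(r["qname"])
    return {ip: len(n) for ip, n in names.items()}


def suspect_infrastructure(records, min_names: int = 3):
    """IPs fronted by at least `min_names` distinct host names (threshold is an assumption)."""
    return {ip for ip, count in hostname_churn(records).items() if count >= min_names}


class InfrastructureBlocklist:
    """Blocks by answer IP, so the decision survives the next host-name rotation."""

    def __init__(self, ips):
        self.ips = set(ips)

    def blocks(self, qname: str, ip: str) -> bool:
        # The queried name is ignored on purpose: a never-seen name that points
        # at known infrastructure is blocked just like the names already observed.
        return ip in self.ips


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    suspects = suspect_infrastructure(recs)
    bl = InfrastructureBlocklist(suspects)
    print("churn per IP:", hostname_churn(recs))
    print("suspect infrastructure:", suspects)
    print("new name blocked?", bl.blocks("fresh-name.example-cdn.tk", "203.0.113.9"))
```

In a real deployment the threshold would be tuned against legitimate shared hosting and CDNs, which also front many names with one address; the point here is only the shape of the decision, which depends on the infrastructure and not on whatever name or payload the current attack happens to use.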

Stories by Taylor Armerding