
Security woes: How to defend against malnets

Malnets are extensive distributed network infrastructures embedded in the Internet, but there is something you can do


Since 2011, security firm Blue Coat Systems has been tracking malnets: extensive distributed network infrastructures embedded in the Internet and designed to deliver mass-market attacks on a continuous basis. These malnet infrastructures are like the proverbial Lernaean Hydra - chop off one head, like a botnet it has produced, and two more spring up to take its place.

In just six months, the number of malnets tracked by Blue Coat Security Labs has rocketed up 300 percent from 500 to 1,500, according to the recently released Blue Coat 2012 Malware Report. When actively launching attacks, they can use thousands of new host names a day. Blue Coat says Shnakule, far and away the largest of the malnets now in operation, has used anywhere from 50 to 5,005 unique domain names a day over the past six months to scale its infrastructure to accommodate its daily attacks.

Rubol, another large malnet, is a spam ecosystem that operates in bursts. At times, it may have only one active domain name, according to Blue Coat, but when actively launching attacks it will use as many as 476 unique domain names.

"As the bad guys have made their criminal enterprises their day jobs, they've set up a lot of persistent infrastructure to deliver attacks," says Tim Van Der Horst, senior malware researcher at Blue Coat Security Labs. "Malnets are what are used to create botnets in the first place. If you don't take out the malnet, they just spring right back. You've got to stop it at the source."

How malnets operate

But that's easier said than done. Malnets are a collection of several thousand unique domains, servers and websites designed to work together to funnel victims to a malware payload, often using trusted sites as the starting point. A malnet is comprised of hundreds of servers, each with different responsibilities. Some host malware while others are used for specific types of attacks, from spam and scam to search engine poisoning and pornography. Still other servers make up the malnet's command and control infrastructure. The servers are embedded throughout the Internet in countries around the world.

Malnet operators can quickly and easily change the location of malnet components depending on the types of attacks they're running or who they're targeting. Blue Coat points to Shnakule as an example of a malnet's dynamism in action. In January of 2012, only 3.33 percent of all of Shnakule's spam and scam servers were located in North America and 60 percent were located in Russia. By July, those servers had been shut down and new ones brought up. The percentage of spam and scam servers in North America rose to 39.75 percent, while Western Europe saw an increase from 16.67 percent to 36.44 percent.

Malnets will deliver most malware attacks this year

Using this infrastructure of relay and exploit servers, Blue Coat says cybercriminals can rapidly launch new attacks that attract many potential victims before security technologies can identify and block them. This creates what Van Der Horst characterises as a vicious cycle of attack and infection. Blue Coat estimates malnets will deliver more than two-thirds of all malware attacks this year, and they will continue to dominate the threat landscape in the future since they are virtually impossible to shut down.

Once the infrastructure is in place, Blue Coat says malnets typically traffic in two types of attacks:

Attacks that lure users to click on a link (using social networking, spam, porn attacks and search engine poisoning (SEP), which uses search engine optimisation (SEO) techniques to seed malware sites high in common search results)

Attacks that use drive-by downloads to infect computers that do not have up-to-date browser security fixes and patches

Blue Coat said each attack uses different trusted sites and bait to lure users. Some of the attacks don't even use relay servers. Instead, they send users that have taken the bait directly to exploit servers that can identify system or application vulnerabilities, which are then used to serve a malware payload. Once a user's computer is compromised, it can then be used by a botnet to lure new users into the malnet.

Malnets launch multiple attacks at a time

Malnets characteristically launch multiple attacks at a time. In 2011, one malnet was responsible for the high-profile attack on MySQL.com, which left the site for the open source database software serving malware to visitors. The attack, which targeted database administrators (a group of users likely to have access to sensitive company information), was only one of hundreds of attacks launched by that particular malnet that day.

"We took a look at the malnet involved in that," Van Der Horst says. "We were amazed. It was just a drop in the bucket compared to what else that malnet was doing that day. The bad guys are there 24/7, and they've got a lot of resources that they're using to try to infect users."

Malnets protect themselves through their dynamism and geographic dispersion. Malnet operators locate their servers in multiple countries so that if one country shuts down a malnet within its borders, it can continue to function and propagate in other countries.

How to protect your organisation against malnets

Given all this, how can an organisation protect itself from the threats posed by malnets? The key, Van Der Horst says, is a proactive cyber defence that goes beyond today's largely signature-based defences. A proactive cyber defence identifies the malnets delivering attacks and blocks them at the source, preventing attacks before they're launched.

"The primary thing that we do is we track their infrastructure," Van Der Horst says. "Even though they may change the paint or some labels, there's still underlying core stuff we can track. We call it server DNA. A brand new website may show up today, we do a scan of it and inspect its DNA."

"Once you start tracking the ecosystem, this infrastructure, you care less and less about the specific payload it's trying to deliver," he adds. "It doesn't matter what the exploit is, you know it's coming from a bad place."

Van Der Horst suggests five steps organisations can take to better protect themselves against malware threats:

1. Use a security solution that can block malnet infrastructures and limit employee exposure to botnet-producing Trojans.

2. Ensure your security solution can block communications from infected end-user systems to command and control servers to prevent sensitive, confidential or proprietary information from reaching the cyber-criminals.

3. Ensure that web usage policies are up-to-date and keep network/firewall rules current.

4. Deploy a reporting solution that can help you identify potentially infected end-user systems so you can quarantine and clean them.

5. Set and enforce policies that require employees to update their browsers, OS, Adobe Flash, Adobe Reader, Java and other applications with the latest patches and security updates.
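Steps 2 and 4 above, together with the "track the infrastructure, not the payload" idea, can be turned into simple proxy-log triage. The following is an added illustration, not Blue Coat's tooling or anything from the article: it takes constructed proxy log lines, counts how many never-before-seen hostnames each registrable domain spins up per day (the churn that made Shnakule stand out), and lists clients that reached a hypothetical blocklist of malnet domains as quarantine candidates. The log format, the `mal-relay.example` blocklist entry and the client addresses are all assumptions made for the example.

```python
"""Proxy-log triage for malnet indicators (constructed example, not from the article)."""
from collections import defaultdict

# Constructed sample proxy log: "date client_ip host action", one request per line.
SAMPLE_LOG = """\
2012-07-01 10.0.0.5 news.example-trusted.com ALLOW
2012-07-01 10.0.0.5 a1b2.mal-relay.example ALLOW
2012-07-01 10.0.0.7 c3d4.mal-relay.example ALLOW
2012-07-01 10.0.0.7 e5f6.mal-relay.example ALLOW
2012-07-02 10.0.0.5 g7h8.mal-relay.example ALLOW
2012-07-02 10.0.0.9 news.example-trusted.com ALLOW
2012-07-02 10.0.0.9 i9j0.mal-relay.example ALLOW
"""

# Hypothetical "block at the source" feed: registrable domains attributed to a malnet.
MALNET_DOMAINS = {"mal-relay.example"}


def registrable_domain(host):
    """Crude last-two-labels reduction; production code should use the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def parse_log(text):
    """Parse the constructed log format into a list of dicts."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            day, client, host, action = line.split()
            rows.append({"day": day, "client": client, "host": host, "action": action})
    return rows


def new_hosts_per_domain_day(rows):
    """Map (registrable domain, day) -> number of hostnames first seen that day.
    A stable domain shows a handful of hostnames once; a malnet rotating fresh
    hostnames daily stands out by churn alone, whatever payload it delivers."""
    seen, churn = set(), defaultdict(int)
    for r in sorted(rows, key=lambda r: r["day"]):
        if r["host"] not in seen:
            seen.add(r["host"])
            churn[(registrable_domain(r["host"]), r["day"])] += 1
    return dict(churn)


def suspected_infected_clients(rows, blocklist=MALNET_DOMAINS):
    """Clients that contacted blocklisted malnet infrastructure: quarantine candidates (step 4)."""
    hits = defaultdict(set)
    for r in rows:
        if registrable_domain(r["host"]) in blocklist:
            hits[r["client"]].add(r["host"])
    return {client: sorted(hosts) for client, hosts in hits.items()}
```

Run against real proxy logs, the churn table feeds an allow/deny decision per domain while the client list drives the quarantine-and-clean workflow the article describes.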
