Cybercriminals Building Intricate, Multiuse Malnets


February 15, 2012


Cybercriminals have gotten so sophisticated that they can build an intricate network infrastructure and use it repeatedly for the distribution of malware, according to a new study from the network security company Blue Coat Systems. These malware networks, or malnets, lure targets through trusted websites, then route them to malware through relay, exploit and payload servers to deliver the malware payload. While malnets are becoming increasingly sophisticated, Blue Coat says these assets can be identified and the malware attacks blocked.

However, the Blue Coat Systems 2012 Security Report notes that these malnets are constantly on the move, making them hard to pin down. In one case, in early February, a malware payload changed locations more than 1,500 times in a single day.

"These guys have become very sophisticated in really laying out these malware delivery networks, this organized set of infrastructure that they then activate, deactivate and can re-purpose depending on what they're launching," says Blue Coat's Sasi Murthy. "They can now use this infrastructure and launch any kind of new attacks with pretty minimal effort."

Information about these malnets was gathered through the security vendor's WebPulse cloud service, which studies the Web traffic of 75 million users worldwide to identify potential malware attacks.

One notable malnet incident of late was the Urchin site-injection attack, which began on Oct. 6, 2011, and lasted for 10 days. Blue Coat, however, started tracking Urchin four months earlier in June as part of the Shnakule malnet, and WebPulse viewed Urchin suspiciously. During the ensuing months, while Urchin lay dormant on the Internet, WebPulse matched the "DNA" of servers believed to be harboring Urchin and was able to block all requests from suspicious servers on the day the attack launched.

"We could see the sharks under the water before the fins were above the surface," says Murthy.

To be sure, multiple security vendors are offering defenses for malware and other network security threats, and yet attacks still happen. The year 2011 was marked by some high-profile and embarrassing attacks, such as the one against the security firm RSA, where digital certificates issued under false pretenses allowed cybercriminals to access user accounts. And Cisco Systems reported that malware is penetrating enterprise IT systems through spear phishing, where targeted emails to individuals, rather than the mass emails now usually caught by spam filters, have a greater chance of success.

"No security solution is 100% perfect," says Blue Coat's Murthy. "But what we're trying to bring to our customers and to other companies is that this kind of malnet tracking and blocking technique can better protect you from these types of attacks before they happen."

The company is responding to malnets with what it calls the Negative Day Defense. Even though the malware payload moves around globally many times a day, the Negative Day Defense maps the relationships among malnet components to identify and block new components when they come online, says Murthy.
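As an added illustration (not Blue Coat's code and not how WebPulse or the Negative Day Defense is implemented), the relationship-mapping idea can be sketched as a host graph: confirmed malnet components are seeds, observed redirect chains (lure site, relay, exploit, payload) are edges, and a host is blocked as soon as it is connected to a seed, even if that host has never been seen before. All hostnames and chains below are constructed.

```python
"""Toy relationship map for malnet components (added example, constructed data)."""
from collections import defaultdict

# Constructed sample: each tuple is one observed redirect chain in the order
# lure site -> relay -> exploit server -> payload server. Hostnames are invented.
OBSERVED_CHAINS = [
    ("news.example", "relay-a.example", "exploit-1.example", "payload-x.example"),
    ("blog.example", "relay-a.example", "exploit-1.example", "payload-y.example"),
    ("forum.example", "relay-b.example", "exploit-2.example", "payload-z.example"),
]

# Constructed seed: a component an analyst has already confirmed as malnet.
KNOWN_MALNET = {"relay-a.example"}


def build_graph(chains):
    """Undirected host graph: an edge means one host forwarded victims to the other."""
    graph = defaultdict(set)
    for chain in chains:
        for src, dst in zip(chain, chain[1:]):
            graph[src].add(dst)
            graph[dst].add(src)
    return graph


def malnet_members(chains, seeds):
    """Propagate the malnet label from the seeds along the graph.

    Lure sites (the first hop of each chain) are legitimate, compromised
    websites, so propagation stops there: they are never labelled, and two
    unrelated malnets that abuse the same lure site are not merged.
    """
    lure_hosts = {chain[0] for chain in chains}
    graph = build_graph(chains)
    members, frontier = set(), list(seeds)
    while frontier:
        host = frontier.pop()
        if host in members or host in lure_hosts:
            continue
        members.add(host)
        frontier.extend(graph[host])
    return members


def should_block(host, chains, seeds):
    """True when a host is connected to known malnet infrastructure,
    including a payload server that only just came online."""
    return host in malnet_members(chains, seeds)
```

Feeding a newly observed chain through relay-a.example into `should_block` flags its previously unseen payload host immediately, while the relay-b.example chain stays unblocked until something links it to a seed.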
