Malnets a Constant Moving Target

Tuesday, February 21, 2012 @ 02:02 PM gHale

Cybercriminals have reached the point where they can build an intricate network infrastructure and reuse it repeatedly to distribute malware, according to a new study.

These malware networks, or malnets, lure victims through trusted websites, then route them through a chain of relay, exploit and payload servers that delivers the malware, according to the study from network security company Blue Coat Systems.


While the sophistication of these malnets keeps increasing, Blue Coat said they can be identified, and the attacks they deliver can be blocked.

The problem is that these malnets are constantly on the move, which makes them hard to pin down, the Blue Coat Systems 2012 Security Report said. In one case in early February, a single malware payload changed hosting locations more than 1,500 times in one day.

“These guys have become very sophisticated in really laying out these malware delivery networks, this organized set of infrastructure that they then activate, deactivate and can re-purpose depending on what they’re launching,” said Blue Coat’s Sasi Murthy. “They can now use this infrastructure and launch any kind of new attacks with pretty minimal effort.”

The malnet findings come from the vendor's WebPulse cloud service, which analyzes the Web traffic of 75 million users worldwide to identify potential malware attacks.

One notable malnet incident of late was the Urchin site-injection attack, which began on Oct. 6, 2011, and lasted 10 days. Blue Coat, however, had started tracking Urchin four months earlier, in June, as part of the Shnakule malnet, and WebPulse had already flagged it as suspicious. During the months that Urchin lay dormant on the Internet, WebPulse matched the "DNA" of servers believed to be harboring Urchin, so it was able to block all requests to those suspicious servers on the day the attack launched.
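The report describes three things a defender can act on: the relay, exploit and payload chain, the rate at which a payload changes hosting location, and the "DNA" (shared infrastructure attributes) that links a dormant server to a known malnet. The following is an added example, written for this page and not Blue Coat's or WebPulse's code, that implements simplified versions of all three over constructed proxy-log records. The hostnames, IP addresses, nameserver names and ASNs are made up (RFC 5737 documentation ranges and private ASNs), the payload identifier is a placeholder, and the choice of nameserver plus ASN as the "DNA" is an assumption; a real system would use many more attributes.

```python
"""Toy malnet-infrastructure tracker (added example, constructed data)."""
from collections import defaultdict


def rec(ts, referer, host, ip, asn, ns, payload=None):
    """One proxy-log record. ts is an ISO-8601 UTC string (assumed)."""
    return {"ts": ts, "referer": referer, "host": host, "ip": ip,
            "asn": asn, "ns": ns, "payload": payload}


PAYLOAD = "sha256:constructed-0001"   # placeholder hash, not a real sample

# Constructed records: a victim is referred from a trusted site through a
# relay and an exploit server to a payload host; the same payload is then
# served from three different hosts within one day, and a dormant host
# (dl9) shares nameserver and ASN with the active infrastructure.
LOG = [
    rec("2012-02-06T08:00:00Z", None, "news.example.com", "192.0.2.10", 64500, "ns.legit.example"),
    rec("2012-02-06T08:00:01Z", "news.example.com", "relay-a.example.net", "198.51.100.5", 64512, "ns1.badns.example"),
    rec("2012-02-06T08:00:02Z", "relay-a.example.net", "exploit-a.example.org", "198.51.100.20", 64512, "ns1.badns.example"),
    rec("2012-02-06T08:00:03Z", "exploit-a.example.org", "dl1.example.org", "198.51.100.30", 64512, "ns1.badns.example", PAYLOAD),
    rec("2012-02-06T13:00:03Z", "exploit-a.example.org", "dl2.example.org", "198.51.100.31", 64512, "ns1.badns.example", PAYLOAD),
    rec("2012-02-06T19:00:03Z", "exploit-a.example.org", "dl3.example.org", "203.0.113.7", 64513, "ns1.badns.example", PAYLOAD),
    rec("2012-02-07T09:00:00Z", "exploit-a.example.org", "dl1.example.org", "198.51.100.30", 64512, "ns1.badns.example", PAYLOAD),
    rec("2012-02-07T10:00:00Z", None, "dl9.example.org", "198.51.100.77", 64512, "ns1.badns.example"),
    rec("2012-02-07T10:00:01Z", None, "cdn.legit.example", "192.0.2.50", 64500, "ns.legit.example"),
]

# Hosts already confirmed as part of the malnet (assumed prior knowledge).
KNOWN_BAD = {"exploit-a.example.org", "dl1.example.org", "dl2.example.org", "dl3.example.org"}


def reconstruct_chains(records):
    """Return (payload, [hosts...]) chains from the first referer to each
    payload download, following the last observed referer for every host.
    A 'seen' set stops the walk if referers form a loop."""
    parents = {r["host"]: r["referer"] for r in records if r["referer"]}
    chains = []
    for r in records:
        if not r["payload"]:
            continue
        chain, seen = [r["host"]], {r["host"]}
        while chain[-1] in parents and parents[chain[-1]] not in seen:
            chain.append(parents[chain[-1]])
            seen.add(chain[-1])
        chains.append((r["payload"], list(reversed(chain))))
    return chains


def payload_churn(records):
    """Distinct (host, ip) locations each payload was served from, per UTC
    day. A high count is the 'moving target' signal the report describes."""
    locations = defaultdict(set)
    for r in records:
        if r["payload"]:
            locations[(r["payload"], r["ts"][:10])].add((r["host"], r["ip"]))
    return {key: len(locs) for key, locs in locations.items()}


def infrastructure_dna(records, bad_hosts):
    """(nameserver, ASN) pairs used by known-malnet hosts: the 'DNA'."""
    return {(r["ns"], r["asn"]) for r in records if r["host"] in bad_hosts}


def dna_matches(records, dna, bad_hosts):
    """Hosts not yet on the blocklist that share the malnet's DNA. This is
    the pre-emptive block: the dormant host is caught before it activates."""
    return sorted({r["host"] for r in records
                   if r["host"] not in bad_hosts and (r["ns"], r["asn"]) in dna})


if __name__ == "__main__":
    for payload, chain in reconstruct_chains(LOG):
        print(payload, " -> ".join(chain))
    print(payload_churn(LOG))
    dna = infrastructure_dna(LOG, KNOWN_BAD)
    print(dna_matches(LOG, dna, KNOWN_BAD))
```

On the constructed data the chain comes out as the trusted site, the relay, the exploit server and the payload host in order; the payload shows three locations on the first day and one on the second; and the DNA match flags both the dormant `dl9` host and the relay, which was never on the blocklist but sits on the same nameserver and ASN. The caveat is that nameserver and ASN alone are weak evidence: shared hosting and large registrars put many legitimate sites on the same infrastructure, so a production system should require several independent attributes (and a history of association) before blocking.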

“We could see the sharks under the water before the fins were above the surface,” Murthy said.