Attacks/Breaches
10/2/2012
09:04 AM
Connect Directly
RSS
E-Mail
50%
50%

Online Criminals' Best Friends: Malnets

The number of large malnets--server-side infrastructure used to infect PCs and sometimes to control botnets--tracked by security firm Blue Coat has tripled this year.

Criminals operating online are doubling down--or to be more accurate, tripling down--on the infrastructure they maintain to infect PCs, control botnets, and launch follow-on attacks and spam campaigns.

That finding comes via hardware proxy appliance manufacturer Blue Coat Systems, which Tuesday released a report titled "The Vicious Cycle of Malnets," which reviews how attackers have employed malicious infrastructure during the first half of 2012.

"Last year we were tracking about 500 malnets, and currently we're up to about 1,500," said Tim Van Der Horst, a senior malware researcher at Blue Coat, via phone. Malnet refers to the server-side infrastructure used to infect PCs and sometimes also to control botnets--groups of infected PCs--via command-and-control (C&C) servers.

[ Protect yourself; learn How Cybercriminals Choose Their Targets. ]

According to Blue Coat, the largest known malnet is Shnakule, which has used up to 5,005 malicious hosts--or servers--at any given time, depending on the capabilities needed at any given moment by its operators. Blue Coat believes that Shnakule is controlled by a single gang, and it's been used to serve up just about every type of known attack, including "fake AV attack, fake code, fake Firefox updates, C&C servers, gambling, work at home stuff, porn," said Van Der Horst. "They've got their fingers in every evil pie out there."

Beyond Shnakule, the other four largest malnets seen in the first half of 2012 were all newcomers, and included Tricki (with 547 maximum hosts used at once), Rubol (476), Raskat (163), and Rongdac (105). All of those malnets are used primarily to poison search engine results or relay spam. Overall, the most prevalent type of attack launched via malnets, comprising 35% of all attacks seen, was to poison search engine results, followed by attacks launched via email (11%), pornography (4%), or Web-delivered exploits (also 4%).

Blue Coat's report also charts recent botnet changes. Interestingly, use of the Alureon botnet increased 517% over the first six months of 2012, which now makes it the world's most active botnet. According to Blue Coat, the increased use of Alureon is a consequence of information security firms recently having targeted Zeus botnets, leading criminal operators to shift their resources elsewhere.

Blue Coat, for its part, tries to fingerprint and track malnets, and then sells that information to businesses--or provides it free to consumers--via its cloud-based threat intelligence service, which Van Der Horst said includes safety ratings for about 95% of known websites on the Internet, with any unknown site encountered by a user being slated for review.

Why track servers that are known to be part of malnets? "Because it's there day in and day out, the only thing that's changing is the attack that they're doing," said Van Der Horst. "So if you're tracking the infrastructure, you care less and less about what it does."

Indeed, a malnet that's used to poison search engine results one week may be used the next week to launch targeted attacks that exploit a zero-day vulnerability. Last year, for example, a single malnet was being used to target MySQL.com with an exploit that could give attackers root-level access to vulnerable servers. But that same day, the same set of malicious servers was also being used to poison search engine results and sneak fake search engine results onto legitimate sites, leaving links that directed users back to exploits served via the very same malicious servers.

As that suggests, another impetus for tracking malnets is that attackers tend to keep reusing the same attack infrastructure, rather than constantly rebuilding it from scratch. "They many change their IP addresses, or the website content a little bit, but it takes a lot of time and effort to get a server up and running smoothly," Van Der Horst said. "So you want to reuse as much of this work as you can, over time."

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
johnitguru
50%
50%
johnitguru,
User Rank: Apprentice
10/5/2012 | 12:46:52 PM
re: Online Criminals' Best Friends: Malnets
I got tired of Microsoft viruses, scams and malware so I installed a really cool 3D Linux operating system for only $39.95 that is 100% compatible with all my Windows data and is 10 times faster called Robolinux.
It took me only 5 minutes to install it.

Now I can surf until I am blue in the face and I can't get a virus.

Check it out

http://robolinux.org
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-0334
Published: 2014-10-31
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

CVE-2014-2334
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2335
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2336
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 and FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2334 and CVE-2014-2335.

CVE-2014-3366
Published: 2014-10-31
SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to execute arbitrary SQL commands via a crafted response, aka Bug ID CSCup88089.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.