
500 Malware Networks Available To Launch Attacks

Many online attacks this year will come from malware delivery networks that can be rented and set to infect PCs, says security vendor Blue Coat Systems.

Roughly two-thirds of online attacks that use some form of bait--spam emails, phishing attacks, fake downloadable movies--will this year originate from about 500 known malware delivery networks.

That prediction comes from a new report from security vendor Blue Coat Systems, which builds hardware proxy devices.

According to Blue Coat, the question of how many "infrastructures that last beyond any one attack"--a.k.a. "malnets"--exist is pertinent because reusable attack infrastructure can be targeted and shut down. "It takes infrastructure for the bad guys to run an attack, and that creates an attack infrastructure for the good guys to go after," said Chris Larsen, a senior malware researcher at Blue Coat, via phone.

[ Can phishing be stopped? See Google, Microsoft Say DMARC Spec Stops Phishing. ]

Malnet operators typically make money by selling a pay-per-install service, whereby customers pay them to infect PCs with malware. "Malnet is not the same as a botnet," said Larsen. "We measure a malnet in terms of how many hosts, servers, and sites participated in getting the user down from the bait down to the payload. Then once you're infected, you're no longer part of the malnet, but the botnet."

Accordingly, the trick for security researchers is to find ways to identify as much of that malnet infrastructure as possible and either shut it down or block it before PCs get hacked and added to botnets (for which there's also a thriving rental market). "It takes a lot of infrastructure to run a large-scale spam attack, or poison search engines and get results in the top page, to coordinate hacked sites that are hosting parts of your attack," said Larsen.

Unfortunately, spotting malnets remains difficult, given the speed with which malnet operators can--just for starters--vary malware payloads and websites used, to fool some types of security tools. Furthermore, many types of low-cost but high-impact infection techniques rely on social engineering attacks, which remain quite difficult to stop. In 2011, for example, Blue Coat found that the principal ways that attackers lured users to malnets were via search engine results (40%), spam or phishing emails (12%), social networking attacks (6%), and pornography (4%), the last by way of disguising malware as an adult movie made available free for download.

Larsen said the prevalence of search engine poisoning--tricking search engines into including links to sites that host phishing attacks, advertisements for off-brand pharmaceuticals, or drive-by downloads of malware--surprised him, and he's seen the incidence climb higher still so far in 2012. "I'd thought that search engine poisoning was a dying art," he said. But although Google and Bing are relatively good at blocking such attacks, he said other search engines--especially outside the United States--are lagging.

What's the best way to proactively block malware distribution networks from corporate PCs? As the infection vectors suggest, watch which search engines employees use, and educate users. "People need reminding," said Larsen. "I've yet to meet a user who understands that going to Google or Bing and searching for anything can be dangerous," he said, citing a 10% probability that one of the top 10 or 20 search engine results will in fact lead to malware.

Beyond education, the Blue Coat report recommends keeping a close eye on logs. Also, block access to known bad websites--and especially any executable files that might be downloaded from those sites--as well as to proxy websites or services, because employees can use them to bypass security policies and thus some corporate defenses. In fact, "proxy avoidance," according to the Blue Coat report, "is a regular search topic for victims of search engine poisoning malware."
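To make the log-review recommendation concrete, here is an added example (not code from the article or from Blue Coat) that scans proxy log lines for the three signals just described: requests to known-bad sites, executable downloads from those sites, and search queries for proxy-avoidance tools. The log format, the blocklisted domains (all under the reserved `.invalid` TLD) and the search terms are constructed for illustration; a real deployment would feed in its own blocklist and log schema.

```python
"""Scan proxy log lines for known-bad sites, executable downloads from them,
and proxy-avoidance searches.  Added example; the log format, domains and
heuristics below are constructed, not Blue Coat's."""
import re
from urllib.parse import urlparse, parse_qs

# Constructed blocklist and heuristics (hypothetical, not a real threat feed).
BAD_DOMAINS = {"malnet-example.invalid", "free-movie-dl.invalid"}
EXEC_EXTENSIONS = (".exe", ".scr", ".msi", ".dll", ".bat")
PROXY_AVOIDANCE_TERMS = ("proxy avoidance", "unblock proxy", "bypass web filter")
SEARCH_HOSTS = {"www.google.com", "www.bing.com"}

# Constructed log lines in the form: timestamp client method url status
SAMPLE_LOG = """\
2012-03-01T10:00:01Z 10.0.0.5 GET http://www.google.com/search?q=free+movie+download 200
2012-03-01T10:00:03Z 10.0.0.5 GET http://free-movie-dl.invalid/movie.avi.exe 200
2012-03-01T10:01:10Z 10.0.0.7 GET http://www.bing.com/search?q=proxy+avoidance 200
2012-03-01T10:02:00Z 10.0.0.9 GET http://intranet.example.com/index.html 200
2012-03-01T10:03:00Z 10.0.0.5 GET http://malnet-example.invalid/landing.html 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify(url):
    """Return a list of finding tags for one URL (empty if nothing matched)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    tags = []
    if host in BAD_DOMAINS:
        tags.append("known-bad-site")
        # The report singles out executables fetched from bad sites.
        if parsed.path.lower().endswith(EXEC_EXTENSIONS):
            tags.append("executable-from-bad-site")
    if host in SEARCH_HOSTS:
        # Search queries for proxy avoidance are a marker of SEP victims.
        query = " ".join(parse_qs(parsed.query).get("q", [])).lower()
        if any(term in query for term in PROXY_AVOIDANCE_TERMS):
            tags.append("proxy-avoidance-search")
    return tags


def scan_log(text):
    """Parse log lines; return (client, url, tags) for each flagged request."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, _method, url, _status = m.groups()
        tags = classify(url)
        if tags:
            findings.append((client, url, tags))
    return findings


if __name__ == "__main__":
    for client, url, tags in scan_log(SAMPLE_LOG):
        print(client, url, ", ".join(tags))
```

Run against the constructed sample, the scan flags the executable fetched from a blocklisted host, the proxy-avoidance search, and the landing-page request; the intranet request and the ordinary movie search pass through. The same client appearing in both a bait search and a bad-site download is the correlation worth escalating.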

Another recommendation: block all non-SSL traffic that attempts to communicate via port 443. "To avoid detection, many bots use a custom encryption over port 443 for their phone home communications to command and control (C&C) servers," according to the report.
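The port-443 recommendation rests on a simple observable: a genuine SSL/TLS session opens with a ClientHello record, whereas a bot's custom encryption over 443 does not. The following added example (not from the article or Blue Coat) checks the first bytes a client sends on TCP/443 against the TLS record and handshake headers and labels the stream accordingly. The sample payloads are constructed; real deployments would feed in the first bytes of each captured flow.

```python
"""Label the first bytes sent on TCP/443 as a TLS ClientHello or not, so that
custom protocols hiding on port 443 can be flagged.  Added example; the
sample payloads below are constructed, not captured traffic."""

TLS_HANDSHAKE = 0x16   # record-layer content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello


def looks_like_tls_client_hello(data: bytes) -> bool:
    """Return True if `data` starts with a plausible TLS ClientHello record.

    Layout checked (RFC 5246 record header followed by the handshake header):
      byte 0     content type, 0x16 = handshake
      bytes 1-2  record-layer version, 0x03 0x00..0x03 (SSL 3.0 .. TLS 1.2;
                 TLS 1.3 clients also send 0x0301 here)
      bytes 3-4  record length, big-endian, at most 2^14
      byte 5     handshake type, 0x01 = ClientHello
    Old SSLv2-format hellos use a different layout and would be flagged as
    non-TLS; tune the check if such clients still exist on the network.
    """
    if len(data) < 6:
        return False
    if data[0] != TLS_HANDSHAKE:
        return False
    if data[1] != 0x03 or data[2] > 0x03:
        return False
    record_len = int.from_bytes(data[3:5], "big")
    if record_len == 0 or record_len > 16384:
        return False
    return data[5] == CLIENT_HELLO


def classify_first_bytes(data: bytes) -> str:
    """Label a port-443 stream by its opening bytes: 'tls' or 'non-tls'."""
    return "tls" if looks_like_tls_client_hello(data) else "non-tls"


# Constructed samples (hypothetical captures, not real traffic).
SAMPLES = {
    # TLS 1.0 record header + ClientHello handshake header, then padding
    "browser": bytes.fromhex("16030100a8010000a40303") + b"\x00" * 32,
    # Custom binary blob on 443: the phone-home pattern the report describes
    "bot": bytes.fromhex("8a3fc1e7d20b4c9e"),
    # Plaintext HTTP sent to 443: also not TLS, also worth a look
    "plain_http": b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}


def triage(samples=SAMPLES):
    """Return {name: label} for each sample stream."""
    return {name: classify_first_bytes(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, label in triage().items():
        print(f"{name:10s} {label}")
```

Only the header is inspected, so the check costs a few byte comparisons per flow and needs no decryption; a "non-tls" label on port 443 is the trigger for the block (or alert) the report recommends, while "tls" streams are left alone.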
