A growing army of malware delivery networks – ‘malnets’ – account for two thirds of all cyberattacks and most current technologies offer an inadequate response to the threat, security firm Blue Coat has argued in a new analysis.
Malnets are networks of compromised servers used to serve malware to PCs users either via tempting them to click on infected links or via drive-by clicks baited through Internet search. The technique is an old one but what is perhaps new is the automation being used to turn them into large, self-sustaining networks.
Most of the names on the company’s top five malnet list are so little known compared to botnets that to most people they probably sound like characters from the Skylanders videogame.
‘Shnakule’,’ Tricki’, ‘Rubol’, ‘Raskat’, and ‘Rongdac’ are, in order of size, the top five although Schnakule dwarfs the others with between 1,700 and 5,000 concurrent hosts.
In total, the company was now tracking 1,500 individual malnets, three times the number it saw only six months ago, making the phenomenon one of cybercrime’s boom areas.
Unlike botnets – built mostly from compromised PCs – malnets seem to possess a devolved and constantly-shifting command and control system that makes them much harder to shut down; Shnakule alone issued changes to its host C&C servers 56,000 times so far in 2012, Blue Coat said.
Botnets, on the other hand, must hardwire a C&C address into the infected machine – if that host or its backup disappears, the botnetted PC is no longer active.
The point of all this is that the prominent botnet shutdowns seen in the last two years offer no long-term respite as long as malware networks exist to build new bots. Malnets, are, therefore, the key support for much contemporary malware.
“When security companies aggressively pursued the Zeus botnet, malnet operators simply shifted their resources to the Aleuron botnet, developing and using it in attacks,” said Blue Coat’s researchers.
“In just six months, activity from the Aleuron botnet increased 517 percent, surpassing Zeus, and making it the most active botnet in the wild.”
Blue Coat’s answer sounds like a logical one even if it is part of a commercial marketing strategy – stop devoting resources solely to blocking the malware served by malnets and attempt to block the rogue hosts themselves. The company calls this ‘negative day defence’, included as a layer in its security systems.
Interestingly, the rise of malnets has also had some unexpected effects, the company claims. In August, Blue Coat reported that simple ‘long tail’ web searches were still far more important for serving malware than special events such as the London Olympics or breaking news.
Going against the received security view, attackers now preferred to spread their links across a large number of search terms than jump on specific events that might be easier to block.