In 2011, cybercriminals stepped up their game with the creation of malware networks (malnets)-distributed network infrastructures that exploit popular places on the Internet like search engines and social networking sites to repeatedly launch a variety of malware attacks.
Security firm Blue Coat Systems began tracking malnets this past year. In its 2012 security report, Blue Coat noted that malnet infrastructures give cybercriminals the capability to launch dynamic attacks that traditional anti-virus solutions typically don't detect for days or even months. It pointed to one malware payload that in February 2011 changed its location more than 1,500 times in a single day.
"We track in the order of 500 of these," Sasi Murthy, senior director of product marketing at Blue Coat, told CIO.com. "Some are very small and some are global. Vast parts of these networks may be silent for months. It's a very effective way to evade law enforcement."
The largest malnet identified by Blue Coat is Shnakule, which averages 1,269 hosts. It is distributed across North America, South America, Europe and Asia, and its malicious activity deals in drive-by downloads, fake AV, codecs, Flash and Firefox updates, botnet CnC controls, pornography, gambling and work-at-home scams. Blue Coat said that in July it expanded its traditional activities to include malvertising.
How Malnets Operate
Malnets are a collection of several thousand unique domains, servers and websites designed to work together to funnel victims to a malware payload--often using trusted sites as the starting point. Using this infrastructure and trending news- or celebrity-related lures, Blue Coat said cybercriminals can rapidly launch new attacks that attract many potential victims before security technologies can identify and block it.
"A lot of legitimate sites are actually infected," Murthy said. "In some cases, you've got legitimate websites with up to 74 percent malicious content."
Perhaps the most popular way to lure unsuspecting users is search engine poisoning (SEP), which uses search engine optimization (SEO) techniques to seed malware sites high in common search results.
"About 1 in 142 searches or so led to a malicious URL in 2011," Murthy said. "When you look at how important search requests are to all of us, that's pretty scary."
Blue Coat said each attack uses different trusted sites and bait to lure users. Some of the attacks don't even use relay servers. Once the users take the bait they are taken directly to exploit servers that identify the user's system or application vulnerabilities and use that information to serve a malware payload.
"In some cases, as with iFrame injections, users will travel the malnet path unknowingly," Blue Coat said. "The relay and exploit server action takes place in the background and secretly installs malware. In other cases, downloading malware requires the user to click on a link."
While search engines/portals and email remain the most targeted category of content by criminals, social networking sites also surged in popularity in 2011, Murthy said. It should come as no surprise; Blue Coat said malnet operators follow low-investment/high-impact strategies, and search engines, portals and social networking sites offer an abundance of potential victims. But those aren't the only categories that are at risk. Malnet operators like to hide their malicious payloads in plain sight, and online storage sites and software download sites are especially appealing because hosting files are part of their business models. Blue Coat said that in 2011, 74 percent of all new ratings in online storage were malicious.
Best Threat Protection Practices
Given the evolving nature of the threat, how can IT organizations defend themselves and their employees? Blue Coat recommends six best practices:
Know your logs and check them frequently. Reviewing the traffic on your network can help you identify anomalous behavior, like an infected computer attempting to phone home to a command-and-control console. If you see a lot of unrated traffic from a computer on your network, it may be a sign that you have a problem.
Block all executable content from unrated domains. This is a no-brainer. If content that cannot be rated is attempting to download an executable, there's a high probability that it is malicious.
Set policies around dangerous and potentially dangerous categories. When it comes to suspect categories, either block them or at least block executables. High-risk categories include hacking and gambling sites, pornography, placeholder domains and proxy avoidance sites. Other at-risk categories include software downloads, open/mixed content, online storage, web advertisements, non-viewable content and dynamic DNS hosts.
Block all non-SSL traffic that attempts to use port 443. Blue Coat said many bots use a custom encryption over port 443 to avoid detection when phoning home to their command-and-control servers. Organizations can increase their defense by using a proxy device to provide visibility into SSL traffic over port 443 and by blocking all non-SSL traffic attempting to use the port.
Layer anti-virus solutions at the desktop and gateway. By deploying multiple anti-virus engines throughout your network, you can increase the chances that a malicious executable missed by one engine will be blocked by another.
Use granular application and operation controls in addition to web filtering technology to mitigate the risks of social networking. Murthy pointed out that social networking sites have expanded to become an "Internet within the Internet," nearly self-contained environments in which users can do almost everything they would do in the wider Internet. As a result, businesses need detailed analysis and control that extends beyond the social networking sites to include individual web applications and content within those sites. For instance, Murthy noted that some government agencies have implemented a read-only policy and controls for Facebook.
"The biggest thing we're calling out here is the fact that you can block threats before they occur," Murthy said. "You can see the torpedo coming in the water before it hits you."