Tracking infrastructure of malnets gives the security industry 'the big picture,' says company researcher

In the war on malware, it is important not only to recognize the malicious software, but also where it is coming from.

Blue Coat, a web security firm, said that tracking “malnets” through geolocation of their infrastructure nodes is helping it respond more quickly and effectively to attacks that number in the millions every day. On its website the company provides a graph of the number of daily threats over the previous week. The number of blocked threats reported for Aug. 26 — a bit lower than the previous six days — was 17,765,686.

Malnets are just what the name implies: malicious networks, or distributed infrastructures within the Internet, built and maintained for the purpose of launching persistent, extended attacks. “They deploy the stuff you can buy in these underground [malware] markets,” said Tim van der Horst, a senior malware researcher at Blue Coat.

The malnets snare users, typically while they are visiting trusted sites, and route them to malware via relay, exploit and payload servers that continually shift to new domains and locations. Blue Coat is currently tracking more than 500 unique malnets, van der Horst said, although not all of them are active every day, and the field is dominated by a few giants: Cavka, Glomyn, Cinbric, Naargo and the largest of all, Shankule, which van der Horst said “has its fingers in every kind of [criminal] pie you can imagine, all over the world.”

Tracking malnets does not make it possible to take them down and arrest those who run them. While some of them may have servers in the U.S., their command and control centers tend to be in Russia, China and Eastern European countries, where it would be difficult to find them even with government cooperation. Blue Coat said that nearly every advanced persistent threat (APT) is coming from China, Russia is dominant in pharma scams, and more than 90% of porn-related malnets come from Germany.

But van der Horst said tracking the infrastructure of malnets gives those in the security industry “the big picture,” and therefore improves identification and defense capability.

“If we see something bad in WebPulse [a Blue Coat web security software product], we start back-tracking from there,” van der Horst said. “We know it had to follow some kind of path. We see a lot of stuff on the Net, so we ask if this looks like anything else. We do horizontal mapping to find out if they were relayed to a particular server.”

“We extract the server DNA,” he said, so “even though they change their IP address and domain name, we can still recognize it.”

“You care less and less about payload,” van der Horst said. “It could be something five years old or a brand-new, zero-day exploit. But you know that everything coming from that server network is bad.”

There are two ways to thwart cyber criminals, he said. “You can go after legally,” but Blue Coat does not have a strong presence in that area. “We focus on detecting their [malnet] infrastructure in real time and letting clients know.”

“All our known threats go into a database. We have updates every five minutes, and four times a day we do a bigger update,” he said.

Even with that, the threats keep getting more frequent and more diverse, van der Horst said. “The bad guys are really diversifying in location and activities. And organized crime has a big presence in this space. All of the things they have done for years, all of that applies in cyberspace.”
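The back-tracking and "horizontal mapping" that van der Horst describes can be sketched, from a defender's side, as two operations over a web gateway's own logs: walk the Referer links backwards from a known-bad URL to recover the path the client followed (trusted site, relay, exploit server), then fingerprint the servers on that path by traits that survive a change of domain and IP and look for the same fingerprint elsewhere in the logs. The following is an added illustration, not Blue Coat's WebPulse code or any product's method: the log record layout, the sample hosts (`news.example`, `ads-relay.example`, `kit.example`, `fresh-relay.example`), their addresses, and the choice of "server DNA" (ordered response header names plus the Server banner) are all constructed assumptions made for the example.

```python
"""Added example: back-tracking a redirect path and matching server fingerprints
across domain/IP changes over constructed proxy log records. Hypothetical
throughout; not Blue Coat's code, and the "DNA" definition is an assumption."""
from collections import defaultdict
from dataclasses import dataclass, field
import hashlib


@dataclass
class ProxyRecord:
    """One proxied HTTP response as a gateway might log it (constructed layout)."""
    ts: str
    client: str
    url: str
    referer: str                 # empty string when the request carried no Referer
    dst_ip: str
    headers: list = field(default_factory=list)   # [(name, value), ...] in response order


def server_dna(headers):
    """Assumed fingerprint: ordered response header names plus the Server banner.
    Per-request fields (Date, Content-Length, Set-Cookie) are dropped so the
    value is stable across requests to the same server software stack."""
    volatile = {"date", "content-length", "set-cookie"}
    names = [n.lower() for n, _ in headers if n.lower() not in volatile]
    banner = next((v for n, v in headers if n.lower() == "server"), "")
    material = "|".join(names) + "#" + banner
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def host_of(url):
    """Extract the host part of an absolute http(s) URL."""
    return url.split("/")[2] if "//" in url else url


def backtrack(records, bad_url, client):
    """Recover the path one client followed to a known-bad URL by walking
    Referer links backwards; returns URLs in visit order (entry site first)."""
    by_url = {(r.client, r.url): r for r in records}
    chain, seen = [], set()
    cur = by_url.get((client, bad_url))
    while cur and cur.url not in seen:          # seen-set guards against Referer loops
        seen.add(cur.url)
        chain.append(cur.url)
        cur = by_url.get((client, cur.referer)) if cur.referer else None
    chain.reverse()
    return chain


def map_infrastructure(records, chain):
    """Horizontal mapping: take the DNA of every server on a confirmed bad chain
    (skipping the trusted entry site), then return every (host, ip) in the logs
    that shares one of those DNAs, whatever domain or address it now uses."""
    chain_hosts = {host_of(u) for u in chain[1:]}
    dna_index = defaultdict(set)
    for r in records:
        dna_index[server_dna(r.headers)].add((host_of(r.url), r.dst_ip))
    bad_dna = {server_dna(r.headers) for r in records if host_of(r.url) in chain_hosts}
    related = set()
    for d in bad_dna:
        related |= dna_index[d]
    return bad_dna, related


# Constructed sample headers: one set per server role.
TRUSTED_HDRS = [("Date", "d1"), ("Server", "Apache"), ("Content-Type", "text/html; charset=utf-8"),
                ("Cache-Control", "max-age=600"), ("Content-Length", "8812")]
RELAY_HDRS = [("Server", "nginx/0.7.67"), ("Date", "d2"), ("Content-Type", "text/html"),
              ("X-Powered-By", "PHP/5.2.17"), ("Content-Length", "312")]
EXPLOIT_HDRS = [("Server", "Apache/2.2.3 (CentOS)"), ("Date", "d3"),
                ("Content-Type", "application/x-java-archive"), ("Content-Length", "4411")]
CDN_HDRS = [("Server", "ECS"), ("Content-Type", "application/javascript"), ("Date", "d4"),
            ("Content-Length", "77")]

# Constructed log: one client is relayed from a trusted site to an exploit kit;
# later the same relay stack reappears under a new domain and IP for another client.
SAMPLE_LOG = [
    ProxyRecord("10:00:01", "10.1.1.5", "http://news.example/story", "", "203.0.113.10", TRUSTED_HDRS),
    ProxyRecord("10:00:02", "10.1.1.5", "http://ads-relay.example/r.php", "http://news.example/story",
                "198.51.100.7", RELAY_HDRS),
    ProxyRecord("10:00:03", "10.1.1.5", "http://kit.example/exploit.jar", "http://ads-relay.example/r.php",
                "192.0.2.44", EXPLOIT_HDRS),
    ProxyRecord("11:30:09", "10.1.1.9", "http://fresh-relay.example/r.php", "http://blog.example/post",
                "198.51.100.88", RELAY_HDRS),
    ProxyRecord("11:31:00", "10.1.1.9", "http://cdn.example/lib.js", "http://blog.example/post",
                "203.0.113.55", CDN_HDRS),
]

if __name__ == "__main__":
    path = backtrack(SAMPLE_LOG, "http://kit.example/exploit.jar", "10.1.1.5")
    print("path:", " -> ".join(path))
    _, related = map_infrastructure(SAMPLE_LOG, path)
    for host, ip in sorted(related):
        print("related infrastructure:", host, ip)
```

The point of the split into two functions is the one van der Horst makes about payload mattering less: once the relay's fingerprint is known, `fresh-relay.example` on a new address is flagged without anyone having seen what it serves, while `cdn.example` and the trusted entry site, whose header sets differ, are left alone. In a real gateway the fingerprint would draw on more stable traits than header order and a banner, and the Referer walk would need to tolerate clients that strip or forge it.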