
Malnets lead the cyberattack pack

Oct 02, 2012 | 5 mins
Access Control, Cybercrime, Network Security

Report predicts malicious infrastructure will generate two-thirds of cyberattacks in 2012

In politics, the future may belong to green energy and better education, but in the world of cybercrime, it looks like it increasingly belongs to malicious networks, or malnets.

That is the key finding of Blue Coat Security Lab’s Mid-Year Malware Report, released Tuesday. The company said the number of malnets now stands at more than 1,500, an increase of 300% in the past six months, and it expects they will be “responsible for two-thirds of all malicious cyberattacks in 2012.”

Malnets are distributed infrastructures within the Internet that are built, managed and maintained by cybercriminals for the purpose of launching persistent, extended attacks on computer users. That infrastructure generally includes several thousand unique domains, servers and websites that work together to lure users to a malware payload.

They are increasingly popular, Blue Coat said, because they are so effective. In what it calls a five-stage “vicious cycle,” a malnet first drives a user to malware, through any number of means, including drive-by downloads, email from trusted sources or trusted websites.

“Then the user’s computer is infected with a Trojan,” the report said. “Once the computer is compromised it can be used by the botnet to lure new users into the malnet by using the infected machine to send spam to email contact lists, for example.”

“A compromised system can also be used to steal the victim’s personal information or money, and, in some cases, can also function as a jumping-off point for attacks on neighboring machines,” the report said.

Tim Van Der Horst, malware researcher at Blue Coat Systems, said this demonstrates what the report calls the “organic … self perpetuating” nature of malnets, which is one of the things that makes them so difficult to eradicate.

“When users are infected, they become a bot in a botnet,” Van Der Horst said. “They communicate with a command-and-control server, and send results to the bad guys.”

In short, all the capabilities of the compromised computer are in the criminals’ hands. “If the computer can do it, the bad guy can make the computer do it,” Van Der Horst said. “It can steal online banking credentials or leverage the machine to launch new attacks, like sending email as you to your contacts, so they’re getting it from a trusted source.”


Malnets are also geographically dispersed, which means that even if they are shut down in one country, they can continue operating in others, and launch simultaneous attacks. Unlike advanced persistent threats (APT), the goal of malnets is, “not to target one million people with a single search term but instead target one million people with one million different search terms,” the report said.

It targets them at what Blue Coat calls the “watering holes” of the Internet — more than a third of the requests for web content go to search engines, but social networking and audio/video clips are also popular categories.

“According to the Cisco Visual Networking Index, by 2016 all types of video will account for 86% of global consumer traffic,” the report said. “With the growth of video traffic, tried and true socially engineered attacks like fake video codecs have an opportunity to dupe users into downloading malware.”

They also can change host names frequently. Shnakule, the largest malnet in the world, changed the host names of its command-and-control servers more than 56,000 times in the first nine months of the year.

In the face of such attacks, traditional signature-based defenses are not enough, Blue Coat said, noting that one of the ways enterprises should protect themselves is with better education of their employees.

Among the ways to avoid poisoned search engine results are to stay away from any that appear to be hosted in other countries, such as .IN, .RU or .TK domains, unless the search is related to that country; to avoid results with teaser text that reads as if it was constructed by a machine; and, if a result looks suspicious, to click on one of the many other results that were returned, the report said.

Another simple but too-frequently ignored security practice is to apply patches and other security updates as soon as they are issued. “The availability of a patch doesn’t mean that users have applied it,” the report said. “The Conficker/Downandup botnet has been alive for nearly four years now, with infected systems still receiving instructions.”

Van Der Horst said the most effective way to defend against malnets is not to wait for a new threat to emerge and then block it, but to identify the malnet infrastructure delivering the attacks and block them at the source. This aims to prevent new attacks before they are launched — what the company calls Negative Day Defense.

It doesn’t matter what the specific threat is, since the defense is aimed at blocking the threat delivery mechanism, he said.
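The two points above (Shnakule rotating its command-and-control host names, and blocking the delivery infrastructure rather than each individual threat) can be illustrated with a small detection script. This is an added example, not Blue Coat's method or code: it assumes a resolver log in a constructed format and flags server IPs that accumulate many distinct host names in a short span, which is the kind of churn the report describes.

```python
"""Flag shared infrastructure whose host names churn rapidly (added example).

Keying a block rule on a hostname alone fails when the operator rotates names
constantly; grouping by the server IP behind the names lets a defender block
the delivery infrastructure at the source. Log format and values below are
constructed for this example and are not real indicators.
"""
from collections import defaultdict
from datetime import datetime

# Constructed resolver log: "<ISO timestamp> <client> <hostname> <resolved IP>"
SAMPLE_LOG = """\
2012-10-02T09:00:01 10.0.0.5 cdn-a1.example-bad.tk 203.0.113.7
2012-10-02T09:04:12 10.0.0.9 upd-z9.example-bad.tk 203.0.113.7
2012-10-02T09:09:40 10.0.0.5 img-k3.example-bad.in 203.0.113.7
2012-10-02T09:15:03 10.0.0.7 vid-q2.example-bad.ru 203.0.113.7
2012-10-02T09:22:55 10.0.0.9 news-r8.example-bad.tk 203.0.113.7
2012-10-02T09:01:00 10.0.0.5 www.example.org 198.51.100.20
2012-10-02T09:30:00 10.0.0.7 www.example.org 198.51.100.20
2012-10-02T10:30:00 10.0.0.9 mail.example.org 198.51.100.20
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, hostname, ip) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _client, host, ip = line.split()
        records.append((datetime.fromisoformat(ts), host.lower(), ip))
    return records


def hostname_churn(records):
    """Return {ip: (distinct_hostnames, hostnames_per_hour)} per resolved IP."""
    names, first, last = defaultdict(set), {}, {}
    for ts, host, ip in records:
        names[ip].add(host)
        first[ip] = min(first.get(ip, ts), ts)
        last[ip] = max(last.get(ip, ts), ts)
    result = {}
    for ip, hosts in names.items():
        # Floor the observation span at one minute so a single burst is not divided by zero.
        span_h = max((last[ip] - first[ip]).total_seconds() / 3600, 1 / 60)
        result[ip] = (len(hosts), len(hosts) / span_h)
    return result


def infrastructure_blocklist(records, min_names=4, min_rate=5.0):
    """IPs worth blocking at the source: many distinct names, rotated quickly."""
    return sorted(ip for ip, (n, rate) in hostname_churn(records).items()
                  if n >= min_names and rate >= min_rate)
```

The thresholds are illustrative; in practice they would be tuned against legitimate shared hosting and CDNs, which also front many names from one address.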