The number of malnets has jumped 300 percent in the past six months, according to security firm Blue Coat Systems. While they are nearly impossible to kill, there are steps you can take to protect your organization.

Since 2011, security firm Blue Coat Systems has been tracking malnets: extensive distributed network infrastructures embedded in the Internet and designed to deliver mass-market attacks on a continuous basis. These malnet infrastructures are like the proverbial Lernaean Hydra—chop off one head, like a botnet it has produced, and two more spring up to take its place.

In just six months, the number of malnets tracked by Blue Coat Security Labs has rocketed up 300 percent, from 500 to 1,500, according to the recently released Blue Coat 2012 Malware Report. When actively launching attacks, they can use thousands of new host names a day. Blue Coat says Shnakule, far and away the largest of the malnets now in operation, has used anywhere from 50 to 5,005 unique domain names a day over the past six months to scale its infrastructure to accommodate its daily attacks. Rubol, another large malnet, is a spam ecosystem that operates in bursts. At times it may have only one active domain name, according to Blue Coat, but when actively launching attacks it will use as many as 476 unique domain names.

“As the bad guys have made their criminal enterprises their day jobs, they’ve set up a lot of persistent infrastructure to deliver attacks,” says Tim Van Der Horst, senior malware researcher at Blue Coat Security Labs. “Malnets are what are used to create botnets in the first place. If you don’t take out the malnet, they just spring right back. You’ve got to stop it at the source.”

How Malnets Operate

But that’s easier said than done. Malnets are a collection of several thousand unique domains, servers and websites designed to work together to funnel victims to a malware payload, often using trusted sites as the starting point.
A malnet is comprised of hundreds of servers, each with different responsibilities. Some host malware while others are used for specific types of attacks, from spam and scam to search engine poisoning and pornography. Still other servers make up the malnet’s command and control infrastructure. The servers are embedded throughout the Internet in countries around the world. Malnet operators can quickly and easily change the location of malnet components depending on the types of attacks they’re running or who they’re targeting.

Blue Coat points to Shnakule as an example of a malnet’s dynamism in action. In January of 2012, only 3.33 percent of all of Shnakule’s spam and scam servers were located in North America and 60 percent were located in Russia. By July, those servers had been shut down and new ones brought up. The percentage of spam and scam servers in North America rose to 39.75 percent, while Western Europe saw an increase from 16.67 percent to 36.44 percent.

Malnets Will Deliver Most Malware Attacks This Year

Using this infrastructure of relay and exploit servers, Blue Coat says cybercriminals can rapidly launch new attacks that attract many potential victims before security technologies can identify and block them. This creates what Van Der Horst characterizes as a vicious cycle of attack and infection. Blue Coat estimates malnets will deliver more than two-thirds of all malware attacks this year, and they will continue to dominate the threat landscape in the future since they are virtually impossible to shut down.
Once the infrastructure is in place, Blue Coat says malnets typically traffic in two types of attacks:

1. Attacks that lure users to click on a link, using social networking, spam, porn attacks and search engine poisoning (SEP), which uses search engine optimization (SEO) techniques to seed malware sites high in common search results.
2. Attacks that use drive-by downloads to infect computers that do not have up-to-date browser security fixes and patches.

Blue Coat said each attack uses different trusted sites and bait to lure users. Some of the attacks don’t even use relay servers. Instead, they send users that have taken the bait directly to exploit servers that can identify system or application vulnerabilities, which are then used to serve a malware payload. Once a user’s computer is compromised, it can then be used by a botnet to lure new users into the malnet.

Malnets Launch Multiple Attacks at a Time

Malnets characteristically launch multiple attacks at a time. In 2011, one malnet was responsible for the high-profile attack on MySQL.com, which left the site for the open source database software serving malware to visitors. The attack, which targeted database administrators (a group of users likely to have access to sensitive company information), was only one of hundreds of attacks launched by that particular malnet that day.

“We took a look at the malnet involved in that,” Van Der Horst says. “We were amazed. It was just a drop in the bucket compared to what else that malnet was doing that day. The bad guys are there 24/7, and they’ve got a lot of resources that they’re using to try to infect users.”

Malnets protect themselves through their dynamism and geographic dispersion. Malnet operators locate their servers in multiple countries so that if one country shuts down a malnet within its borders, it can continue to function and propagate in other countries.
How to Protect Your Organization Against Malnets

Given all this, how can an organization protect itself from the threats posed by malnets? The key, Van Der Horst says, is a proactive cyber defense that goes beyond today’s largely signature-based defenses. A proactive cyber defense identifies the malnets delivering attacks and blocks them at the source, preventing attacks before they’re launched.

“The primary thing that we do is we track their infrastructure,” Van Der Horst says. “Even though they may change the paint or some labels, there’s still underlying core stuff we can track. We call it server DNA. A brand new website may show up today, we do a scan of it and inspect its DNA.”

“Once you start tracking the ecosystem, this infrastructure, you care less and less about the specific payload it’s trying to deliver,” he adds. “It doesn’t matter what the exploit is, you know it’s coming from a bad place.”

Van Der Horst suggests five steps organizations can take to better protect themselves against malware threats:

1. Use a security solution that can block malnet infrastructures and limit employee exposure to botnet-producing Trojans.
2. Ensure your security solution can block communications from infected end-user systems to command and control servers to prevent sensitive, confidential or proprietary information from reaching the cyber-criminals.
3. Ensure that web usage policies are up-to-date and keep network/firewall rules current.
4. Deploy a reporting solution that can help you identify potentially infected end-user systems so you can quarantine and clean them.
5. Set and enforce policies that require employees to update their browsers, OS, Adobe Flash, Adobe Reader, Java and other applications with the latest patches and security updates.

Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for CIO.com. Follow Thor on Twitter @ThorOlavsrud. Follow everything from CIO.com on Twitter @CIOonline and on Facebook.
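As an added illustration of the infrastructure-centric defense the article describes (example code written for this page, not Blue Coat's product or its "server DNA" method), the following Python flags servers whose resolved IP fronts an unusual number of distinct host names in a single day, the domain churn the Shnakule figures above describe, and then blocks every request to that server, including host names never seen before. The log format, the IP addresses, the host names and the threshold are all constructed assumptions, and the resolved IP is used as a crude stand-in for the underlying infrastructure.

```python
from collections import defaultdict

# Constructed sample proxy log, not real data: "<date> <client> <hostname> <resolved_ip>".
# 203.0.113.10 stands in for one malnet relay fronting a fresh batch of host names each
# day; 198.51.100.20 stands in for an ordinary corporate web server.
SAMPLE_LOG = """\
2012-07-01 10.0.0.5 cdn-update7.example-bait.com 203.0.113.10
2012-07-01 10.0.0.7 media-news44.example-bait.net 203.0.113.10
2012-07-01 10.0.0.9 x9f2.example-bait.org 203.0.113.10
2012-07-01 10.0.0.9 login-verify3.example-bait.biz 203.0.113.10
2012-07-01 10.0.0.5 www.example-corp.com 198.51.100.20
2012-07-01 10.0.0.7 mail.example-corp.com 198.51.100.20
2012-07-02 10.0.0.5 q7hd.example-bait.info 203.0.113.10
2012-07-02 10.0.0.7 www.example-corp.com 198.51.100.20
"""

# Assumed threshold: more than this many distinct host names resolving to one server in a
# single day is treated as domain churn. A real deployment would derive it from a baseline
# and exempt known CDN and shared-hosting ranges, which legitimately front many names.
CHURN_THRESHOLD = 3

def parse_log(text):
    """Split the constructed log into (date, client, hostname, ip) tuples."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def hostnames_per_server(entries):
    """Map (date, ip) -> set of distinct host names seen resolving to that server."""
    seen = defaultdict(set)
    for date, _client, hostname, ip in entries:
        seen[(date, ip)].add(hostname)
    return seen

def flag_churning_servers(entries, threshold=CHURN_THRESHOLD):
    """Return server IPs that fronted more than `threshold` host names on any single day."""
    return {ip for (_date, ip), names in hostnames_per_server(entries).items()
            if len(names) > threshold}

def verdicts(entries, flagged):
    """Decide per request by server rather than by host name: a never-seen host name on a
    flagged server is still blocked, while requests to unflagged servers pass."""
    return [(hostname, "block" if ip in flagged else "allow")
            for _date, _client, hostname, ip in entries]

if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for hostname, action in verdicts(log, flag_churning_servers(log)):
        print(f"{action:5} {hostname}")
```

On the sample, the relay at 203.0.113.10 is flagged from its first day, so the fresh host name it brings up on the second day is blocked on sight while the corporate server stays reachable.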