Like any growing business, cyber criminals are strengthening the infrastructure that underpins their success: the networks that deliver botnets, which could lead to more damaging attacks.
Botnet infections commonly spread through compromised websites seeded with malicious scripts and promoted via black hat SEO tactics such as link farms, according to a new study by web security firm Blue Coat. These malware networks, or malnets, pose a growing threat.
Malnets largely deal in mass market malware and as such are different from advanced persistent threats (APTs) associated with cyber-espionage attacks targeting large corporations and Western governments, Blue Coat said.
Individual attacks are updated and changed, but the underlying infrastructure used to lure in users and deliver those attacks is reused. The ease with which cyber criminals can launch attacks through malnets creates a vicious cycle in which individuals are lured to malware, infected, and then used to infect others.
First the malnet drives a user to the malware. Then the user’s computer is infected with a Trojan. The compromised computer then becomes a member of the botnet and can itself lure new users into the malnet, for example by sending spam to the victim’s email contact lists. A compromised system can also steal the victim’s personal information or money and, in some cases, serve as a jumping-off point for attacks on neighboring machines.
“Their [malnet] infrastructure is comprised of several thousand unique domains, servers and websites that work together to funnel users to a malware payload,” Tim Van Der Horst, a senior malware researcher at Blue Coat, explained. “This infrastructure of relay and exploit servers allows malnet operators to quickly launch new attacks that can be tailored to attract large groups of potential victims.”
Blue Coat expects malnets to account for more than two-thirds of all malicious cyber attacks in 2012. The company is currently tracking more than 1,500 unique malnets, a 200 percent increase from just six months ago.
The biggest malnet, which Blue Coat calls Shnakule, not only communicates frequently but also changes hostnames frequently, the web filtering firm explains.
Shnakule is a wide-ranging malnet that engages in a variety of malfeasant activities, including fake AV, codec, Flash and browser updates, pornography, gambling and work-at-home scams. To scale the infrastructure to accommodate attacks associated with these activities, Shnakule operators bring new domains and servers online. Over the course of six months Shnakule used anywhere from 50 to 5,005 unique domain names per day.
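The hostname churn described above is something a defender can measure: a relay server keeps the same IP address while the disposable hostnames in front of it change from day to day, whereas legitimate shared hosting serves the same names for long periods. The script below is an added illustration (not Blue Coat's code or data) that profiles constructed passive-DNS-style observations and flags IPs fronting many single-day hostnames; the addresses, names and thresholds are invented for the example.

```python
from collections import defaultdict

# Constructed sample observations of (day, hostname, resolved_ip).
# IPs are RFC 5737 documentation ranges and names use .example; none are real indicators.
OBSERVATIONS = [
    # relay server: fresh throwaway hostnames every day, same IP behind them
    ("2012-02-01", "flash-upgrade-now.example", "203.0.113.10"),
    ("2012-02-01", "free-av-scan-2012.example", "203.0.113.10"),
    ("2012-02-02", "codec-pack-hd.example", "203.0.113.10"),
    ("2012-02-02", "work-from-home-kit.example", "203.0.113.10"),
    ("2012-02-03", "browser-update-v9.example", "203.0.113.10"),
    ("2012-02-03", "casino-bonus-today.example", "203.0.113.10"),
    # shared hosting: several hostnames, but the same ones persist day after day
    ("2012-02-01", "blog-a.example", "198.51.100.5"),
    ("2012-02-01", "blog-b.example", "198.51.100.5"),
    ("2012-02-02", "blog-a.example", "198.51.100.5"),
    ("2012-02-02", "blog-b.example", "198.51.100.5"),
    ("2012-02-03", "blog-a.example", "198.51.100.5"),
    ("2012-02-03", "blog-b.example", "198.51.100.5"),
    # ordinary single site
    ("2012-02-01", "intranet.example", "192.0.2.7"),
    ("2012-02-03", "intranet.example", "192.0.2.7"),
]


def churn_profile(observations):
    """Return {ip: (unique_hostnames, throwaway_fraction, peak_hostnames_in_one_day)}.

    A hostname counts as 'throwaway' when it resolved to the IP on exactly one day.
    Many hostnames per IP alone is not suspicious (CDNs, shared hosting);
    the discriminator is that the names do not persist.
    """
    days_per_host = defaultdict(set)   # (ip, host) -> {days}
    hosts_per_day = defaultdict(set)   # (ip, day)  -> {hosts}
    for day, host, ip in observations:
        days_per_host[(ip, host)].add(day)
        hosts_per_day[(ip, day)].add(host)
    profile = {}
    for ip in {ip for _, _, ip in observations}:
        hosts = [h for (i, h) in days_per_host if i == ip]
        throwaway = sum(1 for h in hosts if len(days_per_host[(ip, h)]) == 1)
        peak = max(len(hosts_per_day[(i, d)]) for (i, d) in hosts_per_day if i == ip)
        profile[ip] = (len(hosts), throwaway / len(hosts), peak)
    return profile


def flag_high_churn(observations, min_hosts=4, min_throwaway=0.75):
    """IPs fronting many hostnames that are mostly discarded after a single day."""
    return sorted(ip for ip, (n, frac, _) in churn_profile(observations).items()
                  if n >= min_hosts and frac >= min_throwaway)


if __name__ == "__main__":
    for ip, (n, frac, peak) in sorted(churn_profile(OBSERVATIONS).items()):
        print(f"{ip:15} hostnames={n} throwaway={frac:.2f} peak/day={peak}")
    print("high-churn relay candidates:", flag_high_churn(OBSERVATIONS))
```

On real passive-DNS or proxy logs the thresholds need tuning against the observed churn of the organisation's own traffic, and a flagged IP is a lead for investigation rather than a verdict.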