A shadowy web of malicious networks, or “malnets,” will be the source of two-thirds of online attacks in 2012, according to a report from the security firm Blue Coat.
Despite the industry’s continued focus on specific families and samples of malicious software, Blue Coat researchers say that identifying the common components of a handful of underlying infection infrastructures, which they call ‘malnets,’ is a more promising approach to stopping further infections.
The company’s 2011 State of the Threat Landscape report identifies five principal malnets: Shnakule, Glomyn, Cavka, Naargo, and Cinbric. Blue Coat describes malnets as distributed network infrastructures designed to sweep up victims while they browse trusted Web sites and route them through the malnet: forwarding them from a legitimate (but compromised) Web site through relay servers and on to exploit and payload servers. Blue Coat believes that nearly two-thirds of all attacks in 2012 will originate from these and other known malnets. The company’s researchers hope to turn the structure of these networks against them by identifying their common components and then using that information to mitigate threats before they become active.
Analysis has shown the malnets to be complex, with intricate links behind an infected site that draws visitors with a search-engine-optimized lure, such as the sites tied to the death of Steve Jobs. Behind that site lies a complicated, interconnected network that lets online criminals stay one step ahead of blacklists and other security measures by launching the same attack from another site and seamlessly redirecting users to it, according to Chris Larsen, Senior Malware Researcher at Blue Coat.
Malnets make tools like blacklists and signature-based threat detection less effective, Larsen said. However, they also give vendors the opportunity to detect threats more thoroughly and at an earlier stage, in some cases even before an attack has been launched.
Blue Coat said it is looking at ways to block attacks by identifying features that stay reasonably constant across a malnet, such as similarities in the domain names it uses.
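To make the idea concrete, here is an added example (not Blue Coat’s code, and not drawn from the report) of what a proxy-side check along these lines can look like. It reconstructs the compromised-site → relay → exploit-server hop sequence from referer-linked proxy log entries, then scores each hop’s hostname against a small set of hostnames already attributed to a malnet, using character-bigram Jaccard similarity on the name with digits normalized. The log lines, the malnet hostnames and the 0.3 threshold are all constructed for the illustration and are not from the page.

```python
"""Added example: redirect-chain reconstruction plus domain-name similarity
scoring.  Every hostname and log line below is constructed for the demo and
does not come from the Blue Coat report."""
import re
from urllib.parse import urlsplit

# Constructed proxy log: "client  unix-ts  url  referer(or -)  status"
SAMPLE_LOG = """\
10.0.0.5 1318521600 http://news-example.test/obituary/steve-jobs - 200
10.0.0.5 1318521601 http://xr7qk-track.info/in.php?id=88 http://news-example.test/obituary/steve-jobs 302
10.0.0.5 1318521602 http://cdn-update-flash.info/go.php http://xr7qk-track.info/in.php?id=88 302
10.0.0.5 1318521603 http://cdn-update-flash.info/exploit.jar http://cdn-update-flash.info/go.php 200
10.0.0.9 1318521700 http://intranet.example.test/home - 200
"""

# Hypothetical hostnames previously attributed to one malnet (constructed).
KNOWN_MALNET_HOSTS = ["xr3pl-track.info", "zq9kw-track.info", "cdn-update-java.info"]

LOG_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+) (\d{3})$")


def parse_log(text):
    """Parse the constructed log format into dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, url, referer, status = m.groups()
        entries.append({"client": client, "ts": int(ts), "url": url,
                        "referer": None if referer == "-" else referer,
                        "status": int(status)})
    return entries


def build_chains(entries):
    """Per client, link each request to the earlier request whose URL is its
    referer.  A request with no known referer starts a new chain."""
    chains = []
    by_client = {}
    for e in sorted(entries, key=lambda e: e["ts"]):
        by_client.setdefault(e["client"], []).append(e)
    for evs in by_client.values():
        url_to_chain = {}
        for e in evs:
            if e["referer"] is not None and e["referer"] in url_to_chain:
                idx = url_to_chain[e["referer"]]
                chains[idx].append(e["url"])
            else:
                chains.append([e["url"]])
                idx = len(chains) - 1
            url_to_chain[e["url"]] = idx
    return chains


def name_key(host):
    """Drop the last label (a simplification; use the public suffix list in
    production) and map digits to '0' so random-looking labels of the same
    shape still share bigrams."""
    host = host.lower()
    if "." in host:
        host = host.rsplit(".", 1)[0]
    return re.sub(r"\d", "0", host)


def bigrams(s):
    return {s[i:i + 2] for i in range(len(s) - 1)}


def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def malnet_score(host, known_hosts):
    """Return (best similarity, nearest known host) for a hostname."""
    grams = bigrams(name_key(host))
    best, best_host = 0.0, None
    for k in known_hosts:
        s = jaccard(grams, bigrams(name_key(k)))
        if s > best:
            best, best_host = s, k
    return best, best_host


def classify_chain(chain, known_hosts, threshold=0.3):
    """[(host, score, nearest_known, flagged)] for each hop in a chain."""
    out = []
    for url in chain:
        host = urlsplit(url).hostname or ""
        score, nearest = malnet_score(host, known_hosts)
        out.append((host, score, nearest, score >= threshold))
    return out


def flagged_hosts(log_text, known_hosts, threshold=0.3):
    """Hosts in any reconstructed chain that resemble the known malnet."""
    flagged = []
    for chain in build_chains(parse_log(log_text)):
        for host, _score, _nearest, hit in classify_chain(chain, known_hosts, threshold):
            if hit and host not in flagged:
                flagged.append(host)
    return flagged


if __name__ == "__main__":
    for chain in build_chains(parse_log(SAMPLE_LOG)):
        print("chain:")
        for host, score, nearest, hit in classify_chain(chain, KNOWN_MALNET_HOSTS):
            print(f"  {host:24s} score={score:.3f} nearest={nearest} {'BLOCK' if hit else 'ok'}")
```

On the constructed log the relay (xr7qk-track.info) and the exploit host (cdn-update-flash.info) score above the threshold against the previously attributed names while the compromised news site and the intranet host do not, which is the point of the approach: the blacklist never saw either malicious host, but the naming template did not change. Bigram similarity is only one such feature; registration data, IP ranges and URL path patterns are the kind of additional constants such a system would combine, and the threshold must be tuned against legitimate traffic because short, dictionary-word hostnames can collide.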
Larsen said that his company’s data shows that organized crime groups and malicious hackers are sticking with what works when launching online attacks. Despite an overall decline in e-mail use, attacks via e-mail increased by nearly five per cent from the first half of the year and continue to be a large problem. Attacks launched from search-engine-optimized Web sites were the most common entry point for malicious code: search engine poisoning accounts for some 40 per cent of infections, Blue Coat found. At the same time, social networking is moving up as a malware entry point, now accounting for almost 6.5 per cent of infections, the report said.
Larsen believes that the continued prevalence and success of search engine poisoning as a method of infection is evidence that we are doing a poor job of communicating the dangers of search. Too often, he said, users will trust a link just because it popped up as a top search result. Instead, users need to inspect URLs and make sure they are safe before following links.