Most Internet security software detect malware through digital signatures that detail the source of cyber attacks. But what if cybercriminals employ thousands of servers spread across Internet domains that change a thousand times a day to propagate their malware?
Such malware networks, or malnets, may go undetected by antivirus software for months. They work by routing users to malware, via relay, exploit and malware servers that continually shift to new domains and locations. Some malnet operators have even used trial servers from web hosting service providers to beef up their arsenal.
Malnets propagate malware through a plethora of malicious programs such as fake video codecs and antivirus software. Fake video codecs, in particular, are popular for social networking-related attacks, where users are prompted to click a link to download a fake codec to watch a video.
Other malnets lure users into clicking links that originate from popular search terms related to specific events or personalities like Prince William. These make up a third of malnet attacks, which usually induce users to share personal information or money, according to Blue Coat, a provider of security products.
“There are hundreds of different ways to access a malnet,” says Jon Andresen, Blue Coat’s Asia Pacific vice president of marketing. “Even though the malware look different, they’re actually the part of the same attack. You can block them individually, but you’re not blocking the attack.”
One of the largest malnets is Shnakule, which has between 10 and 3,376 hosts at different times. The dynamic nature of malnets also means security vendors are constantly locked in a cat and mouse game with cybercriminals.
And if a recent Blue Coat report is any indicator, the black hats seem to be winning: in just six months, the number of malnets jumped from 500 to 1,500.
To nip the problem in the bud, Blue Coat runs a research lab to track the origins of malware. ”Days before an attack happens, there would already be things happening on the Internet,” Andresen says.
“So, when a new exploit site goes up on the Internet, we’ll rate it as malware. And if there’s content that links to that exploit site, we’ll block requests to that content. It’s impossible to take malware off the Internet, but you can prevent people from going to it.”
To guard against malnets, organisations should educate employees on the perils on clicking on seemingly harmless websites that could masquerade as malware sites.
In addition, enforce policies that require users to update their browsers, and more importantly, ensure your security infrastructure can block malware networks.