Since 2011, security firm Blue Coat Systems has been tracking malnets: extensive distributed network infrastructures embedded in the Internet and designed to deliver mass-market attacks on a continuous basis. These malnet infrastructures are like the proverbial Lernaean Hydra--chop off one head, like a botnet it has produced, and two more spring up to take its place.
In just six months, the number of malnets tracked by Blue Coat Security Labs has rocketed up 300 percent from 500 to 1,500, according to the recently released Blue Coat 2012 Malware Report. When actively launching attacks, they can use thousands of new host names a day. Blue Coat says Shnakule, far and away the largest of the malnets now in operation, has used anywhere from 50 to 5,005 unique domain names a day over the past six months to scale its infrastructure to accommodate its daily attacks.
Rubol, another large malnet, is a spam ecosystem that operates in bursts. At times, it may have only one active domain name, according to Blue Coat, but when actively launching attacks it will use as many as 476 unique domain names.
"As the bad guys have made their criminal enterprises their day jobs, they've set up a lot of persistent infrastructure to deliver attacks," says Tim Van Der Horst, senior malware researcher at Blue Coat Security Labs. "Malnets are what are used to create botnets in the first place. If you don't take out the malnet, they just spring right back. You've got to stop it at the source."
How Malnets Operate
But that's easier said than done. Malnets are a collection of several thousand unique domains, servers and websites designed to work together to funnel victims to a malware payload-often using trusted sites as the starting point. A malnet is comprised of hundreds of servers, each with different responsibilities. Some host malware while others are used for specific types of attacks, from spam and scam to search engine poisoning and pornography. Still other servers make up the malnet's command and control infrastructure. The servers are embedded throughout the Internet in countries around the world.
Malnet operators can quickly and easily change the location of malnet components depending on the types of attacks they're running or who they're targeting. Blue Coat points to Shnakule as an example of a malnet's dynamism in action. In January of 2012, only 3.33 percent of all of Shnakule's spam and scam servers were located in North America and 60 percent were located in Russia. By July, those servers had been shut down and new ones brought up. The percentage of spam and scam servers in North America rose to 39.75 percent, while Western Europe saw an increase from 16.67 percent to 36.44 percent.
Sign up for Computerworld eNewsletters.