Cybercriminal gangs have built network infrastructures consisting of thousands of nodes, according to Blue Coat Systems' 2012 Web Security report (PDF), which allow them to launch attacks while avoiding detection by traditional network defences.
These malware networks -- or “malnets”, as Web security vendor Blue Coat has dubbed them -- are different from botnets in the type of servers they use as well as the high volume of continually shifting servers involved. Blue Coat noted the emergence of malnets during 2011, and described them as “the next evolution in the threat landscape.”
While botnets hijack users’ PCs to pump out spam and malware, malnets are built from servers: the exploit servers and some of the relay servers are owned and operated by the criminal gangs themselves, supplemented by other servers they may have infected.
By constantly creating new network domains and multiple new subnets within the domains, the criminals are able to mask their activities for a long enough time to mount an attack. The domains may then be taken down and replaced just as quickly by others. This flexible delivery platform allows the criminals to adapt quickly to new vulnerabilities and launch new malware attacks.
The large size of the malware networks allows malware payloads to be moved around to avoid being identified by traditional defences. For example, the report described one case where a malware payload changed locations more than 1,500 times in a single day.
The criminals behind these networks typically exploit popular websites, such as social networking sites and search engines, to lure users to respond. This could be through search engine poisoning, where the criminals set up infected URLs designed to feature in search results, or messages on social networking sites asking users to click on a link.
Once the user has taken the bait, he or she will be routed to malware via a series of relay, exploit and payload servers that continually shift to new domains and locations.
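The report's observation that a single payload changed locations more than 1,500 times in a day, and the routing through continually shifting relay, exploit and payload servers, suggest a simple defensive measurement: count how often the host serving a given download changes within a day. The following is an added example, not code from Blue Coat or the report; it runs over a constructed web-proxy log sample with placeholder payload labels in place of real file hashes, and the hostnames are invented.

```python
from collections import defaultdict
from datetime import datetime

# Constructed web-proxy log sample for this example (not data from the Blue Coat
# report): timestamp, client IP, host that served the download, payload label.
# The payload labels stand in for file hashes; none are real indicators.
PROXY_LOG = """\
2012-03-01T08:00:01 10.0.0.5 cdn-update1.example.net PAYLOAD_A
2012-03-01T08:05:12 10.0.0.7 cdn-update2.example.net PAYLOAD_A
2012-03-01T08:09:44 10.0.0.9 media-fix3.example.org PAYLOAD_A
2012-03-01T08:14:03 10.0.0.5 media-fix4.example.org PAYLOAD_A
2012-03-01T08:20:30 10.0.0.8 files.vendor.example PAYLOAD_B
2012-03-01T12:40:30 10.0.0.8 files.vendor.example PAYLOAD_B
2012-03-02T09:01:10 10.0.0.8 files.vendor.example PAYLOAD_B
"""


def parse_log(text):
    """Parse one event per line into (timestamp, client, host, payload) tuples."""
    events = []
    for line in text.splitlines():
        ts, client, host, payload = line.split()
        events.append((datetime.fromisoformat(ts), client, host, payload))
    return sorted(events)  # time order matters when counting moves


def payload_moves(events):
    """Per payload and calendar day, count how many times a delivery came from
    a different host than the previous delivery of the same payload. This is
    the 'payload changed locations N times in a day' measure from the report."""
    moves, last_host = defaultdict(int), {}
    for ts, _, host, payload in events:
        key = (payload, ts.date().isoformat())
        # First sighting compares the host with itself, so it counts as zero
        # moves but still creates the key; later sightings add 1 per host change.
        moves[key] += last_host.get(key, host) != host
        last_host[key] = host
    return dict(moves)


def flag_malnet_candidates(events, min_moves=2):
    """Payloads whose serving host shifted at least min_moves times in one day.
    Legitimate downloads rarely hop between unrelated hosts; shifting ones
    deserve analyst review rather than an automatic verdict."""
    return sorted({p for (p, _), n in payload_moves(events).items() if n >= min_moves})
```

The threshold of two moves is only a starting point for a small sample; on real proxy volumes it should be tuned against known-good CDN behaviour, which can also rotate hosts within one domain.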
The report, published earlier this year, said Blue Coat Security Labs tracked approximately 500 malnets and found they varied in size from day to day. The largest malnet, which Blue Coat named Shnakule, specialises in drive-by downloads, fake antivirus campaigns and a variety of other scams. It made use of an average of 1,269 network nodes at a time and at one point in 2011 peaked at 3,376 nodes.
While some gangs operate in their local country, others in China, the Middle East and South America cooperate on an international scale to create highly dynamic malware delivery networks.
“The cybercriminals are very well structured and very patient,” said David Albohair, senior product marketing manager for Blue Coat, based in Paris. “The gangs communicate across the globe, including China, the Middle East and South America, and they usually have English as their common language.”
Albohair expects 66% of attacks in 2012 to be delivered through malnets
Albohair said the criminals are constantly refining their methods to achieve the greatest success. For instance, he said search engine poisoning attacks had risen by 300% in the last year.
The best defence against these attacks is for users to be more cautious when clicking on untrusted Web links, Albohair said.
“Criminals use real-world events as bait to trick people – such as the royal wedding last year, or the deaths of Osama bin Laden and Steve Jobs – and launch attacks,” he said. He advised companies to focus more on raising security awareness among users about the dangers of clicking on untrusted links, and also taking a more proactive approach. For instance, he said criminals will probably exploit interest in the London Olympics, so users should be warned in advance to be extra vigilant when clicking on untrusted links related to the Olympics.