The number of detected malicious networks (malnets) has tripled in the last year.
A previous report by Blue Coat found that malnets were responsible for a 240 per cent increase in the number of malicious sites detected in 2011, with 500 detected. However, Tim Van Der Horst, senior malware researcher at Blue Coat, said that in terms of the malnets it was tracking, it knew of 500 in 2011 but there were 1,500 this year.
Van Der Horst said that malnets are becoming more prolific and that Blue Coat has become better at detecting and tracking them. “This is based on creating and delivering attacks. This is not an exploit kit, these have tools that you have to build yourself and you build up a domain and ‘stalk’ users and get them when they are exposed,” he said.
Van Der Horst confirmed that legitimate websites are often compromised via malvertising and these drive traffic. Once a user is infected, they will be used to send links to friends and other users to expand the malnet.
He said: “With a malnet, it is a tool that does not directly infect users, but the infrastructure is used to exploit the user to attack. With a botnet, you bring it down by bringing down the command and control (C&C) server, you cannot take down a malnet.”
Blue Coat's research found that search engines are the top malnet entry points (35 per cent), as users search for subjects that the attacker, by stalking them, has determined they are interested in. However, this figure is down roughly five per cent from the beginning of the year, suggesting a growing awareness among users of potentially infected search engine results.
The most prevalent malnet is named Shnakule and has around 5,000 host points and 1,700 infected users. Asked if there was any way to take down a malnet, Van Der Horst said that there was none at all.
He said: “We've done a lot at our end and we are dealing with the authorities, but there are a lot of different problems to deal with, such as working with dozens of countries around the world.”
Van Der Horst also said that there is no intelligence to give insight into who is behind the malnets, but that by taking over controlled machines they could see the bad guys and figure out who was infected.
“It is less about decompiling the payload and more about the information it is using from customers who are hosting it and where it is coming from,” he said.
“Once we have figured that out, we detect and track the malnet as it moves around and tries to evade detection. The best we can do is identify stuff coming from a malicious infection. It is a very difficult process to try and do it.”
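The tracking approach described in the last three paragraphs (following a malnet by the hosting it uses rather than by its payload, and watching it move to new domains) can be illustrated with a small infrastructure-clustering script. This is an added example, not Blue Coat's tooling or data: the resolution records, domain names and IP addresses below are constructed for illustration, and the linking rule (a domain and an IP that appear together in one resolution record belong to the same cluster) is an assumption chosen for the demonstration.

```python
"""Cluster observed domains by shared hosting and follow the cluster as it
rotates to new domains. Illustrative only: all records are constructed."""
from collections import defaultdict

# Constructed observations: (day, domain, resolved_ip). Hypothetical values
# using reserved documentation ranges, not real malnet infrastructure.
OBSERVATIONS = [
    (1, "a-example.invalid", "192.0.2.10"),
    (1, "b-example.invalid", "192.0.2.10"),
    (1, "c-example.invalid", "192.0.2.10"),
    (1, "unrelated.invalid", "198.51.100.5"),
    (2, "d-example.invalid", "192.0.2.10"),   # new domain on a known host
    (2, "c-example.invalid", "192.0.2.12"),   # known domain moves to a new host
    (3, "e-example.invalid", "192.0.2.12"),   # new domain linked via the new host
]


def build_clusters(observations):
    """Union-find over domains and IPs: a domain and an IP seen together in one
    record are linked, so domains sharing hosts (directly or transitively)
    end up in one cluster. Returns a list of {'domains': [...], 'ips': [...]}."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for _, domain, ip in observations:
        union(("domain", domain), ("ip", ip))

    groups = defaultdict(lambda: {"domains": set(), "ips": set()})
    for _, domain, ip in observations:
        root = find(("domain", domain))
        groups[root]["domains"].add(domain)
        groups[root]["ips"].add(ip)
    return [{"domains": sorted(g["domains"]), "ips": sorted(g["ips"])}
            for g in groups.values()]


def cluster_of(clusters, domain):
    """Return the cluster containing `domain`, or None if it was never seen."""
    for cluster in clusters:
        if domain in cluster["domains"]:
            return cluster
    return None


def new_domains_by_day(observations, seed_domain):
    """Track the cluster that contains `seed_domain`: for each day, list the
    member domains first observed that day. This is the 'moving around' view:
    a steady trickle of fresh domains on shared hosts is the signal to watch."""
    cluster = cluster_of(build_clusters(observations), seed_domain)
    members = set(cluster["domains"]) if cluster else set()
    seen, timeline = set(), defaultdict(list)
    for day, domain, _ in sorted(observations):
        if domain in members and domain not in seen:
            seen.add(domain)
            timeline[day].append(domain)
    return dict(timeline)


if __name__ == "__main__":
    for c in build_clusters(OBSERVATIONS):
        print("cluster:", c["domains"], "hosts:", c["ips"])
    print("timeline:", new_domains_by_day(OBSERVATIONS, "a-example.invalid"))
```

On the constructed data the five `*-example.invalid` domains fall into one cluster spanning both hosts, `unrelated.invalid` stays separate, and the timeline shows the cluster gaining one new domain on each of days 2 and 3. In practice the linking rule needs a filter for shared hosting and CDN addresses, otherwise every site on a popular provider would be merged into the same cluster; that false-positive risk is the main caveat when doing this kind of infrastructure tracking.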