Cybercriminals reinforcing malicious operations with stronger infrastructure
In many ways, cybercrime and network protection are two sides of the same coin. The experts dedicated to each activity are always looking for ways to strengthen the base of their operations and detect loopholes and liabilities before their counterparts do. So as technical components and analytics capabilities continue to evolve in the commercial market, it makes sense that hackers would incorporate these innovations into their own operations as well. The only surprising part, according to the latest report from Blue Coat Systems, is how quickly these malicious programmers are working to bolster the infrastructure that supports their cybercrime campaigns.
Blue Coat Internet security researchers have been tracking the evolution of some of the world's largest malware networks, or malnets, for more than a year. Aside from the impressive maturation of these systems, there has also been a significant jump in volume. Blue Coat Security Labs are currently monitoring more than 1,500 unique malnets, representing a 200 percent increase from just six months earlier.
As a result, analysts anticipate that two-thirds of all 2012 web attacks will be traced back to these crimeware networks.
Anatomy of an attack
By analyzing these malnets, instead of immediately attempting to intervene, Blue Coat experts hope to gain a better blueprint of how attacks are triggered. So far, the team has already been able to pass on several detailed insights to Internet security professionals.
According to the report, cybercriminals must first focus on building out their malevolent infrastructure. This typically includes amassing thousands of unique domain names, servers and websites to help draw users into the crosshairs. In an interview with InformationWeek, Blue Coat's Tim van der Horst suggested that the largest malnet currently under observation, Shnakule, boasts as many as 5,000 malicious hosts when operating at maximum capacity.
Once they are confident that they have a solid foundation in place, cybercriminals begin performing reconnaissance missions to help pinpoint the behaviors of potential targets. According to the report, hackers tend to stalk users frequenting digital "watering holes" such as search engines and social media sites. And not unlike brand ambassadors and marketing managers, they are turning to advanced analytics applications to monitor activity on these platforms and inform their engagement strategies. The only difference, of course, is that hackers are hoping users will click on a far more dubious payload.
Most often, cybercriminals will exploit the vulnerabilities uncovered during reconnaissance campaigns to infiltrate machines and plant Trojans that report back to a commanding botnet. According to the report, it is not uncommon for each malnet to store the seeds of several different botnets and disseminate each version at random. In the InformationWeek interview, van der Horst also noted that this concept of variety extends to the style of traps hackers lay. Shnakule tricks users with everything from fake antivirus and browser updates to banner ads posted on adult websites.
Once users take the bait and their devices fall under the command of malicious programmers, the compromised machines then work at the malnet's bidding, effectively making it a self-perpetuating entity.
"This vicious cycle makes it impossible to eliminate the botnet threat if you haven't first solved the malnet problem," van der Horst explained. "Breaking the malnet cycle should be the primary focus of the security industry, yet most security solutions are still focused solely on identifying the malware payload rather than the infrastructure that is delivering it."
Selecting a treatment strategy
To stand tall in the face of these emerging threats, corporate IT teams can purchase malnet intelligence from specialists such as Blue Coat that can reveal the distinguishing factors and possible traps companies should be looking out for. But for companies that have little room for niche consulting projects in their technology budgets, effective employee education initiatives are at least a step in the right direction. From keeping end users abreast of the latest social engineering attacks that could turn up in their inboxes to implementing policies that restrict the trafficking of mission-critical information across public platforms, there are several easy and affordable ways to limit risk.
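The report's argument, and the malnet intelligence feeds mentioned above, both come down to matching traffic against the delivery infrastructure rather than against individual payloads. The following is an added illustration of that idea, not code from Blue Coat or from the report: it walks a few constructed proxy log lines, matches each requested hostname against a constructed feed that maps domains to malnet labels (the `.invalid` hostnames and `malnet-A`/`malnet-B` labels are placeholders, not real indicators), and groups the hits per malnet so an analyst can see which infrastructure cluster a set of clients has been touching. Matching walks up the parent domains, so a freshly registered subdomain of a known malnet domain is caught without a feed update.

```python
"""Infrastructure-level matching of proxy logs against a malnet feed.

Added example for this article; not Blue Coat's code. The feed and the
log lines below are constructed sample data with placeholder hostnames.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed intelligence feed: domain (or parent domain) -> malnet label.
MALNET_FEED = {
    "example-malnet-a.invalid": "malnet-A",
    "cdn-example-malnet-a.invalid": "malnet-A",
    "example-malnet-b.invalid": "malnet-B",
}

# Constructed proxy log lines: "<timestamp> <client_ip> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2012-06-01T10:00:01Z 10.0.0.5 GET http://www.example.com/index.html 200
2012-06-01T10:00:07Z 10.0.0.5 GET http://update.example-malnet-a.invalid/av.exe 200
2012-06-01T10:01:12Z 10.0.0.9 GET http://ads.cdn-example-malnet-a.invalid/banner.js 200
2012-06-01T10:02:40Z 10.0.0.7 POST http://example-malnet-b.invalid/gate.php 200
2012-06-01T10:03:05Z 10.0.0.5 GET http://www.example.org/ 304
"""


def parse_proxy_line(line):
    """Return (timestamp, client_ip, hostname) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, _method, url, _status = parts
    host = urlsplit(url).hostname
    if not host:
        return None
    return ts, client, host.lower()


def malnet_for_host(host, feed=MALNET_FEED):
    """Match a hostname against the feed by exact name or any parent domain.

    Checking each parent domain means new subdomains of a listed malnet
    domain are flagged too, which is what blocking the infrastructure
    rather than a single payload URL buys you.
    """
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return feed[candidate]
    return None


def correlate(log_text, feed=MALNET_FEED):
    """Group hits per malnet: {label: {"hosts": set, "clients": set, "count": int}}."""
    hits = defaultdict(lambda: {"hosts": set(), "clients": set(), "count": 0})
    for line in log_text.splitlines():
        parsed = parse_proxy_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole pass
        _ts, client, host = parsed
        label = malnet_for_host(host, feed)
        if label is None:
            continue
        entry = hits[label]
        entry["hosts"].add(host)
        entry["clients"].add(client)
        entry["count"] += 1
    return dict(hits)


if __name__ == "__main__":
    for label, entry in sorted(correlate(SAMPLE_PROXY_LOG).items()):
        print(label, entry["count"], sorted(entry["hosts"]), sorted(entry["clients"]))
```

In practice the feed would be the purchased or community intelligence list and the log source the organization's proxy or DNS resolver; the per-client grouping is what turns a block-list hit into a list of machines to pull for cleanup.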
So while industry authorities may have to be the ones conducting the heavy lifting required to identify and address the cause, every company can work on treating the symptoms and establishing the conditions for a healthy network environment.
Security News from SimplySecurity.com by Trend Micro