Malnets differ from the better known and more easily understood botnet. Botnets are largely used to push spam and malware outwards to other users; malnets are used to draw users in and infect them. While botnets are often controlled by a single command server or a small number of them, malnets use entire fast-changing infrastructures. “The malnet infrastructures enable cybercriminals to launch dynamic attacks that typically are not detected by traditional anti-virus vendors for days or months. In one case in early February 2011, a malware payload changed locations more than 1,500 times in a single day.”
Much of the Blue Coat report is given over to describing how malnets operate and how their dynamic structure makes it difficult for traditional security mechanisms to cope with them. A typical attack could use ‘malvertising’, the use of false advertising to entice users. This will frequently involve three stages and often tries to install fake anti-virus malware. First, the criminals establish legitimate ad servers and run them perfectly legally for several months. This establishes a ‘good reputation’ with the search engines. At a set point, these servers change the nature of the ads they serve, now redirecting users into the malnet proper for infection.
Blue Coat suggests a new approach to defend against malnets. Much of our traditional security is reactive: wait for the attack, analyze it, and try to stop similar attacks in the future. The nature of malnets makes this almost impossible. Instead, Blue Coat advocates an adaptation of Solera’s ‘Negative Day Threat Protection’, a process that allows you to see if you were infected before a patch is released. “Zero Day Threat Detection?” wrote Solera’s CTO Joe Levy back in 2008. “A whole lot of good that does when something happened yesterday…”
Blue Coat advocates taking the concept one step further, into ‘negative day attack prevention.’ “In 2012,” says Blue Coat, “nearly two-thirds of all new attacks will come from known malnets. The best protection against these attacks is a negative day defense that can proactively block attacks before they launch.” This relies on understanding the structure of the malnets and mapping the relationships between existing components, so that new components can be recognized as soon as they come online and the source blocked before the attack is launched. The result, claims Blue Coat, is that “it no longer matters whether the payload is a key logger, a worm, a Trojan or some other malware. The traditional tricks that cybercriminals use to obfuscate their attacks no longer matter. The attack type and content don’t matter. Zero-day exploits can’t impact the network. Payload encryption is pointless.”
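The infrastructure-mapping idea behind this “negative day” defense can be illustrated with a small graph: link every known malnet component (domain, hosting IP, name server) to the components it shares, then treat a newly observed domain that attaches to that infrastructure as part of the malnet before it ever serves a payload. The following is an added example written for this article; it is not code from Blue Coat, Solera or the report, and all records, domain names, IP addresses, the seed list and the shared-hosting threshold are constructed assumptions in the style of passive-DNS data.

```python
from collections import defaultdict, deque

# Constructed sample records: (domain, hosting IP, authoritative name server).
# Hypothetical values only; none of this comes from the Blue Coat report.
OBSERVATIONS = [
    ("ads-known-bad.example", "203.0.113.10", "ns1.bad-ns.example"),
    ("redirector.example",    "203.0.113.10", "ns1.bad-ns.example"),
    ("payload-host.example",  "198.51.100.7", "ns1.bad-ns.example"),
    ("innocent-shop.example", "192.0.2.44",   "ns1.hoster.example"),
    ("innocent-blog.example", "192.0.2.45",   "ns1.hoster.example"),
    # A busy shared-hosting IP with one bad tenant among many unrelated sites.
    ("tenant-bad.example",    "192.0.2.99",   "ns1.bad-ns.example"),
] + [
    (f"tenant-{i}.example", "192.0.2.99", "ns1.hoster.example") for i in range(60)
]

# Components already confirmed as malnet infrastructure (assumed seed).
SEED_MALNET = {"ads-known-bad.example"}

# A pivot (IP or name server) shared by more than this many nodes is treated
# as ordinary shared hosting and not used to propagate the malnet label.
SHARED_HOST_DEGREE = 50


def build_graph(observations):
    """Undirected graph: each domain is linked to its hosting IP and name server."""
    graph = defaultdict(set)
    for domain, ip, ns in observations:
        for a, b in ((domain, ip), (domain, ns)):
            graph[a].add(b)
            graph[b].add(a)
    return graph


def usable_pivot(graph, node):
    """Refuse to pivot through very busy nodes (shared hosting, big DNS providers)."""
    return len(graph[node]) <= SHARED_HOST_DEGREE


def expand_malnet(graph, seeds, max_hops=2):
    """Breadth-first walk from the seeds; returns {node: hops from nearest seed}.

    Two hops reaches seed -> shared IP or name server -> sibling domain.
    """
    dist = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        node = queue.popleft()
        if dist[node] >= max_hops:
            continue
        for nbr in graph[node]:
            if nbr in dist or not usable_pivot(graph, nbr):
                continue
            dist[nbr] = dist[node] + 1
            queue.append(nbr)
    return dist


def classify_new(graph, labelled, domain, ip, ns):
    """Decide on a domain seen for the first time, before it serves anything.

    Returns ("block", reason) if it attaches to labelled malnet infrastructure
    through a usable pivot, otherwise ("allow", None).
    """
    for pivot, kind in ((ip, "hosting IP"), (ns, "name server")):
        if pivot in labelled and usable_pivot(graph, pivot):
            return "block", f"{domain} shares {kind} {pivot} with known malnet"
    return "allow", None


if __name__ == "__main__":
    g = build_graph(OBSERVATIONS)
    known = expand_malnet(g, SEED_MALNET)
    for node, hops in sorted(known.items(), key=lambda kv: kv[1]):
        print(f"{hops} hop(s): {node}")
    # Two hypothetical first-time sightings: one on malnet DNS, one on shared hosting.
    print(classify_new(g, known, "fresh-ad.example", "198.51.100.7", "ns1.bad-ns.example"))
    print(classify_new(g, known, "new-shop.example", "192.0.2.99", "ns1.hoster.example"))
```

The degree cut-off is the part a practitioner cares about most: without it, a single bad tenant on a large shared host would drag every unrelated site on that IP into the block list, which is exactly the false-positive problem that makes pure IP-reputation blocking unpopular. In practice the same walk would be re-run on every new passive-DNS or hosting observation, so a domain is labelled at the moment it attaches to the malnet rather than after its first victim.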