The rise – and defense – of malnets

13 February 2012

Blue Coat Systems' 2012 Security Report maps the rise of the modern malnet, describes why it persists, and proposes a defense.

Malnets differ from the better known and more easily understood botnet. Botnets are largely used to push spam and malware outwards to other users; malnets are used to draw users in and infect them. While a botnet is often controlled by a single command server or a small number of them, a malnet uses an entire, fast-changing infrastructure of relay, exploit and payload servers. “The malnet infrastructures enable cybercriminals to launch dynamic attacks that typically are not detected by traditional anti-virus vendors for days or months. In one case in early February 2011, a malware payload changed locations more than 1,500 times in a single day.”

Much of the Blue Coat report is given over to describing how malnets operate and how their dynamic structure makes it difficult for traditional security mechanisms to cope with them. A typical attack uses ‘malvertising’, false advertising that entices users to click. The report's example runs in three stages and usually ends with the installation of fake anti-virus software. First, the criminals set up ad servers and run them entirely legitimately for several months, which earns the servers a ‘good reputation’ with the search engines. Then, at a chosen moment, the servers change the ads they serve so that the ads redirect visitors into the malnet proper. Finally, the malnet infects the redirected users. The point for defenders is that the redirecting server has a clean history at the moment it turns, so a control keyed on that history alone will not catch the switch.

Blue Coat suggests a different approach to defending against malnets. Much traditional security is reactive: wait for the attack, analyze it, and try to stop similar attacks in the future. The nature of malnets makes this almost impossible, because the components being analyzed have moved by the time the analysis is done. Instead, Blue Coat advocates an adaptation of Solera's ‘Negative Day Threat Protection’, an approach that lets an organization determine, after the fact, whether it was infected by an attack before a patch or signature for that attack existed. “Zero Day Threat Detection?” wrote Solera's CTO Joe Levy back in 2008. “A whole lot of good that does when something happened yesterday…”

Blue Coat advocates taking the concept one step further, into ‘negative day attack prevention.’ “In 2012,” says Blue Coat, “nearly two-thirds of all new attacks will come from known malnets. The best protection against these attacks is a negative day defense that can proactively block attacks before they launch.” This relies on understanding the structure of the malnets and mapping the relationships between their existing components, so that a new component can be recognized as soon as it comes online and the source blocked before the attack is launched. The result, claims Blue Coat, is that “it no longer matters whether the payload is a key logger, a worm, a Trojan or some other malware. The traditional tricks that cybercriminals use to obfuscate their attacks no longer matter. The attack type and content don't matter. Zero-day exploits can't impact the network. Payload encryption is pointless.” The caveat a practitioner should keep in mind is that this reasoning only covers infrastructure that can actually be tied to a known malnet through the relationships being mapped; a new component with no observable link to existing malnet infrastructure is not caught by it, and a relationship that is too common (a name server or hosting address shared by thousands of legitimate sites) cannot be used to carry attribution without blocking those sites too.
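The relationship-mapping defense described above, together with the malvertising redirect scenario earlier on this page, can be sketched as a small graph check. The following is an added example written for this article; it is not Blue Coat's or Solera's code, and every domain, IP address, name server, relation and the hub threshold are constructed for illustration. A new domain is attributed to a malnet when it is within two strong relationships (DNS resolution, shared name server, redirect, registrant) of a component already known to belong to one, and a redirect chain is blocked at the first attributed hop, before any payload is fetched. Widely shared infrastructure nodes are not traversed, so one popular name server does not taint every domain using it.

```python
"""Toy 'negative day' malnet defence (added example, not Blue Coat's or
Solera's code).  Maps relationships between infrastructure components,
attributes a never-seen component to a known malnet when it connects to
one, and blocks a redirect chain at the first attributed hop.
All names, addresses and relations below are constructed."""
from collections import defaultdict, deque

# Relations assumed strong enough to carry attribution between components.
STRONG_RELATIONS = {"resolves_to", "uses_ns", "redirects_to", "registrant"}

# A node linked to more than this many others is treated as shared
# infrastructure (a big name server, a CDN address) and is not walked
# through.  The threshold is an assumption chosen for the toy data set.
HUB_DEGREE = 3


class MalnetMap:
    def __init__(self, seed):
        self.known = set(seed)        # components already attributed
        self.adj = defaultdict(set)   # undirected relation graph

    def observe(self, subject, relation, obj):
        """Record one observed relationship between two components."""
        if relation in STRONG_RELATIONS:
            self.adj[subject].add(obj)
            self.adj[obj].add(subject)

    def is_hub(self, node):
        return len(self.adj[node]) > HUB_DEGREE

    def attribute(self, node, max_hops=2):
        """Breadth-first search for a path from `node` to a known malnet
        component, at most `max_hops` relationships long.  Returns the
        path as a list, or None if no attribution is possible."""
        if node in self.known:
            return [node]
        seen = {node}
        queue = deque([[node]])
        while queue:
            path = queue.popleft()
            if len(path) - 1 >= max_hops:
                continue
            for nxt in self.adj[path[-1]]:
                if nxt in seen:
                    continue
                if nxt in self.known:
                    return path + [nxt]
                if self.is_hub(nxt):
                    continue  # never carry attribution through shared infra
                seen.add(nxt)
                queue.append(path + [nxt])
        return None

    def check_redirect_chain(self, chain):
        """Evaluate each hop before it is fetched.  The first hop that can be
        attributed to a malnet is recorded as a new component and the chain
        is blocked there.  Returns (verdict, blocked_hop, attribution_path)."""
        for hop in chain:
            path = self.attribute(hop)
            if path:
                self.known.add(hop)
                return ("block", hop, path)
        return ("allow", None, None)


# Constructed seed: two components already attributed to a malnet.
SEED = {"ip:203.0.113.10", "domain:fakeav-update.example"}

# Constructed observations: (subject, relation, object).
OBSERVATIONS = [
    ("domain:fakeav-update.example", "resolves_to", "ip:203.0.113.10"),
    ("domain:fakeav-update.example", "uses_ns", "ns:ns1.bp-host.example"),
    # A brand-new domain sharing the malnet's small name server.
    ("domain:cheap-ads-now.example", "uses_ns", "ns:ns1.bp-host.example"),
    ("domain:cheap-ads-now.example", "resolves_to", "ip:203.0.113.44"),
    # Benign sites on a popular name server that one malnet domain also uses.
    ("domain:news.example.org", "uses_ns", "ns:ns1.bigdns.example"),
    ("domain:shop.example.org", "uses_ns", "ns:ns1.bigdns.example"),
    ("domain:blog.example.org", "uses_ns", "ns:ns1.bigdns.example"),
    ("domain:wiki.example.org", "uses_ns", "ns:ns1.bigdns.example"),
    ("domain:fakeav-update.example", "uses_ns", "ns:ns1.bigdns.example"),
]


def build_map():
    m = MalnetMap(SEED)
    for subject, relation, obj in OBSERVATIONS:
        m.observe(subject, relation, obj)
    return m


if __name__ == "__main__":
    m = build_map()
    # Ad server with months of clean history turns and redirects into the malnet.
    chain = ["domain:ads-legit.example",
             "domain:cheap-ads-now.example",
             "domain:payload.example"]
    print(m.check_redirect_chain(chain))
```

In the constructed data the ad server's clean history never enters the decision: the chain is blocked at the second hop because that domain shares a small name server with a known malnet component, and the third hop, where the payload would live, is never fetched. The benign sites remain unattributed even though one malnet domain uses the same large name server, because that server exceeds the hub threshold and is not traversed.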
