Malnet, threat based on social networks

The malnet concept, absent for now from Wikipedia, is the name that some companies give to the social networks and infrastructures organized by cybercriminals in order to carry out massive attacks on the market and affect the largest possible number of users.

by Osvaldo Callegari*


It is expected that by mid-2013 these malware network infrastructures will be responsible for more than two-thirds of cyberattacks. The method cybercriminals use is a continuous process in which people fall for a deception, are infected with malware, and are then used as a bridge to infect others, forming a kind of social network.

This process is called a vicious circle and, according to the company Blue Coat, it unfolds in five (5) stages.

The malnet brings the malware to the user and infects the computer with a Trojan; the computer now belongs to a botnet, and it recruits new users into the malnet by sending spam from the infected machine to every contact in that user's address book. Once a system is infected, it is used to steal confidential information or money from the victim, and in some cases it also serves as a starting point for attacks on neighboring computers on the same network.

Malnets expand organically in a self-perpetuating process, and they are refined as the vicious circle progresses. The way users behave online, for example while gaming, works in the attackers' favor: the attacks exploit the users' trust. The tricks used to extract information are many.

Stages in the building of a malnet:
Stage 1: Build the infrastructure
Blue Coat Security Labs currently tracks over 1,500 distinct malnets, a 200% increase in the last six months alone. The goal of most of these attacks is to induce users to hand over sensitive or financial information, or even money.

Like any business, malnets take advantage of the vast reach of the Internet and global connectivity to steer users to their sites by various means. They do this through an infrastructure made up of several thousand domains, servers and purpose-built websites, which work together to funnel users toward a malware payload.

This infrastructure of relay and exploit servers allows malnet operators to quickly launch new attacks, tailored to attract potential victims, before security technologies can identify and block them.

Malnets usually rely on two types of attack. The first type requires the user to click a link, as in search engine poisoning, social media, spam and pornography lures.

The second type uses drive-by downloads to infect computers whose browsers are missing security patches. In this case, which is common in malvertising (malicious advertising) attacks, the user does not need to click anything for the infection to occur.

Each attack uses different decoys and trusted sites to deceive users. In some cases the threat is not delivered by the relay servers themselves: the victim is redirected to an exploit server, which probes the system and its applications for vulnerabilities. When one is found, the malware payload is delivered.
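The relay-then-exploit-server funnel described above leaves a characteristic trace in web proxy logs: a single client hopping through several unrelated domains within seconds and finishing with an executable download. The following Python example, added here and not taken from the article or from Blue Coat's documentation, runs that check over a few constructed log lines. The log format, the hostnames, the executable content-type list, the two-hop threshold and the "last two labels" approximation of a registered domain are all assumptions made for the example.

```python
"""Flag redirect chains in proxy logs that resemble a malnet funnel:
lure page -> one or more relay hosts -> exploit host that returns an
executable. Log format, thresholds and hostnames are assumptions made for
this example; this is not Blue Coat's detection logic."""
from collections import defaultdict, namedtuple
from urllib.parse import urlparse

# Constructed sample log. Assumed format (one request per line):
#   time client method url status referer content-type   ("-" = no Referer)
LOG = """\
10:01:02 10.0.0.5 GET http://search.example.com/results?q=buying+gold+online 200 - text/html
10:01:05 10.0.0.5 GET http://cheap-gold-deals.example.net/page.html 302 http://search.example.com/results?q=buying+gold+online text/html
10:01:05 10.0.0.5 GET http://rl7.relay-hop.example.org/r?x=1 302 http://cheap-gold-deals.example.net/page.html text/html
10:01:06 10.0.0.5 GET http://x9k2.exploit-host.example.biz/kit.php 200 http://rl7.relay-hop.example.org/r?x=1 text/html
10:01:08 10.0.0.5 GET http://x9k2.exploit-host.example.biz/load.exe 200 http://x9k2.exploit-host.example.biz/kit.php application/x-msdownload
10:02:00 10.0.0.7 GET http://news.example.com/ 200 - text/html
10:02:03 10.0.0.7 GET http://news.example.com/story/1 301 http://news.example.com/ text/html
10:02:03 10.0.0.7 GET http://www.news.example.com/story/1 200 http://news.example.com/story/1 text/html
"""

Request = namedtuple("Request", "ts client url status referer ctype")

# Content types that indicate a native executable was delivered (assumed list).
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec",
                    "application/octet-stream"}


def parse_log(text):
    """Parse the assumed log format into Request records."""
    requests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, status, referer, ctype = line.split()
        requests.append(Request(ts, client, url, int(status),
                                None if referer == "-" else referer, ctype))
    return requests


def site(url):
    """Approximate the registered domain as the last two host labels.
    Good enough for the sample; real deployments should use the Public Suffix List."""
    host = urlparse(url).hostname or ""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def find_chains(requests):
    """Split each client's requests into chains. A request continues the
    current chain when the previous response was a 3xx redirect or when its
    Referer is the previous request's URL; otherwise a new chain starts."""
    by_client = defaultdict(list)
    for r in sorted(requests, key=lambda r: r.ts):
        by_client[r.client].append(r)
    chains = []
    for reqs in by_client.values():
        chain = []
        for r in reqs:
            linked = chain and (chain[-1].status // 100 == 3 or r.referer == chain[-1].url)
            if chain and not linked:
                chains.append(chain)
                chain = []
            chain.append(r)
        if chain:
            chains.append(chain)
    return chains


def suspicious_chains(requests, min_hops=2):
    """Return chains that cross at least `min_hops` site boundaries and end in
    an executable download: the lure -> relay -> exploit-server funnel."""
    alerts = []
    for chain in find_chains(requests):
        sites = []
        for r in chain:
            s = site(r.url)
            if not sites or sites[-1] != s:
                sites.append(s)
        hops = len(sites) - 1
        if hops >= min_hops and chain[-1].ctype in EXECUTABLE_TYPES:
            alerts.append({"client": chain[0].client, "hops": hops,
                           "sites": sites, "payload": chain[-1].url})
    return alerts


if __name__ == "__main__":
    for a in suspicious_chains(parse_log(LOG)):
        print(f"{a['client']}: {' -> '.join(a['sites'])} ({a['hops']} hops), payload {a['payload']}")
```

On the sample, the client that followed the poisoned "buying gold online" result is reported with three site hops ending in load.exe, while the client that merely followed a legitimate 301 to www stays on one site and produces no alert. In practice the same chain logic can also feed a "watch" list for multi-hop chains that end without an executable, since drive-by kits may deliver through a plug-in rather than a plain download.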

Stage 2: Deceiving users

Getting the user to click a link is the starting point; the larger the audience, the more effective the attack. Sites that draw many people with varied interests are where such false links are most likely to be followed, which makes them ideal for malnet attacks.

Whether they are researching with a search engine or following friends' recommendations on social networking sites, that predisposition makes users vulnerable to malnet attacks. For companies, understanding how employees behave when they browse helps identify the behaviors that make them most vulnerable.

With that understanding, they can establish policies that mitigate those risks. Malnets (malware networks) are distributed infrastructures within the Internet that cybercriminals create, manage and maintain in order to launch continuous attacks against unsuspecting users over prolonged periods.

Search engines continue to dominate Internet requests, because users rely on them as their primary way of locating and reaching content. As the most visited content category, they are of great value to malnets.

In fact, many malnets are dedicated specifically to search engine poisoning. Blocking search engines is not feasible, so companies should take an educational approach with their employees.

Requests to social media sites declined by nearly two percentage points over the past six months. This may reflect a greater tendency to access these sites through mobile apps rather than through the Web. Still, social media remains a crowded corner of the Internet and a place where users are easily attacked.

Requests for audio/video clips nearly doubled over the past six months, reflecting the strong trend toward rich multimedia content. Video continues to consume more and more Internet bandwidth.

With the increase in video traffic, proven social engineering tricks such as fake video codecs are more likely to lure users into downloading malware.

The continued increase in non-visible requests is a clear sign that tracking of user behavior on the Internet is increasingly common. This content category covers web analytics, visitor tracking and reporting sites. In six months, its share of requests nearly doubled.

The growth of analytics and monitoring of legitimate users is a privacy problem that should concern both Internet users and those responsible for protecting them. Tracking online behavior not only gives advertising agencies more information about users, it also gives cybercriminals detailed information with which to attack those same users. Note that cybercriminals do not obtain this data from the legitimate analytics and tracking sites, but through their own tools.

Stage 3: Launch attacks
Malnet operators use the infrastructure of relay and exploit servers, together with their knowledge of user behavior, to quickly launch new attacks that deliver dynamic malware payloads.

Launching an attack starts with the threat vector, the entry point into the malnet. These entry points generally have one of two characteristics: they are applications that are easy to abuse, as with email, or they are places that many people visit, such as search engines.

Search engines, through search engine poisoning, remain the main entry point by which malnets direct users to malware (more than 35% of the time). This is down nearly five percent since the beginning of the year, which suggests that users are more aware that search results may be poisoned.

To poison them, cybercriminals are not targeting breaking news or big events. Instead, they relentlessly attack random search terms that can best be described as the "long tail" of the Internet. The goal of these attacks is not to reach a million people with a single search term, but to reach a million people with a million different search terms.

The recent 2012 Olympic Games showed that cybercriminals have little success when they target big events. Of the more than 28,000 successful search engine poisoning attacks recorded in the weeks leading up to the Olympics and during the 13 days of the event itself, only 52 (0.18%) were related to it.

Mostly it was harmless terms, such as "horses retired from the Greyville race in the gold cup" or "buying gold online", that convinced users to click the malicious link and sent them to the malware. As a threat vector, email and pornography continue to account for roughly the same share of malnet attacks as before: just over 11% and about 4%, respectively.

[Figure: Main entry points for malnets. Values recoverable from the page: search engines 35.3%, unranked content 10.9%, email just over 11%, pornography about 4%.]

Three rules of thumb for evaluating search results:
1) Avoid results that appear to be hosted in other countries, for example .IN, .RU or .TK, unless your search is related to that country.

2) Avoid results whose text looks odd, as if it had been written by a machine.

3) If a result looks suspicious, choose one of the other results instead, from a site you already know.
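The three rules above can be turned into a small triage pass over search results. The Python below is an added example (not from the article, and not how any search engine or Blue Coat product works); the sample results, the stop-word list, the stuffing and gibberish thresholds, and the `query_country` and `known_sites` parameters are assumptions made for it. It goes slightly beyond the text by treating keyword stuffing, as well as gibberish tokens, as a sign of machine-generated text, since poisoned landing pages commonly show one or the other.

```python
"""Triage search results with the three rules above: flag foreign
country-code TLDs (unless the query is about that country) and snippets that
look machine-generated, then fall back to a result from a site the user
already knows. Thresholds, the TLD list and the sample results are
assumptions made for this example, not the article's own data."""
import re
from collections import Counter
from urllib.parse import urlparse

# The TLDs the article names; anything beyond these is local policy.
FOREIGN_TLDS = {"in", "ru", "tk"}
STOPWORDS = {"a", "an", "and", "the", "of", "to", "in", "for", "on", "is", "with"}
WORD = re.compile(r"[a-z0-9']+")
NO_VOWELS = re.compile(r"^[^aeiouy]+$")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{5,}")

# Constructed sample results (all hostnames are example.* placeholders).
SAMPLE_RESULTS = [
    {"url": "https://www.example.com/gold/how-to-buy",
     "snippet": "A guide to buying gold online safely, with tips on dealers and storage."},
    {"url": "http://gold-buy-cheap.example.tk/index.php",
     "snippet": "buy gold online gold buy online cheap gold buy gold online now"},
    {"url": "http://zxqwkvptr.example.ru/news",
     "snippet": "Greyville gold cup horses retired results qpwxz mnbvcxz ghjkl"},
    {"url": "https://shop.example.in/gold",
     "snippet": "Gold coins and bars from an Indian dealer with delivery across India."},
]


def looks_machine_generated(text, stuffing_share=0.3, gibberish_share=0.3):
    """Two cheap heuristics for SEO-poisoning text: keyword stuffing (one
    non-stopword makes up a large share of the words) and gibberish tokens
    (no vowels at all, or a run of five or more consonants)."""
    words = WORD.findall(text.lower())
    if len(words) < 4:
        return False
    content = [w for w in words if w not in STOPWORDS]
    if content:
        top = Counter(content).most_common(1)[0][1]
        if top / len(content) > stuffing_share:
            return True
    gibberish = [w for w in words
                 if len(w) > 3 and (NO_VOWELS.match(w) or CONSONANT_RUN.search(w))]
    return len(gibberish) / len(words) > gibberish_share


def tld_of(url):
    """Last label of the hostname, lower-cased."""
    host = urlparse(url).hostname or ""
    return host.rsplit(".", 1)[-1].lower()


def triage(results, query_country=None, known_sites=()):
    """Annotate each result with the reasons it was flagged (empty = looks fine).
    `results` is a list of {"url": ..., "snippet": ...}; `known_sites` holds
    hostnames the user already trusts (rule 3); `query_country` is the ccTLD
    of a country the search is actually about, if any (rule 1 exception)."""
    report = []
    for r in results:
        reasons = []
        host = urlparse(r["url"]).hostname or ""
        tld = tld_of(r["url"])
        if tld in FOREIGN_TLDS and tld != query_country:
            reasons.append(f"foreign TLD .{tld}")
        if looks_machine_generated(r["snippet"]):
            reasons.append("machine-generated text")
        report.append({"url": r["url"], "known": host in known_sites, "reasons": reasons})
    return report


def safe_choices(results, query_country=None, known_sites=()):
    """Rule 3: the unflagged URLs, with already-known sites listed first."""
    unflagged = [x for x in triage(results, query_country, known_sites) if not x["reasons"]]
    return [x["url"] for x in sorted(unflagged, key=lambda x: not x["known"])]


if __name__ == "__main__":
    for entry in triage(SAMPLE_RESULTS, known_sites={"www.example.com"}):
        print(entry["url"], "->", ", ".join(entry["reasons"]) or "ok")
```

On the sample, the .tk result is flagged for both its TLD and keyword stuffing, the .ru result for its TLD and gibberish tokens, and the .in result only for its TLD, which disappears once the caller states that the query is about India. The heuristics are deliberately cheap and will misfire on some legitimate pages (product codes, non-English snippets), so they belong in a warning overlay or user training material, not in a blocking control; as the article notes, blocking search engines outright is not an option.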

The biggest change seen in the last eight months was the decline in social media (from 6.48% of all attacks to just over 1%). The exact reason for this decline is not known, but it is attributed in part to greater awareness among social media users and a firmer grip on malicious content by the social media companies themselves.

One of the features that makes malnets a major security challenge is that they are structured to run multiple attacks at any given time. While a large search engine poisoning attack targets millions of terms across different topics, a spam attack can send millions of emails.

Each attack uses different decoys and trusted sites to trick users. We may be facing the greatest of threats: one that brings massive attacks to millions of users on social networks.

Thanks to Blue Coat for the documentation used in this case study. The brands and names mentioned are trademarks and registered names of their respective companies.

*If you wish, you can write to the author of this article for queries or concerns to [email protected]

Author: Santiago Jaramillo
Editor
A social communicator and journalist with more than 15 years of experience in digital and print media, Santiago Jaramillo was Editor of the magazine "Ventas de Seguridad" between 2013 and 2019.
