SecurityWeek

Malware & Threats

A Look at the Ten Largest Malware Delivery Networks

Just like any business, cybercriminals need to be ready to respond to incidents and events that can be beneficial to their businesses. For cybercriminals using malware as the tool of choice for their dark-sided business, ongoing delivery and spreading of their malicious software is critical to a successful and profitable operation. Malware delivery networks are a key component of cybercriminal success and a key link in the malware supply chain.

Malware delivery networks are typically hosted across multiple sites to help evade detection by reputation analysis, and are responsible for launching dynamic attacks on unsuspecting users, often on trusted and reputable sites.

Managing the infrastructure of malware delivery networks takes time and effort so that the network is ready when a news break or celebrity event catches public attention: luring users with a trending topic requires a malware network that is already in place to attack curious Web users searching for information on it.

In its recently released 2011 Mid-Year Web Security Report, Blue Coat Systems highlighted the 10 largest malware delivery networks. These ten networks are just a fraction of the nearly 400 unique malware delivery networks watched by Blue Coat Security Labs during the first half of 2011.

Top Malware Delivery Networks

According to Blue Coat, “Shnakule” was the leading malware delivery network, both by size and effectiveness in the first half of 2011. On average during that period, Shnakule had 2,000 unique host names per day with a peak of more than 4,300 per day. It also proved the most effective in terms of luring users in, with an average of more than 21,000 requests and as many as 51,000 requests in a single day. Shnakule is a broad-based malware delivery network whose malicious activities include drive-by downloads, fake anti-virus and codecs, fake flash and Firefox updates, fake warez, and botnet/command and controls. Interrelated activities include pornography, gambling, pharmaceuticals, link farming, and work-at-home scams.

Not only is Shnakule far reaching as a standalone malware delivery network, it also contains many large component malware delivery networks. Ishabor, Kulerib, Rabricote and Albircpana, which all appear on the top 10 list of largest malware delivery networks, are actually components of Shnakule and extend its malicious activities to gambling-themed malware and suspicious link farming.

Malware Delivery Network

How does malware spread? From what Blue Coat observed in the first half of 2011, search engine poisoning was the most popular malware vector. With nearly 40 percent of all malware incidents, Search Engines and Portals were the entry point into malware delivery networks during the period.
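The report's headline figures above, unique host names per day and requests per day for a delivery network, plus the share of incidents entering via search engines and portals, are aggregates a defender can compute from their own web-proxy logs. The following Python is an added example, not Blue Coat's or SecurityWeek's code; the log format, host names, dates and the list of search-engine/portal referrers are all constructed for illustration. The "new_hosts" column is the defender's view of the multi-site hosting described earlier: a network that rotates host names to stay ahead of reputation scoring shows a steady stream of never-before-seen hosts.

```python
"""Derive per-day delivery-network metrics and the search-engine entry share
from web-proxy log lines (added example; all data below is constructed)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log, one request per line:
# <ISO timestamp> <client ip> <requested host> <referring host or -> <verdict>
SAMPLE_LOG = """\
2011-03-01T09:15:02 10.0.0.5 cdn-a.mdn.test www.search-engine.test malware
2011-03-01T09:15:09 10.0.0.5 cdn-b.mdn.test cdn-a.mdn.test malware
2011-03-01T10:02:44 10.0.0.7 cdn-a.mdn.test news.portal.test malware
2011-03-01T11:40:01 10.0.0.9 www.legit-site.test - clean
2011-03-02T08:01:13 10.0.0.5 cdn-c.mdn.test www.search-engine.test malware
2011-03-02T08:01:20 10.0.0.8 cdn-c.mdn.test www.search-engine.test malware
2011-03-02T12:30:00 10.0.0.8 cdn-d.mdn.test cdn-c.mdn.test malware
2011-03-02T12:31:05 10.0.0.8 cdn-e.mdn.test - malware
"""

# Constructed set of referrers treated as the "Search Engines and Portals" category.
SEARCH_AND_PORTAL_HOSTS = {"www.search-engine.test", "news.portal.test"}


def parse_log(log_text):
    """Yield (date, client, host, referrer, verdict) tuples, skipping blank lines."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, referrer, verdict = line.split()
        yield datetime.fromisoformat(ts).date(), client, host, referrer, verdict


def daily_metrics(log_text):
    """Per day, for requests the proxy classified as malware: distinct host
    names, host names not seen on any earlier day, and request count."""
    hosts_by_day = defaultdict(set)
    requests_by_day = defaultdict(int)
    for day, _client, host, _ref, verdict in parse_log(log_text):
        if verdict != "malware":
            continue
        hosts_by_day[day].add(host)
        requests_by_day[day] += 1
    seen = set()
    result = {}
    for day in sorted(hosts_by_day):
        new_hosts = hosts_by_day[day] - seen
        seen |= hosts_by_day[day]
        result[day.isoformat()] = {
            "hosts": len(hosts_by_day[day]),
            "new_hosts": len(new_hosts),
            "requests": requests_by_day[day],
        }
    return result


def average_and_peak(metrics, key):
    """Average and peak of one metric over the observed days, the shape in
    which the report states 'N per day on average with a peak of M'."""
    values = [row[key] for row in metrics.values()]
    return sum(values) / len(values), max(values)


def search_entry_share(log_text):
    """Fraction of malware requests whose referrer was a search engine or
    portal. Requests referred from another host of the delivery network are
    hops in the redirect chain, not entry points, so they count only in the
    denominator."""
    total = entries = 0
    for _day, _client, _host, referrer, verdict in parse_log(log_text):
        if verdict != "malware":
            continue
        total += 1
        if referrer in SEARCH_AND_PORTAL_HOSTS:
            entries += 1
    return entries / total if total else 0.0


if __name__ == "__main__":
    metrics = daily_metrics(SAMPLE_LOG)
    for day, row in metrics.items():
        print(day, row)
    print("hosts/day (avg, peak):", average_and_peak(metrics, "hosts"))
    print("requests/day (avg, peak):", average_and_peak(metrics, "requests"))
    print("search/portal entry share: %.0f%%" % (100 * search_entry_share(SAMPLE_LOG)))
```

Point the script at a real proxy export (after mapping its columns onto the five fields above) and the same functions give the per-network numbers the report quotes; grouping by the network a host belongs to, rather than by day alone, is a one-line change to the dictionary key.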

“Web-based malware has become so dynamic that it is nearly impossible to protect every user from every new attack with traditional defenses,” said Steve Daheb, chief marketing officer and senior vice president at Blue Coat Systems.

Blue Coat’s report examines the interactions of malware ecosystems, including user behavior, malware hosting sites and delivery networks, and is available in PDF format here. The data in the report comes from over 75 million users of its WebPulse collaborative cloud defense solution, which rates and analyzes nearly 3 billion real-time URL requests per week.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is founder and director of several leading cybersecurity industry conferences around the world.