
A Look at the Ten Largest Malware Delivery Networks

Just like any business, cybercriminals need to be ready to respond to incidents and events that can be beneficial to their businesses. For cybercriminals utilizing malware as a tool of choice for their dark-sided business, ongoing delivery and spreading of their malicious software is critical to a successful and profitable operation. Malware delivery networks are a key component of cybercriminal success, and a key component in the malware supply chain.

Malware delivery networks are typically hosted across multiple sites to help evade detection by reputation analysis, and are responsible for launching dynamic attacks on unsuspecting users, often on trusted and reputable sites.

Managing the infrastructure of malware delivery networks requires time and effort. To capitalize on a news break or celebrity event that catches public attention, a tactic used to lure victims, the operators need a malware network that is ready to attack curious Web users looking for information on a trending topic.

In its recently released 2011 Mid-Year Web Security Report, Blue Coat Systems highlighted the 10 largest malware delivery networks. These ten networks are just a fraction of the nearly 400 unique malware delivery networks watched by Blue Coat Security Labs during the first half of this year.

Top Malware Delivery Networks

According to Blue Coat, “Shnakule” was the leading malware delivery network, both by size and effectiveness in the first half of 2011. On average during that period, Shnakule had 2,000 unique host names per day with a peak of more than 4,300 per day. It also proved the most effective in terms of luring users in, with an average of more than 21,000 requests and as many as 51,000 requests in a single day. Shnakule is a broad-based malware delivery network whose malicious activities include drive-by downloads, fake anti-virus and codecs, fake flash and Firefox updates, fake warez, and botnet/command and controls. Interrelated activities include pornography, gambling, pharmaceuticals, link farming, and work-at-home scams.

Not only is Shnakule far reaching as a standalone malware delivery network, it also contains many large component malware delivery networks. Ishabor, Kulerib, Rabricote and Albircpana, which all appear on the top 10 list of largest malware delivery networks, are actually components of Shnakule and extend its malicious activities to gambling-themed malware and suspicious link farming.

Malware Delivery Network

How does malware spread? From what Blue Coat observed in the first half of 2011, search engine poisoning was the most popular malware vector. With nearly 40 percent of all malware incidents, search engines and portals were the entry point into malware delivery networks during the period.
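The two kinds of measurement the report relies on, the number of distinct hostnames a delivery network exposes per day (with its peak) and the share of malware requests whose referrer was a search engine or portal, can be reproduced by a defender over their own Web proxy logs. The script below is an added example, not Blue Coat's or WebPulse's code; the log lines, the hostnames ending in .invalid, the search.example/portal.example referrer list and the "malware"/"clean" verdict column are all constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic): day, client, referrer URL,
# requested host, verdict assigned by the proxy's own URL categorizer.
SAMPLE_LOG = """\
2011-03-01 10.0.0.5 http://search.example/?q=celebrity+news bad-a.invalid malware
2011-03-01 10.0.0.6 http://search.example/?q=celebrity+news bad-b.invalid malware
2011-03-01 10.0.0.7 http://news.example/story bad-a.invalid malware
2011-03-01 10.0.0.8 - shop.example clean
2011-03-02 10.0.0.5 http://portal.example/home bad-c.invalid malware
2011-03-02 10.0.0.9 http://search.example/?q=free+codec bad-c.invalid malware
2011-03-02 10.0.0.9 http://mail.example/inbox bad-d.invalid malware
2011-03-02 10.0.0.3 http://news.example/story bad-e.invalid malware
2011-03-02 10.0.0.2 - news.example clean
"""

# Assumed list of hosts that count as "search engine or portal" entry points.
SEARCH_PORTAL_HOSTS = {"search.example", "portal.example"}


def parse_log(text):
    """Split whitespace-separated log lines into dicts; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, client, referrer, host, verdict = line.split()
        rows.append({"day": day, "client": client, "referrer": referrer,
                     "host": host, "verdict": verdict})
    return rows


def daily_unique_hosts(rows):
    """Distinct malware-serving hostnames seen per day (the report's 'size' metric)."""
    per_day = defaultdict(set)
    for r in rows:
        if r["verdict"] == "malware":
            per_day[r["day"]].add(r["host"])
    return {day: len(hosts) for day, hosts in per_day.items()}


def daily_requests(rows):
    """Malware requests per day (the report's 'effectiveness' metric)."""
    per_day = defaultdict(int)
    for r in rows:
        if r["verdict"] == "malware":
            per_day[r["day"]] += 1
    return dict(per_day)


def search_portal_share(rows):
    """Fraction of malware requests whose referrer host is a search engine or portal."""
    malware = [r for r in rows if r["verdict"] == "malware"]
    if not malware:
        return 0.0
    hits = 0
    for r in malware:
        # "-" means the proxy recorded no referrer; urlparse would not apply.
        ref_host = urlparse(r["referrer"]).hostname if r["referrer"] != "-" else None
        if ref_host in SEARCH_PORTAL_HOSTS:
            hits += 1
    return hits / len(malware)


def summarize(text):
    """Compute the size, effectiveness and entry-point figures for one log."""
    rows = parse_log(text)
    uniq = daily_unique_hosts(rows)
    reqs = daily_requests(rows)
    return {
        "avg_unique_hosts": sum(uniq.values()) / len(uniq) if uniq else 0.0,
        "peak_unique_hosts": max(uniq.values(), default=0),
        "peak_requests": max(reqs.values(), default=0),
        "search_portal_share": search_portal_share(rows),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed log this reports an average of 2.5 and a peak of 3 unique malware hosts per day, a peak of 4 malware requests in a day, and 4 of 7 malware requests (about 57 percent) arriving from a search engine or portal referrer. Grouping the malware hosts into networks, as the report does, needs an extra step the example leaves out: a mapping from hostname to network, which WebPulse derives from shared infrastructure rather than from the proxy log alone.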

“Web-based malware has become so dynamic that it is nearly impossible to protect every user from every new attack with traditional defenses,” said Steve Daheb, chief marketing officer and senior vice president at Blue Coat Systems.

Blue Coat’s report examines the interactions of malware ecosystems, including user behavior, malware hosting sites and delivery networks, and is available in PDF format. The data in the report comes from over 75 million users of its WebPulse collaborative cloud defense solution, which rates and analyzes nearly 3 billion real-time URL requests per week.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
