Free Newsletter
Register for our Free Newsletters
Newsletter
Zones
Access Control
LeftNav
Alarms
LeftNav
Biometrics
LeftNav
Detection
LeftNav
Deutsche Zone (German Zone)
LeftNav
Education, Training and Professional Services
LeftNav
Government Programmes
LeftNav
Guarding, Equipment and Enforcement
LeftNav
Industrial Computing Security
LeftNav
IT Security
LeftNav
Physical Security
LeftNav
Surveillance
LeftNav
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
 
News

Adverts Lead To Malware Delivery Network

Blue Coat Systems : 09 August, 2011  (New Product)
New malware payload automatically blocked using the WebPulse service from Blue Coat
Adverts Lead To Malware Delivery Network
Blue Coat Security Labs has identified a new variant of a fake anti-virus attack that uses Web advertisements to relay users into the Shnakule network, which is currently the largest and most effective Malware Delivery Network on the Internet.  The Blue Coat WebPulse service identified the fake anti-virus payloads as malware and automatically blocked them, protecting 75 million customers worldwide.

The Shnakule network has averaged around 2,000 unique host names per day with as many as 4,357 in a single day.  On an average day, the WebPulse service logs more than 21,000 requests into that network.  Shnakule has been very active with fake anti-virus attacks typically conducted via search engine poisoning. With this latest attack, it is now using malvertising to conduct its attacks.  To date, the Blue Coat WebPulse service has identified more than 15,000 user requests related to the latest form of the attack.

The latest Shnakule attack is a three-staged attack that utilises malicious Web advertisements.  In the first stage, malicious ad servers were set up as independent entities, not directly associated with each other or any existing Shnakule sub-networks, to route users to malware.  In the second stage, a new Shnakule subnetwork relays users to the malware. The final stage is the malware payload, which changes frequently in an attempt to avoid detection from anti-virus software.  The malware payload comes from servers that have already been identified by WebPulse as part of the Shnakule Malware Delivery Network.  Because of its visibility into the Shnakule network, the Blue Coat WebPulse service was already blocking the malware payload before the attack was launched.

“Though this attack initially launched in late June, it is still continuing, and in a recent check of the payload by Blue Coat Security Labs against 43 anti-virus engines only two of those engines identified the payload as malicious or suspicious,” said Chris Larsen, senior malware researcher for Blue Coat Systems.  “Web-based malware changes far too quickly these days for traditional single-layer defences like anti-virus to keep pace.  The most successful defence against this type of attack is one like WebPulse that can correlate the evidence and automatically identify and block the network responsible, regardless of how the payload is encrypted.”

In the current attack, none of the rogue ad servers appears by name in the pages that host its ads, indicating that the victimised legitimate sites are not directly using these ad servers.  Each of the rogue ad servers had been set up with different registrars at least a month prior to launching the attack, which was long enough to successfully convince Web advertising companies that they were serving legitimate ads.

The Blue Coat WebPulse service is a collaborative defence that provides proactive threat protection for 75 million users worldwide.  With more than three billion requests per week, WebPulse has a comprehensive view of user activity on the Web.  By correlating dynamic lures with relays and malware payloads, Blue Coat can identify and block Malware Delivery Networks and the future attacks they launch. 
Bookmark and Share
 
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
 
   © 2012 ProSecurityZone.com
Netgains Logo