Unlimited Profit Acclaimed Via Malvertising Attacks

According to the revelation by Security Vendor Blue Coat Systems, the Shnakule network that has been carrying out the fake antivirus attacks through search engine poisoning has started to tap on malvertising, reports a news published in the ZDNet on August 8, 2011.

The modus operandi of this attack is carried out in three stages as explained by the firm. Firstly ad servers were implanted to run independent entitles that would route users to the malware. Shnakule, a subnetwork was used in the subsequent stage to relay users to malware. In the last stage, activation of the malware payload was enabled with the capacity to change itself frequently to ensure avoidance of detection from antivirus software.

The Shnakule network had the capacity to provide 2,000 unique host names with an aggregate of 4375 names in a single day. The WebPulse service is also enabled to log more than 21,000 requests into the network on an average day. Till now, the Blue Coat WebPulse service has recognized more than 15,000 user requests concerned with the latest form of the attack.

However, Blue Coat denoted that the rogue ad severs did not included any of the names in their pages hosting the ads during these attacks. This act is an indication that the legitimate sites that were victimized were not using these ad servers directly.

Also all the servers had been installed with various registrars a month prior to the attack, which is a long time for convincing Web advertising companies that they were serving genuine ads.

As per Chris Larsen, Senior malware Researcher at Blue Coat Systems, even though the online attack was launched initially during late June 2011, the attack still pervades and during a latest check of the payload by Blue Coat Security Labs, against 43 anti-virus engines, only two of them were identified to contain malevolent or suspicious, reports a news published in MarketWatch on August 08, 2011.

For conventional single-layer defenses, such as anti-virus, web-based malware changes too frequently to keep at par the pace. However, the most thriving defense against this kind of attack is similar to that of the WebPulse that can relate the evidence and mechanically make out and obstruct the responsible network regardless of the ways in which the payload is coded.

» SPAMfighter News - 8/18/2011