Nigel Hawthorn, VP EMEA Marketing at Blue Coat Systems
Blue Coat Systems, a leading provider of Web security and WAN optimization solutions, today announced that the Blue Coat WebPulse collaborative defense proactively protected its 75 million users from the latest attack launched by Shnakule, the largest malware network (malnet) on the Internet. Blue Coat Security Labs has been tracking the Shnakule infrastructure, which enabled WebPulse to dynamically identify the new threat. This same technique can proactively block future attacks from Shnakule and other malnets.
The attack utilized not only sites that are known to be part of the Shnakule malnet but new exploit and payload servers as well. The attack host was one of many malicious sites on a server that WebPulse had already categorized and blocked as a malware host, proactively protecting users from the attack that launched three days later. In the five days that the server has been in use, Blue Coat Security Labs has identified 81 different malware sites on this server.
“As noteworthy as this attack was, it is simply another traffic driver for a well-established malnet, providing further evidence that cyber criminals do not suddenly appear out of the woodwork to launch high-profile attacks,” said Nigel Hawthorn, VP EMEA Marketing at Blue Coat Systems. “The Shnakule infrastructure runs 24/7 and launches new attacks in an effort to infect new victims. WebPulse tracks malnet infrastructures to protect its users independently of the traffic-driving method du jour.”
Nearly 400,000 people visit MySQL.com per day, which provides cybercriminals with a high-profile, potentially lucrative target. Among the pages targeted by the iframe injection were several pages documenting database administration, so a successfully executed attack could deliver malware designed to locate additional database credentials and locations on the victim’s system. Such information would give the cybercriminal access to a wealth of potentially sensitive information and the ability to compromise additional systems.
The Shnakule network averages around 2,000 unique host names per day with as many as 5,708 in a single day. On an average day, the WebPulse service logs more than 21,000 requests into that malnet. Shnakule has traditionally been active with fake anti-virus attacks conducted via search engine poisoning, but has lately expanded into new types of attacks. In July, the malnet launched a malvertising attack. Blue Coat logged 15,000 user requests related to that attack.
The WebPulse collaborative defense provides proactive protection against new malware attacks for 75 million users worldwide. Through WebPulse, Blue Coat Security Labs tracks more than 500 malnets and blocks access to the infrastructure that is used to serve new attacks.