Malware network gains from new malvertising attack

A malware delivery network said to be the world's largest has tapped on Web advertisements as its latest modus operandi for fake antivirus attacks, according to Blue Coat Systems.

The Shnakule network, which has been carrying out the fake antivirus attacks via search engine poisoning, has begun tapping on "malvertising", the security vendor revealed Monday.

Shnakule averages around 2,000 unique host names per day, with as many as 4,357 in a single day, Blue Coat said in its statement.

The latest attack is carried out in three stages, it explained. First, ad servers were set up as independent entities to rout users to malware. Next, a new Shnakule subnetwork would relay users to the malware. The last stage sees the activation of the malware payload, which changes frequently to avoid detection from antivirus software.

Blue Coat noted that in these attacks, none of the rogue ad servers appeared by name in the pages that host the ads, indicating that legitimate sites that were known to be victimized were not directly using these ad servers.

Also, all the servers had been set up with different registrars at least a month before the attack, a period long time to convince Web advertising companies they were serving legitimate ads.

To date, the vendor said its WebPulse service has identified more than 15,000 user requests related to the latest form of the attack.

Chris Larsen, Blue Coat's senior malware researcher, said the malvertising spate was discovered in late June but are still taking place."In a recent check of the payload by Blue Coat Security Labs against 43 antivirus engines, only two of those engines identified the payload as malicious or suspicious," he reported.

He noted that the rapid speed at which Web-based malware is changing has made it difficult for single-layer defenses such as an antivirus solution to keep pace.