Blue Coat detects fake anti-virus
Malware is distributed through web advertisements
Web security and WAN optimisation provider Blue Coat Systems has announced that its Security Labs' WebPulse service has identified a new variant of a fake anti-virus attack.
The attack uses web advertisements to send users into what Blue Coat describes as the largest and most effective malware delivery network on the internet, which it calls the Shnakule network.
This network averages approximately 2,000 unique host names per day, with as many as 4,357 seen in a single day; on an average day the WebPulse service logs more than 21,000 requests into it.
With this latest attack, Shnakule uses malvertising to conduct a three-stage strike. In the first stage, malicious ad servers were set up as independent entities, not directly associated with each other or with any existing Shnakule sub-network. These servers route users to a new Shnakule sub-network, which in the second stage relays them on to the malware. The final stage is the malware payload itself, which changes frequently in an attempt to evade detection by anti-virus software.
The payload is served from hosts that WebPulse had already identified as part of the Shnakule malware delivery network, which is what lets the new ad servers and the new sub-network be tied to it.
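The network-level correlation the article alludes to can be shown on proxy logs: if the payload hosts are already attributed to the network, every host that relays clients into them (the new sub-network) and every host that relays clients into those (the rogue ad servers) can be attributed too, without ever inspecting the payload. The example below is added here and is not Blue Coat's or WebPulse's code; the log lines, hostnames and the three-hop limit are constructed assumptions, and the chain reconstruction relies on the HTTP Referer header being present.

```python
"""Attribute redirect-chain hosts to a known malware-delivery network.

Added example, not vendor code. Log records and hostnames are constructed:
(client_ip, requested_url, referer_url_or_None).
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log. Client .5 traverses the full three-stage chain; client .7
# reaches the relay host through a second rogue ad server but the payload request
# has not (yet) been seen; client .9 is ordinary ad traffic on a legitimate site.
SAMPLE_LOG = [
    ("10.0.0.5", "http://news.example/story", None),
    ("10.0.0.5", "http://ads-rogue.example/serve?id=1", "http://news.example/story"),
    ("10.0.0.5", "http://hop.shnakule-sub.example/go", "http://ads-rogue.example/serve?id=1"),
    ("10.0.0.5", "http://payload.known-bad.example/av.exe", "http://hop.shnakule-sub.example/go"),
    ("10.0.0.7", "http://forum.example/thread", None),
    ("10.0.0.7", "http://ads-rogue2.example/serve?id=9", "http://forum.example/thread"),
    ("10.0.0.7", "http://hop.shnakule-sub.example/go", "http://ads-rogue2.example/serve?id=9"),
    ("10.0.0.9", "http://blog.example/post", None),
    ("10.0.0.9", "http://ads-legit.example/banner", "http://blog.example/post"),
    ("10.0.0.9", "http://cdn.example/img.png", "http://ads-legit.example/banner"),
]

# Stage-three hosts already attributed to the network (assumed seed list).
KNOWN_BAD = {"payload.known-bad.example"}


def host(url):
    return urlsplit(url).hostname


def chains_to_known_bad(log, known_bad):
    """Reconstruct, per client, the referer chain that ends on a known-bad host.

    Returns a list of hostname lists, origin page first, payload host last.
    """
    by_client = defaultdict(dict)          # client -> {requested_url: referer_url}
    for client, url, ref in log:
        by_client[client][url] = ref
    chains = []
    for ref_of in by_client.values():
        for url in ref_of:
            if host(url) in known_bad:
                chain = [url]
                # Walk backwards through referers; stop at the origin page (no
                # referer) or if the chain loops.
                while ref_of.get(chain[-1]) is not None and ref_of[chain[-1]] not in chain:
                    chain.append(ref_of[chain[-1]])
                chains.append([host(u) for u in reversed(chain)])
    return chains


def attribute(log, known_bad, max_hops=3):
    """Propagate attribution upstream from known-bad hosts.

    A host is attributed if it sent clients to an attributed host, unless it is
    the origin page of a chain (the victimised legitimate site, which only
    embedded the ad and must not be blocked). max_hops bounds the propagation so
    one bad referer does not poison an entire ad ecosystem.
    """
    origins = {host(url) for _, url, ref in log if ref is None}
    upstream = defaultdict(set)            # destination host -> hosts that referred to it
    for _, url, ref in log:
        if ref is not None:
            upstream[host(url)].add(host(ref))

    attributed = set(known_bad)
    frontier = set(known_bad)
    for _ in range(max_hops):
        newly = {
            src
            for dst in frontier
            for src in upstream.get(dst, ())
            if src not in attributed and src not in origins
        }
        if not newly:
            break
        attributed |= newly
        frontier = newly
    return attributed - set(known_bad)


if __name__ == "__main__":
    for chain in chains_to_known_bad(SAMPLE_LOG, KNOWN_BAD):
        print(" -> ".join(chain))
    print("newly attributed:", sorted(attribute(SAMPLE_LOG, KNOWN_BAD)))
```

Note that ads-rogue2.example is attributed although no client behind it has fetched the payload yet; it is caught purely because it relays into a host that has been tied to the network. The victimised pages (news.example, forum.example) and the unrelated ad path (ads-legit.example, cdn.example) are left alone. In practice this is a heuristic: Referer can be stripped or forged, HTTPS origins often do not send it, and the hop limit and origin exclusion both need tuning against real traffic.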
"Though this attack initially launched in late June, it is still continuing and in a recent check of the payload by Blue Coat Security Labs against 43 anti-virus engines only two of those engines identified the payload as malicious or suspicious," said Nigel Hawthorn, VP EMEA Marketing at Blue Coat Systems. "Web-based malware changes far too quickly these days for traditional single-layer defences like anti-virus to keep pace. The most successful defence against this type of attack is one like WebPulse that can correlate the evidence and automatically identify and block the network responsible, regardless of how the payload is encrypted."
None of the rogue ad servers is referenced by name in the pages that carry their ads, which indicates that the victimised legitimate sites are not using these ad servers directly.
According to Blue Coat, each of the rogue ad servers was registered through a different registrar at least a month before the attack was launched.