Blue Coat WebPulse defends 75 million users from latest Shnakule malnet attack

Announcement posted by Blue Coat Systems 30 Sep 2011

Blue Coat has today announced that once again the Blue Coat WebPulse™ collaborative defense has proactively protected its 75 million users in the cloud from the latest attack launched by Shnakule, the largest malware network (malnet) on the internet. Blue Coat Security Labs has been tracking the Shnakule infrastructure, which enabled WebPulse to dynamically identify the new threat. This same technique can proactively block future attacks from Shnakule and other malnets.

In the attack, first reported by Armorize Technologies, MySQL.com, a legitimate Web site, was hacked and was serving malicious JavaScript that created an invisible iframe. The iframe enabled a drive-by download attack that was hosted on servers external to the MySQL.com site. Nearly 400,000 people visit MySQL.com per day, which provides cybercriminals with a high-profile, potentially lucrative target.

Among the pages targeted by the iframe injection were several pages documenting database administration, so a successfully executed attack could deliver malware designed to locate additional database credentials and locations on the victim’s system. Such information would give the cybercriminal access to a wealth of potentially sensitive information and the ability to compromise additional systems.

The attack utilised new exploit and payload servers on top of sites already known to be part of the Shnakule malnet. The attack host was one of many malicious sites on a server that WebPulse had already categorized and blocked as a malware host, proactively protecting users from the attack that launched three days later. In the five days that the server has been in use, Blue Coat Security Labs has identified 81 different malware sites on this server.

“This attack provides further evidence that cyber criminals do not suddenly appear out of the woodwork to launch high profile attacks,” said Rajeev Mitroo, Managing Director Blue Coat Australia and New Zealand. “The Shnakule infrastructure runs 24/7 and launches new attacks in an effort to infect new victims. WebPulse tracks malnet infrastructures to protect its users independently of the traffic-driving method du jour.”

The Shnakule network averages around 2,000 unique host names per day with as many as 5,708 in a single day. On an average day, the WebPulse service logs more than 21,000 requests into that malnet. Shnakule has traditionally been active with fake anti-virus attacks conducted via search engine poisoning, but has lately expanded into new types of attacks. In July, the malnet launched a malvertising attack. Blue Coat logged 15,000 user requests related to that attack.

The WebPulse collaborative defense provides proactive protection against new malware attacks for 75 million users worldwide. Through WebPulse, Blue Coat Security Labs tracks more than 500 malnets and blocks access to the infrastructure that is used to serve new attacks.

About Blue Coat Systems

Blue Coat Systems is a leading provider of Web security and WAN optimization solutions. Blue Coat offers solutions that provide the visibility, acceleration and security required to optimize and secure the flow of information to any user, on any network, anywhere. This application intelligence enables enterprises to tightly align network investments with business requirements, speed decision making and secure business applications for long-term competitive advantage. Blue Coat also offers service provider solutions for managed security and WAN optimization, as well as carrier-grade caching solutions to save on bandwidth and enhance the end-user Web experience. For additional information, please visit www.bluecoat.com.

# # #

Blue Coat, WebPulse and the Blue Coat logo are registered trademarks or trademarks of Blue Coat Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document are the property of their respective owners.