CHAPTER 5

Malnet Detection Techniques

A malware distribution network (MDN), or malnet, consists of three main components: landing pages, intermediate redirection servers, and exploit/malware distribution servers. As discussed in Chapter 4, a typical infection begins with a lure that leads the user to a malicious landing page; once there, the user's web browser is induced to download a piece of shellcode. To evade detection, the browser is redirected through multiple layers of intermediate nodes before it reaches the initial exploit code. After the shellcode executes, it downloads the main malware payload from yet another server and finally launches that malware to compromise the end system completely. More sophisticated shellcode may first fingerprint the user's system and transmit the collected information to its command and control (C2) server, which then instructs the shellcode where to download a targeted executable suited to that system.
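The chain just described (landing page, one or more redirectors, then a server that hands out the executable) leaves a trace in ordinary web proxy logs, and reconstructing it per client is one of the simplest detection techniques for a malnet. The following Python is an added example written for this chapter, not code from the book: it parses a constructed log (the log format, hostnames and timestamps are all invented for illustration), links each request to its predecessor either by a preceding 3xx response within a short window or by a matching Referer, and then flags chains that span several distinct hosts and end in an executable content type. Counting distinct hostnames rather than registrable domains is a simplification made here to avoid a public-suffix list.

```python
"""Reconstruct multi-hop redirection chains from proxy log lines and flag those
that fit the landing page -> redirector(s) -> payload server pattern.

Added example for Chapter 5; the log below is constructed, not a real capture.
Fields per line: timestamp client url status referer content_type
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
from urllib.parse import urlparse

SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 http://news.example.com/story.html 200 - text/html
2024-05-01T10:00:01 10.0.0.5 http://ads.example.net/js/tag.js 200 http://news.example.com/story.html application/javascript
2024-05-01T10:00:01 10.0.0.5 http://hop1.example.org/r?id=7 302 http://news.example.com/story.html text/html
2024-05-01T10:00:02 10.0.0.5 http://hop2.example.info/go 302 http://news.example.com/story.html text/html
2024-05-01T10:00:02 10.0.0.5 http://exploit.example.biz/landing.php 200 http://news.example.com/story.html text/html
2024-05-01T10:00:05 10.0.0.5 http://payload.example.xyz/update.exe 200 http://exploit.example.biz/landing.php application/octet-stream
2024-05-01T10:07:00 10.0.0.9 http://shop.example.com/ 200 - text/html
2024-05-01T10:07:01 10.0.0.9 http://cdn.example.com/style.css 200 http://shop.example.com/ text/css
2024-05-01T10:07:02 10.0.0.9 http://shop.example.com/login 302 http://shop.example.com/ text/html
2024-05-01T10:07:02 10.0.0.9 http://shop.example.com/account 200 http://shop.example.com/ text/html
"""

# A 3xx response followed by another request within this window is treated as
# one redirect hop (browsers preserve the original Referer across 302s, so the
# Referer alone would show a star, not a chain).
REDIRECT_WINDOW = timedelta(seconds=3)

# Content types that indicate an executable being delivered (constructed set).
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload",
                 "application/x-dosexec"}


@dataclass
class Request:
    ts: datetime
    client: str
    url: str
    status: int
    referer: Optional[str]
    ctype: str
    parent: Optional["Request"] = None

    @property
    def host(self) -> str:
        return urlparse(self.url).hostname or ""


def parse_log(text: str) -> list:
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, status, referer, ctype = line.split()
        reqs.append(Request(datetime.fromisoformat(ts), client, url, int(status),
                            None if referer == "-" else referer, ctype))
    return reqs


def link_requests(reqs: list) -> dict:
    """Attach each request to its predecessor, per client, in time order."""
    by_client = defaultdict(list)
    for r in sorted(reqs, key=lambda r: r.ts):   # stable: ties keep log order
        by_client[r.client].append(r)
    for seq in by_client.values():
        for i, cur in enumerate(seq):
            prev = seq[i - 1] if i else None
            # Rule 1: immediately preceded by a 3xx from the same client.
            if prev and 300 <= prev.status < 400 and cur.ts - prev.ts <= REDIRECT_WINDOW:
                cur.parent = prev
                continue
            # Rule 2: Referer names an earlier request of the same client.
            if cur.referer:
                for cand in reversed(seq[:i]):
                    if cand.url == cur.referer:
                        cur.parent = cand
                        break
    return by_client


def extract_chains(by_client: dict) -> list:
    """Walk from every leaf request back to its root, oldest node first."""
    chains = []
    for seq in by_client.values():
        parents = {id(r.parent) for r in seq if r.parent}
        for leaf in seq:
            if id(leaf) in parents:
                continue
            chain, node = [], leaf
            while node:
                chain.append(node)
                node = node.parent
            chains.append(chain[::-1])
    return chains


def suspicious_chains(reqs: list, min_hosts: int = 3) -> list:
    """Chains crossing >= min_hosts distinct hosts that end in an executable."""
    return [c for c in extract_chains(link_requests(reqs))
            if len({r.host for r in c}) >= min_hosts and c[-1].ctype in PAYLOAD_TYPES]


def describe(chain: list) -> list:
    """Label nodes by their position: landing, redirector(s), payload server."""
    roles = ["landing"] + ["redirector"] * (len(chain) - 2) + ["payload"]
    return [(role, r.host) for role, r in zip(roles, chain)]


if __name__ == "__main__":
    for chain in suspicious_chains(parse_log(SAMPLE_LOG)):
        print(" -> ".join(f"{role}:{host}" for role, host in describe(chain)))
```

Run against the sample, only the 10.0.0.5 session is reported; the 10.0.0.9 session also contains a 302, but it stays on one host and ends in an HTML page, which is why the heuristic combines hop count, host diversity and final content type rather than relying on any one of them.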

Some landing pages may be manually crafted by the attackers, while others are part of legitimate websites. There are numerous known incidents in which legitimate websites and web servers were compromised and the attackers planted malicious links to infect visitors. A more pervasive approach is to compromise a third-party content provider, which could result in many non-malicious landing pages containing third-party ...

From Security Intelligence: A Practitioner's Guide to Solving Enterprise Security Challenges (O'Reilly).