How to Defend Against Malnets

05.10.2012
Since 2011, security firm Blue Coat Systems has been tracking malnets: extensive distributed network infrastructures embedded in the Internet and designed to deliver mass-market attacks on a continuous basis. These malnet infrastructures are like the proverbial Lernaean Hydra: chop off one head, like a botnet it has produced, and two more spring up to take its place.

In just six months, the number of malnets tracked by Blue Coat Security Labs has tripled, from 500 to 1,500, according to a recently released Blue Coat report. When actively launching attacks, a malnet can use thousands of new host names a day. Blue Coat says Shnakule, far and away the largest malnet now in operation, has used anywhere from 50 to 5,005 unique domain names in a single day over the past six months, scaling its infrastructure up and down to match its daily attacks.

Rubol, another large malnet, is a spam ecosystem that operates in bursts. At times, it may have only one active domain name, according to Blue Coat, but when actively launching attacks it will use as many as 476 unique domain names.

"As the bad guys have made their criminal enterprises their day jobs, they've set up a lot of persistent infrastructure to deliver attacks," says Tim Van Der Horst, senior malware researcher at Blue Coat Security Labs. "Malnets are what are used to create botnets in the first place. If you don't take out the malnet, they just spring right back. You've got to stop it at the source."

How Malnets Operate

But that's easier said than done. A malnet is a collection of several thousand unique domains, servers and websites designed to work together to funnel victims to a malware payload, often using a trusted, legitimate site as the starting point. It comprises hundreds of servers, each with different responsibilities: some host malware, others are dedicated to specific attack types, from spam and scams to search engine poisoning and pornography, and still others make up the malnet's command and control infrastructure. The servers are embedded throughout the Internet, in countries around the world.
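The two properties described above, a daily churn of never-before-seen host names and a relay chain that leads from a trusted site to a payload host, are the ones a defender can actually measure in their own web-proxy logs. The following is an added example, not code from the article or from Blue Coat: it runs over a few constructed proxy log lines (date, requested host, Referer host), flags days on which an unusually large number of fresh hostnames appear, and walks the Referer chain back from a suspected payload host to the entry site. The log format, the hostnames and the burst threshold are all assumptions made for the example.

```python
"""Spot malnet-style behaviour in web-proxy logs: daily churn of never-seen
hostnames, and the Referer chain that funnels a victim from a trusted site
through relay hosts to a payload host.

Added example, not code from the article or from Blue Coat. The log format,
the hostnames and the burst threshold are constructed assumptions."""
from typing import Dict, List, NamedTuple, Optional


class Record(NamedTuple):
    day: str                 # ISO date "YYYY-MM-DD"; sorts correctly as text
    host: str                # hostname the client requested
    referer: Optional[str]   # hostname from the Referer header, None if absent


# Constructed sample proxy log: "<date> <requested host> <referer host or ->"
SAMPLE_LOG = """\
# day 1: one short chain from a legitimate site to a payload host
2012-05-01 www.example-news.test -
2012-05-01 a1.relay.test www.example-news.test
2012-05-01 x1.payload.test a1.relay.test
# day 2: a burst of fresh relay hosts and a longer chain
2012-05-02 www.example-news.test -
2012-05-02 b2.relay.test www.example-news.test
2012-05-02 c3.relay.test b2.relay.test
2012-05-02 x2.payload.test c3.relay.test
2012-05-02 d4.relay.test www.example-news.test
2012-05-02 e5.relay.test -
# day 3: only previously seen hosts; a reused relay is not "new"
2012-05-03 www.example-news.test -
2012-05-03 a1.relay.test www.example-news.test
"""


def parse_log(text: str) -> List[Record]:
    """Parse the three-column log; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, host, referer = line.split()[:3]
        records.append(Record(day, host.lower(),
                              None if referer == "-" else referer.lower()))
    return records


def new_hosts_per_day(records: List[Record]) -> Dict[str, int]:
    """Number of hostnames seen for the first time on each day.

    A malnet that spins up thousands of fresh host names a day shows up as a
    spike here, whereas a stable legitimate site counts once and then never
    again."""
    seen = set()
    counts: Dict[str, int] = {}
    for r in sorted(records, key=lambda r: r.day):
        counts.setdefault(r.day, 0)
        if r.host not in seen:
            seen.add(r.host)
            counts[r.day] += 1
    return counts


def burst_days(records: List[Record], threshold: int) -> List[str]:
    """Days on which at least `threshold` never-seen hostnames appeared.

    The threshold is an assumption for this example; in practice derive it
    from your own baseline over a quiet period."""
    return sorted(day for day, n in new_hosts_per_day(records).items()
                  if n >= threshold)


def referer_chain(records: List[Record], day: str, target: str) -> List[str]:
    """Walk Referer links backwards on one day, from `target` to the entry
    site, and return the chain entry-first. Stops at a host with no referer
    or on a cycle, so a malformed or hostile Referer cannot loop forever."""
    ref_of: Dict[str, Optional[str]] = {}
    for r in records:
        if r.day == day and r.host not in ref_of:   # keep the first sighting
            ref_of[r.host] = r.referer
    chain = [target]
    current = ref_of.get(target)
    while current is not None and current not in chain:
        chain.append(current)
        current = ref_of.get(current)
    chain.reverse()
    return chain


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for day, n in new_hosts_per_day(recs).items():
        print(day, "new hosts:", n)
    print("burst days:", burst_days(recs, 4))
    print("chain to x2.payload.test:",
          " -> ".join(referer_chain(recs, "2012-05-02", "x2.payload.test")))
```

Two caveats a practitioner should keep in mind: the Referer header is client-supplied and often stripped, so a chain that stops early is a gap in visibility rather than proof of a benign entry point, and the new-host count is only meaningful against a baseline from your own traffic, since a large organisation legitimately sees many fresh CDN hostnames every day.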