
The Nocebo Effect on the Web: An Analysis of Fake Anti-Virus Distribution

Moheeb Abu Rajab, Lucas Ballard, Panayiotis Mavrommatis, Niels Provos, Xin Zhao

USENIX (August 2010)

Reporter: 鍾怡傑 2013/08/27


News

  • News reports say a U.S. federal court imposed a fine of as much as US$163 million on a woman who sold fake anti-virus software.

  • The scheme deceived users through social-engineering traps.

  • The group tricked more than a million consumers across six countries into buying fake anti-virus software.


  • Introduction

  • Background

  • Methodology

    • Data Collection

    • Terminology

  • An Empirical Analysis of Fake AVs

  • Conclusion


  • 240 million web pages were analyzed.

  • Over a 13-month period, Google's malware detection infrastructure discovered more than 11,000 domains involved in Fake AV distribution.

  • Fake AV currently accounts for 15% of all malware detected on the web.

Google’s malware detection infrastructure

  • Safe Browsing API, June 2007. See

  • Safe Browsing diagnostic page. See


  • No vulnerability is needed: the victim installs the software voluntarily.

  • Fake AVs are often bundled with other malware.

  • Distribution relies on social engineering.


  • A web page or binary is considered Fake AV if it

    • misinforms users about the computer's security, and

    • attempts to deceive them into buying a "solution" to remove malware.

Background - Step

  • Fake AVs offer a free download to scan for malware.

  • Fake AVs pretend to scan the computer and claim to find infected files.

  • The user is then asked to pay a registration fee to "remove" the malware.


  • The first Fake AVs employed simple JavaScript to display an alert that asked users to download the malware.



  • Recent Fake AVs use more complex JavaScript to mimic the Windows environment (fake Explorer windows, progress bars and scan results rendered inside the browser page).

[Screenshot: fake in-browser scanner dialog offering the buttons "Continue unprotected" and "Remove all threats now"]

Android Fake Defender

  • See


  • An unpatched Windows virtual machine runs an unpatched version of Internet Explorer and visits the page.

  • Detection algorithms use signals derived from

    • state changes on the virtual machine,

    • network activity, and

    • scanning results from a group of licensed anti-virus engines

      to decide definitively whether a page is malicious.

Methodology - Data Collection

  • A subset of the pages scanned between January 1, 2009 and January 31, 2010.

  • 240 million pages were reprocessed.

Fake AV detection rate over time


  • Even as AV engines missed more binaries, it was still possible to detect the domains distributing the Fake AVs (top).

  • The number of unique binaries increased from 300/day to 1,462/day (bottom).

  • The dip in August is due to technical problems in the AV signature update pipeline.

  • The dip in December is due to a lack of updates from the AV vendors.

  • Signatures that are only 1-2 weeks out of date can greatly reduce the detection rate, which is why signature-based detection alone is fragile against high-churn Fake AV binaries.

Methodology - Terminology

  • Infection Domains: host malicious content.

    • Fake AV Domains: serve content with Fake AVs.

    • Exploit Domains: serve content with exploits other than Fake AVs.

  • Landing Domains: serve web pages that cause the browser to retrieve content from Infection Domains without any user interaction.

An Empirical Analysis of Fake AVs

  • The study examines three high-level themes:

    • (1) The prevalence of Fake AVs over time, both in absolute terms and relative to other types of malware.

    • (2) The network characteristics of domains that host Fake AV.

    • (3) How Fake AV domains target users and distribute malware.

New infection domains per week

(2) Network Characteristics

  • 11,480 Fake AV domains mapped to 2,080 IP addresses and 384 unique Autonomous Systems (ASs).

  • 52% of the ASs hosted more than one Fake AV domain.

  • 42% of the IP addresses hosted more than one Fake AV domain.
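The concentration figures above (domains per IP, domains per AS, and the share of IPs and ASs that host more than one domain) are simple aggregations over a domain-to-IP-to-AS mapping. The script below is an added example, not code from the paper or from Google's pipeline; the records are constructed here with documentation-range addresses and private AS numbers and do not refer to real hosts. The `rotation_candidates` function also flags the pattern the next slides call domain rotation: many names resolving to one fixed address.

```python
"""Hosting-concentration statistics for a set of infection domains.

Added example for illustration; not the paper's code. The records below
are constructed (RFC 5737 addresses, private AS numbers) and imitate what a
resolver plus an IP-to-AS lookup would produce for a crawl's Fake AV domains.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Record = Tuple[str, str, int]  # (domain, ip, asn)

# Constructed sample: three names on one IP in AS64500 is the rotation pattern.
SAMPLE_RECORDS: List[Record] = [
    ("scan-protect.example",     "203.0.113.10", 64500),
    ("anti-spyware-pro.example", "203.0.113.10", 64500),
    ("pcsecurity-scan.example",  "203.0.113.10", 64500),
    ("malware-removal.example",  "203.0.113.11", 64500),
    ("secure-scanner.example",   "198.51.100.5", 64501),
    ("virus-guard.example",      "198.51.100.6", 64502),
    ("protect-my-pc.example",    "192.0.2.77",   64503),
]


def group_domains(records: Iterable[Record], key_index: int) -> Dict[object, Set[str]]:
    """Map each IP (key_index=1) or AS (key_index=2) to the set of domains it hosts."""
    buckets: Dict[object, Set[str]] = defaultdict(set)
    for rec in records:
        buckets[rec[key_index]].add(rec[0])
    return buckets


def hosting_stats(records: List[Record]) -> Dict[str, float]:
    """The paper's headline numbers for a record set: unique IPs and ASs, and
    the fraction of each that hosts more than one domain."""
    by_ip = group_domains(records, 1)
    by_as = group_domains(records, 2)

    def shared_fraction(buckets: Dict[object, Set[str]]) -> float:
        return sum(1 for ds in buckets.values() if len(ds) > 1) / len(buckets)

    return {
        "domains": len({r[0] for r in records}),
        "ips": len(by_ip),
        "ases": len(by_as),
        "ip_share_ratio": shared_fraction(by_ip),
        "as_share_ratio": shared_fraction(by_as),
    }


def rotation_candidates(records: List[Record], min_domains: int = 3) -> Dict[str, List[str]]:
    """IPs carrying at least min_domains names: the fingerprint of domain
    rotation, where throwaway names funnel traffic to one fixed address.
    The threshold is an assumption for the example, not a value from the paper."""
    return {
        ip: sorted(ds)
        for ip, ds in group_domains(records, 1).items()
        if len(ds) >= min_domains
    }


if __name__ == "__main__":
    for k, v in hosting_stats(SAMPLE_RECORDS).items():
        print(f"{k:>15}: {v}")
    for ip, names in rotation_candidates(SAMPLE_RECORDS).items():
        print(f"rotation candidate {ip}: {', '.join(names)}")
```

Because the ratios are computed per hosting unit rather than per domain, one IP carrying hundreds of names still counts once; that is what makes the 42% and 52% figures meaningful as a measure of how few hosts the operation actually depends on, and why blocking by IP or AS is more durable than blocking by domain.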

Fake AV domains per IP address

As the number of Fake AV domains increases, their lifetime decreases.

(2) Network Characteristics: Domain rotation

  • A technique used to evade domain-based detection and blacklisting.

  • Allows attackers to drive traffic to a fixed number of IP addresses through many short-lived domains.

  • Typically accomplished by setting up a number of Landing domains, either as dedicated sites or by infecting legitimate sites.

Table 1: Distribution of Fake AV and Exploit domains across countries.

Fake AV Domain Naming Conventions

  • Fake AV domains commonly use security-related English words,

    • e.g., scan, scanner, security, anti-virus, anti-spyware, anti-malware, protect, etc.

  • This serves two purposes:

    • (1) it gives users a false sense of security, and

    • (2) it gives Fake AV distributors a way to easily generate large numbers of domains amenable to domain rotation.
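The naming convention is cheap to check and makes a useful first-pass signal for triaging newly seen domains, as long as it is treated as weak evidence (legitimate vendors use the same vocabulary) and combined with hosting data such as the domains-per-IP counts above. The snippet below is an added example, not code from the paper; its token list extends the paper's examples with a few obvious variants, and the `registrable_label` helper assumes a one-label public suffix (real code should use a Public Suffix List library).

```python
"""Flag domain names built from security-themed vocabulary.

Added example; not the paper's code. The token list starts from the words
the paper reports (scan, scanner, security, anti-virus, anti-spyware,
anti-malware, protect) and adds a few common variants as an assumption.
"""
import re
from typing import Dict, List, Tuple

# Longer tokens come first so "scanner" is counted once rather than as
# "scanner" plus "scan". Hyphens are removed before matching, so
# "anti-virus" and "antivirus" both hit the "antivirus" token.
_TOKENS = (
    "antivirus", "antispyware", "antimalware", "scanner", "scan",
    "security", "secure", "protect", "defender", "guard", "shield",
    "cleaner", "clean",
)


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'secure-scan' for 'www.secure-scan.example'.
    Assumes a single-label public suffix; use a PSL library in production."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def security_tokens(domain: str) -> List[str]:
    """Return the security-themed tokens found in the domain's registrable label."""
    norm = re.sub(r"[^a-z]", "", registrable_label(domain))
    found: List[str] = []
    for tok in _TOKENS:
        # Skip a token already covered by a longer match (e.g. scan in scanner).
        if tok in norm and not any(tok in longer for longer in found):
            found.append(tok)
    return found


def triage(domains: List[str]) -> List[Tuple[str, List[str]]]:
    """Domains that match the convention, most tokens first. This is a
    prioritisation signal only; a match is not proof of Fake AV."""
    hits = [(d, security_tokens(d)) for d in domains]
    hits = [(d, t) for d, t in hits if t]
    return sorted(hits, key=lambda h: (-len(h[1]), h[0]))


if __name__ == "__main__":
    # Constructed sample names; none refer to real sites.
    sample = [
        "www.secure-scanner.example", "anti-virus-protect.net",
        "pc-security-2010.info", "example.com", "news.example.org",
    ]
    for d, toks in triage(sample):
        print(f"{d}: {', '.join(toks)}")
```

The same regularity that helps the distributor (names are easy to mint in bulk) also helps the defender: once a rotation cluster is known, new names on the same IPs that match this vocabulary deserve immediate scanning rather than waiting for an AV signature.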

(3) Distributing Fake AV

  • How Fake AV distributors try to reach users, studied through the different types of Landing domains in the data set.

  • How Landing domains are set up to infect end users.

Average number of Landing domains per Infection domain.

Total number of Landing domains classified by Infection domain.

Sources of Fake AV

Total unique Infection domains encountered via ad networks.

Delivery Mechanisms

  • Drive-by Download: the Fake AV malware is delivered and/or run using an exploit, without any user interaction.

  • Social Engineering: user interaction was required to deliver the Fake AV.

  • Approximately 14% of Fake AV domains employed both drive-by downloads and social engineering.

Drive-by Download vs. Social Engineering


  • 15% of the malware detected on the web is Fake AV, and its distribution depends heavily on user interaction rather than on exploiting vulnerabilities.

Thank You

Any Questions?