The Nocebo Effect on the Web: An Analysis of Fake Anti-Virus Distribution






The Nocebo Effect on the Web: An Analysis of Fake Anti-Virus Distribution

Moheeb Abu Rajab, Lucas Ballard, Panayiotis Mavrommatis, Niels Provos, Xin Zhao

USENIX (August, 2010)

Reporter: 鍾怡傑 2013/08/27



News

  • News reports say a US federal court imposed a fine of as much as US$163 million on a woman who sold fake anti-virus software

  • Users were deceived through social engineering traps

  • The group tricked more than a million consumers across 6 countries into buying fake anti-virus software.

http://blog.trendmicro.com.tw/?p=113



Outline

  • Introduction

  • Background

  • Methodology

    • Data Collection

    • Terminology

  • An Empirical Analysis of Fake AVs

  • Conclusion



Introduction

  • 240 million web pages.

  • Google’s malware detection infrastructure over a 13 month period discovered over 11,000 domains involved in Fake AV distribution.

  • Fake AV currently accounts for 15% of all malware we detect on the web.



Google’s malware detection infrastructure

  • Safe Browsing API, June 2007. See http://code.google.com/apis/safebrowsing/

  • Safe Browsing diagnostic page. See http://www.google.com/safebrowsing/diagnostic?site=yoursite.com



Introduction

  • No software vulnerability is needed

  • Fake AVs often are bundled with other malware

  • Social Engineering



Background

  • A web page or binary is considered Fake AV if it:

    • misinforms users about the computer’s security, and

    • attempts to deceive them into buying a “solution” to remove malware



Background - Steps

  • Fake AVs offer a free download to scan for malware.

  • Fake AVs pretend to scan the computer and claim to find infected files.

  • The user is asked to pay a registration fee to remove the “malware”.



Background

  • The first Fake AVs employed simple JavaScript to display an alert that asked users to download the malware.



Background



Background

  • Recent Fake AVs use more complicated JavaScript to mimic a Windows environment


Screenshot of a Fake AV dialog offering two buttons: “Continue unprotected” and “Remove all threats now”



Android Fake Defender

  • See http://www.symantec.com/connect/blogs/fakeav-holds-android-phones-ransom



Methodology

  • An un-patched Windows virtual machine runs an un-patched version of Internet Explorer.

  • Detection algorithms use signals derived from

    • state changes on the virtual machine

    • network activity

    • scanning results of a group of licensed anti-virus engines

      to decide definitively whether a page is malicious.



Methodology - Data Collection

  • Subset of the pages scanned between January 1, 2009 and January 31, 2010

  • Reprocessed 240 million pages



Fake AV detection rate over time



Fake AV detection rate over time



Fake AV detection rate over time

  • Detecting the domains distributing the Fake AVs remained possible (top)

  • The number of unique binaries increased from 300/day to 1,462/day (bottom)

  • The dip in August is due to technical problems in the AV signature update pipeline

  • The dip in December is due to a lack of updates from the AV vendors

  • Signatures that are 1-2 weeks out of date can greatly reduce the detection rate



Methodology - Terminology

  • Infection Domains: host malicious content

    • Fake AV Domains: serve content with Fake AVs

    • Exploit Domains: serve content with exploits other than Fake AVs

  • Landing Domains: serve web pages that cause the browser to retrieve content from Infection Domains without any user interaction



An Empirical Analysis of Fake AVs

  • Studying three high-level themes:

    • (1) The prevalence of Fake AVs over time, both in absolute terms and relative to other types of malware

    • (2) The network characteristics of domains that host Fake AV

    • (3) How Fake AV domains target users and distribute malware.



New infection domains per week



(2) Network Characteristics

  • 11,480 Fake AV domains mapped to 2,080 IP addresses and 384 unique Autonomous Systems (ASs).

  • 52% of the ASs hosted more than one Fake AV domain

  • 42% of the IP addresses hosted more than one Fake AV domain



Fake AV domains per IP address


As the number of Fake AV domains increases, their lifetime decreases


(2) Network Characteristics - Domain Rotation

  • A technique to evade domain-based detection tactics.

  • Allows attackers to drive traffic to a fixed number of IP addresses through multiple domains.

  • Typically accomplished by setting up a number of Landing domains, either as dedicated sites or by infecting legitimate sites.



Table 1: Distribution of Fake AV and Exploit domains across countries.



Fake AV Domain Naming Conventions

  • Fake AV domains commonly use security-related English words

    • e.g., scan, scanner, security, anti-virus, anti-spyware, anti-malware, protect etc.

  • Two purposes:

    • (1) it provides users with a false sense of security, and

    • (2) it provides the Fake AV distributors with a technique to easily generate domains amenable to domain rotation.
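The two observations above, that Fake AV domains cluster on a small pool of IP addresses and ASes (the domain-rotation signature) and that their names lean on security-related English words, are easy to turn into analysis code over a resolved-domain dataset. The following Python is an added example written for this summary, not code from the paper or from Google's pipeline; the observations, IP addresses and AS numbers are constructed, and the keywords "guard" and "defend" are assumed additions to the list the slide gives.

```python
import re
from collections import defaultdict

# Constructed sample data (not the paper's measurements): each tuple is a
# Fake AV domain, the IP it resolved to, and the AS number announcing that IP.
OBSERVATIONS = [
    ("scan-protect-now.example", "203.0.113.10", 64500),
    ("antivirus-security-scanner.example", "203.0.113.10", 64500),
    ("free-malware-scanner.example", "203.0.113.11", 64500),
    ("antispyware-protect.example", "198.51.100.7", 64501),
    ("best-pc-guard.example", "198.51.100.8", 64501),
    ("cheap-holiday-deals.example", "192.0.2.200", 64502),
    ("securityscan-online.example", "192.0.2.201", 64503),
    ("securityscan-online.example", "192.0.2.201", 64503),  # repeat sighting
]

# Security-flavoured words the slide reports in Fake AV domain names;
# "guard" and "defend" are assumed additions for illustration.
SECURITY_KEYWORDS = ("scan", "security", "secure", "antivirus", "antispyware",
                     "antimalware", "protect", "guard", "defend")


def _normalize(domain):
    """Lowercase the first label and drop hyphens/digits so that
    'anti-virus' and 'antivirus' compare equal."""
    label = domain.lower().split(".")[0]
    return re.sub(r"[^a-z]", "", label)


def security_keywords_in(domain):
    """Keywords from SECURITY_KEYWORDS that occur in the domain's first label."""
    text = _normalize(domain)
    return [kw for kw in SECURITY_KEYWORDS if kw in text]


def is_security_themed(domain):
    return bool(security_keywords_in(domain))


def domains_by(observations, field):
    """Map each IP ('ip') or AS ('as') to the set of distinct domains seen on it."""
    idx = {"ip": 1, "as": 2}[field]
    groups = defaultdict(set)
    for obs in observations:
        groups[obs[idx]].add(obs[0])
    return groups


def shared_hosting_stats(observations):
    """Counts and fractions mirroring the slide's network-characteristics figures."""
    by_ip = domains_by(observations, "ip")
    by_as = domains_by(observations, "as")
    domains = {obs[0] for obs in observations}
    return {
        "domains": len(domains),
        "ips": len(by_ip),
        "ases": len(by_as),
        # share of IPs / ASes fronting more than one Fake AV domain
        "ip_multi_fraction": sum(len(d) > 1 for d in by_ip.values()) / len(by_ip),
        "as_multi_fraction": sum(len(d) > 1 for d in by_as.values()) / len(by_as),
        # share of domains whose name carries a security keyword
        "themed_fraction": sum(is_security_themed(d) for d in domains) / len(domains),
    }


def rotation_candidates(observations, min_domains=2):
    """IPs that front several Fake AV domains: the footprint domain rotation
    leaves when many names are pointed at a fixed pool of addresses."""
    by_ip = domains_by(observations, "ip")
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) >= min_domains}


if __name__ == "__main__":
    for key, value in shared_hosting_stats(OBSERVATIONS).items():
        print(f"{key}: {value}")
    for ip, names in rotation_candidates(OBSERVATIONS).items():
        print(f"{ip} hosts {len(names)} Fake AV domains: {', '.join(names)}")
```

On real data the same grouping is what produces the slide's "52% of ASes" and "42% of IPs" figures, and the keyword check is a cheap first-pass signal for blocklist triage, not a classifier on its own: legitimate vendors use the same vocabulary, so a name hit only earns a domain a closer look.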



(3) Distributing Fake AV

  • How Fake AV distributors try to reach users, studied through the different types of Landing domains in the data set.

  • How Landing domains are set up to infect end users.



Average number of Landing domains per Infection domain.



Total number of Landing domains classified by Infection domain.



Sources of Fake AV



Total unique Infection domains encountered via ad networks.



Delivery Mechanisms

  • Drive-by Download: the Fake AV malware is delivered and/or run using an exploit without any user interaction

  • Social Engineering: user interaction was required to deliver the Fake AV

  • Approximately 14% of Fake AV domains employed both drive-by downloads and social engineering.



Drive-by Download vs. Social Engineering



Conclusion

  • Fake AVs account for 15% of the malware on the Internet and depend heavily on user interaction



Thank You

Any questions?



Reference

  • http://foivos.zakkak.net/presentations/nocebo.pdf

