The Nocebo Effect on the Web: An Analysis of Fake Anti-Virus Distribution - PowerPoint PPT Presentation

The Nocebo Effect on the Web: An Analysis of Fake Anti-Virus Distribution

Moheeb Abu Rajab, Lucas Ballard, Panayiotis Mavrommatis, Niels Provos, Xin Zhao

USENIX (August, 2010)

Reporter: 鍾怡傑 2013/08/27


News

  • News reports say a US federal court handed down a fine of as much as USD 163 million against a woman who sold fake anti-virus software.

  • Users were deceived through social engineering traps.

  • The group tricked over a million consumers across 6 countries into buying fake anti-virus software.


  • Introduction

  • Background

  • Methodology

    • Data Collection

    • Terminology

  • An Empirical Analysis of Fake AVs

  • Conclusion


  • 240 million web pages.

  • Google’s malware detection infrastructure over a 13 month period discovered over 11,000 domains involved in Fake AV distribution.

  • Fake AV currently accounts for 15% of all malware we detect on the web.

Google’s malware detection infrastructure

  • Safe Browsing API, June 2007. See

  • Safe Browsing diagnostic page. See


  • No need for a vulnerability

  • Fake AVs often are bundled with other malware

  • Social Engineering


  • A web page or binary is considered Fake AV if it:

    • misinforms users about the computer’s security, and

    • attempts to deceive them into buying a “solution” to remove malware

Background - Step

  • Fake AVs offer a free download to scan for malware.

  • Fake AVs pretend to scan computers and claim to find infected files.

  • Users pay a registration fee to remove the “malware”.


  • The first Fake AVs employed simple JavaScript to display an alert that asked users to download the malware.


  • Recent Fake AVs use more complicated JavaScript to mimic the Windows environment

  • Buttons shown in the fake dialog: “Continue unprotected” / “Remove all threats now”

Android Fake Defender

  • See


  • An un-patched Windows virtual machine runs an un-patched version of Internet Explorer.

  • Detection algorithms use signals derived from

    • state changes on the virtual machine

    • network activity

    • scanning results of a group of licensed anti-virus engines

    to decide definitively whether a page is malicious.

Methodology - Data Collection

  • Subset of the pages scanned between January 1, 2009 and January 31, 2010

  • Reprocessed 240 million pages

Fake AV detection rate over time

  • Even so, it was still possible to detect the domains distributing the Fake AVs (top)

  • The number of unique binaries increased from 300/day to 1,462/day (bottom)

  • The dip in August is due to technical problems in the AV signature update pipeline

  • The dip in December is due to a lack of updates from the AV vendors

  • Signatures that are 1-2 weeks out of date can greatly reduce the detection rate

Methodology - Terminology

  • Infection Domains: host malicious content

    • Fake AV Domains: serve content with Fake AVs

    • Exploit Domains: serve content with exploits other than Fake AVs

  • Landing Domains: serve webpages that cause the browser to retrieve content from Infection Domains without any user interaction

An Empirical Analysis of Fake AVs

  • Studying three high-level themes:

    • (1) The prevalence of Fake AVs over time, both in absolute terms, and relative to other types of malware

    • (2) The network characteristics of domains that host Fake AV

    • (3) How Fake AV domains target and distribute malware.

(2) Network Characteristics

  • 11,480 Fake AV domains mapped to 2,080 IP addresses and 384 unique Autonomous Systems (ASs).

  • 52% of the ASs hosted more than one Fake AV domain

  • 42% of the IP addresses hosted more than one Fake AV domain

As the number of Fake AV domains increases, their lifetime decreases

(2) Network Characteristics - Domain rotation

  • A technique to trick domain-based detection tactics.

  • Allows attackers to drive traffic to a fixed number of IP addresses through multiple domains.

  • Typically accomplished by setting up a number of Landing domains, either as dedicated sites or by infecting legitimate sites.

Fake AV Domain Naming Conventions

  • Fake AV domains commonly use security-related English words

    • e.g., scan, scanner, security, anti-virus, anti-spyware, anti-malware, protect, etc.

  • Two purposes:

    • (1) it provides users with a false sense of security, and

    • (2) it provides the Fake AV distributors with a technique to easily generate domains amenable to domain rotation.
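The two measurements above (how many IPs and ASs host more than one Fake AV domain, and how many domain names follow the security-word naming convention) can be reproduced over a small constructed data set. This is an added example, not code from the paper or from Google's infrastructure; the records, IPs and AS numbers are constructed for illustration.

```python
"""Domain-level measurements from the Fake AV study on a constructed data set.

Each record is (fake_av_domain, hosting_ip, asn). All values below are
constructed for illustration and are not taken from the paper's data set.
"""
from collections import defaultdict

# Constructed sample of Fake AV domains and where each one was hosted.
RECORDS = [
    ("pc-scanner-online.example", "198.51.100.10", 64500),
    ("antivirus-protect2009.example", "198.51.100.10", 64500),
    ("securityscan-now.example", "198.51.100.11", 64500),
    ("best-antispyware.example", "203.0.113.5", 64501),
    ("update-flash-player.example", "203.0.113.6", 64502),
    ("free-antimalware-check.example", "203.0.113.6", 64502),
]

# Security-themed words the paper reports as common in Fake AV domain names,
# with the hyphenated and joined spellings both covered.
SECURITY_WORDS = ("scan", "scanner", "security", "anti-virus", "antivirus",
                  "anti-spyware", "antispyware", "anti-malware", "antimalware",
                  "protect")


def uses_security_theme(domain):
    """True if the domain name contains one of the security-related words."""
    label = domain.lower()
    return any(word in label for word in SECURITY_WORDS)


def shared_hosting_stats(records):
    """Fraction of IPs and ASs hosting more than one Fake AV domain.

    Many domains funnelling into few IPs is the footprint of domain rotation.
    """
    per_ip, per_as = defaultdict(set), defaultdict(set)
    for domain, ip, asn in records:
        per_ip[ip].add(domain)
        per_as[asn].add(domain)
    shared_ip = sum(1 for d in per_ip.values() if len(d) > 1) / len(per_ip)
    shared_as = sum(1 for d in per_as.values() if len(d) > 1) / len(per_as)
    return {"domains": len({r[0] for r in records}), "ips": len(per_ip),
            "ass": len(per_as), "ip_shared_frac": shared_ip,
            "as_shared_frac": shared_as}


def naming_stats(records):
    """(themed domains, total domains) for the naming-convention check."""
    themed = [d for d, _, _ in records if uses_security_theme(d)]
    return len(themed), len(records)
```

On this sample, half of the IPs and two of the three ASs host more than one domain, and 5 of the 6 names carry a security-related word; only the generic "update-flash-player" lure escapes the keyword heuristic, which is why the paper pairs naming with network signals rather than relying on names alone.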

(3) Distributing Fake AV

  • How Fake AV distributors try to reach users, studied through the different types of Landing domains in the data set.

  • How Landing domains are set up to infect end users.

Average number of Landing domains per Infection domain.

Delivery Mechanisms

  • Drive-by Download: the Fake AV malware is delivered and/or run using an exploit without any user interaction

  • Social Engineering: user interaction was required to deliver the Fake AV

  • Approximately 14% of Fake AV domains employed both drive-by downloads and social engineering.

Drive-by Download vs. Social Engineering


  • Fake AVs account for 15% of the malware on the web and depend heavily on user interaction

Thank You

Any Questions?