1 / 0

The Nocebo Effect on the Web: An Analysis of Fake Anti-Virus Distribution

The Nocebo Effect on the Web: An Analysis of Fake Anti-Virus Distribution. Moheeb Abu Rajab, Lucas Ballard, Panayiotis Mavrommatis , Niels Provos , Xin Zhao USENIX (August , 2010) Reporter: 鍾怡傑 2013/08/27. News. 新聞 說 美國聯邦法院 以高達 1.63 億美元 的重罰判決一名 販售假防毒軟體 的 女性

moya
Download Presentation

The Nocebo Effect on the Web: An Analysis of Fake Anti-Virus Distribution

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. The Nocebo Effect on the Web: An Analysis of Fake Anti-Virus Distribution

    Moheeb Abu Rajab, Lucas Ballard, Panayiotis Mavrommatis, NielsProvos, Xin Zhao USENIX (August, 2010) Reporter: 鍾怡傑 2013/08/27
  2. News 新聞說美國聯邦法院以高達1.63億美元的重罰判決一名販售假防毒軟體的女性 透過社交工程陷阱( Social Engineering),欺騙使用者 該集團誘騙橫跨6個國家破百萬名的消費者購買假防毒軟體。 http://blog.trendmicro.com.tw/?p=113
  3. Outline Introduction Background Methodology Data Collection Terminology An Empirical Analysis of Fake Avs Conclusion
  4. Introduction 240 million web pages. Google’s malware detection infrastructure over a 13 month period discovered over 11,000 domains involved in Fake AV distribution. Fake AV currently accounts for 15% of all malware we detect on the web.
  5. Google’s malware detection infrastructure Safe Browsing API, June 2007. See http://code.google.com/apis/safebrowsing/ Safe Browsing diagnostic page. See http://www.google.com/safebrowsing/diagnostic?site=yoursite.com
  6. Introduction No need of vulnerability Fake AVs often are bundled with other malware Social Engineering
  7. Background A web page or binaryis considered as Fake AV. Misinforming users about the computer’s security and attempts to deceive them into buying a “solution” to remove malware
  8. Background - Step Fake AVs offer a free download to scan for malware. Fake AVs pretend to scan computers and claim to find infected files. Paying Registration fee to remove malware.
  9. Background First Fake AVs employed simple javascriptto display an alert that asked users to download the malware.
  10. Background
  11. Background Recent Fake AVs use more complicated javascript to mimic windows environment
  12. Continue unprotected Remove all threats now
  13. Android Fake Defender See http://www.symantec.com/connect/blogs/fakeav-holds-android-phones-ransom
  14. Methodology An un-patched Windows virtual machine run an un-patched version of Internet Explorer. Detection algorithms use signals derived from state changes on the virtual machine network activity scanning results of a group of licenced anti-virus engines to decide definitively whether a page is malicious.
  15. Methodology - Data Collection Subset from scanned pages between January 1, 2009, to January 31, 2010 Reprocessed 240 million pages
  16. Fake AV detection rate over time
  17. Fake AV detection rate over time
  18. Fake AV detection rate over time Though it was still possible to detect the domains distributingthe Fake AVs (top) Number of unique binaries increased from 300/day to1462/day (bottom) The dip in August is due to technical problems in the AVsignature update pipeline The dip in December is due to lack of updates from the AVvendors 1-2 weeks out of date signatures can greatly reduce thedetection rate
  19. Methodology - Terminology Infection Domains: host malicious content Fake AV Domains: serve content with Fake AVs Exploit Domains: serve content with exploits other than Fake AVs Landing Domains: serve webpages that causes the browser to retrieve content from Infection Domains without any user interaction
  20. An Empirical Analysis of Fake Avs Studying three high-level themes: (1) The prevalence of Fake AVs over time, both in absolute terms, and relative to other types of malware (2) The network characteristicsof domains that host Fake AV (3) How Fake AV domains target and distribute malware.
  21. New infection domains per week
  22. (2) Network Characteristics 11,480 Fake AV domains mapped to 2,080 IP addresses and 384 unique Autonomous Systems (ASs). 52% of the ASs hosted more than one Fake AV domain 42% of the IP addresses hosted more than one Fake AV domain
  23. Fake AV domains per IP address
  24. Fake AV domains increases their lifetime decreases
  25. (2) Network CharacteristicsDomain rotation A technique to trick domain-based detection tactics. Allows attackers to drive traffic to a fixed number of IP addresses through multiple domains. Typically accomplished by setting up a number of Landing domains, either as dedicated sites or by infecting legitimate sites.
  26. Table 1: Distribution of Fake AV and Exploit domains across countries.
  27. Fake AV Domain Naming Conventions Fake AV domains commonly use security-related English words e.g., scan, scanner, security, anti-virus, anti-spyware, anti-malware, protect etc. Two purposes: (1) it provides users with a false sense of security, and (2) it provides the Fake AV distributors with a technique to easily generate domains amenable to domain rotation.
  28. (3) Distributing Fake AV How Fake AV distributors try to reach users by studying the different types of Landing domains in our data set. Studying how Landing domains are setup to infect end users.
  29. Average number of Landing domains per Infection domain.
  30. Total number of Landing domains classified by Infection domain.
  31. Sources of Fake AV
  32. Total unique Infection domains encountered via ad networks.
  33. Delivery Mechanisms Drive-by Download: the Fake AV malware is delivered and/or run using an exploit without any user interaction Social Engineering: user interaction was required to deliver the Fake AV Approximately 14% of Fake AV domains employed both drive-by downloads and social engineering.
  34. Drive-by Download vs. Social Engineering
  35. Conclusion 15% of the Internet’s malware is Fake AVs and heavily depends on users interaction
  36. Thank You Any Question?
  37. Reference http://foivos.zakkak.net/presentations/nocebo.pdf
More Related