An Analysis of Rogue AV Campaigns
Abstract
Rogue antivirus software has recently received extensive attention, justified by how widely and effectively it spreads. We present a longitudinal analysis of the rogue antivirus threat ecosystem, focusing on the structure and dynamics of this threat and its economics. To that end, we compiled and mined a large dataset of characteristics of rogue antivirus domains and of the servers that host them.
The contributions of this paper are threefold. Firstly, we offer the first, to our knowledge, broad analysis of the infrastructure underpinning the distribution of rogue security software by tracking 6,500 malicious domains. Secondly, we show how to apply attack attribution methodologies to correlate campaigns likely to be associated with the same individuals or groups. Using these techniques, we identify 127 rogue security software campaigns comprising 4,549 domains. Finally, we contextualize our findings by comparing them to a different threat ecosystem, that of browser exploits. We underline the profound difference in the structure of the two threats, and we investigate the root causes of this difference by analyzing the economic balance of the rogue antivirus ecosystem. We track 372,096 victims over a period of 2 months and use this information to derive monetization insights. While applied to a specific threat type, the methodology and the lessons learned from this work are of general applicability to develop a better understanding of threat economies.
Keywords
Order Weight Average, Levenshtein Distance, Threat Ecosystem, Threat Type
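The multi-criteria correlation the abstract refers to, reduced to a small worked example (added here; it is not the paper's code, data or exact method): Levenshtein similarity of domain names, registrant equality and a shared hosting /24 are aggregated with an ordered weighted average and then grouped by single linkage. The feature choice, weights, threshold and sample records are assumptions for illustration only.

```python
"""Domain correlation: Levenshtein name similarity plus other features,
aggregated with an Ordered Weighted Average (OWA) and grouped by single linkage."""
from itertools import combinations

def levenshtein(a: str, b: str) -> int:
    """Classic two-row dynamic-programming edit distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def name_similarity(d1: str, d2: str) -> float:
    """Similarity in [0, 1] of the registered names with the TLD stripped."""
    n1, n2 = d1.rsplit(".", 1)[0], d2.rsplit(".", 1)[0]
    return 1.0 - levenshtein(n1, n2) / max(len(n1), len(n2))

def owa(scores, weights):
    """OWA (Yager): weights apply to the rank-ordered scores, not to fixed features."""
    return sum(w * s for w, s in zip(weights, sorted(scores, reverse=True)))

def pair_score(r1, r2, weights):
    """Per-feature similarities of two domain records, aggregated with OWA."""
    sims = [
        name_similarity(r1["domain"], r2["domain"]),
        1.0 if r1["registrant"] == r2["registrant"] else 0.0,
        1.0 if r1["ip"].rsplit(".", 1)[0] == r2["ip"].rsplit(".", 1)[0] else 0.0,  # same /24
    ]
    return owa(sims, weights)

def cluster(records, weights, threshold):
    """Union-find single linkage: pairs scoring >= threshold share a campaign."""
    parent = list(range(len(records)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i
    for i, j in combinations(range(len(records)), 2):
        if pair_score(records[i], records[j], weights) >= threshold:
            parent[find(i)] = find(j)
    groups = {}
    for i, r in enumerate(records):
        groups.setdefault(find(i), []).append(r["domain"])
    return sorted(groups.values(), key=len, reverse=True)

# Constructed sample records (illustrative only, not from the paper's dataset).
SAMPLE = [
    {"domain": "antivirus-scan-pro.example", "registrant": "reg-a@example", "ip": "192.0.2.10"},
    {"domain": "antivirus-scan-plus.example", "registrant": "reg-a@example", "ip": "192.0.2.44"},
    {"domain": "antivir-scan-pro.example", "registrant": "reg-b@example", "ip": "192.0.2.91"},
    {"domain": "securityshieldcenter.example", "registrant": "reg-c@example", "ip": "198.51.100.7"},
]
WEIGHTS = [0.5, 0.35, 0.15]  # "optimistic" OWA: two strong criteria suffice (assumed values)
```

With these weights and a threshold of 0.8, the three scanner-themed domains end up in one group even though no single feature links all of them, while the unrelated domain stays alone.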