
The Nocebo Effect on the Web: An Analysis of Fake Anti-Virus Distribution Moheeb Abu Rajab, Lucas Ballard, Panayiotis Mavrommatis, Niels Provos, Xin Zhao.

Presentation transcript:

1 The Nocebo Effect on the Web: An Analysis of Fake Anti-Virus Distribution Moheeb Abu Rajab, Lucas Ballard, Panayiotis Mavrommatis, Niels Provos, Xin Zhao USENIX (August, 2010) Reporter: 鍾怡傑 2013/08/27

2 News: A US federal court imposed a fine of up to USD 163 million on a woman who sold fake anti-virus software. Users were deceived through social engineering traps. The group tricked more than a million consumers across 6 countries into buying fake anti-virus software. http://blog.trendmicro.com.tw/?p=113

3 Outline: Introduction; Background; Methodology – Data Collection – Terminology; An Empirical Analysis of Fake AVs; Conclusion

4 Introduction: Analysis of 240 million web pages. Over a 13-month period, Google’s malware detection infrastructure discovered over 11,000 domains involved in Fake AV distribution. Fake AV currently accounts for 15% of all malware we detect on the web.

5 Google’s malware detection infrastructure: Safe Browsing API, June 2007. See http://code.google.com/apis/safebrowsing/ Safe Browsing diagnostic page. See http://www.google.com/safebrowsing/diagnostic?site=yoursite.com

6 Introduction: No vulnerability is needed. Fake AVs are often bundled with other malware. Social engineering.

7 Background: A web page or binary is considered Fake AV if it – misinforms users about the computer’s security and – attempts to deceive them into buying a “solution” to remove malware.

8 Background - Steps: 1. Fake AVs offer a free download to scan for malware. 2. Fake AVs pretend to scan the computer and claim to find infected files. 3. The user pays a registration fee to remove the malware.

9 Background: The first Fake AVs employed simple JavaScript to display an alert that asked users to download the malware.

10 Background

11 Recent Fake AVs use more complicated JavaScript to mimic the Windows environment.

12

13

14 Remove all threats now Continue unprotected

15

16

17 Android Fake Defender. See http://www.symantec.com/connect/blogs/fakeav-holds-android-phones-ransom

18 Methodology: An un-patched Windows virtual machine runs an un-patched version of Internet Explorer. Detection algorithms use signals derived from – state changes on the virtual machine, – network activity, and – scanning results of a group of licensed anti-virus engines, to decide definitively whether a page is malicious.

19 Methodology - Data Collection: A subset of the pages scanned between January 1, 2009 and January 31, 2010; 240 million pages were reprocessed.

20 Fake AV detection rate over time

21

22 Though it was still possible to detect the domains distributing the Fake AVs (top), the number of unique binaries increased from 300/day to 1462/day (bottom). The dip in August is due to technical problems in the AV signature update pipeline; the dip in December is due to a lack of updates from the AV vendors. Signatures that are 1-2 weeks out of date can greatly reduce the detection rate.

23 Methodology - Terminology: Infection Domains: host malicious content – Fake AV Domains: serve content with Fake AVs – Exploit Domains: serve content with exploits other than Fake AVs. Landing Domains: serve web pages that cause the browser to retrieve content from Infection Domains without any user interaction.

24 An Empirical Analysis of Fake AVs: Studying three high-level themes: – (1) The prevalence of Fake AVs over time, both in absolute terms and relative to other types of malware – (2) The network characteristics of domains that host Fake AV – (3) How Fake AV domains target and distribute malware.

25 New infection domains per week

26 (2) Network Characteristics: 11,480 Fake AV domains mapped to 2,080 IP addresses and 384 unique Autonomous Systems (ASs). 52% of the ASs hosted more than one Fake AV domain; 42% of the IP addresses hosted more than one Fake AV domain.

27 Fake AV domains per IP address

28 As the number of Fake AV domains increases, their lifetime decreases.

29 (2) Network Characteristics - Domain rotation: A technique to evade domain-based detection tactics. It allows attackers to drive traffic to a fixed number of IP addresses through multiple domains. Typically accomplished by setting up a number of Landing domains, either as dedicated sites or by infecting legitimate sites.

30 Table 1: Distribution of Fake AV and Exploit domains across countries.

31 Fake AV Domain Naming Conventions: Fake AV domains commonly use security-related English words – e.g., scan, scanner, security, anti-virus, anti-spyware, anti-malware, protect, etc. This serves two purposes: – (1) it provides users with a false sense of security, and – (2) it provides the Fake AV distributors with a technique to easily generate domains amenable to domain rotation.
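As an added example (not code from the paper or these slides), the following script turns the observations of slides 26, 29 and 31 into a defender's triage check over a constructed sample of domain/IP/AS records: it flags domains that follow the security-keyword naming convention, measures how concentrated the hosting is per IP and per AS, and lists IPs that host several keyword-named domains as likely domain-rotation endpoints. The domain names, IP addresses and AS numbers are made up (documentation ranges), and the keyword list is the one quoted on slide 31.

```python
from collections import defaultdict

# Constructed sample (domain, IP address, AS number); hypothetical values,
# using RFC 5737 documentation addresses and RFC 5398 private AS numbers.
SAMPLE_RECORDS = [
    ("scan-protect-now.example", "192.0.2.10", 64496),
    ("antispyware-center.example", "192.0.2.10", 64496),
    ("security-scanner-pro.example", "192.0.2.11", 64496),
    ("antivirus-update.example", "198.51.100.5", 64497),
    ("news-daily.example", "203.0.113.7", 64498),
]

# Security-related words from slide 31; hyphens are stripped so that
# "anti-virus", "anti_virus" and "antivirus" all match the same entry.
SECURITY_WORDS = ("scan", "scanner", "security", "anti-virus",
                  "anti-spyware", "anti-malware", "protect")


def has_security_keyword(domain):
    """True if the domain name contains any of the security-related words."""
    label = domain.lower().replace("-", "").replace("_", "")
    return any(word.replace("-", "") in label for word in SECURITY_WORDS)


def keyword_domains(records):
    """Domains that follow the Fake AV naming convention, in input order."""
    return [domain for domain, _, _ in records if has_security_keyword(domain)]


def concentration(records):
    """Group domains by IP and by AS.

    Returns (domains_by_ip, share_of_ips_with_multiple_domains,
             share_of_ases_with_multiple_domains), mirroring the 42% / 52%
    figures reported on slide 26.
    """
    by_ip, by_as = defaultdict(set), defaultdict(set)
    for domain, ip, asn in records:
        by_ip[ip].add(domain)
        by_as[asn].add(domain)
    ip_share = sum(1 for ds in by_ip.values() if len(ds) > 1) / len(by_ip)
    as_share = sum(1 for ds in by_as.values() if len(ds) > 1) / len(by_as)
    return dict(by_ip), ip_share, as_share


def rotation_candidates(records, min_domains=2):
    """IPs hosting at least min_domains keyword-named domains: the fixed
    endpoints that domain rotation (slide 29) drives traffic to."""
    by_ip, _, _ = concentration(records)
    return sorted(ip for ip, ds in by_ip.items()
                  if sum(has_security_keyword(d) for d in ds) >= min_domains)
```

On the sample, four of the five domains carry a security keyword, one IP and one AS host more than one domain, and 192.0.2.10 is the only rotation candidate.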

32 (3) Distributing Fake AV: How Fake AV distributors try to reach users, studied through the different types of Landing domains in our data set, and how Landing domains are set up to infect end users.

33 Average number of Landing domains per Infection domain.

34 Total number of Landing domains classified by Infection domain.

35 Sources of Fake AV

36 Total unique Infection domains encountered via ad networks.

37 Delivery Mechanisms: Drive-by Download: the Fake AV malware is delivered and/or run using an exploit without any user interaction. Social Engineering: user interaction was required to deliver the Fake AV. Approximately 14% of Fake AV domains employed both drive-by downloads and social engineering.

38 Drive-by Download vs. Social Engineering

39 Conclusion: 15% of the Internet’s malware is Fake AV, and it depends heavily on user interaction.

40 Thank You. Any questions?

41 Reference: http://foivos.zakkak.net/presentations/nocebo.pdf
