1 An analysis of rogue AV campaigns Marco Cova, Corrado Leita, Olivier Thonnard Angelos Keromytis, Marc Dacier Symantec Research Labs, France University.


Slide 1: An analysis of rogue AV campaigns
Marco Cova, Corrado Leita, Olivier Thonnard, Angelos Keromytis, Marc Dacier
Affiliations: Symantec Research Labs, France; University of California Santa Barbara, USA (now University of Birmingham, UK); Columbia University, USA; Royal Military Academy, Belgium (now Symantec Research Labs, France)
RAID 2010 - Ottawa, Canada

Slide 2: What is rogue security software?

Slide 3: Rogue AV software
Goal
– Request for a payment (sometimes after successful installation)
– Facilitate the installation of malware
Propagation
– Lure the user into installing the software ("scareware")

Slide 4: Rogue AV software

Slide 5: Key question marks
We know a lot about specific instances of this threat and their strategies. What about the infrastructure used to propagate these threats?
1. What is the big picture?
2. How can we dig into the big picture and infer meaningful lessons?
3. Is there anything different from other threat landscapes (e.g. browser exploits)?

Slide 6: Contributions
1. Large-scale analysis of the rogue AV distribution infrastructure
2. Demonstration of the usefulness of attack attribution techniques for mining large security datasets
3. Comparison with other threat landscapes, and insights on the threat economics

Slide 7: Building the big picture

Slide 8: Dataset generation (pipeline diagram)
Rogue AV domains, collected from:
– HARMUR
– Public domain feeds: Norton Safeweb, malwaredomainlist.com, www.malwareurl.com, www.hosts-file.com
Information enrichment (DNS information, Whois information, server availability and version, security status; Robtex.com)
Feature generation: rogue AV domain features
– Where is the domain content hosted?
– Who registered the domain? On which registrar?
– Is the server up? What version string is it advertising in the HTTP headers?
– What kind of threats are known to be associated to the domain?

Slide 9: What did we look at?
6,500 distinct domain names
4,305 web servers
– 2,677 hosting only rogue AV domains ("rogue AV servers"): specifically set up for hosting this type of threat?
– 118 hosting rogue AV domains and domains associated to other threats: "malicious servers"?
– 1,510 hosting both rogue AV domains and benign domains: hosting providers?
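The three server classes on this slide follow directly from the labels of the domains each server hosts. The following is an added illustration, not code from the paper: it buckets servers from a constructed (server, domain, label) list; the tie-break for a server hosting rogue AV, other-threat and benign domains at once is an assumption the slide does not state.

```python
from collections import defaultdict

# Domain labels as they would come out of the enrichment step on slide 8.
ROGUE, OTHER_THREAT, BENIGN = "rogue_av", "other_threat", "benign"

# Constructed sample: (server_ip, domain, label). IPs and domains are placeholders.
SAMPLE_HOSTING = [
    ("198.51.100.10", "rogue-scan-a.example", ROGUE),
    ("198.51.100.10", "rogue-scan-b.example", ROGUE),
    ("198.51.100.20", "rogue-scan-c.example", ROGUE),
    ("198.51.100.20", "exploit-kit.example", OTHER_THREAT),
    ("198.51.100.30", "rogue-scan-d.example", ROGUE),
    ("198.51.100.30", "bakery.example", BENIGN),
    ("198.51.100.30", "florist.example", BENIGN),
    ("198.51.100.40", "news.example", BENIGN),  # hosts no rogue AV: out of scope
]

def classify_servers(hosting):
    """Map each server to one of the three classes used on the slide.

    rogue_only       -> hosts only rogue AV domains
    malicious        -> hosts rogue AV domains plus domains tied to other threats
    hosting_provider -> hosts rogue AV domains plus benign domains
    Assumption (not stated on the slide): a server hosting rogue AV, other-threat
    and benign domains at the same time is counted as 'malicious'.
    """
    seen = defaultdict(set)
    for server, _domain, label in hosting:
        seen[server].add(label)
    classes = {}
    for server, labels in seen.items():
        if ROGUE not in labels:
            continue  # the dataset starts from rogue AV domains
        if labels == {ROGUE}:
            classes[server] = "rogue_only"
        elif OTHER_THREAT in labels:
            classes[server] = "malicious"
        else:
            classes[server] = "hosting_provider"
    return classes

def class_counts(classes):
    """Count servers per class, the shape of the 2,677 / 118 / 1,510 breakdown."""
    counts = {"rogue_only": 0, "malicious": 0, "hosting_provider": 0}
    for cls in classes.values():
        counts[cls] += 1
    return counts

if __name__ == "__main__":
    print(class_counts(classify_servers(SAMPLE_HOSTING)))
```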

Slide 10: Rogue AV servers: hints of a modus operandi
Preference for certain ASes
– 37% of the domains are registered on just 10 ASes
Preference for certain registrars
– 45% of the domain names were registered through only 29 registrars
Use of anonymous accounts for the domain registration
– 26% of the domains use anonymous domain registration services
– Free email providers (gmail, yahoo, …) are very popular
Common server configurations
– Example: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635, found on 69 different servers

Slide 11: A complex landscape (graph figure)
Only servers associated to 100+ domains are represented

Slide 12: Going deeper: rogue AV campaigns

Slide 13: Attack attribution
Multi-Criteria Decision Analysis (MCDA): automatic grouping of elements likely to share the same root causes
– 127 separate clusters grouping 4,549 domains
– High variance in cluster size
Reference: Thonnard et al., "Addressing the attack attribution problem using knowledge discovery and multi-criteria fuzzy decision making", KDD 09

Slide 14: PC Antispyware (cluster graph)
Legend: /24 network, domain name, web server, web server/DNS server, registrant email

Slide 15: PC security (cluster graph)
Legend: /24 network, domain name, web server, web server/DNS server, registrant email

Slide 16: Level of coordination (figure, x-axis: registration date)

Slide 17: Level of coordination (figure)

Slide 18: Threat economics

Slide 19: Are these findings specific to the threat landscape?
Experiment: drive-by downloads
– Analysis of 5,304 domains known to be landing pages for the Internet Explorer ADODB.Stream Object Installation Weakness (CVE-2006-003)
– Repeated feature collection and analysis using MCDA
Only 21 clusters were found, accounting for a total of 201 domains (3.8%)
– The domains under analysis do not share a common infrastructure
– The infrastructure is not actually owned by the perpetrators of the attacks
– Important difference with the rogue AV scenario
How to justify this difference?

Slide 20: Rogue AV economics
What are the costs/revenues associated to the rogue AV business?
Costs (informal survey)
– Average monthly cost: 50$
– Annual domain registration costs: 3-10$
– Total annual costs: 879-2,230$
Revenues
– Average price for a rogue AV: 30-50$
– Client volume: ???
– Total annual revenues: ??

Slide 21: Rogue AV servers and Apache mod_status
6 servers (193 domains) were discovered to be offering utilization statistics through the output of Apache mod_status
– Continuous sampling of the output over a period of 44 days
– Filtered out probing/scanning attempts
– Tracked a total of 372,096 distinct IP addresses

Slide 22: Behavior evolution (figure: cumulative number of distinct IP addresses for each behavior type)
Successful scans: 25,447
Unsuccessful scans: 306,248
Hit rate: 7.7%
A scan is considered successful if a download is performed by the same IP address within 24 hours

Slide 23: Completing the table
What are the costs/revenues associated to the rogue AV business?
Costs (informal survey)
– Average monthly cost: 50$
– Annual domain registration costs: 3-10$
– Total annual costs: 879-2,230$
Revenues (pessimistic estimate)
– Average price for a rogue AV: 30-50$
– Expected monetization rate for client hit: 0.26% (in previous studies on spam)
– Client volume over 44 days: 331,695
– Total annual revenues: 214,621-357,702$
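The success rule on slide 22 (a download by the same IP within 24 hours of a scan) and the revenue projection on slide 23 (client volume scaled to a year, times the monetization rate, times the price range) can be reproduced with a few lines. This is an added example, not code from the authors; the mod_status observations are a constructed sample, and the figures in the checks are the ones printed on the two slides.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)

# Constructed sample of mod_status observations: (client_ip, timestamp, kind).
# kind is "scan" (request for the fake scanner page) or "download" (the installer).
T0 = datetime(2010, 1, 1, 12, 0)
SAMPLE_EVENTS = [
    ("203.0.113.1", T0, "scan"),
    ("203.0.113.1", T0 + timedelta(hours=2), "download"),   # converts within 24h
    ("203.0.113.2", T0, "scan"),
    ("203.0.113.2", T0 + timedelta(hours=30), "download"),  # too late: unsuccessful
    ("203.0.113.3", T0, "scan"),                            # never downloads
    ("203.0.113.4", T0 + timedelta(hours=1), "download"),   # download before any scan
    ("203.0.113.4", T0 + timedelta(hours=5), "scan"),       # later scan, no download
]

def classify_scans(events):
    """Return (successful, unsuccessful): sets of distinct scanning IPs.
    A scan is successful when the same IP downloads within the 24 hours
    that follow it (the rule stated on slide 22)."""
    scans, downloads = {}, {}
    for ip, ts, kind in events:
        (scans if kind == "scan" else downloads).setdefault(ip, []).append(ts)
    successful, unsuccessful = set(), set()
    for ip, scan_times in scans.items():
        converted = any(timedelta(0) <= dl - s <= WINDOW
                        for s in scan_times for dl in downloads.get(ip, []))
        (successful if converted else unsuccessful).add(ip)
    return successful, unsuccessful

def hit_rate(n_success, n_fail):
    """Share of scanning IPs that went on to download."""
    total = n_success + n_fail
    return n_success / total if total else 0.0

def annual_revenue(clients, days, monetization, price_low, price_high):
    """Slide 23 projection: scale the observed client volume to a year,
    apply the monetization rate, then multiply by the price range."""
    paying_per_year = clients * 365 / days * monetization
    return paying_per_year * price_low, paying_per_year * price_high

if __name__ == "__main__":
    ok, ko = classify_scans(SAMPLE_EVENTS)
    print(len(ok), len(ko), round(hit_rate(len(ok), len(ko)), 3))
    print(annual_revenue(331695, 44, 0.0026, 30, 50))
```

Note that the client volume of 331,695 on slide 23 is exactly the sum of successful and unsuccessful scanning IPs on slide 22.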

Slide 24: Conclusion
Rogue AV landscape
– Complex distribution infrastructures
– High level of automation in their deployment
– Complexity justified by a large return on investment
The methodology is generic
– Correlation is possible only by combining multiple perspectives
– Threat attribution techniques such as MCDA reduce the task of analyzing large security datasets to the analysis of a few groups likely to be associated to the same root cause

Slide 25: Thank you!
Corrado Leita – corrado_leita@symantec.com
Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
