The Nocebo Effect on the Web: An Analysis of Fake Anti-Virus Distribution Moheeb Abu Rajab, Lucas Ballard, Panayiotis Mavrommatis, Niels Provos, Xin Zhao.

The Nocebo Effect on the Web: An Analysis of Fake Anti-Virus Distribution. Moheeb Abu Rajab, Lucas Ballard, Panayiotis Mavrommatis, Niels Provos, Xin Zhao. USENIX LEET '10 (April 2010). Reporter: 鍾怡傑, 2013/08/27

News: A US federal court has fined a woman who sold fake anti-virus software as much as US$163 million. Using social engineering traps, the group deceived users; it tricked more than a million consumers across 6 countries into buying fake anti-virus software.

Outline: Introduction; Background; Methodology (Data Collection, Terminology); An Empirical Analysis of Fake AVs; Conclusion

Introduction: Over a 13-month period, 240 million web pages were analysed with Google's malware detection infrastructure. The analysis found over 11,000 domains involved in Fake AV distribution. Fake AV currently accounts for 15% of all malware detected on the web.

Google's malware detection infrastructure: Safe Browsing API (June). See the Safe Browsing diagnostic page: …stic?site=yoursite.com

Introduction: Fake AVs do not need a software vulnerability; they rely on social engineering. Fake AVs are often bundled with other malware.

Background: A web page or binary is considered Fake AV if it misinforms users about their computer's security and attempts to deceive them into buying a "solution" to remove malware.

Background - Steps: 1. The Fake AV offers a free download to scan for malware. 2. The Fake AV pretends to scan the computer and claims to find infected files. 3. The user is asked to pay a registration fee to remove the "malware".

Background: The first Fake AVs employed simple JavaScript to display an alert that asked users to download the malware.

Recent Fake AVs use more complicated JavaScript to mimic the Windows environment.

(Screenshot of a Fake AV dialog; its two choices read "Remove all threats now" and "Continue unprotected".)

Android Fake Defender. See: …eav-holds-android-phones-ransom

Methodology: An un-patched Windows virtual machine runs an un-patched version of Internet Explorer. Detection algorithms use signals derived from
– state changes on the virtual machine,
– network activity, and
– scanning results from a group of licensed anti-virus engines
to decide definitively whether a page is malicious.

Methodology - Data Collection: A subset of the pages scanned between January 1, 2009 and January 31, 2010; 240 million pages were reprocessed.

Fake AV detection rate over time

Notes on the figure:
– Even when AV signatures missed the binaries, it was still possible to detect the domains distributing the Fake AVs (top).
– The number of unique binaries increased from about 300/day to 1,462/day (bottom).
– The dip in August is due to technical problems in the AV signature update pipeline.
– The dip in December is due to a lack of updates from the AV vendors.
– Signatures that are 1-2 weeks out of date can greatly reduce the detection rate.

Methodology - Terminology:
Infection Domains: host malicious content.
– Fake AV Domains: serve content with Fake AVs.
– Exploit Domains: serve content with exploits other than Fake AVs.
Landing Domains: serve web pages that cause the browser to retrieve content from Infection Domains without any user interaction.

An Empirical Analysis of Fake AVs. Three high-level themes are studied:
– (1) The prevalence of Fake AVs over time, both in absolute terms and relative to other types of malware.
– (2) The network characteristics of domains that host Fake AV.
– (3) How Fake AV domains target and distribute malware.

New infection domains per week

(2) Network Characteristics: 11,480 Fake AV domains mapped to 2,080 IP addresses and 384 unique Autonomous Systems (ASes). 52% of the ASes hosted more than one Fake AV domain; 42% of the IP addresses hosted more than one Fake AV domain.

Fake AV domains per IP address

As the number of Fake AV domains increases, their lifetime decreases.

(2) Network Characteristics - Domain rotation: A technique to evade domain-based detection. It allows attackers to drive traffic to a fixed number of IP addresses through many different domains. It is typically accomplished by setting up a number of Landing domains, either as dedicated sites or by infecting legitimate sites.

Table 1: Distribution of Fake AV and Exploit domains across countries.

Fake AV Domain Naming Conventions: Fake AV domains commonly use security-related English words, e.g. scan, scanner, security, anti-virus, anti-spyware, anti-malware, protect, etc. This serves two purposes:
– (1) it gives users a false sense of security, and
– (2) it gives the Fake AV distributors a technique to easily generate domains amenable to domain rotation.
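The three preceding slides (domains per IP and AS, domain rotation, and the keyword-based naming convention) describe measurements and a heuristic that are easy to reproduce on a DNS/crawl log. The following Python block is an added example written for this page, not code from the paper or from Google; the observation records, the address ranges, the keyword list and the rotation thresholds (at least two domains on one IP, median lifetime of a week or less) are constructed assumptions, and the keywords are taken from the slide with hyphens dropped so that "anti-virus" and "antivirus" normalise to the same token.

```python
"""Added example: hosting-infrastructure analysis of Fake AV domains.

Constructed observations, not data from the paper."""
from collections import defaultdict
from datetime import date
from statistics import median

# Each record: (domain, IP address, ASN, first seen, last seen).
# All values are made up for illustration (documentation IP and ASN ranges).
OBSERVATIONS = [
    ("antivirus-scan-online.example",    "203.0.113.10", 64500, date(2009, 6, 1),  date(2009, 6, 3)),
    ("pc-security-scanner.example",      "203.0.113.10", 64500, date(2009, 6, 3),  date(2009, 6, 5)),
    ("best-antispyware-protect.example", "203.0.113.10", 64500, date(2009, 6, 5),  date(2009, 6, 6)),
    ("quick-malware-scan.example",       "203.0.113.11", 64500, date(2009, 6, 2),  date(2009, 6, 4)),
    ("free-antimalware-check.example",   "203.0.113.11", 64500, date(2009, 6, 4),  date(2009, 6, 5)),
    ("travel-photos.example",            "198.51.100.7", 64501, date(2009, 1, 10), date(2010, 1, 30)),
    ("my-recipes-blog.example",          "198.51.100.8", 64502, date(2009, 2, 1),  date(2010, 1, 30)),
]

# Keyword list from the slide, hyphens dropped ("anti-virus" -> "antivirus").
SECURITY_WORDS = ("scan", "security", "antivirus", "antispyware", "antimalware", "protect")

DOMAIN, IP, ASN, FIRST, LAST = range(5)


def domains_per_key(observations, key):
    """Map each IP (key=IP) or AS (key=ASN) to the set of domains it hosted."""
    groups = defaultdict(set)
    for obs in observations:
        groups[obs[key]].add(obs[DOMAIN])
    return dict(groups)


def fraction_hosting_multiple(groups):
    """Share of IPs or ASes hosting more than one domain (the slide's 42% / 52%)."""
    return sum(1 for doms in groups.values() if len(doms) > 1) / len(groups)


def security_word_hits(domain):
    """Security-related words embedded in the registered label, after normalisation."""
    label = domain.rsplit(".", 1)[0].replace("-", "").replace(".", "").lower()
    return {w for w in SECURITY_WORDS if w in label}


def rotation_candidates(observations, min_domains=2, max_median_days=7):
    """IPs that look like rotation targets: several domains, each short-lived.

    The thresholds are assumptions for this example, not values from the paper."""
    lifetimes = defaultdict(list)
    for obs in observations:
        lifetimes[obs[IP]].append((obs[LAST] - obs[FIRST]).days)
    return {ip for ip, days in lifetimes.items()
            if len(days) >= min_domains and median(days) <= max_median_days}


def suspicious_domains(observations):
    """Domains carrying a security keyword that sit on a rotation-candidate IP."""
    rotating = rotation_candidates(observations)
    return sorted(obs[DOMAIN] for obs in observations
                  if obs[IP] in rotating and security_word_hits(obs[DOMAIN]))


if __name__ == "__main__":
    by_ip = domains_per_key(OBSERVATIONS, IP)
    by_as = domains_per_key(OBSERVATIONS, ASN)
    print(f"IPs hosting more than one domain:  {fraction_hosting_multiple(by_ip):.0%}")
    print(f"ASes hosting more than one domain: {fraction_hosting_multiple(by_as):.0%}")
    print("rotation candidates:", sorted(rotation_candidates(OBSERVATIONS)))
    print("suspicious domains:", suspicious_domains(OBSERVATIONS))
```

The keyword check alone would also flag legitimate security vendors, which is why the example only reports a domain when the lexical signal coincides with the hosting pattern; on real data the lifetime threshold should be tuned against the observed distribution rather than fixed at a week.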

(3) Distributing Fake AV: How Fake AV distributors reach users, studied through the different types of Landing domains in the data set, and how Landing domains are set up to infect end users.

Average number of Landing domains per Infection domain.

Total number of Landing domains classified by Infection domain.

Sources of Fake AV

Total unique Infection domains encountered via ad networks.

Delivery Mechanisms:
– Drive-by Download: the Fake AV malware is delivered and/or run using an exploit, without any user interaction.
– Social Engineering: user interaction was required to deliver the Fake AV.
Approximately 14% of Fake AV domains employed both drive-by downloads and social engineering.
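The methodology slide lists the three signal families the VM-based detector combines (state changes, network activity, AV scan results), and the slide above splits Fake AV domains by whether user interaction was needed. The Python block below is an added example written for this page, not code from the paper or from Google's infrastructure: it turns per-visit signals of that kind into a malicious/benign verdict and a delivery label, then computes the share of infection domains seen using both mechanisms. The Visit schema, the two-engine threshold and the visit records are constructed assumptions. One record deliberately has zero AV hits, mirroring the stale-signature caveat from the detection-rate figure: the behavioural signals still convict it.

```python
"""Added example: honeyclient verdict and delivery-mechanism labelling.

All records and thresholds below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Visit:
    """Signals collected while the VM loaded one landing page (assumed schema)."""
    landing_domain: str
    infection_domain: str
    new_processes: list = field(default_factory=list)  # processes spawned outside the browser
    autorun_keys: list = field(default_factory=list)   # registry persistence written
    exe_downloads: list = field(default_factory=list)  # executables fetched over the network
    av_hits: int = 0                                   # engines flagging a downloaded binary
    exploit_observed: bool = False                     # exploit activity seen in the browser
    user_interaction: bool = False                     # payload only arrived after a simulated click


AV_MIN_ENGINES = 2  # assumed: two engines must agree before AV results alone convict


def is_malicious(v):
    """Combine VM state changes, network activity and AV results into one verdict."""
    state_change = bool(v.new_processes or v.autorun_keys)
    flagged_binary = bool(v.exe_downloads) and v.av_hits >= AV_MIN_ENGINES
    return v.exploit_observed or state_change or flagged_binary


def delivery_mechanism(v):
    """'drive-by' when the payload arrived without interaction, else 'social-engineering'."""
    if not is_malicious(v):
        return None
    if v.exploit_observed or not v.user_interaction:
        return "drive-by"
    return "social-engineering"


def mechanisms_per_domain(visits):
    """Set of delivery mechanisms observed for each infection domain."""
    per = defaultdict(set)
    for v in visits:
        m = delivery_mechanism(v)
        if m:
            per[v.infection_domain].add(m)
    return dict(per)


def share_using_both(per_domain):
    """Fraction of infection domains seen with both mechanisms (the slide's 14%)."""
    if not per_domain:
        return 0.0
    return sum(1 for ms in per_domain.values() if len(ms) == 2) / len(per_domain)


# Constructed visit records (not observations from the paper).
VISITS = [
    Visit("blog.example", "av-scan-now.example", new_processes=["setup.exe"],
          exe_downloads=["setup.exe"], av_hits=3, exploit_observed=True),
    # Same infection domain, delivered by a fake alert; no engine flagged the dropper.
    Visit("forum.example", "av-scan-now.example", new_processes=["installer.exe"],
          exe_downloads=["installer.exe"], av_hits=0, user_interaction=True),
    Visit("news.example", "security-check.example",
          autorun_keys=[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\av2009"],
          exe_downloads=["AntiVirus2009.exe"], av_hits=2, user_interaction=True),
    Visit("shop.example", "static-cdn.example"),  # benign: no signals at all
    Visit("blog.example", "update-center.example", new_processes=["svchost32.exe"],
          exe_downloads=["upd.exe"], av_hits=1, exploit_observed=True),
]


if __name__ == "__main__":
    for v in VISITS:
        print(f"{v.landing_domain:>14} -> {v.infection_domain:<24} {delivery_mechanism(v)}")
    per = mechanisms_per_domain(VISITS)
    print(f"infection domains using both mechanisms: {share_using_both(per):.0%}")
```

The verdict deliberately does not depend on AV results alone: the second record would be missed by a signature-only pipeline, which is the failure mode the August and December dips illustrate, but the spawned process still marks the visit as malicious.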

Drive-by Download vs. Social Engineering

Conclusion: Fake AV accounts for 15% of the malware detected on the web, and it depends heavily on user interaction.

Thank you. Any questions?
