1 An analysis of rogue AV campaigns Marco Cova, Corrado Leita, Olivier Thonnard Angelos Keromytis, Marc Dacier Symantec Research Labs, France University.

Presentation transcript:

1 An analysis of rogue AV campaigns Marco Cova, Corrado Leita, Olivier Thonnard Angelos Keromytis, Marc Dacier Symantec Research Labs, France University of California Santa Barbara, USA (now University of Birmingham, UK) Columbia University, USA Royal Military Academy, Belgium (now Symantec Research Labs, France) RAID Ottawa, Canada

2 What is rogue security software?

3 Rogue AV software
Goal
– Request for a payment (sometimes after successful installation)
– Facilitate the installation of malware
Propagation
– Lure the user into installing the software (“scareware”)

4 Rogue AV software (screenshot slide)

5 Key question marks
We know a lot about specific instances of this threat and their strategies. What about the infrastructure used to propagate these threats?
1. What is the big picture?
2. How can we dig into the big picture and infer meaningful lessons?
3. Is there anything different from other threat landscapes (e.g. browser exploits)?

6 Contributions
1. Large scale analysis of the Rogue AV distribution infrastructure
2. Demonstration of the usefulness of attack attribution techniques for mining large security datasets
3. Comparison with other threat landscapes, and insights on the threat economics

7 Building the big picture

8 Dataset generation (pipeline diagram)
Rogue AV domains – sources: HARMUR, public domain feeds (Norton safeweb, malwaredomainlist.com)
Information enrichment – DNS information, Whois information, server availability and version, security status (via Robtex.com)
Feature generation – rogue AV domain features:
– Where is the domain content hosted?
– Who registered the domain? On which registrar?
– Is the server up? What version string is it advertising in the HTTP headers?
– What kind of threats are known to be associated with the domain?

9 What did we look at?
6,500 distinct domain names
4,305 web servers
– 2,677 hosting only rogue AV domains (Rogue AV servers): specifically set up for hosting this type of threat?
– 118 hosting rogue AV domains and domains associated with other threats: “malicious servers”?
– 1,510 hosting both rogue AV domains and benign domains: hosting providers?

10 Rogue AV servers: hints of a modus operandi
Preference for certain ASes
– 37% of the domains are registered on just 10 ASes
Preference for certain registrars
– 45% of the domain names were registered through only 29 registrars
Use of anonymous accounts for the domain registration
– 26% of the domains use anonymous domain registration services
– Free providers (gmail, yahoo, …) are very popular
Common server configurations
– Example: Apache/ (Unix) mod_ssl/ OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/ (version strings partly missing in the transcript), found on 69 different servers

11 A complex landscape (graph slide; only servers associated with 100+ domains are represented)

12 Going deeper: rogue AV campaigns

13 Attack attribution
Multi-Criteria Decision Analysis: automatic grouping of elements likely to share the same root causes
– 127 separate clusters grouping 4,549 domains
– High variance in cluster size
Thonnard et al., “Addressing the attack attribution problem using knowledge discovery and multi-criteria fuzzy decision making”, KDD 09

14 PC Antispyware (cluster graph; legend: /24 network, domain name, web server, web server/DNS server, registrant)

15 PC security (cluster graph; legend: /24 network, domain name, web server, web server/DNS server, registrant)

16 Level of coordination: registration date (chart slide)

17 Level of coordination (chart slide)

18 Threat economics

19 Are these findings specific to the threat landscape?
Experiment: drive-by downloads
– Analysis of 5,304 domains known to be landing pages for the Internet Explorer ADODB.Stream Object Installation Weakness (CVE )
– Repeated feature collection and analysis using MCDA
Only 21 clusters were found, accounting for a total of 201 domains (3.8%)
– The domains under analysis do not share a common infrastructure
– The infrastructure is not actually owned by the perpetrators of the attacks
– Important difference with the Rogue AV scenario
How to justify this difference?

20 Rogue AV economics
What are the costs/revenues associated with the rogue AV business?
Costs (informal survey)
– Average monthly cost: 50$
– Annual domain registration costs: 3-10$
– Total annual costs: 879-2,230$
Revenues
– Average price for a rogue AV: 30-50$
– Client volume: ???
– Total annual revenues: ??

21 Rogue AV servers and Apache mod_status
6 servers (193 domains) were discovered to be offering utilization statistics through the output of Apache mod_status
– Continuous sampling of the output over a period of 44 days
– Filtered out probing/scanning attempts
– Tracked a total of 372,096 distinct IP addresses

22 Behavior evolution (chart: cumulative number of distinct IP addresses for each behavior type)
Successful scans: 25,447
Unsuccessful scans: 306,248
Hit rate: 7.7%
A scan is considered successful if a download is performed by the same IP address within 24 hours
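The successful/unsuccessful scan classification and hit rate from this slide, as an added example that is not part of the original talk: it runs over a constructed set of server log entries (hypothetical request paths /scan.php and /download/… for the fake scan and the binary; /server-status stands in for the probing attempts the authors filtered out) and counts distinct IPs the way the slide defines them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of server activity (IP, ISO timestamp, request path).
# Made up for this example; not data from the paper. The paths are
# hypothetical stand-ins for a "scan" page, a binary download and a probe.
SAMPLE_LOG = """\
203.0.113.5   2009-05-01T10:00:00 /scan.php
203.0.113.5   2009-05-01T10:03:12 /download/AntivirusPro.exe
198.51.100.7  2009-05-01T11:20:00 /scan.php
198.51.100.9  2009-05-02T08:00:00 /scan.php
198.51.100.9  2009-05-03T09:30:00 /download/AntivirusPro.exe
192.0.2.44    2009-05-02T12:00:00 /download/AntivirusPro.exe
192.0.2.77    2009-05-02T13:00:00 /server-status
"""

SCAN_PATH = "/scan.php"            # hypothetical fake-scan page
DOWNLOAD_PREFIX = "/download/"     # hypothetical rogue AV binary location
PROBE_PATHS = {"/server-status"}   # requests treated as probing/scanning noise
WINDOW = timedelta(hours=24)       # slide 22: download within 24 h of the scan

def parse_events(text):
    """Parse 'ip timestamp path' lines into (ip, datetime, path) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ip, ts, path = line.split()
            events.append((ip, datetime.fromisoformat(ts), path))
    return events

def hit_rate(successful, unsuccessful):
    """Hit rate as defined on the slide: successful scans over all scans."""
    total = successful + unsuccessful
    return successful / total if total else 0.0

def hit_rate_report(events):
    """Count distinct scanning IPs as successful (a download by the same IP
    within WINDOW after a scan) or unsuccessful; probes are filtered out."""
    scans, downloads = defaultdict(list), defaultdict(list)
    for ip, when, path in events:
        if path in PROBE_PATHS:
            continue
        if path == SCAN_PATH:
            scans[ip].append(when)
        elif path.startswith(DOWNLOAD_PREFIX):
            downloads[ip].append(when)
    successful = {
        ip for ip, times in scans.items()
        if any(timedelta(0) <= d - s <= WINDOW
               for s in times for d in downloads.get(ip, []))
    }
    ok, bad = len(successful), len(scans) - len(successful)
    return {"successful": ok, "unsuccessful": bad, "hit_rate": hit_rate(ok, bad)}
```

With the slide's own counts, hit_rate(25447, 306248) reproduces the reported 7.7%; the third IP in the sample downloads 25.5 hours after its scan and is therefore counted as unsuccessful.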

23 Completing the table
What are the costs/revenues associated with the rogue AV business?
Costs (informal survey)
– Average monthly cost: 50$
– Annual domain registration costs: 3-10$
– Total annual costs: 879-2,230$
Revenues (pessimistic estimate)
– Average price for a rogue AV: 30-50$
– Expected monetization rate for client hit: 0.26% (in previous studies on spam)
– Client volume over 44 days: 331,695
– Total annual revenues: 214, ,702$

24 Conclusion
Rogue AV landscape
– Complex distribution infrastructures
– High level of automation in their deployment
– Complexity justified by a large return on investment
The methodology is generic
– Correlation is possible only by combining multiple perspectives
– Threat attribution techniques such as MCDA reduce the task of analyzing large security datasets to the analysis of a few groups likely to be associated with the same root cause

25 Thank you!
Corrado Leita –
Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.