1 An analysis of rogue AV campaigns Marco Cova, Corrado Leita, Olivier Thonnard Angelos Keromytis, Marc Dacier Symantec Research Labs, France University of California Santa Barbara, USA (now University of Birmingham, UK) Columbia University, USA Royal Military Academy, Belgium (now Symantec Research Labs, France) RAID Ottawa, Canada

2 What is rogue security software?

Rogue AV software RAID Ottawa, Canada 3 Goal – Request for a payment (sometimes after successful installation) – Facilitate the installation of malware Propagation – Lure the user into installing the software (“scareware”)

Rogue AV software RAID Ottawa, Canada 4

Key question marks We know a lot about specific instances of this threat and their strategies What about the infrastructure used to propagate these threats? 1.What is the big picture? 2.How can we dig into the big picture and infer meaningful lessons? 3.Is there anything different from other threat landscapes (e.g. browser exploits)? RAID Ottawa, Canada 5

Contributions 1.Large scale analysis of the Rogue AV distribution infrastructure 2.Demonstration of the usefulness of attack attribution techniques for mining large security datasets 3.Comparison with other threat landscapes, and insights on the threat economics RAID Ottawa, Canada 6

7 Building the big picture

Feature generation Information enrichment Rogue AV domains Dataset generation RAID Ottawa, Canada 8 HARMUR Public domain feeds  Norton safeweb  malwaredomainlist.com   DNS information Whois information Server availability and version Security status Rogue AV domain features Robtex.com Where is the domain content hosted? Who registered the domain? On which registrar? Is the server up? What version string is it advertising in the HTTP headers? What kind of threats are known to be associated to the domain?

What did we look at? 6,500 distinct domain names 4,305 web servers – 2,677 hosting only rogue AV domains (Rogue AV servers) Specifically setup for hosting this type of threat? – 118 hosting rogue AV domains and domains associated to other threats “Malicious servers”? – 1,510 hosting both rogue AV domains and benign domains Hosting providers? RAID Ottawa, Canada 9

Rogue AV servers: hints of a modus operandi Preference for certain ASes – 37% of the domains are registered on just 10 ASes Preference for certain registrars – 45% of the domain names were registered through only 29 registrars Use of anonymous accounts for the domain registration – 26% of the domains uses anonymous domain registration services – Free providers (gmail, yahoo, …) are very popular Common server configurations – Example: Apache/ (Unix) mod ssl/ OpenSSL/0.9.8i DAV/2 mod auth passthrough/2.1 mod bwlimited/1.4 FrontPage/ Found on 69 different servers RAID Ottawa, Canada 10

RAID Ottawa, Canada 11 ≈ A complex landscape ≈ Only servers associated to 100+ domains are represented

RAID Ottawa, Canada 12 Going deeper: rogue AV campaigns

13 RAID Ottawa, Canada Attack attribution Multi-Criteria Decision Analysis: automatic grouping of elements likely to share the same root causes – 127 separate clusters grouping 4,549 domains – High variance in cluster size 13 Thonnard et al., “Addressing the attack attribution problem using knowledge discovery and multi-criteria fuzzy decision making”, KDD 09

PC Antispyware RAID Ottawa, Canada 14 /24 network Domain name Web server Web server/DNS server Registrant

PC security RAID Ottawa, Canada 15 /24 network Domain name Web server Web server/DNS server Registrant

Level of coordination Registration date 16

Level of coordination 17

RAID Ottawa, Canada 18 Threat economics

Are these findings specific to the threat landscape? Experiment: drive by downloads – Analysis of 5304 domains known to be landing pages for Internet Explorer ADODB.Stream Object Installation Weakness (CVE ) – Repeated feature collection and analysis using MCDA Only 21 clusters were found accounting for a total of 201 domains (3.8%) – The domains under analysis do not share a common infrastructure – The infrastructure is not actually owned by the perpetuators of the attacks – Important difference with the Rogue AV scenario How to justify this difference? RAID Ottawa, Canada 19

Rogue AV economics What are the costs/revenues associated to the rogue AV business? Costs (informal survey) – Average monthly cost: 50$ – Annual domain registration costs:3-10$ – Total annual costs:879-2,230$ Revenues – Average price for a rogue AV: 30-50$ – Client volume??? – Total annual revenues:?? RAID Ottawa, Canada 20

Rogue AV servers and Apache mod_status 6 servers (193 domains) were discovered to be offering utilization statistics through the output of Apache mod_status – Continuous sampling of the output over a period of 44 days – Filtered out probing/scanning attempts – Tracked a total of 372,096 distinct IP addresses RAID Ottawa, Canada 21

Behavior evolution RAID Ottawa, Canada 22 Cumulative number of distinct IP addresses for each behavior type Successful scans: 25,447 Unsuccessful scans: 306,248 Hit rate: 7.7% A scan is considered successful if a download is performed by the same IP address within 24 hours

Completing the table What are the costs/revenues associated to the rogue AV business? Costs (informal survey) – Average monthly cost: 50$ – Annual domain registration costs:3-10$ – Total annual costs:879-2,230$ Revenues (pessimistic estimate) – Average price for a rogue AV: 30-50$ – Expected monetization rate for client hit:0.26% (in previous studies on spam) – Client volume over 44 days:331,695 – Total annual revenues:214, ,702$ RAID Ottawa, Canada 23

Conclusion Rogue AV landscape – Complex distribution infrastructures – High level of automation in their deployment – Complexity justified by a large return on investment The methodology is generic – Correlation is possible only by combining multiple perspectives – Threat attribution techniques such as MCDA reduce the task of analyzing large security datasets to the analysis of few groups likely to be associated to the same root cause RAID Ottawa, Canada 24

Thank you! Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. RAID Ottawa, Canada 25 Corrado Leita –