Abstract
Rogue antivirus software has recently received extensive attention, justified by the diffusion and efficacy of its propagation. We present a longitudinal analysis of the rogue antivirus threat ecosystem, focusing on the structure and dynamics of this threat and its economics. To that end, we compiled and mined a large dataset of characteristics of rogue antivirus domains and of the servers that host them.
The contributions of this paper are threefold. Firstly, we offer the first, to our knowledge, broad analysis of the infrastructure underpinning the distribution of rogue security software by tracking 6,500 malicious domains. Secondly, we show how to apply attack attribution methodologies to correlate campaigns likely to be associated to the same individuals or groups. By using these techniques, we identify 127 rogue security software campaigns comprising 4,549 domains. Finally, we contextualize our findings by comparing them to a different threat ecosystem, that of browser exploits. We underline the profound difference in the structure of the two threats, and we investigate the root causes of this difference by analyzing the economic balance of the rogue antivirus ecosystem. We track 372,096 victims over a period of 2 months and we take advantage of this information to retrieve monetization insights. While applied to a specific threat type, the methodology and the lessons learned from this work are of general applicability to develop a better understanding of the threat economies.
This work has been partially supported by the European Commission through project FP7-ICT-216026-WOMBAT funded by the 7th framework program. The opinions expressed in this paper are those of the authors and do not necessarily reflect the views of the European Commission. This work was also partly supported by ONR through Grant N00014-07-1-0907 and the NSF through Grant CNS-09-14845. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the ONR or the NSF. The work of Marco Cova was supported by a fellowship made possible by Symantec Research Labs.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Microsoft Security Intelligence Report, volume 7. Technical report, Microsoft (2009)
Beliakov, G., Pradera, A., Calvo, T.: Aggregation Functions: A Guide for Practitioners. Springer, Berlin (2007)
Bellovin, S.: A Technique for Counting NATted Hosts. In: Proc. of the Internet Measurement Conference (2002)
Correll, S.P., Corrons, L.: The business of rogueware. Technical Report, PandaLabs (July 2009)
Dacier, M., Pham, V., Thonnard, O.: The WOMBAT Attack Attribution method: some results. In: Prakash, A., Sen Gupta, I. (eds.) ICISS 2009. LNCS, vol. 5905, pp. 19–37. Springer, Heidelberg (2009)
Daigle, L.: WHOIS protocol specification. RFC 3912 (September 2004)
Fossi, M., Johnson, E., Turner, D., Mack, T., Blackbird, J., McKinney, D., Low, M.K., Adams, T., Laucht, M.P., Gough, J.: Symantec Report on the Underground Economy. Technical Report, Symantec (2008)
Fossi, M., Turner, D., Johnson, E., Mack, T., Adams, T., Blackbird, J., Low, M.K., McKinney, D., Dacier, M., Keromytis, A., Leita, C., Cova, M., Overton, J., Thonnard, O.: Symantec report on rogue security software. Whitepaper, Symantec (October 2009)
Franklin, J., Paxson, V., Perrig, A., Savage, S.: An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants. In: Proc. of the ACM Conference on Computer and Communications Security (2007)
Herley, C.: So long, and no thanks for the externalities: the rational rejection of security advice by users. In: Proc. of the 2009 New Security Paradigms Workshop (NSPW), pp. 133–144. ACM, New York (2009)
Holz, T., Engelberth, M., Freiling, F.: Learning More about the Underground Economy: A Case-Study of Keyloggers and Dropzones. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 1–18. Springer, Heidelberg (2009)
Holz, T., Steiner, M., Dahl, F., Biersack, E., Freiling, F.: Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm. In: Proc. of the USENIX Workshop on Large-Scale Exploits and Emergent Threats (2008)
Kanich, C., Kreibich, C., Levchenko, K., Enright, B., Voelker, G., Paxson, V., Savage, S.: Spamalytics: An Empirical Analysis of Spam Marketing Conversion. In: Proc. of the ACM Conference on Computer and Communications Security (2008)
Krebs, B.: Massive Profits Fueling Rogue Antivirus Market. In: Washington Post (2009)
McGrath, K., Gupta, M.: Behind Phishing: An Examination of Phisher Modi Operandi. In: Proc. of the USENIX Workshop on Large-Scale Exploits and Emergent Threats (2008)
Moore, T., Clayton, R.: Examining the Impact of Website Take-down on Phishing. In: Proc. of the APWG eCrime Researchers Summit (2007)
Moshchuk, A., Bragin, T., Gribble, S.D., Levy, H.M.: A Crawler-based Study of Spyware on the Web. In: Network and Distributed System Security Symposium, pp. 17–33 (2006)
O’Dea, H.: The Modern Rogue — Malware With a Face. In: Proc. of the Virus Bulletin Conference (2009)
Provos, N., Mavrommatis, P., Rajab, M., Monrose, F.: All Your iFRAMEs Point to Us. In: Proc. of the USENIX Security Symposium (2008)
Rajab, M., Zarfoss, J., Monrose, F., Terzis, A.: A Multifaceted Approach to Understanding the Botnet Phenomenon. In: Proc. of the Internet Measurement Conference (2006)
Rajab, M.A., Ballard, L., Mavrommatis, P., Provos, N., Zhao, X.: The Nocebo Effect on the Web: An Analysis of Fake Anti-Virus Distribution. In: Proc. of the USENIX Workshop on Large-Scale Exploits and Emergent Threats (2010)
Ramachandran, A., Feamster, N., Dagon, D.: Revealing Botnet Membership Using DNSBL Counter-Intelligence. In: Proc. of the Workshop on Steps to Reducing Unwanted Traffic on the Internet, SRUTI (2006)
Shepard, R.N.: Multidimensional scaling, tree fitting, and clustering. Science 210, 390–398 (1980)
Stone-Gross, B., Cova, M., Cavallaro, L., Gilbert, B., Szydlowski, M., Kemmerer, R., Kruegel, C., Vigna, G.: Your Botnet is My Botnet: Analysis of a Botnet Takeover. In: Proc. of the ACM Conference on Computer and Communications Security (2009)
Thonnard, O.: A multi-criteria clustering approach to support attack attribution in cyberspace. PhD thesis, École Doctorale d’Informatique, Télécommunications et Électronique de Paris (March 2010)
Thonnard, O., Mees, W., Dacier, M.: Addressing the attack attribution problem using knowledge discovery and multi-criteria fuzzy decision-making. In: KDD 2009, 15th ACM SIGKDD Conference on Knowledge Discovery and Data Mining, Workshop on CyberSecurity and Intelligence Informatics, Paris, France, June 28-July 1 (December 2009)
Thonnard, O., Mees, W., Dacier, M.: Behavioral Analysis of Zombie Armies. In: Czossek, C., Geers, K. (eds.) The Virtual Battlefield: Perspectives on Cyber Warfare. Cryptology and Information Security Series, vol. 3, pp. 191–210. IOS Press, Amsterdam (2009)
Wang, Y.-M., Beck, D., Jiang, X., Roussev, R.: Automated Web Patrol with Strider HoneyMonkeys. Technical Report MSR-TR-2005-72, Microsoft Research (2005)
Xie, Y., Yu, F., Achan, K., Gillum, E., Goldszmidt, M., Wobber, T.: How Dynamic are IP Addresses? In: Proc. of the Conference of the ACM Special Interest Group on Data Communication, SIGCOMM (2007)
Yager, R.: On ordered weighted averaging aggregation operators in multicriteria decision-making. IEEE Trans. Syst. Man Cybern. 18(1), 183–190 (1988)
Zhuang, L., Dunagan, J., Simon, D., Wang, H., Osipkov, I., Hulten, G., Tygar, J.: Characterizing Botnets from Email Spam Records. In: Proc. of the USENIX Workshop on Large-Scale Exploits and Emergent Threats (2008)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Cova, M., Leita, C., Thonnard, O., Keromytis, A.D., Dacier, M. (2010). An Analysis of Rogue AV Campaigns. In: Jha, S., Sommer, R., Kreibich, C. (eds) Recent Advances in Intrusion Detection. RAID 2010. Lecture Notes in Computer Science, vol 6307. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15512-3_23
Download citation
DOI: https://doi.org/10.1007/978-3-642-15512-3_23
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-15511-6
Online ISBN: 978-3-642-15512-3
eBook Packages: Computer ScienceComputer Science (R0)