Strategies for Monitoring Fake AV Distribution Networks

Onur Komili ; Kyle Zeeuwen ; Matei Ripeanu ; Konstantin Beznosov

05 October 2011

Abstract: We perform a study of Fake AV networks advertised via search engine optimization. We use a high interaction fetcher to repeatedly evaluate the networks by querying landing pages that redirect to Fake AV distribution sites. We identify several distinct Fake AV distribution networks, and we show that each network exhibits distinct updating behaviours. We propose optimizations for crawlers that explore Fake AV networks to leverage the strong fan-in property of these networks and, where possible, the periodic update behaviour of the network elements. We evaluate these optimizations and show that they can be used to drastically reduce the number of visits to the network, which in turn reduces the likelihood of being blacklisted.

Keyword(s): malware distribution networks ; adversarial blacklisting ; high interaction honeyclient ; scareware ; fake antivirus

Published in: Onur Komili, Kyle Zeeuwen, Matei Ripeanu, and Konstantin Beznosov. Strategies for Monitoring Fake AV Distribution Networks. In Proceedings of the 21st Virus Bulletin Conference, October 5-7, 2011.:

The record appears in these collections:
Unrefereed Conference Papers

 Record created 2011-10-05, last modified 2013-05-22

Transfer from CDS 0.99.7:
Download fulltext

Rate this document:

Rate this document:
(Not yet reviewed)