Internet Security Seminar 2013 - University of Birmingham (tpc/isecsem/talks/PG.pdf)
Internet Security Seminar 2013
Outline: Introduction, The Case Study, Technical Background, The Underground Economy, The Economic Model, Discussion
An overview of the paper
In-depth analysis of fake Antivirus companies’ operations, with detailed statistics
Management and infrastructure of fake Antivirus campaigns
A financial/mathematical model that describes the refund pattern of this business.
The malware problem
Malware, short for malicious software, is software used by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
Malware types include viruses, spyware, keyloggers, trojan horses, worms, adware, etc.
The real Antivirus (AV) economy
Antivirus is software used to prevent, detect and remove malware. A worldwide software industry has been built around it, providing users with antivirus software, both free and paid.
The rapid growth of the antivirus industry was driven by the increasing number of viruses and by the high demand from users willing to pay to protect their computers and data.
The rise of an underground economy based on fake AV
The basis of this economy: use scareware to frighten the user, convince the user to pay for a licence for software that does nothing, and make money from the fake software licences.
Two basic categories of fake AV:
1. Malware that harms the victim’s computer when installed.
2. Usually harmless software that aims to steal money from the user via fake licences.
○ Is it illegal?
The case study
Three large-scale fake AV “companies” examined ($130 million in revenue).
Data presentation and analysis from acquired back-end servers.
An analysis of the role of the different entities involved (e.g. payment processors, credit card networks).
A proposed mathematical model that characterises these businesses.
Acquiring the servers
Anubis (a dynamic analysis sandbox) was used to run Windows binaries and record their runtime behaviour
Network signatures associated with these fake AVs were observed and used to locate the servers
The hosting providers were informed and took the servers down
Defrauding the user
The fake AV impersonates an antivirus scanner
It displays misleading alerts to exploit the user’s fear of damage to the computer
It pushes the user to buy a licence for software that will supposedly solve the problem
Where and How ?
All three businesses were located in Eastern Europe
They use affiliate networks (partnerka) to distribute the software
The affiliates receive a commission for driving traffic to the malicious pages or for malware installations
Technical Background
Technical observations made from the acquired servers:
Infection methods
○ Social engineering
○ Drive-by-download attacks
○ Botnets
Infrastructure
○ General infrastructure
○ Ways of hiding traces
○ A plethora of domain names as a strategy
Infection via social engineering
JavaScript or Adobe Flash is used to display fake security alerts; links lead to the fake AV software; the victim is convinced to buy a licence.
Infection via drive-by-download attack
The malicious page contains scripts prepared to exploit vulnerabilities in the browser or its plug-ins.
If the exploit succeeds, the fake AV is installed automatically.
The role of blackhat SEO
Techniques for obtaining higher search rankings in an unethical manner (e.g. the attacker’s site is stuffed with popular keywords to mislead the search engine).
Traffic direction systems (TDS) are used as landing pages that redirect the traffic to the malicious content.
The time-to-live of the TDS redirections is very short, which is a constraint for researchers.
Infection via Botnets
Large botnets (e.g. Koobface, Conficker) distribute fake AV software to the machines under their control
Probably the most lucrative infection method
Behaviour after installation
Advertised as a free trial with limited functionality (e.g. detection only)
Provides links that take the user to the web page where a licence can be bought
The licence is sent by e-mail and the fake alerts are deactivated
Some fake AVs lock down system functionality (“for the victim’s own protection”)
Other fake AVs contain backdoor capabilities (e.g. enabling DDoS)
Security Shield (screenshot example)
General infrastructure
Proxy servers relay content to the back-end servers; each proxy has a separate role.
Taking down front-end machines does not have a big impact.
Staying in business
Hiding traces: a multi-tier infrastructure of proxy servers hides the location of the back-end.
Using many domain names: a domain makes the site look legitimate; a large number of domains makes takedown efforts difficult; some domains will become blacklisted.
The Underground Economy
Data collection
Collection period for each company: 3 months for AV1, 16 months for AV2, 30 months for AV3
Web site source code
Samples of fake AV malware
Databases
○ Records of malware installations, fake AV sales, refunds and technical support (!)
The Transaction process
Sales
Factors: aggressiveness of the fake AV software
○ Frequency of alerts
○ Type of threats
○ System’s performance
The prices and subscription models offered
Sales statistics

Subscription (price, share of sales)   AV1               AV2               AV3
6-month                                $49.95 (34.8%)    $49.95 (61.9%)    -
1-year                                 $59.95 (32.9%)    $69.95 (13.5%)    $79.90 (83.2%)
2-year                                 $69.95 (32.3%)    -                 -
Lifetime                               -                 $89.95 (24.6%)    $99.90 (16.8%)

                              AV1                    AV2                     AV3
Installations                 8,403,008              6,624,508               1,969,953
Sales                         189,342 (3 months)     137,219 (16 months)     1,305,640
Total victim loss             $11,303,494            $5,046,508              $116,941,854
Profit/year (extrapolated)    $45,000,000            $3,800,000              $48,400,000
Payment processors (PP)
A PP is necessary to accept credit card payments. A PP must maintain a degree of legitimacy, or it risks losing the ability to accept credit cards.
Fake AV companies use PPs such as Chronopay, which also provide legitimate services to large organisations and thereby earn credibility.
AV1, AV2 and AV3 all used Chronopay for their payment services.
Tricks of a dishonest PP (dPP)
Offers high-risk merchant accounts (charging 15% per transaction)
Allows an illicit company to create multiple merchant accounts; transactions are periodically rotated through the accounts so that no single account is ever flagged for fraudulent activity.
Chargebacks and refunds
Payment processors have to provide a level of protection to consumers.
Chargebacks as a problem: after many chargeback complaints a PP may prohibit further transactions, so chargebacks limit the lifetime of a fake AV operation.
Brand name has an impact: after 3-7 days, victim complaints were easy to find in web forums.
Affiliate programs
Partners earned commissions of 30-80% of sales. The top affiliate for AV1 earned $1.8 million in 2 months; the top affiliate for AV3 earned $3.86 million in less than 2 years.
Not all of the affiliates were paid: AV1 44/140, AV2 98/167, AV3 541/1107
Many were involved in multiple groups.
Payment through WebMoney: anonymous and irreversible transactions, a low transaction fee (0.8%), and accepted in many places.
Shell companies
Used for bank accounts and for receiving remittances from the PP
Help in the cashing-out process and minimise the risk that a ringleader is apprehended
Alternatively, money mules are used: they accept deposits, withdraw the funds and wire the money back.
The victims
Geographic location: US 76.9%, followed by the UK, Canada and Australia
OS and browsers: Windows XP (54.2%), Vista (30.8%), 7 (14.8%); Internet Explorer (65.6%)
E-mail addresses: Yahoo, Gmail, Hotmail, AOL
Two online support systems run by the fake AV operations: problem submission through specific forms, and real-time technical support
The Economic Model
Building a refund pattern
A simple model of refund requests (as a Poisson random variable) is proposed:
$rq_t = \lambda \, s_{t-1}$
Where:
- $s$ denotes the number of sales in a given period.
- $rq$ denotes the number of refund requests in period $t$ that result from the sales $s$ of the previous period.
- $\lambda$ captures the expected portion of buyers from period $t-1$ who will issue a refund request ($rq$) in period $t$.
Interplay of all the factors
Chargebacks are limited because of the interaction with the PP: a threshold is used.
$rf = g(rq, cb)$
If the accumulated chargebacks reach the threshold, the credit card network will sever ties with the firm.
The firm accepts refund requests to prevent the accumulated chargebacks from reaching the threshold.
The generic pattern of refunds
Finally, the refunds follow the pattern:
$rf_t = \alpha \cdot rq_t + \beta \cdot rq_t \cdot I(A)$
Where:
- $rf_t$ = the total refunds given
- $\alpha \cdot rq_t$ = a standard number of accepted refund requests ($\alpha$ is a constant)
- $\beta \cdot rq_t$ = a varied number of accepted requests ($\beta$ is again a constant)
- $I(A)$ = 0 if $A > 0$, and 1 otherwise
Detecting fraudulent firms
The pattern could be observed by the payment processors if they know: the number of chargebacks against the firm at a particular time, the threshold faced by the company, and the number of refunds offered by the firm.
The PP receives a commission but faces the risk of losing business with a credit card company.
The risk of the firm being caught affects the PP, which may be forced to pay all the chargebacks.
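An added worked example covering both the refund model and the detection idea above. It is example code written for this page, not code from the paper or the seminar, and every number in it is an assumption: it simulates $rq_t = \lambda s_{t-1}$ (drawn as a Poisson variable) and $rf_t = \alpha \cdot rq_t + \beta \cdot rq_t \cdot I(A)$, reading $A$ as the headroom that would remain under the card network's chargeback threshold if the firm refunded only its routine $\alpha$ share (so $I(A) = 1$, extra refunds, as soon as that headroom is gone), and then runs the check a payment processor could apply to the sales, refund and chargeback series it already sees. The rolling window, the chargeback rate on refused requests and the firm parameters are constructed.

```python
"""Refund pattern of a fake AV firm under a chargeback threshold.

Added example for this page, not code from the paper or the seminar; every
number here is an assumption. It simulates the slides' model, rq_t = λ·s_{t-1}
(drawn as a Poisson variable) and rf_t = α·rq_t + β·rq_t·I(A), reading A as
the headroom that would remain under the card network's chargeback threshold
if the firm refunded only its routine α share, so that I(A) = 1 (extra
refunds) as soon as that headroom is gone. It then runs the check a payment
processor could apply to the sales, refund and chargeback series it sees.
"""
import math
import random

THRESHOLD = 1850   # chargebacks accumulated over WINDOW periods that end the relationship (assumed)
WINDOW = 3         # periods over which the card network accumulates chargebacks (assumed)
CB_RATE = 0.5      # share of refused refund requests that come back as chargebacks (assumed)


def poisson(mean, rng):
    """Poisson draw: Knuth's method on chunks of mean <= 500 (a sum of
    independent Poissons is Poisson), so exp(-mean) never underflows."""
    total = 0
    while mean > 0:
        chunk = min(mean, 500.0)
        limit, k, p = math.exp(-chunk), 0, 1.0
        while True:
            p *= rng.random()
            if p < limit:
                break
            k += 1
        total += k
        mean -= chunk
    return total


def simulate(sales, lam, alpha, beta, rng):
    """Run the model over a sales series. Each record holds what the payment
    processor observes (sales, refunds, chargebacks, accumulated chargebacks)
    plus the firm's hidden refund requests and indicator."""
    history, window = [], []
    for t in range(1, len(sales)):
        rq = poisson(lam * sales[t - 1], rng)                      # rq_t = λ·s_{t-1}
        accumulated = sum(window)                                  # chargebacks already on the books
        A = THRESHOLD - accumulated - CB_RATE * (1 - alpha) * rq   # headroom with routine refunds only
        I = 0 if A > 0 else 1                                      # slides: I(A) is 0 if A > 0, else 1
        rf = min(rq, round(alpha * rq + beta * rq * I))            # rf_t = α·rq_t + β·rq_t·I(A)
        cb = round(CB_RATE * (rq - rf))                            # refused requests become chargebacks
        window = (window + [cb])[-WINDOW:]
        history.append({"t": t, "prev_sales": sales[t - 1], "requests": rq,
                        "refunds": rf, "chargebacks": cb,
                        "accumulated_before": accumulated, "indicator": I})
    return history


def refund_rates(history, near_fraction=0.4):
    """Mean refunds per prior-period sale, split by whether the firm was within
    `near_fraction` of the threshold when it decided how much to refund.
    Uses only series the payment processor can see."""
    near, far = [], []
    for rec in history:
        rate = rec["refunds"] / rec["prev_sales"]
        headroom = THRESHOLD - rec["accumulated_before"]
        (near if headroom < near_fraction * THRESHOLD else far).append(rate)
    return (sum(near) / len(near) if near else None,
            sum(far) / len(far) if far else None)


def looks_like_threshold_gaming(history, ratio=1.5):
    """Flag a firm whose refund rate jumps only when chargebacks approach the
    threshold: the generic pattern on the slides."""
    near, far = refund_rates(history)
    return near is not None and far is not None and near > ratio * far


def demo(seed=7):
    """Constructed series: flat 40,000 sales per period for 25 periods."""
    rng = random.Random(seed)
    sales = [40_000] * 25
    fake_av = simulate(sales, lam=0.05, alpha=0.30, beta=0.60, rng=rng)  # refunds only to dodge the threshold
    honest = simulate(sales, lam=0.01, alpha=0.90, beta=0.00, rng=rng)   # refunds nearly everyone who asks
    return fake_av, honest


if __name__ == "__main__":
    fake_av, honest = demo()
    for rec in fake_av[:8]:
        print(rec)
    print("fake AV flagged:", looks_like_threshold_gaming(fake_av))  # True
    print("honest flagged:", looks_like_threshold_gaming(honest))    # False
```

With these parameters the fake AV firm settles into a four-period cycle: two periods of routine refunds that push the rolling chargeback total towards the threshold, then two periods of generous refunds that bring it back down, so its refund rate alternates between roughly 1.5% and 4.5% of the previous period's sales in lockstep with the headroom. The honest firm refunds a constant share and never gets near the threshold, so the same check returns False for it.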
Discussion
Ethical considerations
Many ethical issues arise because of the sensitive data.
Measures for protecting privacy: data encryption; automated program analysis; methods adopted from the literature on ethical behaviour in computer security research; approval from the Institutional Review Board (UCSB); information provided to U.S. law enforcement officials.
Related work
Researchers from Google analysed techniques for driving traffic to malicious sites via landing pages: http://krebsonsecurity.com/wp-content/uploads/2010/04/leet10.pdf
Cova et al. presented an analysis of the fake AV structure and tried to measure the number of victims and profits: http://www.cs.columbia.edu/~angelos/Papers/2010/rogueAV.pdf
Techniques to identify drive-by-download attacks: http://pi1.informatik.uni-mannheim.de/filepool/publications/monkey-spider.pdf
In conclusion
Unique research, as it was based on real evidence and data
This underground economy is described by an economic model
The model outlines the distinct characteristics of these operations
The model can be leveraged to detect such fraudulent firms in the future