Internet Security Seminar 2013

Upload: others

Post on 12-Aug-2020

2 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Internet Security Seminar 2013 - University of Birminghamtpc/isecsem/talks/PG.pdf · Internet Security Seminar 2013 ... The Economic Model Discussion . An overview of the paper In-depth

Internet Security Seminar 2013

Page 2

Outline

- Introduction
- The Case Study
- Technical Background
- The Underground Economy
- The Economic Model
- Discussion

Page 3

An overview of the paper

- In-depth analysis of fake Antivirus companies' operations, with detailed statistics
- Management and infrastructure of fake Antivirus campaigns
- A financial/mathematical model that describes the refund pattern of this business

Page 4

The malware problem

- Malware, short for malicious software, is software used by attackers in order to:
  - disrupt computer operation,
  - gather sensitive information,
  - gain access to private computer systems.
- Malware types include viruses, spyware, keyloggers, trojan horses, worms, adware, etc.

Page 5

The real Antivirus (AV) economy

- Antivirus is software used to prevent, detect and remove malware.
- So a software industry has been built worldwide to provide users, with or without cost, with antivirus software.
- The rapid development of the antivirus software industry was based on:
  - the increasing number of viruses,
  - the high demand from users for antivirus, users who are ready to pay in order to protect their computer and data.

Page 6

The rise of an Underground Economy based on fake AV

- The base of this economy:
  - Use scareware to frighten the user
  - Convince the user to pay for a licence of a software which does nothing
  - Make money from fake software licences
- Two basic categories of fake AV:
  1. Malware that harms the victim's computer when installed
  2. Usually harmless software that wants to steal money from the user via fake licences
     - Is it illegal?

Page 7

Outline (section divider): Introduction, The Case Study, Technical Background, The Underground Economy, The Economic Model, Discussion

Page 8

The case study

- Three large-scale fake AV "companies" examined ($130 million in revenue)
- Presentation and analysis of the data from the acquired back-end servers
- An analysis of the role of the different entities involved (e.g. payment processors, credit card networks)
- The suggestion of a mathematical model that describes these businesses

Page 9

Acquiring the servers

- ANUBIS was used to analyse the Windows binaries via runtime (dynamic) analysis
- Network signatures associated with these fake AVs were observed
- The hosting providers were informed and took the servers down

Page 10

Defrauding the user

- The fake AV impersonates an antivirus scanner
- It displays misleading alerts to exploit the user's fear of damage to the computer
- It forces the user to buy a licence for a software that will "solve" the problem

Page 11

Where and How?

- All of the 3 businesses were located in Eastern Europe
- They use affiliate networks (partnerka) to distribute the software
- The affiliates receive a commission for landing traffic on the malicious pages, or for malware installations

Page 12

Outline (section divider): Introduction, The Case Study, Technical Background, The Underground Economy, The Economic Model, Discussion

Page 13

Technical Background

- Technical observations made by acquiring the servers:
  - Infection methods
    - Social engineering
    - Drive-by-download attacks
    - Botnets
  - Infrastructure
    - General infrastructure
    - Ways of hiding traces
    - A plethora of domain names as a strategy

Page 14

Infection via Social Engineering

- Convince the victim to buy a licence
- JavaScript or Adobe Flash is used to display fake security alerts
- Provide links to a fake AV software

Page 15

Infection via drive-by-download attack

- The malicious page has prepared scripts to exploit vulnerabilities (in the browser or its plug-ins)
- In a successful exploit the fake AV is installed automatically

Page 16

The role of Blackhat SEO

- Techniques for gaining higher search rankings in an unethical manner
  - e.g. the attacker's site may contain popular keywords that will confuse the search engine
- Traffic direction systems (TDS) are used as landing pages to direct the traffic to malicious content
- The time-to-live values defined by the TDS are very short, which is a constraint for researchers

Page 17

Infection via Botnets

- Large botnets (e.g. Koobface, Conficker) distribute fake AV software to the machines under their control
- Probably the most lucrative way of infection

Page 18

The behaviour after installation

- Advertised as free trials with limited functionality (e.g. only detection)
- Provide links that connect the users to the web page where they can buy a licence
- The licence is sent by e-mail and the fake alerts are deactivated
- Some fake AV may lock down system functionality ("for the victim's own protection")
- Other fake AV contain backdoor capabilities (enabling DDoS)

Page 19

Security Shield - example

Page 20

General Infrastructure

- Proxy servers relay content to the back-end servers
- Separate roles for each proxy
- Taking down front-end machines doesn't make a big impact

Page 21

Staying in business

- Hiding traces
  - Multi-tier infrastructure of proxy servers to hide the location of the back-end
- Using many domain names
  - The domain makes the site look legitimate
  - A big number of domains makes takedown efforts difficult
  - Some domains will become blacklisted

Page 22

Outline (section divider): Introduction, The Case Study, Technical Background, The Underground Economy, The Economic Model, Discussion

Page 23

Data collection

- Collection period for each company: 3 months for AV1, 16 months for AV2, 30 months for AV3
- Web site source code
- Samples of fake AV malware
- Databases
  - Documentation for malware installations, fake AV sales, refunds and technical support (!)

Page 24

The Transaction process

Page 25

Sales

- Factors:
  - Aggressiveness of the fake AV software
    - Frequency of alerts
    - Type of threats
    - System's performance
  - The price and subscription models offered

Page 26

Sales' statistics

Subscription (price, share of sales) | AV1                  | AV2                   | AV3
-------------------------------------|----------------------|-----------------------|-----------------------
6-month                              | $49.95 (34.8%)       | $49.95 (61.9%)        | -
1-year                               | $59.95 (32.9%)       | $69.95 (13.5%)        | $79.90 (83.2%)
2-years                              | $69.95 (32.3%)       | -                     | -
Lifetime                             | -                    | $89.95 (24.6%)        | $99.90 (16.8%)
Installations                        | 8,403,008            | 6,624,508             | 1,969,953
Sales                                | 189,342 in 3 months  | 137,219 in 16 months  | 91,305,640 in 6 months
Total victim loss                    | $11,303,494          | $5,046,508            | $116,941,854
Profit/year (extrapolated)           | $45,000,000          | $3,800,000            | $48,400,000

(Column assignment follows the slide's layout; the subscription shares of each company sum to 100%.)

Page 27

Payment Processors (PP)

- PPs are necessary for credit card payments
- A PP must maintain a degree of legitimacy
- A PP risks losing the ability to accept credit cards
- Fake AV companies use PPs, such as Chronopay, which provide legitimate services to large organisations and thereby earn credibility
- AV1, AV2 and AV3 used Chronopay for their payment services

Page 28

Tricks of dishonest PPs (dPP)

- Offer high-risk merchant accounts (15% fee on each transaction)
- A dPP allows an illicit company to create multiple merchant accounts, where:
  - Transactions are periodically rotated through each account
  - So no single account is ever flagged for fraudulent activity

Page 29

Chargebacks and Refunds

- Payment processors have to provide a level of protection to the consumers
- Chargebacks as a problem
  - After many chargeback complaints the PP may prohibit further transactions
  - They affect the lifetime of the fake AV operation
- Brand name is a factor that has an impact: after 3-7 days, victim complaints were easy to find in web forums

Page 30

Affiliate Programs

- Partners earned commissions of 30-80% of sales
  - Top affiliate for AV1: $1.8 million in 2 months
  - Top affiliate for AV3: $3.86 million in less than 2 years
- Not all of the affiliates were paid
  - AV1: 44/140 | AV2: 98/167 | AV3: 541/1107
- Many were involved in multiple groups
- Payment through WebMoney
  - Anonymous and irreversible transactions
  - Low transaction fee (0.8%) and many places

Page 31

Shell Companies

- Used for bank accounts and for receiving remittances from the PP
- Help in the cashing-out process
- Minimise the risk of apprehending a ringleader
- Alternatively, money mules are used
  - They accept deposits, withdraw funds and wire the money back

Page 32

The victims

- Geographic location: US 76.9%, then UK, Canada and Australia
- OS and browsers: Windows XP (54.2%), Vista (30.8%), 7 (14.8%); Internet Explorer (65.6%)
- E-mail addresses: Yahoo, Gmail, Hotmail, AOL
- Two fake online support systems
  - Problem submission through specific forms
  - Real-time technical support

Page 33

Outline (section divider): Introduction, The Case Study, Technical Background, The Underground Economy, The Economic Model, Discussion

Page 34

Building a Refund Pattern

- A simple model of refund requests (as a Poisson random variable) is proposed:

$rq_t = \lambda \, s_{t-1}$

Where:
- $s$ denotes the number of sales in a given period.
- $rq$ denotes the number of refund requests that result from $s$ (in a period $t$).
- $\lambda$ captures the expected portion of buyers from period $t-1$ who will issue a refund request ($rq$) in period $t$.

Page 35

Interplay of all the factors

- Chargebacks are limited due to the interaction with the PP
  - A threshold is used
  - $rf = g(rq, cb)$
  - If ... then the credit card network will sever ties with the firm.
- The firm accepts refund requests to avoid the accumulated chargebacks (cb) reaching the threshold

Page 36

The generic pattern of refunds

- Finally, the refunds follow the pattern:

Where:
- $rf_t$ = the total refunds given
- $\alpha \cdot rq_t$ = a standard number of accepted refund requests ($\alpha$ is a constant)
- $\beta \cdot rq_t$ = a varied number of accepted requests ($\beta$ is again a constant)
- the indicator term: if $\{A\} > 0$ it returns 0, else it returns 1

Page 37

Detecting Fraudulent Firms

- The pattern could be observed by the Payment Processors if they know:
  - The number of chargebacks against the firm at a particular time
  - The ... faced by the company
  - The number of refunds offered by the firm
- The PP receives a commission but faces the risk of losing business with the credit card company
- The risk of the firm being caught affects the PP
  - The PP may be forced to pay all the chargebacks
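To make the model of slides 34-37 concrete, here is an added Python example (not code from the slides or from the paper they summarise). It runs $rq_t = \lambda s_{t-1}$ at its Poisson mean over a constructed sales series, and then takes the payment processor's view from slide 37: knowing only refunds, chargebacks and the threshold, it flags a merchant whose refund rate jumps exactly when the chargeback ratio nears the threshold. Assumed beyond the slides: unrefunded requests become chargebacks, the indicator in $rf_t$ fires when the standard refunds alone would breach the threshold, and the 1% threshold and all parameter values are illustrative.

```python
from dataclasses import dataclass

# Constructed sales series (units sold per period); not data from the paper.
SALES = [1000, 1200, 1500, 1800, 2000, 2200, 2500, 2600, 2400, 2300, 2100, 2000]


@dataclass
class Params:
    lam: float = 0.02        # lambda: share of last period's buyers who request a refund
    alpha: float = 0.30      # alpha: share of requests refunded unconditionally
    beta: float = 0.60       # beta: extra share refunded only while the threshold is near
    threshold: float = 0.01  # chargeback ratio at which the card network cuts the firm off (assumed 1%)


def simulate(sales, p):
    """Per-period (t, rq, rf, cb, cumulative chargeback ratio) under the slides' model.

    rq_t = lam * s_{t-1} is taken at its Poisson mean so the run is deterministic.
    Assumed here (the slide's rf_t formula did not survive the transcript): every
    request the firm does not refund becomes a chargeback, and the indicator in
    rf_t = alpha*rq_t + beta*rq_t*indicator is 1 exactly when refunding only
    alpha*rq_t would push the cumulative chargeback ratio over the threshold.
    """
    rows, cum_sales, cum_cb = [], sales[0], 0.0
    for t in range(1, len(sales)):
        rq = p.lam * sales[t - 1]
        cum_sales += sales[t]
        projected = (cum_cb + (1 - p.alpha) * rq) / cum_sales
        indicator = 1 if projected >= p.threshold else 0
        rf = min(rq, p.alpha * rq + p.beta * rq * indicator)
        cb = rq - rf
        cum_cb += cb
        rows.append((t, rq, rf, cb, cum_cb / cum_sales))
    return rows


def flag_threshold_gaming(rows, threshold, min_spread=0.2):
    """Payment-processor view (slide 37): using only refunds, chargebacks and the
    threshold, flag a merchant whose refund rate jumps exactly in the periods in
    which the chargeback ratio had crept closest to the threshold."""
    rates = [rf / rq for _, rq, rf, _, _ in rows]
    if max(rates) - min(rates) < min_spread:
        return False  # steady refund behaviour: no threshold-gaming signal
    cut = (max(rates) + min(rates)) / 2
    # pressure the firm saw before deciding on period t: the previous period's ratio
    prev = [0.0] + [ratio for *_, ratio in rows[:-1]]
    high = [prev[i] / threshold for i, r in enumerate(rates) if r > cut]
    low = [prev[i] / threshold for i, r in enumerate(rates) if r <= cut]
    # flagged when every high-refund period was under more pressure than any normal one
    return bool(high) and bool(low) and min(high) > max(low)


if __name__ == "__main__":
    rows = simulate(SALES, Params())
    for t, rq, rf, cb, ratio in rows:
        print(f"t={t:2d} rq={rq:5.1f} rf={rf:5.1f} cb={cb:5.1f} cb_ratio={ratio:.4f}")
    print("flagged:", flag_threshold_gaming(rows, Params().threshold))
```

With these parameters the refund rate sits at 30% and jumps to 90% in periods 4, 7 and 10, each time right after the cumulative chargeback ratio has crept closest to the 1% line; a merchant with a constant refund policy (beta = 0) is not flagged.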

Page 38

Outline (section divider): Introduction, The Case Study, Technical Background, The Underground Economy, The Economic Model, Discussion

Page 39

Ethical Considerations

- A lot of ethical issues because of the sensitive data
- Measures for protecting privacy:
  - Data encryption
  - Automated program analysis
  - Adopted methods from the literature on ethical behaviour in computer security research
  - Approval from the Institutional Review Board (UCSB)
  - Information provided to U.S. law enforcement officials

Page 40

Related Work

- Researchers from Google analysed techniques for driving traffic to malicious sites via landing pages
  http://krebsonsecurity.com/wp-content/uploads/2010/04/leet10.pdf
- Cova et al. presented an analysis of the fake AV structure and tried to measure the number of victims and the profits
  http://www.cs.columbia.edu/~angelos/Papers/2010/rogueAV.pdf
- Techniques to identify drive-by-download attacks
  http://pi1.informatik.uni-mannheim.de/filepool/publications/monkey-spider.pdf

Page 41

In conclusion

- A unique piece of research, as it was based on real evidence and data
- This underground economy is described by an economic model
- The model outlines how these operations have distinct characteristics
- We can leverage the model to detect such fraudulent firms in the future