An analysis of rogue AV campaigns

Marco Cova, Corrado Leita, Olivier Thonnard, Angelos D. Keromytis, Marc Dacier

Research output: Chapter in Book/Report/Conference proceedingConference contribution

24 Citations (Scopus)

Abstract

Rogue antivirus software has recently received extensive attention, justified by the diffusion and efficacy of its propagation. We present a longitudinal analysis of the rogue antivirus threat ecosystem, focusing on the structure and dynamics of this threat and its economics. To that end, we compiled and mined a large dataset of characteristics of rogue antivirus domains and of the servers that host them. The contributions of this paper are threefold. Firstly, we offer the first, to our knowledge, broad analysis of the infrastructure underpinning the distribution of rogue security software by tracking 6,500 malicious domains. Secondly, we show how to apply attack attribution methodologies to correlate campaigns likely to be associated to the same individuals or groups. By using these techniques, we identify 127 rogue security software campaigns comprising 4,549 domains. Finally, we contextualize our findings by comparing them to a different threat ecosystem, that of browser exploits. We underline the profound difference in the structure of the two threats, and we investigate the root causes of this difference by analyzing the economic balance of the rogue antivirus ecosystem. We track 372,096 victims over a period of 2 months and we take advantage of this information to retrieve monetization insights. While applied to a specific threat type, the methodology and the lessons learned from this work are of general applicability to develop a better understanding of the threat economies.

Original languageEnglish
Title of host publicationLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Pages442-463
Number of pages22
Volume6307 LNCS
DOIs
Publication statusPublished - 2010
Externally publishedYes
Event13th International Symposium on Recent Advances in Intrusion Detection Systems, RAID 2010 - Ottawa, ON
Duration: 15 Sep 201017 Sep 2010

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume6307 LNCS
ISSN (Print)03029743
ISSN (Electronic)16113349

Other

Other13th International Symposium on Recent Advances in Intrusion Detection Systems, RAID 2010
CityOttawa, ON
Period15/9/1017/9/10

Fingerprint

Ecosystem
Software Security
Ecosystems
Longitudinal Analysis
Economics
Methodology
Threefolds
Large Data Sets
Correlate
Efficacy
Servers
Server
Infrastructure
Likely
Attack
Roots
Propagation
Software

ASJC Scopus subject areas

  • Computer Science(all)
  • Theoretical Computer Science

Cite this

Cova, M., Leita, C., Thonnard, O., Keromytis, A. D., & Dacier, M. (2010). An analysis of rogue AV campaigns. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 6307 LNCS, pp. 442-463). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 6307 LNCS). https://doi.org/10.1007/978-3-642-15512-3_23

An analysis of rogue AV campaigns. / Cova, Marco; Leita, Corrado; Thonnard, Olivier; Keromytis, Angelos D.; Dacier, Marc.

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). Vol. 6307 LNCS 2010. p. 442-463 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 6307 LNCS).

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Cova, M, Leita, C, Thonnard, O, Keromytis, AD & Dacier, M 2010, An analysis of rogue AV campaigns. in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). vol. 6307 LNCS, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 6307 LNCS, pp. 442-463, 13th International Symposium on Recent Advances in Intrusion Detection Systems, RAID 2010, Ottawa, ON, 15/9/10. https://doi.org/10.1007/978-3-642-15512-3_23
Cova M, Leita C, Thonnard O, Keromytis AD, Dacier M. An analysis of rogue AV campaigns. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). Vol. 6307 LNCS. 2010. p. 442-463. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). https://doi.org/10.1007/978-3-642-15512-3_23
Cova, Marco ; Leita, Corrado ; Thonnard, Olivier ; Keromytis, Angelos D. ; Dacier, Marc. / An analysis of rogue AV campaigns. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). Vol. 6307 LNCS 2010. pp. 442-463 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).
@inproceedings{f5bc3cccf54c409896e2e612f159ef9c,
title = "An analysis of rogue AV campaigns",
abstract = "Rogue antivirus software has recently received extensive attention, justified by the diffusion and efficacy of its propagation. We present a longitudinal analysis of the rogue antivirus threat ecosystem, focusing on the structure and dynamics of this threat and its economics. To that end, we compiled and mined a large dataset of characteristics of rogue antivirus domains and of the servers that host them. The contributions of this paper are threefold. Firstly, we offer the first, to our knowledge, broad analysis of the infrastructure underpinning the distribution of rogue security software by tracking 6,500 malicious domains. Secondly, we show how to apply attack attribution methodologies to correlate campaigns likely to be associated to the same individuals or groups. By using these techniques, we identify 127 rogue security software campaigns comprising 4,549 domains. Finally, we contextualize our findings by comparing them to a different threat ecosystem, that of browser exploits. We underline the profound difference in the structure of the two threats, and we investigate the root causes of this difference by analyzing the economic balance of the rogue antivirus ecosystem. We track 372,096 victims over a period of 2 months and we take advantage of this information to retrieve monetization insights. While applied to a specific threat type, the methodology and the lessons learned from this work are of general applicability to develop a better understanding of the threat economies.",
author = "Marco Cova and Corrado Leita and Olivier Thonnard and Keromytis, {Angelos D.} and Marc Dacier",
year = "2010",
doi = "10.1007/978-3-642-15512-3_23",
language = "English",
isbn = "3642155111",
volume = "6307 LNCS",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "442--463",
booktitle = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

}

TY - GEN

T1 - An analysis of rogue AV campaigns

AU - Cova, Marco

AU - Leita, Corrado

AU - Thonnard, Olivier

AU - Keromytis, Angelos D.

AU - Dacier, Marc

PY - 2010

Y1 - 2010

N2 - Rogue antivirus software has recently received extensive attention, justified by the diffusion and efficacy of its propagation. We present a longitudinal analysis of the rogue antivirus threat ecosystem, focusing on the structure and dynamics of this threat and its economics. To that end, we compiled and mined a large dataset of characteristics of rogue antivirus domains and of the servers that host them. The contributions of this paper are threefold. Firstly, we offer the first, to our knowledge, broad analysis of the infrastructure underpinning the distribution of rogue security software by tracking 6,500 malicious domains. Secondly, we show how to apply attack attribution methodologies to correlate campaigns likely to be associated to the same individuals or groups. By using these techniques, we identify 127 rogue security software campaigns comprising 4,549 domains. Finally, we contextualize our findings by comparing them to a different threat ecosystem, that of browser exploits. We underline the profound difference in the structure of the two threats, and we investigate the root causes of this difference by analyzing the economic balance of the rogue antivirus ecosystem. We track 372,096 victims over a period of 2 months and we take advantage of this information to retrieve monetization insights. While applied to a specific threat type, the methodology and the lessons learned from this work are of general applicability to develop a better understanding of the threat economies.

AB - Rogue antivirus software has recently received extensive attention, justified by the diffusion and efficacy of its propagation. We present a longitudinal analysis of the rogue antivirus threat ecosystem, focusing on the structure and dynamics of this threat and its economics. To that end, we compiled and mined a large dataset of characteristics of rogue antivirus domains and of the servers that host them. The contributions of this paper are threefold. Firstly, we offer the first, to our knowledge, broad analysis of the infrastructure underpinning the distribution of rogue security software by tracking 6,500 malicious domains. Secondly, we show how to apply attack attribution methodologies to correlate campaigns likely to be associated to the same individuals or groups. By using these techniques, we identify 127 rogue security software campaigns comprising 4,549 domains. Finally, we contextualize our findings by comparing them to a different threat ecosystem, that of browser exploits. We underline the profound difference in the structure of the two threats, and we investigate the root causes of this difference by analyzing the economic balance of the rogue antivirus ecosystem. We track 372,096 victims over a period of 2 months and we take advantage of this information to retrieve monetization insights. While applied to a specific threat type, the methodology and the lessons learned from this work are of general applicability to develop a better understanding of the threat economies.

UR - http://www.scopus.com/inward/record.url?scp=78249283520&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=78249283520&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-15512-3_23

DO - 10.1007/978-3-642-15512-3_23

M3 - Conference contribution

AN - SCOPUS:78249283520

SN - 3642155111

SN - 9783642155116

VL - 6307 LNCS

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 442

EP - 463

BT - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

ER -