Introduction The Case Study Technical Background The Underground Economy The Economic Model Discussion

Transcription

1 Internet Security Seminar 2013

2 Introduction The Case Study Technical Background The Underground Economy The Economic Model Discussion

3 An overview of the paper In-depth analysis of fake Antivirus companies operations and detailed stats Management and infrastructure of fake Antivirus campaigns A financial/mathematical model that describes the refund pattern of this business.

4 The malware problems Malware, short for malicious software, is software used by attackers in order to: disrupt computer operation, gather sensitive information, gain access to private computer systems. Malware types include: viruses, spyware, keyloggers, trojan horses, worms, adware, etc

5 The real Antivirus (AV) economy Antivirus is software used to Prevent, detect and remove malware. So a software industry has been built worldwide to provide users with/without cost a promising antivirus software. The rapid development of antivirus software industry was based on The increasing number of viruses the high demand of users for antivirus ready to pay in order to protect their computer & data

6 The raise of an Underground Economy based on fake AV The base of this economy Use scareware to frighten the user Convince the user to pay for a licence of a software which does nothing Making money from fake software licenses Two basic categories of fake AV 1. Malware that harms victim s computer when installed 2. Usually harmless software that wants to steal money from the user via fake licenses. Is it illegal?

8 The case study Three large-scale fake AV companies examined ($130 million dollars revenue). Data presentation and analysis from acquired back-end servers. An analysis of the role of different entities that are involved (i.e. payment processors, credit card networks) The suggestion of a mathematical model which defines these businesses

9 Acquiring the servers ANUBIS was used to analyse Windows binaries via runtime analysis Network signatures associated with these fake AVs observed The hosting providers were informed and took the servers down

10 Defrauding the user The fake AV impersonates an antivirus scanner It displays misleading alerts to exploit user s fear of causing damage to the computer Forces the user to buy a licence for a software that will solve the problem

11 Where and How? All of the 3 business were located in Eastern Europe They use affiliate networks (partnenka) to distribute the software The affiliates receive a commission for landing traffic to the malicious pages, or malware installations

13 Technical Background Technical observations made by acquiring the servers: Infection methods Social Engineering Drive-by-download attacks Botnets Infrastructure General Infrastructure Ways of hiding traces Plethora of domains names as a strategy

14 Infection via Social Engineering Convince the victim to buy a licence JavaScript or Adobe Flash for security alerts Provide links to a fake AV software

15 Infection via drive-by-download attack The malicious page has prepared scripts to exploit vulnerabilities (browser or plug-ins) In a successful exploit the fake AV is installed automatically

16 The role of Blackhat SEO Techniques for higher search rankings in an unethical manner. (i.e. the attacker s site may contain popular keywords that will confuse the search engine) Traffic direction system (TDS): are used as landing pages to direct the traffic to malicious content Time-to-live value defined by TDS are very short which is a constraint for researchers

17 Infection via Botnets Large Botnets (i.e. Koobface, Conficker) distribute fake AV software to machines under their control Probably the most lucrative way of infection

18 The behaviour after installation Advertised as free trials with limited functionality (i.e. only detection) Provide links that connect the users to the webpage where they can buy a licence The licence is sent by and fake alerts are deactivated Some fake AV may lock down system functionality (for victim s own protection) Other fake AV contain backdoor capabilities (enabling DDoS)

19 Security Shield - example

20 General Infrastructure Proxy servers to relay content to back-end servers Separate roles for each proxy Taking down front-end machines doesn t make a big impact

21 Staying in business Hiding traces Multi-tier infrastructure of proxy server to hide the location of the back-end Using many domain names The domain makes the site look legitimate A big number of domains make takedown efforts difficult Some domains will become blacklisted

23 Data collection Collection for each company 3 months for AV 1, 16 months for AV 2, 30 months for AV 3 Web site source code Samples of fake AV malware Databases Documentation for malware installations, fake AV sales, refunds and technical support (!)

24 The Transaction process

25 Sales Factors Aggressiveness of the fake AV s/w Frequency of alerts Type of threats System s performance The price and subscription of the models offered

26 Sales statistics AV1 AV2 AV3 6- month $ % $ % 1- year $ % $ % $ % 2- years $ % Life?me $ % $ % Installa?ons 8,403,008 6,624,508 1,969,953 Sales 189,342 in 3months 137, months 91,305,640 6 months Total vic?m loss $11,303,494 $5,046,508 $116,941,854 Profit/year (extrapolated) $45,000,000 $3,800,000 $48,400,000

27 Payment Processors (PP) PP are necessary for credit card payments. A PP must maintain a degree of legitimacy A PP risk losing the ability to accept credit cards. Fake AV companies use PP, such as Chronopay, which provide legitimate services to large organizations earning reliability. AV1,AV2 and AV3 used Chronopay for their payment services

28 Tricks of dishonest (dpp) Offer high risk merchant accounts (15% for each transaction) A dpp allow an illicit company to create multiple merchant account where Transactions are periodically rotated through each account. Each account is never flagged for fraudulent activities.

29 Chargebacks and Refunds Payment processors Have to provide a level of protection to the consumers Chargebacks as a problem Many chargeback complaints further transactions PP may prohibit They affect the lifetime of the fake AV operation Brand name as a factor that has an impact After 3-7 days, victim complaints were easy to be found in web forums

30 Affiliate Programs Partners earned from commissions 30-80% from sales Top affiliate for AV 1 Top affiliate for AV 3 2 years $1.8 million in 2 months $3.86 million in less than Not all of the affiliates were paid AV 1 : 44/140 AV 2 : 98/167 AV 3 : 541/1107 Many were involved in multiple groups Payment through WebMoney Anonymous and Irreversible transactions Low transaction fee (0.8%) and many places

31 Shell Companies Used for bank accounts and receiving remittances from PP Help in the cashing-out process Minimize the risk of apprehending a ringleader Alternatively money mules are used Accept deposits, withdraw funds, wire the money back

32 The victims Geographic location US 76.9%, UK, Canada and Australia OS and browsers Windows: XP (54.2%), Vista (30.8%), 7 (14,8%) Internet Explorer (65.6%) addresses Yahoo, Gmail, Hotmail, AOL Two fake online systems Problem submission through specific forms Real-time technical support

34 Building a Refund Pattern A simple model of refund requests (as a Poisson random variable) is proposed: Where: rq t = λs t-1 - s denotes the number of sales in a given period. - rq denotes the number of refund requests that result from s (in a period t). - λ captures the expected portion of buyers from period t-1 who will issue a refund request (rq) in period t.

35 Interplay of all the factors Chargebacks are limited due to the interaction with the PP A threshold rf = g(rq, cb) is used If then the credit card network will sever ties with a firm. The firm accepts refund requests to avoid the accumulated cb s reach the threshold

36 The generic pattern of refunds Finally the refunds follow the pattern: Where: rf t = the total refunds given α rq t = a standard number of accepted refund requests (α is a constant) β rq t = a varied number of accepted requests (β is a constant again) if {A}>0 returns 0 else returns 1

37 Detecting Fraudulent Firms The pattern could be observed by the Payment Processors if they know: The number of chargebacks against the firm at a particular time The faced by the company The number of refunds offered by the firm The PP receives commission but faces the risk of losing business with a credit card company The risk of firm being caught affects the PP The PP may be forced to pay all the chargebacks

39 Ethical Considerations A lot of ethical issues because of the sensitive data. Measures for protecting privacy Data encryption Automated program analysis Adopted methods based on literature for Ethical Behaviour in Computer Security Research Approval from Institutional Review Board (UCSB) Information provided to U.S. law enforcement officials

40 Related Work Researchers from Google analysed techniques for driving traffic to malicious site via landing pages leet10.pdf Cova et.al presented an analysis of the fake AV structure and tried to measure the number of victims and profits Techniques to identify drive-by-download attacks monkey-spider.pdf

41 In conclusion A unique research as it was based on real evidence and data This underground economy is described by an economic model The model outlines how these operations have distinct characteristics We can leverage the model to detect such fraudulent firms in the future