Strategies for monitoring fake anti-virus distribution networks

Filed Under: Featured, Malware, SophosLabs

Onur Komili presenting at Virus Bulletin 2011SophosLabs researcher Onur Komili presented "Strategies for monitoring Fake AV distribution networks", the paper he researched along with Kyle Zeeuwen, Matei Ripeanu and Konstantin Beznosov at today's Virus Bulletin conference.

Their paper analyzed the behavior of malware distribution networks that specialize in poisoning search results in order to deliver innocent victims to web pages that install fake anti-virus software.

Onur explained the methodologies used by the criminals behind rogue security software and then explained how they built tools in SophosLabs to look for patterns to identify different distribution networks.

To a degree the bad guys are constantly mutating their files and changing the pages which direct victims to the malware downloads.

The paper shows how to identify different malware distribution networks and determine their particular behaviors.

This allows researchers to optimally monitor these networks to acquire the knowledge necessary to protect their customers.

One of the defensive techniques being used by the malware authors is to blacklist legitimate researchers to prevent them from getting the data necessary to detect the ever changing payload.

Onur showed some of the methods used by the criminals to determine if a connection might be originating from a researcher and proposed several methods for researchers to evade detection.

Onur demonstrated some examples using graphs showing the frequency of change for both the fake security software downloads and the hosts used to serve the files.

Seeing it visually really hit home. By reducing the sea of data to a simple chart it was clear how to identify different approaches the bad guys were using.

Thanks you to Virus Bulletin for permission to share the slides and paper with our readers.

, , , , , ,

You might like

3 Responses to Strategies for monitoring fake anti-virus distribution networks

  1. blog · 1465 days ago

    Better to post the Videos, oh wait? it was probably not recorded.


  2. Eric · 1465 days ago

    Please post that paper soon because I'd really love to see these patterns. What a great idea! ;D

  3. Pete · 1396 days ago

    The crooks are now using new tactics. Here is a phone # form California (private line - 415-CENSORED). A person with heavy Indian accent call me yesterday to provide "important" information about my computer. A-bla-bla. Your computer is infected, please visit this website to download antivirus program to kill the virus.
    Naked Security bulletins are extremely helpful, thank you!
    Pete, Sarasota, Fl

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on as Chester, Chester Wisniewski on Google Plus or send him an email at