SophosLabs researcher Onur Komili presented “Strategies for monitoring Fake AV distribution networks”, a paper he researched along with Kyle Zeeuwen, Matei Ripeanu and Konstantin Beznosov, at today’s Virus Bulletin conference.
Their paper analyzed the behavior of malware distribution networks that specialize in poisoning search results in order to deliver innocent victims to web pages that install fake anti-virus software.
Onur explained the methodologies used by the criminals behind rogue security software and then described how the researchers built tools in SophosLabs to look for patterns that identify different distribution networks.
To a degree, the bad guys are constantly mutating their files and changing the pages that direct victims to the malware downloads.
The paper shows how to identify different malware distribution networks and determine their particular behaviors.
This allows researchers to optimally monitor these networks to acquire the knowledge necessary to protect their customers.
One of the defensive techniques being used by the malware authors is to blacklist legitimate researchers to prevent them from getting the data necessary to detect the ever-changing payload.
Onur showed some of the methods used by the criminals to determine if a connection might be originating from a researcher and proposed several methods for researchers to evade detection.
Onur demonstrated some examples using graphs showing the frequency of change for both the fake security software downloads and the hosts used to serve the files.
Seeing it visually really hit home. Reducing the sea of data to a simple chart made it clear how to identify the different approaches the bad guys were using.