a close look at rogue antivirus programs
play

A Close Look at Rogue Antivirus Programs Alain Zidouemba About the - PowerPoint PPT Presentation

Aug 07, 2023 •346 likes •873 views

A Close Look at Rogue Antivirus Programs Alain Zidouemba About the VRT Mission: Provide intelligence and protection to allow our customers to focus on their core business Responsibilities Threat Intelligence and monitoring

  1. A Close Look at Rogue Antivirus Programs Alain Zidouemba

  2. About the VRT ● Mission: Provide intelligence and protection to allow our customers to focus on their core business ● Responsibilities ▸ Threat Intelligence and monitoring ▸ Protection profiles for Sourcefire, Snort, ClamAV, Immunet, Razorback ● Approx. 20 members ▸ Headquarters in Columbia, MD ▸ Seattle, WA, Germany, Italy, Poland 2

  3. Rogue anti-malware 101 ● Software that misleads users into paying for non-existent anti- malware services ● It’s ROGUE not ROUGE! ● Reliance on social engineering to beat OS security ● Usually comes as payload to Trojan ▸ Browser plug-in ▸ Email attachment ▸ Fake codec ● Some exploit vulnerabilities => no or little human interaction needed ▸ drive-by downloads ▸ PDFs ● Heavy on scareware 3

  4. Data for this study ● Data going back to April 2010 ● Virtually all samples were .exe files ● 9,052 URLs mapping to 1996 distinct IP addresses ● Daily (partially) cleaned-up IP, DNS, URL information at http://labs.snort.org/iplists/ 4

  5. Top-level domain for rogue URLs ▸ 60.6% .com ▸ 0.2% .us ▸ 7.8% .cn ▸ 0.09% .uk ▸ 7.0% .net ▸ 0.02% .name ▸ 5.7% .cc ▸ 0.02% .cm ▸ 5.3% .info ▸ 0.00% .fr: 0 ▸ 3.6% .in ▸ 0.00% .gov .edu .mil ▸ 1.9% .org ▸ 1.3 % .tk ▸ 0.6% .ru ▸ 0.5% .pl ▸ 0.4% .biz 5

  6. Domains ▸ 20.1 % scan (and/or scanner) ▸ 3.6% security ▸ 16.4% anti ▸ 3.3% online ▸ 14.4% 2000-2011 ▸ 2.7% free ▸ 14.4% vir (and/or virus/virys) ▸ 2.3% defense (and/or defence/ defender) ▸ 10.1 % pro (and/or protect/protection) ▸ 2.2% best ▸ 6.8% spy ▸ 1.9% web ▸ 5.8% xp ▸ 1.6% system ▸ 5.1% pc ▸ 1.3% remove ▸ 4.8% av ▸ 1.2% malware ▸ 4.3% win (and/or windows) ▸ 0.6% clean ▸ 3.7% soft ▸ 0.6% doctor (and/or docktor) 6

  7. Trusted AV (as opposed to rogue) ● Looked at 62 software solutions from over 50 vendors ● Virtually no occurrence of those words in domains 7

  8. IP addresses used by rogue antimalware ● 9,052 URLs mapping to 1996 distinct IP addresses ● > 4 “antimalware” domain per IP address ● Sites hosted all over the world ● In contrast, Trusted AV typically have a one-to- one mapping between domain and IP 8

  9. Mac OS X no longer not immune ● Rogue anti-malware no longer just a Windows problem ● Rogue AV took Mac community by surprise in May 2011 ▸ First full-blown rogue anti-malware campaign on OS X ● Uses Windows proven techniques ▸ SEO ▸ scareware ▸ social engineering 9

  10. MacProtector installation 10

  11. Scareware tactics 11

  12. Really? 12

  13. Mac Protector phones home 13

  14. Detect MacProtector calling home, UA string ● alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”MacProtector contact to server attempt”; flow:to_server,established; content:”MacProtector”; nocase; http_header; classtype:trojan-activity; sid:1234;) 14

  15. Detect MacProtector calling home, URI ● alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”MacProtector contact to server attempt”; flow:to_server,established; content:”/i|2E|php| 3F|”; nocase; http_uri; pcre:’’/\x2Fi\x2Ephp \x3Fv\x3D\d{4}\x26affid\x3d\d{5}\x26data\x3D/ Ui”; classtype:trojan-activity; sid:4321;) 15

  16. Should I register? 16

  17. Purchase MacProtector: network traffic 17

  18. Detect MacProtector purchase page, URI ● alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”MacProtector contact to server attempt”; flow:to_server,established; content:”/mac|2E| php|3F|”; nocase; http_uri; pcre:’’/\x2Fmac \x2Ephp\x3Fv\x3D\d{4}\x26affid\x3d\d {5}\x26data\x3D/Ui” classtype:trojan-activity; sid:5678;) 18

  19. Purchase MacProtector … or MacDefender? 19

  20. Files created by MacProtector on your computer ● Information stored in these files may be sent out to server ● proc.txt: output of ps –ax with some formatting (list of all processes running) ● dmem.txt: output of df (path to each disk) ● hwuuid.txt: unique ID of your Mac ● Entry in cookies.plist for 91.213.217.30 with string “pf_visit” 20

  21. Entering serial number 21

  22. OK I am registered, now what? 22

  23. Money trail 23

  24. Mac-defence.com registrant details Contact Id 12656237 Name Ivan Ivanov Email Address fc@mail-eye.com Company Name Crusader Inc Address1 Volgogradskaya st.1 Address2 Address3 Tel No. +007.678478912 Fax No. City Volgograd State/Region/Province Volgogradskaya oblast Country Russia Zip 126453 24

  25. Email address related to ChronoPay ● Largest Russian payment processor ● ChronoPay security breach in 2010 lead to leak of documents ● Documents show that ChronoPay owns mail- eye.com ● Documents also show that fc@mail-eye.com belong to ChronoPay’s comptroller ( f inancial c ontroller) 25

  26. ChronoPay, registrant for rogue-related domains 26

  27. A notice related to “MacDefender scam” Sunday, 29 May 2011 ChronoPay completely and totally disavows the most recent blog postings and publications alleging a connection between ChronoPay and MacDefender and assures our customers that our company is not involved with MacDefender in anyway, not are we involved with any virus production as has been alleged. http://www.chronopay.com/en/content/view/249/121/ 27

  28. Options purchased ● ~61%: 1-year license ● ~25%: lifetime license ● ~14%: 2-year license 28

  29. Conversion rate ● Typically around 2% ● Fake AV 1 generated $11,303,494 ▸ 8,403,008 installations in 3 months ▸ 189,342 sales ● Fake AV 2 generated $5,046,508 ▸ 6,624,508 installations over 16 months ▸ 137,219 sales ● Fake AV 3 generated $116,94,854 ▸ 91,305,640 installations for Mar 2008 to Aug 2010 ▸ 1,969,953 sales B. Stone-Gross, R.Abman, R. Kemmerer, C. Kruegel, D. Steigerwald and G. Vigna The Underground Economy of Fake Antivirus Software, WEIS 2011 29

  30. Sale.log from MacProtector C&C server 2011-03-30 07:18:59 Sale debug_id=24845864 oaffid=28604 [phone] => +1-800-417-5679 naffid=28604 notfake=true req Array [serial] => WNDS-6W954-FX65B-41VDF-8G4JI ( [salesite] => www.yoursoftmagazine.com [aff] => 286 [supportsite] => http://systemtoolonline.com [sa] => 4 ) [key] => 147368 [country] => FR salesites=Array [id] => 39139551 ( ) [004559-0001-0001] => www.interactivesoftwareshop.com res=Array [004561-0001-0001] => www.bestsoftsolutions.com ( [004563-0001-0001] => www.yourbestapplications.com [status] => Accept [004572-0001-0001] => www.marketingsoftsolutions.net [name] => berrod alain [004581-0001-0001] => www.saleapps.net [opid] => 353421 [004584-0001-0001] => www.software4sale.net [email] => a.b.repro@free.fr [004588-0001-0001] => www.softwareprotector.net [transId] => 39139551 [004589-0001-0001] => www.interactivesoftwareshop.com [product_id] => 004595-0001-0001 [005769-0001-0001] => www.yourbestapplications.com ) [005772-0001-0001] => www.marketingsoftwaresolutions.net mail=Array [004595-0001-0001] => www.yoursoftmagazine.com ( [004596-0001-0001] => www.bestsoftsolutions.com [NAME] => berrod alain ) [EMAIL] => a.b.repro@free.fr [OPID] => 353421 [TID] => 39139551 30 Source: 94.48.119.211/logs/sale.log

  31. Victims location ● 1,523 entries spanning 2 days in sale.log ▸ 75.6% from US ▸ 8.1% from AU ▸ 4.9 % from UK ▸ 3.8% from CA ▸ 2.0 % from NZ ▸ 1.6% from FR 31

  32. Breakdown by email ● 1,523 entries ▸ 27.0 % registered with @yahoo ▸ 16.6% registered with @hotmail ▸ 10.7% registered with @gmail ▸ 8.4% registered with @aol ▸ 3.1% registered with @comcast ▸ 0.1% registered with @mac ▸ 1.6% registered with .fr ▸ 1.6% registered with .edu ▸ 0.7% registered with @free.fr 32

  33. Your information is worth something, but next to nothing SELL CCV2,tracks+ ATM PIN,FULLZ, BANK LOGIN, BANK TRANSFER..Skimmers , Msr , Blank Plastic Cards, Cvv2/Fullz , … ATM Skimmer Wincor Nixdorf … Chip …… . 1 Visa card ……… .3$ 1 Fresh Fullz ……… .20$ 80K==========80$ ● ● 1 master card ……… .2$ 1 Dead Fullz ……… .15$ 1 BALANCE IN BOA ……… . ● ● ● 75K TO 1 amex card ……… .4$ 1 Eu ……… . 15$ 450K==========300$ ● ● 1 Dicover card ……… .4$ 1 Paypal vefified without 1 BALANCE IN CREDIT ● ● ● balance==30$ UNION ……… .ANY 1 Company card ……… .8$ AMOUNT=========300$ ● 1 Paypal verified with 1000$ ● 1 Uk Card Nornal balance ==50$ 1 BALANCE IN ● ● CC ……… .5$ HALIFAX ……… .ANY 1 BALANCE IN CHASE AMOUNT=========300$ ● 1 Uk Card With DOB ……… .70K TO 155K ● ……… .20$ ========160$ 1 BALANCE IN ● COMPASS ……… .ANY 1 Track 1& 2 CC ……… .30$ 1 BALANCE IN AMOUNT=========300$ ● ● WASHOVIA ……… .24K TO CONTACT ME :: baby_cris47 EMAIL ADDRESS ::baby_cris47@yahoo.com ICQ NUMBER ::610077819 33

  34. MacProtector, MacDefender, MacShield, MacGuard, Winwebsec: one happy family 34

  35. MacProtector, Winwebsec traffic ● Winwebsec ▸ http://a.b.c.d/i.php?affid=foo&data=foo1&v=foo2 ▸ http://a.b.c.d/buy.php?affid=foo&data=foo1&v=foo2 ● MacProtector ▸ http://e.f.g.h/i.php?v=foo3&affid=foo4&data=foo5 ▸ http://e.f.g.h/mac.php?v=foo3&affid=foo4&data=foo5 35

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Bargaining Failure: Aggression by Rogue States Class 7 What is a rogue state? What is a rogue

Bargaining Failure: Aggression by Rogue States Class 7 What is a rogue state? What is a rogue

Bargaining Failure: Aggression by Rogue States Class 7 What is a rogue state? What is a rogue state? State behaving contrary to conventional norms of international community. Typically, small, insulated and not very influential,

413 views • 30 slides
AI in Antivirus What AI do in your antivirus Who I am? Arcangelo Saracino Student of Computer

AI in Antivirus What AI do in your antivirus Who I am? Arcangelo Saracino Student of Computer

AI in Antivirus What AI do in your antivirus Who I am? Arcangelo Saracino Student of Computer Science at Uniba Three years of experience in web development Cybersecurity and Linux appassionate Mail: saracinoarcangelo@gmail.com Outline

363 views • 18 slides
Rogue Waves Thama Duba, Colin Please, Graeme Hocking, Kendall Born, Meghan Kennealy 18 January

Rogue Waves Thama Duba, Colin Please, Graeme Hocking, Kendall Born, Meghan Kennealy 18 January

Rogue Waves Thama Duba, Colin Please, Graeme Hocking, Kendall Born, Meghan Kennealy 18 January 2019 1/25 What is a rogue wave Mechanisms causing rogue waves Where rogue waves have been reported Modelling of oceanic rogue waves

568 views • 25 slides
Why Antivirus Software whoami IT-Security Consultant Doing pentesting since two years

Why Antivirus Software whoami IT-Security Consultant Doing pentesting since two years

Why Antivirus Software whoami IT-Security Consultant Doing pentesting since two years This talk is based on private research Before that experience as windows/linux/network admin, a little as web developer and so on...

1.06k views • 49 slides
1 Northwest SEED is a non-profit that has completed solar and DHP group purchase programs in the

1 Northwest SEED is a non-profit that has completed solar and DHP group purchase programs in the

1 Northwest SEED is a non-profit that has completed solar and DHP group purchase programs in the past. They can provide more information on the program and DHPs. Rogue Climate is the local outreach partner that is organizing volunteers and

1.07k views • 31 slides
Antivirus Engine Giorgos Vasiliadis and Sotiris Ioannidis FORTH-ICS, Greece RAID10, 15

Antivirus Engine Giorgos Vasiliadis and Sotiris Ioannidis FORTH-ICS, Greece RAID10, 15

GrAVity: A Massively Parallel Antivirus Engine Giorgos Vasiliadis and Sotiris Ioannidis FORTH-ICS, Greece RAID10, 15 September 2010 Overview Increase the processing throughput of virus scanning applications, using the Graphics

563 views • 28 slides
Conce Concept of pt of T TAP(T AP(Tar arge geted ted Antivir Antivirus us Pr Prop ophy

Conce Concept of pt of T TAP(T AP(Tar arge geted ted Antivir Antivirus us Pr Prop ophy

Conce Concept of pt of T TAP(T AP(Tar arge geted ted Antivir Antivirus us Pr Prop ophy hylax laxis) is) Drug dis istr tributions an and re remote te con onsulta tation jus just t before th the ou outb tbreak Isao

669 views • 7 slides
Using Mimikatz driver to unhook antivirus on Windows Supervisor: Cedric van Bockhaven Bram

Using Mimikatz driver to unhook antivirus on Windows Supervisor: Cedric van Bockhaven Bram

Using Mimikatz driver to unhook antivirus on Windows Supervisor: Cedric van Bockhaven Bram Blaauwendraad & Thomas Ouddeken Mimikatz Post exploitation tool created by Benjamin Delpy Administrative privileges required Used to extract

355 views • 20 slides
How to do it Wrong: Smartphone Antivirus and Security Applications Under Fire Stephan Huber,

How to do it Wrong: Smartphone Antivirus and Security Applications Under Fire Stephan Huber,

How to do it Wrong: Smartphone Antivirus and Security Applications Under Fire Stephan Huber, Siegfried Rasthofer, Steven Arzt, Michael Trger, Andreas Wittmann, Philipp Roskosch, Daniel Magin 1 Who are we Stephan Siegfried Mobile

751 views • 50 slides
AV-Meter: An Evaluation of Antivirus Scans and Labels Omar Alrawi (Qatar Computing Research

AV-Meter: An Evaluation of Antivirus Scans and Labels Omar Alrawi (Qatar Computing Research

AV-Meter: An Evaluation of Antivirus Scans and Labels Omar Alrawi (Qatar Computing Research Institute) Joint with Aziz Mohaisen (VeriSign Labs) Overview Introduction to problem Evaluation metrics Dataset gathering and use

651 views • 22 slides
The Dwarf Planets Trans Neptunian Objects (TNO) A New 9 th Planet And what about Rogue Planets ?

The Dwarf Planets Trans Neptunian Objects (TNO) A New 9 th Planet And what about Rogue Planets ?

The Dwarf Planets Trans Neptunian Objects (TNO) A New 9 th Planet And what about Rogue Planets ? There may be more than there are stars ! http://solarsystem.nasa.gov/ planets/planetx 3 min. Links to Solar System Videos on the Internet

427 views • 13 slides
Challenges of Solar Cycle Prediction Introduced by Rogue Active Region Emergences and

Challenges of Solar Cycle Prediction Introduced by Rogue Active Region Emergences and

Challenges of Solar Cycle Prediction Introduced by Rogue Active Region Emergences and Meridional Inflow Melinda Nagy 1 au 2 Paul l Char arbonneau rle 3 Alexan andre Lemerle Kristf Petrovay 1 1 1 Etvs Lornd University, Budapest,

829 views • 27 slides
Detection of Rogue APs Using Clock Skews: Does it Really Work? Sergey Bratus Chrisil

Detection of Rogue APs Using Clock Skews: Does it Really Work? Sergey Bratus Chrisil

Detection of Rogue APs Using Clock Skews: Does it Really Work? Sergey Bratus Chrisil Arackaparambil Anna Shubina Dartmouth College This talk in 30 seconds Clock skews are interesting usable for fingerprinting devices (kind of)

953 views • 59 slides
antivirus systems Intruducion Attila Marosi OSCE, OSCP, ECSA, CEH IT security expert at

antivirus systems Intruducion Attila Marosi OSCE, OSCP, ECSA, CEH IT security expert at

Easy ways to bypass antivirus systems Intruducion Attila Marosi OSCE, OSCP, ECSA, CEH IT security expert at GovCERT-Hungary (SSNS) Email: attila.marosi@gmail.com Web: http://marosi.hu Twitter: @0xmaro Why? All of us use

285 views • 16 slides
Rogue Femtocell Owners: How Mallory Can Monitor My Devices David Malone, Darren F. Kavanagh and

Rogue Femtocell Owners: How Mallory Can Monitor My Devices David Malone, Darren F. Kavanagh and

Rogue Femtocell Owners: How Mallory Can Monitor My Devices David Malone, Darren F. Kavanagh and Niall R. Murphy 19 April 2013 Femtocells Small devices acting as cellular base stations. Deployed to extend coverage in homes, offices, . . .

450 views • 20 slides
Distributed Consensus Motiv tivation ation A rogue blockchain Consider Peer B wishing to

Distributed Consensus Motiv tivation ation A rogue blockchain Consider Peer B wishing to

Distributed Consensus Motiv tivation ation A rogue blockchain Consider Peer B wishing to tamper with Block #3 https://anders.com/blockchain/distributed Modifies data, then re-calculates hashes How can you pick between two

1.18k views • 59 slides
MVC and Interface Builder IAP 2010 iphonedev.csail.mit.edu edward benson / eob@csail.mit.edu

MVC and Interface Builder IAP 2010 iphonedev.csail.mit.edu edward benson / eob@csail.mit.edu

MVC and Interface Builder IAP 2010 iphonedev.csail.mit.edu edward benson / eob@csail.mit.edu Tuesday, January 12, 2010 Information-Driven Applications Tuesday, January 12, 2010 Application Flow UIApplication Main NIB Initialized

670 views • 36 slides
Mediensystemen mit iOS SS 2012 Prof. Dr. Michael Rohs michael.rohs@ifi.lmu.de MHCI Lab, LMU

Mediensystemen mit iOS SS 2012 Prof. Dr. Michael Rohs michael.rohs@ifi.lmu.de MHCI Lab, LMU

Praktikum Entwicklung von Mediensystemen mit iOS SS 2012 Prof. Dr. Michael Rohs michael.rohs@ifi.lmu.de MHCI Lab, LMU Mnchen Today Schedule Organization Video watching Introduction to iOS Exercise 1 Michael Rohs, LMU

1.1k views • 81 slides
Programming for the Fun of It OS X, Python, and Kids Dethe Elza (Justsystems)

Programming for the Fun of It OS X, Python, and Kids Dethe Elza (Justsystems)

Programming for the Fun of It OS X, Python, and Kids Dethe Elza (Justsystems) http://livingcode.org/ The company I work for, Justsystems, is in parentheses because Im not representing the company here. The applications and code Im

697 views • 42 slides
Cocoa Demo: GUI-based Stk app. Xcode Interface Builder StkX 5/5/06, Music 3SI,

Cocoa Demo: GUI-based Stk app. Xcode Interface Builder StkX 5/5/06, Music 3SI,

Last Week... Music 3SI: Introduction to IDE (briefly) Audio/Multimedia App. VST Plug-in Programming Assignment 1 hints Week #5 - 5/5/2006 CCRMA, Department of Music Stanford University 5/5/06, Music 3SI, CCRMA, Stanford 1 2

537 views • 7 slides
Debunking the Myths: Creating a Shared Understanding of Emergent Curriculum WEBINAR BY SUSAN

Debunking the Myths: Creating a Shared Understanding of Emergent Curriculum WEBINAR BY SUSAN

Debunking the Myths: Creating a Shared Understanding of Emergent Curriculum WEBINAR BY SUSAN STACEY, M.A. Context: A little about myself and my connection to Emergent Curriculum A British education hands- on experiences as a learner,

727 views • 44 slides
Encapsulation Considerations OAM update for NVO3 Design team report draft-rtg-dt-encap-02.txt

Encapsulation Considerations OAM update for NVO3 Design team report draft-rtg-dt-encap-02.txt

Encapsulation Considerations OAM update for NVO3 Design team report draft-rtg-dt-encap-02.txt Packet size and fragmentation Deployed overlays assume underlay MTU Reasonable for controlled deployments in datacenter or SP networks

56 views • 5 slides
Economics 2 Professor Christina Romer Spring 2020 Professor David Romer LECTURE 2 COMPARATIVE

Economics 2 Professor Christina Romer Spring 2020 Professor David Romer LECTURE 2 COMPARATIVE

Economics 2 Professor Christina Romer Spring 2020 Professor David Romer LECTURE 2 COMPARATIVE ADVANTAGE AND THE GAINS FROM SPECIALIZATION January 23, 2020 I. O VERVIEW II. T HE K EY R OLE OF D IFFERENCES IN R ELATIVE A BILITY A. Intuition B.

479 views • 33 slides
Economics 2 Professor Christina Romer Spring 2018 Professor David Romer LECTURE 2 COMPARATIVE

Economics 2 Professor Christina Romer Spring 2018 Professor David Romer LECTURE 2 COMPARATIVE

Economics 2 Professor Christina Romer Spring 2018 Professor David Romer LECTURE 2 COMPARATIVE ADVANTAGE AND THE GAINS FROM SPECIALIZATION January 18, 2018 I. O VERVIEW II. T HE K EY R OLE OF D IFFERENCES IN R ELATIVE A BILITY A. Intuition B.

487 views • 31 slides

More recommend