Proposal / Submission Type

Peer Reviewed Paper

Location

Richmond, Virginia

Start Date

29-5-2014 2:40 PM

Abstract

Fake AntiVirus (FakeAV) malware experienced a resurgence in the fall of 2013 after falling out of favor following several high profile arrests. FakeAV presents two unique challenges to investigators. First, because each criminal organization running a FakeAV affiliate system regularly alters the appearance of their system, it is sometimes difficult to know whether an incoming criminal complaint or malware sample is related to one ring or another. Secondly, because FakeAV is delivered in a “Pay Per Install” affiliate model, in addition to the ring-leaders of each major ring, there are many high-volume malware infection rings that are all using the same malware. Indeed, a single criminal could participate in multiple affiliate programs using the same spreading and distribution system. Because of this, traditional malware clustering may identify common code, but fail to achieve distinction or attribution of the individual affiliate actors profiting from the scam. By combining n-way vendor agreement and live network capture, malware samples can quickly be associated with particular affiliate infrastructure and/or managing affiliate programs, while identifying and helping to prioritize investigations.

Title

Investigative Techniques of N-Way Vendor Agreement and Network Analysis Demonstrated with Fake Antivirus
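The abstract describes two signals used together: n-way vendor agreement to decide which affiliate program (malware family) a sample belongs to, and hosts observed in live network capture to tie samples to one affiliate's distribution infrastructure, including an affiliate spreading for more than one program. The following is an added illustration of that combination in Python; it is not the paper's own code, and every sample id, vendor name, detection label, hostname and the alias table are constructed.

```python
"""Associate malware samples with affiliate infrastructure by combining
n-way vendor agreement with hosts observed in live network capture.

Added illustration for the abstract above; it is not the paper's own code.
Every sample id, vendor name, detection label and hostname is constructed.
"""
from collections import defaultdict

# Constructed alias table: vendor-specific names -> canonical family (program).
# Generic names map to None so they never count toward agreement.
FAMILY_ALIASES = {
    "fakeav-b": "FakeAV-B",
    "rogueb": "FakeAV-B",
    "fakeav": "FakeAV-A",
    "fakealert": "FakeAV-A",
    "rogue.a": "FakeAV-A",
    "trojan.generic": None,
}
# Constructed: hosts most samples touch regardless of affiliate (capture noise).
NOISE_HOSTS = {"ocsp.benign-noise.invalid"}


def canonical_family(label):
    """Map one vendor label to a canonical family; None if generic/unknown."""
    key = label.lower()
    # Longest alias first so "fakeav-b" wins over the shorter "fakeav".
    for alias in sorted(FAMILY_ALIASES, key=len, reverse=True):
        if alias in key:
            return FAMILY_ALIASES[alias]
    return None


def vendor_agreement(detections, n):
    """Return ({sample: family}, [unassigned]) using n-way vendor agreement."""
    assigned, unassigned = {}, []
    for sample, labels in detections.items():
        votes = defaultdict(int)
        for label in labels.values():
            family = canonical_family(label)
            if family:
                votes[family] += 1
        best = max(votes.items(), key=lambda kv: kv[1], default=(None, 0))
        if best[1] >= n:
            assigned[sample] = best[0]
        else:
            unassigned.append(sample)      # needs analyst review
    return assigned, sorted(unassigned)


def cluster_affiliates(assigned, captures):
    """Union samples that contacted a common non-noise host during capture.

    A cluster approximates one affiliate's distribution infrastructure; the
    families inside it show which programs that affiliate spreads for.
    """
    parent = {s: s for s in assigned}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    by_host = defaultdict(list)
    for sample in assigned:
        for host in captures.get(sample, set()) - NOISE_HOSTS:
            by_host[host].append(sample)
    for members in by_host.values():
        for other in members[1:]:
            parent[find(other)] = find(members[0])

    groups = defaultdict(lambda: {"samples": set(), "hosts": set(), "families": set()})
    for sample, family in assigned.items():
        g = groups[find(sample)]
        g["samples"].add(sample)
        g["hosts"].update(captures.get(sample, set()) - NOISE_HOSTS)
        g["families"].add(family)
    return [{k: sorted(v) for k, v in g.items()} for g in groups.values()]


def prioritize(clusters):
    """Highest infection volume first, then affiliates active in most programs."""
    return sorted(clusters,
                  key=lambda c: (len(c["samples"]), len(c["families"])),
                  reverse=True)


# Constructed inputs: three vendors' labels per sample, hosts seen in capture.
DETECTIONS = {
    "s1": {"VendorA": "Rogue:Win32/FakeAV-A", "VendorB": "FakeAlert.Gen", "VendorC": "Trojan.Generic"},
    "s2": {"VendorA": "Rogue:Win32/FakeAV-A", "VendorB": "FakeAlert.Gen", "VendorC": "Rogue.A"},
    "s3": {"VendorA": "Win32.RogueB", "VendorB": "FakeAV-B.Installer", "VendorC": "Trojan.Generic"},
    "s4": {"VendorA": "Trojan.Generic", "VendorB": "Unknown", "VendorC": "Heuristic"},
    "s5": {"VendorA": "Rogue:Win32/FakeAV-A", "VendorB": "FakeAlert.Gen", "VendorC": "Rogue.A"},
}
CAPTURES = {
    "s1": {"pay.affiliate-one.invalid", "ocsp.benign-noise.invalid"},
    "s2": {"pay.affiliate-one.invalid", "dl.affiliate-one.invalid"},
    "s3": {"dl.affiliate-one.invalid"},          # FakeAV-B via the same distributor
    "s4": {"pay.affiliate-two.invalid"},         # no vendor agreement: not clustered
    "s5": {"update.affiliate-two.invalid", "ocsp.benign-noise.invalid"},
}


def analyse(detections=DETECTIONS, captures=CAPTURES, n=2):
    """Full pipeline: agreement -> infrastructure clusters -> ranked queue."""
    assigned, unassigned = vendor_agreement(detections, n)
    return prioritize(cluster_affiliates(assigned, captures)), unassigned


if __name__ == "__main__":
    ranked, review = analyse()
    for cluster in ranked:
        print(cluster)
    print("needs manual review:", review)
```

With the constructed data, samples s1, s2 and s3 land in one cluster because they share affiliate-one hosts even though vendors place s3 in a different family, which is the multi-program affiliate the abstract describes; s4 is held back for analyst review because fewer than two vendors agree on a family, so its network indicators are not used to merge clusters. The noise host set is the caveat a practitioner must tune: a widely contacted benign host would otherwise collapse every affiliate into one cluster.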