An Analysis of Fake Antivirus Behaviors
Abstract
Fake antivirus (AV) software aims to scam web users by scaring them with fake alerts, as if their computers were infected by malware, and urging them to purchase commercial versions of the antivirus. Deceived users disclose credit card numbers and other sensitive information. To defend against fake AV, security vendors and researchers provide or develop countermeasures based on signatures and blacklists of the URLs distributing fake AV. However, these traditional solutions do not fit the current situation: fake AV is rapidly increasing in number, and the domain names used for fake AV distribution change frequently. In this paper, we investigate the scanning behaviors of fake AV and search for an indicator that distinguishes fake AV from genuine AV. Using this indicator, fake AV is expected to be detected without signatures or blacklists. To this end, we collected 38 fake AV samples and 8 genuine AV products and gathered data on file access tendency, CPU usage, and memory usage. As a result, we found that memory usage indicates the difference between fake AV and genuine AV.
- 2012-02-21
Authors
- Kenji Kono, Department of Information and Computer Science, Keio University
- Kenji Kono, Department of Information and Computer Science, Keio University | CREST, Japan Science and Technology Ag
- Masaki Kasuya, Department of Information and Computer Science, Keio University
Related papers
- A Strategy for Efficient Update Propagation on Peer-to-Peer Based Content Distribution Networks
- Using a Virtual Machine Monitor to Slow Down CPU Speed for Embedded Time-Sensitive Software Testing
- VMM-based Detection of Rootkits that Modify File Metadata
- Strategy for Selecting Replica Server Spots on the Basis of Demand Fluctuations
- Introducing New Resource Management Policies Using a Virtual Machine Monitor
- An Analysis of Fake Antivirus Behaviors
- Screening Legitimate and Fake/Crude Antivirus Software