The Nocebo Effect on the Web: An Analysis of Fake Anti-Virus Distribution
Venue
Large-Scale Exploits and Emergent Threats, USENIX (2010)
Publication Year
2010
Authors
Moheeb Abu Rajab, Lucas Ballard, Panayiotis Mavrommatis, Niels Provos, Xin Zhao
Abstract
We present a study of Fake Anti-Virus attacks on the web. Fake AV software
masquerades as a legitimate security product with the goal of deceiving victims
into paying registration fees to seemingly remove malware from their computers. Our
analysis of 240 million web pages collected by Google's malware detection
infrastructure over a 13-month period discovered over 11,000 domains involved in
Fake AV distribution. We show that the Fake AV threat is rising in prevalence, both
absolutely, and relative to other forms of web-based malware. Fake AV currently
accounts for 15% of all malware we detect on the web. Our investigation reveals
several characteristics that distinguish Fake AVs from other forms of web-based
malware and shows how these characteristics have changed over time. For instance,
Fake AV attacks occur frequently via web sites likely to reach more users, including
spam web sites and on-line Ads. These attacks account for 60% of the malware
discovered on domains that include trending keywords. As of this writing, Fake AV
is responsible for 50% of all malware delivered via Ads, which represents a
five-fold increase from just a year ago.
