Strategies for prioritization of malicious URL re-evaluation

Onur Komili, Sophos
Kyle Zeeuwen, Sophos / University of British Columbia
Matei Ripeanu, University of British Columbia
Konstantin Beznosov, University of British Columbia

We perform a study of the Fake AV distribution networks, advertised via SEO poisoning, that affect our customers. Using a high-interaction fetcher we repeatedly evaluate these networks by querying the poisoned SEO pages. We identify a means of grouping Fake AV networks into families using URL pattern matching, and we find that each family exhibits distinct update behaviours and sample characteristics. We identify the payload-updating techniques used by each family, and show the differing degrees of honeyclient blacklisting countermeasures employed by the families. Based on these characteristics we propose optimizations to the re-evaluation logic for Fake AV networks. We evaluate these optimizations and show that they can reduce the required fetch frequency by X%, which in turn reduces the likelihood of the fetcher being blacklisted.
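The abstract describes two mechanisms, grouping observed URLs into families by pattern matching and tuning each family's re-fetch frequency to its observed update behaviour, without giving the patterns or the scheduling rule. The following is an added illustration of that idea, not code or data from the paper: the two regular expressions, the hostnames, the payload hashes and the interval formula are all constructed assumptions. The scheduler polls a family whose payload changes on every fetch at a base interval and backs off, up to a ceiling, as the observed change rate falls, which is the lever that lowers total fetch volume and with it exposure to honeyclient blacklisting.

```python
import re
from collections import defaultdict

# Hypothetical per-family URL patterns standing in for the ones a study would derive.
# Constructed for this example; they are not the paper's patterns.
FAMILY_PATTERNS = {
    "family_php_hex": re.compile(r"^https?://[^/]+/[a-z]{2,8}\.php\?[a-z]{1,4}=[0-9a-f]{8,16}$"),
    "family_scan_dir": re.compile(r"^https?://[^/]+/scan\d*/index\.html?$"),
}


def classify(url):
    """Return the family whose pattern matches the URL, or 'unknown' if none does."""
    for family, pattern in FAMILY_PATTERNS.items():
        if pattern.match(url):
            return family
    return "unknown"


def change_rate(hashes):
    """Fraction of consecutive fetches whose payload hash differed.

    With fewer than two fetches there is no evidence yet, so assume the payload
    changes every time (the conservative choice: keep polling at the base rate)."""
    if len(hashes) < 2:
        return 1.0
    changes = sum(1 for prev, cur in zip(hashes, hashes[1:]) if prev != cur)
    return changes / (len(hashes) - 1)


def next_interval(rate, base=3600, floor=600, ceiling=86400):
    """Seconds to wait before re-fetching a family (assumed scheduling rule).

    rate 1.0 -> base; rate 0.5 -> 2*base; rate 0 -> ceiling. Clamped to [floor, ceiling]."""
    if rate <= 0:
        return ceiling
    return int(min(ceiling, max(floor, base / rate)))


def plan_refetch(observations):
    """observations: list of (url, payload_hash) in fetch order.

    Groups fetches by family and returns {family: seconds_until_next_fetch}."""
    per_family = defaultdict(list)
    for url, digest in observations:
        per_family[classify(url)].append(digest)
    return {family: next_interval(change_rate(hashes)) for family, hashes in per_family.items()}


# Constructed fetch log with fake hostnames and placeholder hashes, not real telemetry.
SAMPLE_OBSERVATIONS = [
    ("http://landing.example/go.php?id=0a1b2c3d4e5f6a7b", "h1"),
    ("http://landing.example/go.php?id=0a1b2c3d4e5f6a7b", "h2"),
    ("http://landing.example/go.php?id=0a1b2c3d4e5f6a7b", "h3"),
    ("http://landing.example/go.php?id=0a1b2c3d4e5f6a7b", "h4"),
    ("http://scanner.example/scan7/index.html", "s1"),
    ("http://scanner.example/scan7/index.html", "s1"),
    ("http://scanner.example/scan7/index.html", "s1"),
    ("http://scanner.example/scan7/index.html", "s2"),
]

if __name__ == "__main__":
    for family, seconds in plan_refetch(SAMPLE_OBSERVATIONS).items():
        print(f"{family}: re-fetch in {seconds} s")
```

In the constructed log the first family rotated its payload on every fetch and stays at the hourly base interval, while the second changed once in three transitions and is backed off to three hours. A real deployment would also need to treat a fetch that returns nothing, or a benign decoy, as a possible blacklisting signal rather than as "no change", since a family that has blacklisted the fetcher looks identical to a family that has stopped updating.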
