Strategies for prioritization of malicious URL re-evaluation

Onur Komili Sophos
Kyle Zeeuwen Sophos/University of British Columbia
Matei Ripeanu University of British Columbia
Konstantin Beznosov University of British Columbia

  download slides (PDF)

We perform a study of Fake AV distribution networks advertised via SEO poisoning that affect our customers. Using a high interaction fetcher we repeatedly evaluate the networks by querying the poisoned SEO pages. We identify means to group Fake AV networks into families using URL pattern matching, and we find that each family exhibits distinct update behaviours and sample characteristics. We identify the payload updating techniques used by each family, and show different degrees of honey client blacklisting countermeasures used by the different families. We propose optimizations to the re-evaluation logic for Fake AV networks based on these characteristics. We evaluate these optimizations and show that they can be used to reduce the required fetch frequency by X%, which in turn reduces the likelihood of being blacklisted.



twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.