Distinguishing legitimate and fake/crude antivirus software

Masaki Kasuya, Kenji Kono

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution

Abstract

Fake antivirus (AV) software, a kind of malware, pretends to be a legitimate AV product and frightens computer users by showing fake security alerts, as if their computers were infected with malware. In addition, fake AV urges users to purchase a "commercial" version of the fake AV. In this paper, we search for an indicator that captures behavioral differences between legitimate AV and fake AV. The key insight behind our approach is that legitimate AV behaves differently in clean and infected environments, whereas fake AV behaves similarly in both environments, because it does not analyze malware in the infected environments. We have investigated three potential indicators, file access pattern, CPU usage, and memory usage, and found that memory usage is an effective indicator to distinguish legitimate AV from fake AV. In an experiment, this indicator identifies all fake AV samples (39 out of 39) as fake and all legitimate AV products (8 out of 8) as legitimate. It is impractical for fake AV to evade this indicator, because doing so would require it to detect malware infections, just as legitimate AV does.

Original language: English
Title of host publication: SECURWARE 2013 - 7th International Conference on Emerging Security Information, Systems and Technologies
Pages: 109-116
Number of pages: 8
Publication status: Published - 2013
Event: 7th International Conference on Emerging Security Information, Systems and Technologies, SECURWARE 2013 - Barcelona, Spain
Duration: 2013 Aug 25 to 2013 Aug 31

Other

Other: 7th International Conference on Emerging Security Information, Systems and Technologies, SECURWARE 2013
Country: Spain
City: Barcelona
Period: 13/8/25 to 13/8/31

Fingerprint

  • Data storage equipment
  • Program processors
  • Malware
  • Experiments

Keywords

  • Antivirus software
  • Behavior analysis
  • Fake antivirus software
  • Malware

ASJC Scopus subject areas

  • Information Systems

Cite this

Kasuya, M., & Kono, K. (2013). Distinguishing legitimate and fake/crude antivirus software. In SECURWARE 2013 - 7th International Conference on Emerging Security Information, Systems and Technologies (pp. 109-116).

@inproceedings{8f4c80c8683d4d179acbcfa3120d467f,
title = "Distinguishing legitimate and fake/crude antivirus software",
abstract = "Fake antivirus (AV) software, a kind of malware, pretends to be a legitimate AV product and frightens computer users by showing fake security alerts, as if their computers were infected with malware. In addition, fake AV urges users to purchase a {"}commercial{"} version of the fake AV. In this paper, we search for an indicator that captures behavioral differences in legitimate AV and fake AV. The key insight behind our approach is that legitimate AV behaves differently in clean and infected environments, whereas fake AV behaves similarly in both environments, because it does not analyze malware in the infected environments. We have investigated three potential indicators, file access pattern, CPU usage, and memory usage, and found that memory usage is an effective indicator to distinguish legitimate AV from fake AV. In an experiment, this indicator identifies all fake AV samples (39 out of 39) as fake and all legitimate AV products (8 out of 8) as legitimate. It is impractical for fake AV to evade this indicator because to do so it would require it to detect malware infections, just as legitimate AV does.",
keywords = "Antivirus software, Behavior analysis, Fake antivirus software, Malware",
author = "Masaki Kasuya and Kenji Kono",
year = "2013",
language = "English",
isbn = "9781612082981",
pages = "109--116",
booktitle = "SECURWARE 2013 - 7th International Conference on Emerging Security Information, Systems and Technologies",
}

TY - GEN

T1 - Distinguishing legitimate and fake/crude antivirus software

AU - Kasuya, Masaki

AU - Kono, Kenji

PY - 2013

Y1 - 2013

KW - Antivirus software

KW - Behavior analysis

KW - Fake antivirus software

KW - Malware

UR - http://www.scopus.com/inward/record.url?scp=84894217869&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84894217869&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:84894217869

SN - 9781612082981

SP - 109

EP - 116

BT - SECURWARE 2013 - 7th International Conference on Emerging Security Information, Systems and Technologies

ER -