TY - GEN
T1 - Distinguishing legitimate and fake/crude antivirus software
AU - Kasuya, Masaki
AU - Kono, Kenji
PY - 2013/12/1
Y1 - 2013/12/1
N2 - Fake antivirus (AV) software, a kind of malware, pretends to be a legitimate AV product and frightens computer users by showing fake security alerts, as if their computers were infected with malware. In addition, fake AV urges users to purchase a "commercial" version of the fake AV. In this paper, we search for an indicator that captures behavioral differences between legitimate AV and fake AV. The key insight behind our approach is that legitimate AV behaves differently in clean and infected environments, whereas fake AV behaves similarly in both environments, because it does not analyze malware in the infected environment. We have investigated three potential indicators, file access pattern, CPU usage, and memory usage, and found that memory usage is an effective indicator for distinguishing legitimate AV from fake AV. In an experiment, this indicator identifies all fake AV samples (39 out of 39) as fake and all legitimate AV products (8 out of 8) as legitimate. It is impractical for fake AV to evade this indicator, because doing so would require it to actually detect malware infections, just as legitimate AV does.
KW - Antivirus software
KW - Behavior analysis
KW - Fake antivirus software
KW - Malware
UR - http://www.scopus.com/inward/record.url?scp=84894217869&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84894217869&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:84894217869
SN - 9781612082981
T3 - SECURWARE 2013 - 7th International Conference on Emerging Security Information, Systems and Technologies
SP - 109
EP - 116
BT - SECURWARE 2013 - 7th International Conference on Emerging Security Information, Systems and Technologies
T2 - 7th International Conference on Emerging Security Information, Systems and Technologies, SECURWARE 2013
Y2 - 25 August 2013 through 31 August 2013
ER -
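The differential memory-usage indicator described in the abstract, as an added worked example that is not the paper's code or data: two constructed RSS traces per product (clean VM and malware-seeded VM), a divergence statistic over them, and a threshold. The trace values, the choice of statistic (larger of relative peak and relative mean change) and the 0.25 threshold are assumptions made here for illustration; the paper reports only that memory usage separated its 39 fake and 8 legitimate samples, not a specific metric or cutoff.

```python
"""Differential memory-usage indicator for legitimate vs. fake AV.

Illustrates the idea in the Kasuya & Kono abstract: a legitimate scanner
changes its memory footprint when malware is present (it loads engines,
unpacks samples, quarantines files), while fake AV, which never analyses
anything, looks the same in a clean and an infected environment.
All values, the statistic and the threshold are constructed for this
example; none of it is the paper's own code or measured data.
"""
from statistics import mean
from typing import Dict, Sequence

# Constructed traces: resident-set size in MiB, sampled once per second
# while each product runs in a clean VM and in a VM seeded with malware.
TRACES: Dict[str, Dict[str, Sequence[float]]] = {
    # Hypothetical legitimate product: flat when clean, grows while it
    # scans and unpacks the seeded samples.
    "LegitScanner": {
        "clean":    [55, 57, 58, 58, 59, 60, 60, 61, 61, 62],
        "infected": [55, 70, 96, 131, 158, 170, 168, 165, 150, 140],
    },
    # Hypothetical fake product: only shows a scare dialog, so both
    # traces are flat and differ by nothing more than run-to-run jitter.
    "FakeAVPro": {
        "clean":    [22, 23, 23, 24, 24, 24, 25, 25, 25, 25],
        "infected": [22, 23, 24, 24, 24, 25, 25, 25, 26, 26],
    },
}

# Assumed cutoff (not from the paper): a product that reacts to the seeded
# malware should move well beyond the jitter between two otherwise
# identical runs on the same machine.
THRESHOLD = 0.25


def divergence(clean: Sequence[float], infected: Sequence[float]) -> float:
    """Relative change in memory use between the two environments.

    Returns the larger of the relative peak change and the relative mean
    change, so that both a short burst (unpacking one sample) and sustained
    growth (a long scan) register. 0.0 means identical behaviour.
    """
    if not clean or not infected:
        raise ValueError("empty trace")
    peak_delta = abs(max(infected) - max(clean)) / max(clean)
    mean_delta = abs(mean(infected) - mean(clean)) / mean(clean)
    return max(peak_delta, mean_delta)


def classify(clean: Sequence[float], infected: Sequence[float],
             threshold: float = THRESHOLD) -> str:
    """'legitimate' if the product's memory use diverges between
    environments by at least `threshold`, else 'fake'."""
    return "legitimate" if divergence(clean, infected) >= threshold else "fake"


def classify_all(traces: Dict[str, Dict[str, Sequence[float]]] = TRACES,
                 threshold: float = THRESHOLD) -> Dict[str, str]:
    """Apply the indicator to every product in `traces`."""
    return {name: classify(t["clean"], t["infected"], threshold)
            for name, t in traces.items()}


if __name__ == "__main__":
    for name, t in TRACES.items():
        d = divergence(t["clean"], t["infected"])
        print(f"{name:14s} divergence={d:.2f} -> {classify(t['clean'], t['infected'])}")
```

In practice the two traces must come from otherwise identical VMs (same snapshot, same product version, same run length), or host-side noise will dominate the statistic; and the seeded samples must be ones the legitimate products under test actually detect, otherwise a genuine scanner that misses them will look just as flat as the fake.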