DOI: 10.1145/2480362.2480697
Research article

Exploiting visual appearance to cluster and detect rogue software

Published: 18 March 2013

Abstract

Rogue software, such as fake anti-virus (Fake A/V) and ransomware, tricks users into paying for something they never receive. We show that, using a perceptual hash function and hierarchical clustering, more than 213,671 screenshots of executed malware samples can be grouped into subsets of structurally similar images, each reflecting one malware family or campaign. Based on the clustering results, we show that ransomware campaigns favor prepaid payment methods such as Ukash, Paysafecard and MoneyPak, while Fake A/V campaigns take payment by credit card. Furthermore, given the low A/V detection rates for current rogue software, sometimes as low as 11%, our screenshot analysis approach could serve as a complementary last line of defense.
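The pipeline the abstract describes, written out as an added example that is not the paper's code: the abstract names neither the perceptual hash nor the clustering linkage, so this assumes a 64-bit difference hash (dHash) and single-linkage agglomerative clustering cut at a Hamming-distance threshold. The "screenshots" are constructed grayscale grids standing in for sandbox captures, and the family names, image size and the cutoff of 6 bits are illustrative choices, not values from the paper.

```python
"""Perceptual-hash clustering of screenshots (added example, not the paper's code).

Assumed: dHash as the perceptual hash, single-linkage clustering cut at a
Hamming threshold. Screenshots are constructed grids, not real captures.
"""
import random
from typing import Dict, List, Tuple

Image = List[List[int]]      # rows of 0..255 grayscale values
WIDTH, HEIGHT = 64, 48       # size of the constructed screenshots
HASH_W, HASH_H = 9, 8        # dHash: 9 columns compared pairwise -> 8x8 = 64 bits


def downscale(img: Image, w: int, h: int) -> Image:
    """Box-average an image to w x h with integer means (no image library needed)."""
    src_h, src_w = len(img), len(img[0])
    out: Image = []
    for y in range(h):
        y0, y1 = y * src_h // h, max((y + 1) * src_h // h, y * src_h // h + 1)
        row = []
        for x in range(w):
            x0, x1 = x * src_w // w, max((x + 1) * src_w // w, x * src_w // w + 1)
            block = [img[yy][xx] for yy in range(y0, y1) for xx in range(x0, x1)]
            row.append(sum(block) // len(block))
        out.append(row)
    return out


def dhash(img: Image) -> int:
    """64-bit difference hash: bit is 1 where a block is brighter than its right
    neighbour. Changed text moves a few bits; a different window layout moves many."""
    small = downscale(img, HASH_W, HASH_H)
    bits = 0
    for y in range(HASH_H):
        for x in range(HASH_W - 1):
            bits = (bits << 1) | (1 if small[y][x] > small[y][x + 1] else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def single_linkage_clusters(hashes: Dict[str, int], max_dist: int) -> List[List[str]]:
    """Single-linkage agglomerative clustering cut at Hamming distance max_dist:
    merging pairs by increasing distance with a union-find equals cutting the
    single-linkage dendrogram at that height."""
    names = sorted(hashes)
    parent = {n: n for n in names}

    def find(n: str) -> str:
        while parent[n] != n:
            parent[n] = parent[parent[n]]
            n = parent[n]
        return n

    pairs = sorted((hamming(hashes[a], hashes[b]), a, b)
                   for i, a in enumerate(names) for b in names[i + 1:])
    for d, a, b in pairs:
        if d > max_dist:
            break
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb
    groups: Dict[str, List[str]] = {}
    for n in names:
        groups.setdefault(find(n), []).append(n)
    return sorted(groups.values())


def make_screenshot(layout: str, rng: random.Random) -> Image:
    """Constructed screenshot: desktop gradient + family-specific window + two
    'text' boxes with per-sample random brightness (victim ID, wording), so
    members of a family are similar but not identical."""
    img = [[20 + x for x in range(WIDTH)] for _ in range(HEIGHT)]
    if layout == "fakeav":        # bright "scan result" dialog in the upper left
        for y in range(4, 30):
            for x in range(4, 41):
                img[y][x] = 230
    elif layout == "locker":      # full-width lock banner fading to the right
        for y in range(12, 30):
            for x in range(WIDTH):
                img[y][x] = 230 - 2 * x
    # "desktop": no rogue window at all, the uninfected baseline
    t, u = rng.randint(0, 255), rng.randint(0, 255)
    for y in range(31, 34):
        for x in range(7, 14):
            img[y][x] = t
    for y in range(37, 40):
        for x in range(21, 28):
            img[y][x] = u
    return img


def build_corpus(seed: int = 7, per_family: int = 3) -> Dict[str, int]:
    """Hash a constructed corpus; keys are '<family>-<n>' (family = ground truth)."""
    rng = random.Random(seed)
    return {f"{fam}-{i}": dhash(make_screenshot(fam, rng))
            for fam in ("desktop", "fakeav", "locker") for i in range(per_family)}


def distance_summary(hashes: Dict[str, int]) -> Tuple[int, int]:
    """(largest within-family distance, smallest cross-family distance)."""
    within, across = 0, 64
    names = sorted(hashes)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            d = hamming(hashes[a], hashes[b])
            if a.split("-")[0] == b.split("-")[0]:
                within = max(within, d)
            else:
                across = min(across, d)
    return within, across


if __name__ == "__main__":
    print("max within / min across family:", distance_summary(build_corpus()))
    for cluster in single_linkage_clusters(build_corpus(), max_dist=6):
        print(cluster)
```

Within a family only the bits covering the randomised text boxes can differ (at most 4 of 64 here), while the window layout moves 10 or more bits, so a cutoff of 6 recovers the three families exactly. Two caveats carry over to real screenshots: the cutoff has to be chosen against labelled samples rather than fixed up front, and dHash bits over flat, uniform regions are unstable because two equal blocks compare arbitrarily, which is why the constructed desktop is a gradient rather than a solid fill.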




Published In

SAC '13: Proceedings of the 28th Annual ACM Symposium on Applied Computing
March 2013
2124 pages
ISBN:9781450316569
DOI:10.1145/2480362
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Conference

SAC '13
March 18 - 22, 2013
Coimbra, Portugal

Acceptance Rates

SAC '13 paper acceptance rate: 255 of 1,063 submissions (24%).
Overall acceptance rate: 1,650 of 6,669 submissions (25%).


Cited By

  • (2021) To Get Lost is to Learn the Way: An Analysis of Multi-Step Social Engineering Attacks on the Web. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, E104.A(1):162-181. doi:10.1587/transfun.2020CIP0005. Published 1 Jan 2021.
  • (2020) To Get Lost is to Learn the Way: Automatically Collecting Multi-step Social Engineering Attacks on the Web. Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, pp. 394-408. doi:10.1145/3320269.3384714. Published 5 Oct 2020.
  • (2017) Interactive Visual Analytics of Big Data. In Ontologies and Big Data Considerations for Effective Intelligence, pp. 1-26. doi:10.4018/978-1-5225-2058-0.ch001.
  • (2016) CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data. 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS), pp. 303-312. doi:10.1109/ICDCS.2016.46. Published Jun 2016.
  • (2015) Detecting fake anti-virus software distribution webpages. Computers and Security, 49(C):95-106. doi:10.1016/j.cose.2014.11.008. Published 1 Mar 2015.
  • (2013) Interactive Visual Analytics of Databases and Frequent Sets. International Journal of Information Retrieval Research, 3(4):120-140. doi:10.4018/ijirr.2013100107. Published 1 Oct 2013.
