david walkiewicz / maik morgenstern caro workshop 2016 · david walkiewicz / maik morgenstern caro...

2016-05-19 PUA: Distribution and Detection 1

PUA

DISTRIBUTION AND DETECTION

DAVID WALKIEWICZ / MAIK MORGENSTERN

CARO Workshop 2016

The AV-TEST Institute in Magdeburg

PUA: Distribution and Detection 22016-05-19

ABOUT AV-TEST

SOME STATISTICS FIRST

New scary numbers

every year!

More Malware than

ever before!

Just Malware?


0

100.000.000

200.000.000

300.000.000

400.000.000

500.000.000

600.000.000

2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016*

Total number of unique samples included inAV-TEST's malware repository (2005-2016)


Development of

Malware and PUA for

Windows from 2010

to now

266 Million files

received with at least

5 detections


0

2.000.000

4.000.000

6.000.000

8.000.000

10.000.000

20

10

-01

20

10

-05

20

10

-09

20

11

-01

20

11

-05

20

11

-09

20

12

-01

20

12

-05

20

12

-09

20

13

-01

20

13

-05

20

13

-09

20

14

-01

20

14

-05

20

14

-09

20

15

-01

20

15

-05

20

15

-09

20

16

-01

Malware PUA


Development of

Malware and PUA for

Windows from 2010

to now

57.77% classified as

Malware

41.53% classified as

PUA


0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

20

10

-01

20

10

-05

20

10

-09

20

11

-01

20

11

-05

20

11

-09

20

12

-01

20

12

-05

20

12

-09

20

13

-01

20

13

-05

20

13

-09

20

14

-01

20

14

-05

20

14

-09

20

15

-01

20

15

-05

20

15

-09

20

16

-01

Malware PUA


Distribution of

Malware and PUA

PUA by far the

largest group with

110 Million files

Second biggest

group is Trojans with

with 66 Million files


0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

20

10

-01

20

10

-05

20

10

-09

20

11

-01

20

11

-05

20

11

-09

20

12

-01

20

12

-05

20

12

-09

20

13

-01

20

13

-05

20

13

-09

20

14

-01

20

14

-05

20

14

-09

20

15

-01

20

15

-05

20

15

-09

20

16

-01

Rogue Backdoor BotTroj_Down Troj_Dropper Troj_GenericTroj_PWS Virus WormPUA


Prevalent PUA

Families per year

Families have

their ups and

downs

Number of

prevalent families

increased


0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

2010 2011 2012 2013 2014 2015 2016

browsefox domaiq gamevance hotbar ibryte installcore installerex

installrex loadmoney multiplug outbrowse softpulse solimba toggle


Prevalence and

Distribution

changed a lot

during the years


0

50.000

100.000

150.000

200.000

250.000

20

10

-01

20

10

-04

20

10

-07

20

10

-10

20

11

-01

20

11

-04

20

11

-07

20

11

-10

20

12

-01

20

12

-04

20

12

-07

20

12

-10

20

13

-01

20

13

-04

20

13

-07

20

13

-10

20

14

-01

20

14

-04

20

14

-07

20

14

-10

20

15

-01

20

15

-04

20

15

-07

20

15

-10

20

16

-01

20

16

-04

gamevance hotbar installcore


Prevalence and

Distribution

changed a lot

during the years


0

200.000

400.000

600.000

800.000

1.000.000

1.200.000

1.400.000

20

10

-01

20

10

-04

20

10

-07

20

10

-10

20

11

-01

20

11

-04

20

11

-07

20

11

-10

20

12

-01

20

12

-04

20

12

-07

20

12

-10

20

13

-01

20

13

-04

20

13

-07

20

13

-10

20

14

-01

20

14

-04

20

14

-07

20

14

-10

20

15

-01

20

15

-04

20

15

-07

20

15

-10

20

16

-01

20

16

-04

gamevance hotbar installcore loadmoney


Prevalence and

Distribution

changed a lot

during the years


0

500.000

1.000.000

1.500.000

2.000.000

2.500.000

3.000.000

3.500.000

20

10

-01

20

10

-04

20

10

-07

20

10

-10

20

11

-01

20

11

-04

20

11

-07

20

11

-10

20

12

-01

20

12

-04

20

12

-07

20

12

-10

20

13

-01

20

13

-04

20

13

-07

20

13

-10

20

14

-01

20

14

-04

20

14

-07

20

14

-10

20

15

-01

20

15

-04

20

15

-07

20

15

-10

20

16

-01

20

16

-04

gamevance hotbar installcore loadmoney softpulse


Prevalence and

Distribution

changed a lot

during the years


0

200.000

400.000

600.000

800.000

1.000.000

1.200.000

1.400.000

20

10

-01

20

10

-04

20

10

-07

20

10

-10

20

11

-01

20

11

-04

20

11

-07

20

11

-10

20

12

-01

20

12

-04

20

12

-07

20

12

-10

20

13

-01

20

13

-04

20

13

-07

20

13

-10

20

14

-01

20

14

-04

20

14

-07

20

14

-10

20

15

-01

20

15

-04

20

15

-07

20

15

-10

20

16

-01

20

16

-04

gamevance hotbar installcore loadmoney

softpulse multiplug browsefox

PUA/PUP/GREYWARE/NOT-A-VIRUS

PUA, what is it ? Wikipedia

“Unwanted software bundling is bundled software which computer

users are fooled into installing along with a wanted program.”

• displays intrusive advertising

• tracks the user's Internet usage to sell information to advertisers

• injects its own advertising into web pages

• uses premium SMS services

• etc...

“The practice is widely considered unethical because it violates the

security interests of users without their informed consent.”


SECURITY ISSUES ARISING

PUA and Security Wikipedia …

Security

• Install root certificate

• Provide an entry door for malware (through exploits)

• Causing issues on the system – leading the user to remove

/change the AV Software

• Keylogger/KeyGenerator/PasswordReader etc…

• ….

Basically is a potentially dangerous nuisance for the user and those

poor admins fixing their parents device every weekend


SOME PRETTY PICTURES


Sources

* http://www.cracksfiles.com/2015/01/universal-keygen-generator-2015-software/

* http://www.nirsoft.net/utils/mailpv.html

* http://deletemalware.blogspot.de/2012/01/pupcnetadwarebundle-uninstall-guide.html

* http://www.focus.de/digital/internet/anleitung-fuer-alle-browser-toolbar-ausversehen-installiert-so-werden-sie-die-leiste-wieder-los_id_4143166.html

Monetarization Non-objectionable means

Share/Trialware

SAAS or plain buying

Advertisement on product webpage (Help, Forum etc.)

Advertisement in products (App Stores apps)

Non aggressive bundling


EVERYBODY’S GOT TO EAT

Questionable means

Distribution through bundlers

Information Harvesting

Aggressive Advertisement

TEST SETUP

Experiment Setup


January 2016

Snapshot from one point in time (January 2016)

• Looking at 11 of the top 15 Download portals (according to

Alexa)

• Creating ranking of most distributed applications over all portals

• Downloading (and comparing) 21 most popular applications

• Analysing with AV-TEST in-house tools

• ….

EVALUATION

PUA found on Portals


PUA

Clean

Most popular Apps

17

4

PUA in Download portals

8

3

Protection against malware and infections

Providing additional Security features like reputation of files and

webpages, secure banking, file vaults, parental control etc.

Provide a hassle free usage of device by not slowing the computer

and being mostly invisible

Protect Privacy

…

And provide protection against disruptive software

AV AND PUA

Where AVs fit in


PUA DETECTION BY DEFAULT?

AV

Default Settings


34

3

8

16

2

5

January 2016

0,00%

10,00%

20,00%

30,00%

40,00%

50,00%

60,00%

70,00%

80,00%

90,00%

100,00%

PUA DETECTION (WINDOWS)

PUA detection

Rate per product

(on-demand)


PUA =89.5%

January 2016

PUA VS MALWARE DETECTION (WINDOWS)

PUA detection

Rate vs. Malware

detection per

product

(on-demand)


PUA =89.5%

Malware =96.0%

96%

January 2016

0,00%

10,00%

20,00%

30,00%

40,00%

50,00%

60,00%

70,00%

80,00%

90,00%

100,00%

DIGITALLY SIGNED PUA FILES

PUA files signed

by different

certificate

authorities


16%

32%

17%

17%

6%

4%

6%2%

0% 0%0%0%

July 2015

DIGITALLY SIGNED PUA FILES CONFLICT OF INTEREST ?

PUA files signed

by different AV

industry related

certificate

authorities


16%

32%

17%

17%

6%

4%

6%2%

0% 0%0%0%

July 2015

Symantec

VeriSign

Comodo

Thawte

NOT JUST WINDOWS IS AFFECTED … ALSO ANDROID


NOT JUST WINDOWS IS AFFECTED …


0,00%

10,00%

20,00%

30,00%

40,00%

50,00%

60,00%

70,00%

80,00%

90,00%

100,00%

PUA DETECTION VS MALWARE DETECTION (ANDROID)

PUA detection

Rate vs. Malware

detection per

product


PUA =93.85%

Malware =98.40%

January 2016

… ALSO MAC OS


…


CONCLUSION

PUA: Distribution and Detection2016-05-19

PUA is a problem as prevalent as Malware, maybe more…

Users are more likely to ‘see’ PUA instead of Malware.

Users expect AV to protect or at least warn them.

Big differences between vendors on how to approach PUA.

Industry wide rules are missing.

Is CSA helping or is it causing more trouble? Is it driven by the right

parties and with the right motivation?

32

Thank you for your attention!


@avtestorg (English) & @avtestde (German)

Follow us on facebook.com/avtestorg

Current test results at https://www.av-test.org

https://www.av-test.org/

david walkiewicz / maik morgenstern caro workshop 2016 · david walkiewicz / maik morgenstern caro...

Documents