Measuring PUP Prevalence and PUP Distribution through Pay-Per-Install Services
Platon Kotzias, Leyla Bilge, Juan Caballero

Potentially Unwanted Programs (PUP)

PUP vs Malware
What are the relationships between PUP and malware?

Evidence of PUP Prevalence
Properly signed executables flagged by AVs are predominantly PUP: Kotzias et al. Certified PUP: Abuse in Authenticode Code Signing. In Proceedings of the 22nd ACM Conference on Computer and Communications Security, 2015.
5% of unique IPs accessing Google have injected advertisements: Thomas et al. Ad Injection at Scale: Assessing Deceptive Advertisement Modification. In Proceedings of the IEEE Symposium on Security and Privacy, 2015.
How many users are affected by PUP?

Pay-Per-Install (PPI) Ecosystem
Actors (figure): Advertisers -> PPI Service -> Affiliate Publishers -> Target Hosts. VLC appears in the figure as the example of freeware whose installer carries the bundle.
Publishers = software owners: the affiliate publishers own the software that the PPI installer is bundled with.
This commercial PPI ecosystem is disjoint from the malware PPI services studied by Caballero et al. (USENIX Security 2011).
Open questions: How many PPI services exist? What type of PUP is advertised?

Pay-Per-Install (PPI) Ecosystem: average price per install
Country          PPI (Avg.)   Malware PPI (Avg.)
United States    $1.30        $0.11
United Kingdom   $0.80        $0.16
Australia        $0.40        $0.13
Canada           $0.40        $0.09
France           $0.28        $0.06
Malware distribution through malware PPIs can be up to an order of magnitude cheaper than an install bought from a commercial PPI service.

Contributions
Measure PUP prevalence and its distribution through PPI services.
Build a publisher graph that captures who-installs-who relationships among PUP publishers.
Identify the prevalent PPI services and advertisers.
Examine PUP-malware relationships.

Comparison with Simultaneous Work
Complementary works: bottom-to-top (this work) compared to a top-to-bottom approach.
Analysis period: 19 months (Jan '13 – July '14) in this work versus 12 months (Aug '15 – Jul '16) in the simultaneous work.
Geographical coverage differs as well.
(Figure labels, this work: WINE Dataset -> 3.9M hosts -> PUP Prev., 23 PPI, 77 Adv. Simultaneous work: 4 PPI -> PPI Adv. SW -> PPI Measurements, Safe Browsing data.)

Datasets
WINE Dataset: AV telemetry from 3.9M real Windows hosts; 8B events over 19 months (Jan '13 – July '14); 11M reports of malicious/undesirable software.
Malsign dataset [Kotzias et al. CCS '15]: 142K signed malware and PUP binaries, clustered into families.
Event model: Parent --downloads / uncompresses--> Child. Each event links a parent executable to the child executable it downloaded or extracted, which is what makes who-installs-who relationships observable.

Identify PUP Publishers
Focus on signed executables: digital signatures allow attribution of software to a publisher.
Properly signed executables flagged by AVs are predominantly PUP [Kotzias et al. CCS '15].
Pipeline: 11M hashes -> query VT -> 11M VT reports -> filter out benign samples and invalid signatures -> 2.5M VT reports -> extract publishers from the digital signatures -> 1.4K PUP publishers -> select the WINE events whose parent or child is in the publisher list.
(Figure labels for the selected WINE data: Events 8B, Files 2.6M, Publishers 6K, URLs 290K.)

Clustering Publishers
Three signals merge signer names into publisher clusters:
Publisher name similarity, e.g. Tuguu Israel Ltd, TUGUU SLU, Tuguu sl, Tuguu S.L.U. and Tuguu collapse into one cluster.
Child download domains: publishers whose executables are downloaded from the same domain (figure example: Publisher A, Publisher B and Publisher C, all served from Maldown.com).
Parent download domains: publishers whose parent installers are downloaded from the same domain (same figure example).
Malsign clustering: 142K signed samples -> 2.2K clusters.
Result: 5K publisher clusters; those with high DR -> 915 PUP publisher clusters.
Publisher Detection Ratio (DR) = # EXEs flagged by AVs / All EXEs
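The clustering step described on this slide, written out as an added example (not code from the paper or its authors): signer names are normalised so that legal-form variants collapse, publishers that share a child or parent download domain are merged with a union-find, and each resulting cluster gets a detection ratio. The suffix list, the excluded hosting domains, the 0.5 DR threshold and every publisher name and domain are constructed assumptions; the study's own thresholds and lists are not on the slide.

```python
"""Cluster signer names into publisher clusters and keep the high-DR ones as PUP.

Added example, not code from the paper or its authors. It applies the three
clustering signals the slide lists (publisher-name similarity, shared child
download domains, shared parent download domains) to constructed sample
records; the suffix list, the hosting-domain exclusion list, the DR threshold
and every publisher name and domain below are assumptions, not values from
the study.
"""
import re
from collections import defaultdict

# Legal-form and location tokens that make one company appear under several
# signer names (assumption: a small illustrative list).
NOISE_TOKENS = {"ltd", "slu", "sl", "inc", "corp", "llc", "gmbh", "sa", "israel"}

# Domains used by many unrelated publishers; sharing one of these says nothing
# about common ownership, so they must not trigger a merge (assumption).
SHARED_HOSTS = {"files.hosting.example"}

# Constructed sample, one row per signed executable seen in telemetry:
# (signer name, domain the file came from, domain its parent came from
#  or None, flagged by AV engines?)
SAMPLE_FILES = [
    ("Tuguu S.L.U.",        "dl.tuguu-cdn.example",  None,             True),
    ("TUGUU SLU",           "dl.tuguu-cdn.example",  None,             True),
    ("Tuguu sl",            "mirror.tuguu.example",  None,             True),
    ("Tuguu Israel Ltd",    "mirror.tuguu.example",  None,             False),
    ("Tuguu",               "dl.tuguu-cdn.example",  None,             True),
    ("Tuguu",               "files.hosting.example", None,             True),
    ("Publisher A",         "maldown.example",       "bundle.example", True),
    ("Publisher B",         "maldown.example",       "bundle.example", True),
    ("Publisher C",         "cdn-c.example",         "bundle.example", False),
    ("Publisher C",         "cdn-c.example",         None,             True),
    ("Example Video Corp.", "video.example",         None,             False),
    ("Example Video Corp.", "video.example",         None,             False),
    ("Example Video Corp.", "files.hosting.example", None,             False),
]


def normalize_name(name):
    """Case-fold, drop punctuation and legal-form tokens: 'Tuguu S.L.U.' -> 'tuguu'."""
    cleaned = re.sub(r"[^a-z0-9 ]", " ", name.lower().replace(".", ""))
    kept = [t for t in cleaned.split() if t not in NOISE_TOKENS]
    return " ".join(kept) or name.lower()


class UnionFind:
    """Minimal disjoint-set forest over publisher names."""

    def __init__(self, items):
        self.parent = {x: x for x in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster_publishers(files, shared_hosts=SHARED_HOSTS):
    """Return the list of publisher clusters (frozensets of signer names)."""
    publishers = sorted({row[0] for row in files})
    uf = UnionFind(publishers)

    # Signal 1: signer names that normalise to the same string.
    by_norm = defaultdict(list)
    for pub in publishers:
        by_norm[normalize_name(pub)].append(pub)

    # Signals 2 and 3: a shared child download domain or a shared parent
    # download domain, excluding generic hosting domains.
    by_domain = defaultdict(set)
    for pub, child_dom, parent_dom, _flagged in files:
        for kind, dom in (("child", child_dom), ("parent", parent_dom)):
            if dom and dom not in shared_hosts:
                by_domain[(kind, dom)].add(pub)

    for group in list(by_norm.values()) + [sorted(s) for s in by_domain.values()]:
        for pub in group[1:]:
            uf.union(group[0], pub)

    clusters = defaultdict(set)
    for pub in publishers:
        clusters[uf.find(pub)].add(pub)
    return [frozenset(c) for c in clusters.values()]


def detection_ratio(cluster, files):
    """DR = executables flagged by AVs / all executables of the cluster."""
    rows = [row for row in files if row[0] in cluster]
    return sum(1 for row in rows if row[3]) / len(rows)


def pup_clusters(files, min_dr=0.5):
    """Clusters whose DR meets the (assumed) threshold are labelled PUP."""
    return [c for c in cluster_publishers(files) if detection_ratio(c, files) >= min_dr]


if __name__ == "__main__":
    for cluster in cluster_publishers(SAMPLE_FILES):
        print(f"DR={detection_ratio(cluster, SAMPLE_FILES):.2f}  {sorted(cluster)}")
```

The exclusion list matters: without it, the two unrelated publishers that both used the generic hosting domain would be merged into one cluster, and a benign publisher would inherit the other's detection ratio. Publisher C shows the parent-domain signal at work, since it shares no child download domain with A and B but the same parent domain dropped all three.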

Road Map: Intro | PUP Prevalence | PPI Ecosystem

PUP Prevalence
Nested populations (figure): Internet users > Symantec users > WINE opted-in hosts > users with PUP.
54% (2.1M) of WINE hosts have at least one PUP executable installed.
Extrapolating that ratio: ~210M Internet users affected.
Publisher Ranking
# Cluster Hosts
1 Microsoft 3.9M
2 Symantec 3.8M
3 Adobe Systems 3.5M
4 Google 3.1M
5 Apple 1.8M
6 Intel 1.6M
7 Sun Microsystems 1.6M
8 Cyberlink 1.6M
9 GEAR Software 1.5M
10 Hewlett-Packard 1.5M
# Cluster Hosts
11 Oracle 1.4M
12 Skype Technologies 1.3M
13 Mozilla Corporation 1.0M
14 McAfee 1.0M
15 Perion Network/Conduit 1.0M
24 Mindspark 533K
…
14
![Page 48: Measuring PUP Prevalence and PUP Distribution …4 Google 3.1M 5 Apple 1.8M 6 Intel 1.6M 7 Sun Microsystems 1.6M 8 Cyberlink 1.6M 9 GEAR Software 1.5M 10 Hewlett-Packard 1.5M # Cluster](https://reader033.vdocuments.net/reader033/viewer/2022060512/5f2b6c150eee2148434c12e3/html5/thumbnails/48.jpg)
Publisher Ranking
# Cluster Hosts
1 Microsoft 3.9M
2 Symantec 3.8M
3 Adobe Systems 3.5M
4 Google 3.1M
5 Apple 1.8M
6 Intel 1.6M
7 Sun Microsystems 1.6M
8 Cyberlink 1.6M
9 GEAR Software 1.5M
10 Hewlett-Packard 1.5M
# Cluster Hosts
11 Oracle 1.4M
12 Skype Technologies 1.3M
13 Mozilla Corporation 1.0M
14 McAfee 1.0M
15 Perion Network/Conduit 1.0M
PUP publishers are among the most widely installed software publishers
24 Mindspark 533K
…
14

Road Map: Intro | PUP Prevalence | PPI Ecosystem

PPI Ecosystem
Questions addressed with the publisher graph:
How many PPI services exist?
What type of PUP is distributed?
How is PUP distributed?
PUP-malware relationship?
(Figure: Advertisers -> PPI Service -> Affiliate Publishers -> Target Hosts, with VLC as the bundled-freeware example.)

Publisher Graph
The publisher graph captures who-installs-who relationships: a directed edge from publisher P to publisher C means that an executable signed by P downloaded or dropped an executable signed by C. Each edge carries the number of events and the number of distinct hosts on which they were observed.
(Figure labels: OpenCandy at the centre, with neighbouring publishers Uniblue Systems, Iminent, Adsology, Skype Tech. SA, Microsoft Corp., Systweak, Wajam, Web Cake and Spigot; example edge weights #Events: 2K / #Hosts: 500, #Events: 10K / #Hosts: 1K, #Events: 3K / #Hosts: 60K.)
In-Degree (ID): 3, the number of distinct publishers that install this publisher.
Out-Degree (OD): 4, the number of distinct publishers this publisher installs.

How many PPI services exist?
Rule: High DR and High ID and High OD.
5K publishers -> (rule) -> 49 candidates -> (manual analysis) -> 24 PPIs
PPI cluster              DR    ID    OD    Hosts
Perion Network/Conduit   52%   168   63    1M
Web Pick                 79%   65    22    346K
iBario                   84%   62    36    336K
IronSource               81%   73    112   332K
OpenCandy                55%   91    36    311K
3 of the top 5 most popular PUP publishers are PPI services.
12 other known PPIs are not seen in the data because they are not popular or gained popularity later, distribute unsigned bundles, or are resellers.
![Page 61: Measuring PUP Prevalence and PUP Distribution …4 Google 3.1M 5 Apple 1.8M 6 Intel 1.6M 7 Sun Microsystems 1.6M 8 Cyberlink 1.6M 9 GEAR Software 1.5M 10 Hewlett-Packard 1.5M # Cluster](https://reader033.vdocuments.net/reader033/viewer/2022060512/5f2b6c150eee2148434c12e3/html5/thumbnails/61.jpg)
What type of PUP is distributed?
Rule: High DR and High ID and Low OD and Parent PPI > 0
77 advertisers
Of 30 advertisers examined:
18/30 Add-ons: modify default search engine, inject shopping deals & price comparisons
6/30 Rogueware: performance optimizers
6/30 Other: backup tools, multimedia players
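The two rules on this slide and the previous one (PPI candidate: high DR, high ID, high OD; advertiser: high DR, high ID, low OD, at least one PPI parent) can be applied mechanically to a publisher graph built from download events. The following Python is an added illustration, not the authors' code and not run on WINE data: the events are constructed, the metric definitions (DR taken as the fraction of a publisher's install hosts where the file had a recorded parent, ID as the number of distinct parent publishers, OD as the number of distinct child publishers) and the thresholds are assumptions chosen to make the rules concrete, and the output is only a candidate list that would still need the manual-analysis step shown on the slide.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class PublisherStats:
    # Hosts where a file signed by this publisher was installed.
    hosts: set = field(default_factory=set)
    # Subset of hosts where that install had a recorded parent, i.e. the file
    # was downloaded by another program. DR is the ratio of the two (assumed
    # definition for this example).
    downloaded_hosts: set = field(default_factory=set)
    # Distinct publishers that installed this publisher's files (in-degree, ID).
    parents: set = field(default_factory=set)
    # Distinct publishers whose files this publisher installed (out-degree, OD).
    children: set = field(default_factory=set)

    @property
    def dr(self) -> float:
        return len(self.downloaded_hosts) / len(self.hosts) if self.hosts else 0.0

    @property
    def in_degree(self) -> int:
        return len(self.parents)

    @property
    def out_degree(self) -> int:
        return len(self.children)


# Constructed download events (host, parent_publisher, child_publisher); not WINE
# data. parent None means the child's file appeared on the host without a
# recorded downloader (e.g. a direct install by the user).
EVENTS = [
    # ppi-a: installed from several publishers' bundles, installs several advertisers.
    ("h1", "game-x", "ppi-a"), ("h2", "codec-y", "ppi-a"), ("h3", "tool-z", "ppi-a"),
    ("h4", None, "ppi-a"),
    ("h1", "ppi-a", "adv-1"), ("h2", "ppi-a", "adv-2"), ("h3", "ppi-a", "adv-3"),
    ("h4", "ppi-a", "adv-1"),
    # ppi-b: a smaller publisher with the same shape.
    ("h5", "game-x", "ppi-b"), ("h8", "codec-y", "ppi-b"), ("h9", None, "ppi-b"),
    ("h5", "ppi-b", "adv-1"), ("h8", "ppi-b", "adv-2"), ("h9", "ppi-b", "adv-3"),
    # adv-1: many parents, some of them PPI services, never a parent itself.
    ("h6", "bundle-q", "adv-1"), ("h7", None, "adv-1"),
    # game-x: mostly direct installs; it bundles ppi-a and ppi-b but has low DR.
    ("h1", None, "game-x"), ("h5", None, "game-x"), ("h10", None, "game-x"),
]


def build_publisher_graph(events):
    """Aggregate per-publisher hosts, parents and children from download events."""
    stats = defaultdict(PublisherStats)
    for host, parent, child in events:
        s = stats[child]
        s.hosts.add(host)
        if parent is not None:
            s.downloaded_hosts.add(host)
            s.parents.add(parent)
            stats[parent].children.add(child)
    return dict(stats)


def classify_publishers(stats, dr_min=0.5, id_min=2, od_min=2):
    """Apply the two slide rules. Thresholds are hypothetical, not the paper's."""
    # Rule 1: high DR, high ID, high OD -> PPI candidate.
    ppi = {p for p, s in stats.items()
           if s.dr >= dr_min and s.in_degree >= id_min and s.out_degree >= od_min}
    # Rule 2: high DR, high ID, low OD, and at least one parent that is a PPI.
    advertisers = {p for p, s in stats.items()
                   if p not in ppi and s.dr >= dr_min and s.in_degree >= id_min
                   and s.out_degree < od_min and (s.parents & ppi)}
    return {"ppi_candidates": sorted(ppi), "advertisers": sorted(advertisers)}


if __name__ == "__main__":
    graph = build_publisher_graph(EVENTS)
    for name, s in sorted(graph.items()):
        print(f"{name:10} DR={s.dr:.2f} ID={s.in_degree} OD={s.out_degree} hosts={len(s.hosts)}")
    print(classify_publishers(graph))
```

Publishers that only ever appear as parents (codec-y, tool-z, bundle-q) get DR 0 because none of their own files were observed being installed, so they fall out of both rules; the advertiser rule is evaluated after the PPI rule so that the "parent PPI > 0" condition refers to the candidate set just produced.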
How is PUP distributed?
[Figure: installation graph of parent programs installing PUP]
71% of PUP have signed parents
PUPs are generally installed by other PUPs: 74% of the parents are PUP publishers, 26% are PPI services
PPI services play an important role in the distribution of PUP
PUP - Malware Relationship
Challenge: accurately label malware in the WINE dataset
Selected 70 popular malware families (e.g., zbot, zeroaccess, reveton, virut, sality)
AVClass malware labeling tool [Sebastián et al. RAID '16], github.com/malicialab/avclass
Input: sample hashes, e.g.
1be77f9e3abb48a481b1e683d617904a
8aeb7793645c05c6fe6e3c017703e45f
88f21f6a38bd35673dde705839885cce
1db177e0235fc32873973328f8f4f9b2
Output: family names, e.g.
softpulse
installerex
virut
zeroaccess
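AVClass derives a family name for a sample by normalizing the labels that many AV vendors assign to it and taking the most-voted family token. The Python below is an added, reduced version of that idea, not code from the AVClass repository and not run on the hashes above: the vendor labels are constructed, and the generic-token list and alias map are tiny stand-ins for the much larger ones the tool ships with.

```python
import re
from collections import Counter

# Tokens that name a class of threat or a platform rather than a family.
# AVClass keeps a much longer list; this one covers the constructed labels.
GENERIC_TOKENS = {
    "trojan", "virus", "worm", "malware", "adware", "generic", "heuristic",
    "win32", "pup", "optional", "spy", "downloader", "agent", "riskware",
}
# Different vendors use different names for the same family.
ALIASES = {"zeus": "zbot"}

# Constructed vendor labels for three fictitious samples; not real scan results.
SAMPLES = {
    "sample-1": {
        "EngineA": "Trojan.Win32.Zbot.abcd",
        "EngineB": "Win32/Zeus.A",
        "EngineC": "Trojan-Spy.Zbot",
        "EngineD": "Generic.Malware",
    },
    "sample-2": {
        "EngineA": "PUP.Optional.InstallerEx",
        "EngineB": "Adware/Installerex.B",
        "EngineC": "Win32:Generic-PUP",
    },
    "sample-3": {
        "EngineA": "Generic.Trojan",
        "EngineB": "Malware.Heuristic",
    },
}


def family_tokens(label):
    """Split one vendor label into candidate family tokens."""
    tokens = set()
    for tok in re.split(r"[^a-z0-9]+", label.lower()):
        if len(tok) < 4 or tok in GENERIC_TOKENS:
            continue
        # Hex-looking tokens are variant ids (e.g. "abcd"), not family names.
        if re.fullmatch(r"[0-9a-f]+", tok):
            continue
        tokens.add(ALIASES.get(tok, tok))
    return tokens


def label_sample(sample_id, vendor_labels):
    """Plurality vote across vendors; each vendor votes at most once per token.

    Returns (family, votes); a sample with no family token becomes a singleton,
    which is also how AVClass reports unlabeled samples.
    """
    votes = Counter()
    for label in vendor_labels.values():
        for tok in family_tokens(label):
            votes[tok] += 1
    if not votes:
        return ("SINGLETON:" + sample_id, 0)
    family, count = votes.most_common(1)[0]
    return (family, count)


def label_dataset(samples):
    return {sid: label_sample(sid, labels) for sid, labels in samples.items()}


if __name__ == "__main__":
    for sid, (family, votes) in label_dataset(SAMPLES).items():
        print(f"{sid}: {family} ({votes} vendors)")
```

The point of the normalization step is that vendor labels are not directly comparable: "Zbot" and "Zeus" are the same family, and generic tokens like "Trojan" would otherwise win the vote on almost every sample. A real labeling run would also need a minimum number of agreeing vendors before trusting a family name.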
PUP - Malware Relationship
Does PUP download malware?
71 PUP publishers, 40 malware families, 5.6K download events (0.01%)
Examples:
Perion Network dropping Zbot, Shylock trojans
InstallBrain downloading Mevade/Sefnit, as reported by TrendMicro
Does malware download PUP?
25 malware families, 98 PUP publishers, 11K download events (0.03%)
Malware distribution seems disjoint from PUP distribution
Summary
54% of 3.9M real hosts examined have PUP installed
Birds-eye view of the PPI ecosystem:
24 PPI services that distribute 26% of all signed PUP
77 advertiser clusters (mostly BAO, browser add-ons) that monetize in various ways
Malware distribution seems disjoint from PUP distribution