Gary Warner, Mike Nagy, Kyle Jones, Kevin Mitchem


Fake AntiVirus (FakeAV) malware experienced a resurgence in the fall of 2013 after falling out of favor after several high profile arrests. FakeAV presents two unique challenges to investigators. First, because each criminal organization running a FakeAV affiliate system regularly alters the appearance of their system, it is sometimes difficult to know whether an incoming criminal complaint or malware sample is related to one ring or the other. Secondly, because FakeAV is delivered in a “Pay Per Install” affiliate model, in addition to the ring-leaders of each major ring, there are many high-volume malware infection rings who are all using the same malware. Indeed, a single criminal could participate in multiple affiliate programs using the same spreading and distribution system. Because of this, traditional malware clustering may identify common code, but fail to achieve distinction or attribution of the individual affiliate actors profiting from the scam. By combining n-way vendor agreement and live network capture, malware samples can quickly be associated with particular affiliate infrastructure and/or managing affiliate programs, while identifying and helping to prioritize investigations.

Full Text:



Antonio Nappa, M. Z. (2013). Driving in the Cloud: An analysis of drive-by download operations and abuse reporting. In P. S.-P. Konrad Rieck, Detection of Intrusions and Malware, and Vulnerability Assessment, 1-20. SpringerLink.

APWG. (2006). The crimeware landscape: Malware, phishing, identity theft and beyond. Retrieved on January 9, 2014, from Anti-Phishing Working Group

Bayon, D. (2011). Acronis true image home 2012 review. Retrieved on January 12, 2014 from PC Pro

Bodmer, S. (2011). It's raining source. Retrieved on January 9, 2014 from Damballa Blog: The Day Before Zero

Brett Stone-Gross, M. C. (2009). Your Botnet is My Botnet. CCS '09, 635-647. New York, NY: ACM.

Caballero, J. G. (2011). Measuring pay-per-install: The commodotization of malware distribution. Usenix security symposium.

Canto, J. (2013). About VirusTotal. Retrieved on January 12, 2014 from

CERT Polska. (2013). Technical report: Zeus-P2P monitoring and analysis. Retrieved on January 10, 2014 from CERT Polska

Chen, X. A. (2008). Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware. IEEE International Conference on Dependable Systems and Networks, 177-186.

Claudio Guarnieri, A. T. (2014). Automated malware analysis. Retrieved on January 12, 2014 from Cuckoo Sandbox

Cova, M. L. (2010). An analysis of rogue AV campaigns. Recent Advances in Intrusion Detection (RAID '10), 442-463. Springer Berlin Heidelberg.

FBI Press. (2011). Department of Justice disrupts international cyber crime rings distributing scareware. Retrieved on December 29, 2013 from FBI National Press Releases

Federal Trade Commission v. Innovative Marketing, Inc., 08-CV-3233-RDB Federal Court District of Maryland, December 10, 2008.

FTC. (2013). Innovative Marketing, Inc., et al. Retrieved on January 9, 2014 from FTC Cases and Proceedings

Goodin, D. (2012). Turncoat hackers: A brief history of snitching in high-tech dragnets. Retrieved on January 10, 2014 from Ars Technica

Han, K. S., Kang, B., & Im, E. G. (2011). Malware classification using instruction frequencies. 2011 ACM Symposium on Research in Applied Computation, 298-300. New York, NY: 2011.

Jang, J. D. (2010). Bitshred: Fast, scalable malware triage. Pittsburgh, PA: Cylab, Carnegie Mellon University.

John, J. P., Yu, F., Xie, Y., & Abadi, M. (2011). deSEO: Combating search-result poisoning. USENIX Security Symposium.

K, S. (2011, June 19). Gagarincash AV Affiliate. Retrieved on January 20, 2014 from XyliBox: Tracking Cyber Crime

Kang, B. K. (2011). Fast malware family detection method using control flow graphs. RACS '11 Proceedings to the 2011 ACM Symposium on Research in Applied Computation, 287-292. ACM.

Krebs, B. (2011). Fake Antivirus Down, But Not Out. Retrieved on January 10, 2014 from Krebs On Security

Kreibich, C. W. (2011). GQ: Practical containment for measuring modern malware systems. Proceedings of the 2011 ACM SIGCOMM conference on Internet Measurement, 397-412. ACM.

Liangboonprakong, C., & Sornil, O. (2013). Classification of malware families based on n-grams sequential pattern features. 8th IEEE Conference on Industrial Electronics and Applications (ICIEA), IEEE, 777-782. Melbourne.

McCoy, D. P. (2012). PharmaLeaks: Understanding the business of online pharmaceutical affiliate programs. USENIX Security Symposium.

Michael Bailey, J. O. (2007). Automated classification and analysis of internet malware. RAID '07 Proceedings of the 10th international conference on Recent Advances in Intrusion Detection, 178-197. Berlin: Springer-Verlag.

Microsoft. (2013). Microsoft Security Intelligence Report Volume 15. Redmond, OR: Microsoft.

Mimoso, M. (2014). Malicious ads on DailyMotion redirect to fake AV attack. Retrieved on January 9, 2014 from ThreatPost

Ortega, A. (2012). Hardening cuckoo sandbox against VM aware malware. Retrieved on January 10, 2014 from AlienVault

Provos, N., Mavrommatis, P., Rajab, M. A., & Morose, F. (2008). All your iFRAMEs point to us. USENIX Security Symposium.

Rascagnères, P. (2013). APT1: Technical Backstage. Retrieved on January 11, 2014 from itrust consulting

Samosseiko, D. (2009). The Partnerka-what is it, and why should you care? Virus Bulletin Conference, 115-120.

Stone-Gross, B., Abman, R., Kemmerer, R., Kruegel, C., Steigerwald, D., & Vigna, G. (2013). The Underground Economy of Fake Antivirus Software. Economics of Information Security and Privacy III, 55-78.

Upchurch, J., & Zhou, X. (2013). First byte: Force-based clustering of filtered block N-grams to detect code reuse in malicious software. 8th International Conference on Malicious and Unwanted Software, IEEE, 68-76. Fajardo, PR, USA.

Villeneuve, N. (2011). Targeting the source: FakeAV affiliate networks. Retrieved on January 2014 from Trend Micro

Warner, G. (2008). FTC moves against fake AntiVirus "ScareWare" companies. Retrieved on January 7, 2014 from CyberCrime & Doing Time


  • There are currently no refbacks.

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.

(c) 2006-2015 Association of Digital Forensics, Security and Law