A systematic empirical analysis of unwanted software abuse, prevalence, distribution, and economics

  1. Kotzias, Platon Pantelis
Supervised by:
  1. Juan Caballero Supervisor

Defending university: Universidad Politécnica de Madrid

Date of defense: 27 May 2019

Committee:
  1. Marc Dacier Chair
  2. Dario Fiore Secretary
  3. Igor Santos Grueiro Member
  4. Angel Cuevas Rumín Member
  5. Claudio Soriente Member
  6. Narseo Vallina Rodriguez Member
  7. Juan Manuel Estévez Tapiador Member

Type: Thesis

Abstract

Potentially unwanted programs (PUP) are a category of undesirable software that, while not outright malicious, can pose significant risks to users' security and privacy. There are indications that PUP prominence has increased quickly over the last years, but the prevalence of PUP on both consumer and enterprise hosts remains unknown. Moreover, many important aspects of PUP, such as distribution vectors, code signing abuse, and economics, also remain unknown. In this thesis, we empirically and systematically analyze PUP abuse, prevalence, distribution, and economics, in both breadth and depth. We make the following four contributions. First, we perform a systematic study on the abuse of Windows Authenticode code signing by PUP and malware. We build an infrastructure that classifies potentially malicious samples as PUP or malware and use this infrastructure to evaluate 356K samples. We show that most signed samples are PUP and that malware is not commonly signed. We also evaluate the efficacy of Certification Authority (CA) defenses such as identity checks and revocation. Our results suggest that CA identity checks pose some barrier to malware but do not affect PUP. CA revocations are equally low for both malware and PUP. We conclude that current CA defenses are largely ineffective against PUP. Second, we measure the prevalence of unwanted software on real consumer hosts using telemetry from 3.9 million hosts. We also analyze the commercial pay-per-install (PPI) service ecosystem, showing that commercial PPI services play a major role in the distribution of PUP. Third, we perform an analysis of enterprise security and measure the prevalence of both malware and PUP on real enterprise hosts. We use AV telemetry collected from 28K enterprises and 67 industry sectors with over 82M client hosts. Almost all enterprises, despite their different security postures, encounter some malware or PUP in a three-year period. We also observe that some industries, especially those related to finance, secure their systems far better than other industries. Fourth, we perform an analysis of PUP economics. For that, we first propose a novel technique for performing PUP attribution. Then, we use our technique to identify the entities behind three large Spanish-based PUP operations and measure the profitability of the companies they operate. Our analysis shows that in each operation a small number of people manage a large number of companies, and that the majority of them are shell companies. In the period 2013-2015, the three operations had a total revenue of 202.5M EUR and a net income of 23M EUR. Finally, we observe a sharp decrease in both revenue and income for all three operations starting in mid-2014. We conclude that improved PUP defenses deployed by various software and security vendors significantly impacted the PPI market.