Staying low: how FakeAV flies under the AV's radar

Bojan Zdrnja
Branko Spasojevic

Type of lecture: lecture
Language: EN
Held on 2011-06-18 15:30:00 (length: 50 min)
Location: Area 1

In the last couple of years, FakeAV has arguably become the most prominent rogue application installed on hundreds of thousands of client PCs. At the same time, FakeAV continues to evolve in order to keep flying under the real AV's radar.
The aim of this presentation is to explore some of the secrets behind FakeAV. We will start by analyzing the modus operandi of several FakeAV groups: automatic poisoning of search engines with the latest search trends in order to drive visitors to their pages, as well as the multi-layered architecture used to make their infrastructure as resilient as possible. We will then pay special attention to the client binaries that get dropped on victims' machines, since these are the real cash maker for the FakeAV operators: how they manage to stay one step ahead of the real AV products, and what they actually do once a machine is infected.

Bojan Zdrnja is a senior security consultant at Infigo IS, a Croatia-based security company. Besides his day job, he is probably best known for his SANS Internet Storm Center diaries, where he has been dissecting various attacks and malware for years. This resulted in Bojan co-authoring SANS' popular GREM course/certificate. Bojan has spoken at various conferences around the world, including AusCERT and Cybersecurity Malaysia. He holds CISSP, GCIH and GCIA certificates.

Branko Spasojevic works as a technical security consultant at Infigo IS. Besides hacking web sites during the day, he develops plugins for IDA Pro that aim to help reverse engineers get past the obfuscation obstacles planted by malware authors. Branko previously presented at the 27C3 conference and BerlinSides.

Attached files: All slides in PDF format