Detecting fake anti-virus software distribution webpages

Attackers are continually seeking novel methods to distribute malware. Among various approaches, fake Anti-Virus (AV) attacks represent an active trend for malware distribution. In a fake AV attack, attackers disguise malware as legitimate anti-virus software and convince users to install it. As web browsers become the most popular applications for users to access online resources, webpages have become the dominating means to launch fake AV attacks. In this paper, we presented an automated and effective detection system, namely DART, to identify fake AV webpages in the Internet. We proposed a collection of novel features to characterize an unknown webpage and then integrate them using statistical classifiers. These features focus on profiling a fake AV webpage from three aspects that are fundamentally important for its success, thereby resulting in the high detection accuracy and implying resistance against evasion attempts. We have performed extensive evaluation based on real fake AV webpages that are collected from the Internet. Experimental results have demonstrated that DART can accomplish a high detection rate of 90.4% at an extremely low false positive rate of 0.2%.