Exploiting Visual Appearance to Cluster and Detect Rogue Software

Title: Exploiting Visual Appearance to Cluster and Detect Rogue Software
Publication Type: Conference Paper
Year of Publication: 2013
Authors: Dietrich, Christian J., Rossow, Christian, Pohlmann, Norbert
Conference Name: Proceedings of the 28th Annual ACM Symposium on Applied Computing
Publisher: ACM
Conference Location: New York, NY, USA
ISBN Number: 978-1-4503-1656-9
Keywords: composability, Human Behavior, Metrics, pubcrawl, ransomware, Resiliency
Abstract

Rogue software, such as Fake A/V and ransomware, tricks users into paying without anything in return. We show that, using a perceptual hash function and hierarchical clustering, more than 213,671 screenshots of executed malware samples can be grouped into subsets of structurally similar images, each cluster reflecting one malware family or campaign. Based on the clustering results, we show that ransomware campaigns favor prepaid payment methods such as Ukash, Paysafecard and MoneyPak, while Fake A/V campaigns use credit cards for payment. Furthermore, especially given the low A/V detection rates of current rogue software, sometimes as low as 11%, our screenshot analysis approach could serve as a complementary last line of defense.
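The abstract describes the pipeline only at a high level: hash each screenshot with a perceptual hash, then cluster the hashes so that structurally similar screens (same window layout, different text) end up together. The following is an added, self-contained illustration of that idea and is not the paper's code. It assumes an average hash (aHash: 8x8 box-downscale, one bit per cell set when the cell mean exceeds the global mean) and single-linkage agglomerative clustering on Hamming distance; the paper's actual hash function, linkage criterion and threshold are not stated in the abstract, so those choices are assumptions. The "screenshots" are constructed 72x64 greyscale images built inline (a Fake A/V window and a ransomware lock screen, three variants each with scattered "text" pixels), so no image library or network access is needed.

```python
"""Added example: perceptual hash + threshold clustering of screenshots.

Not the paper's code. Hash = average hash (aHash) on an 8x8 grid; clustering =
single-linkage on Hamming distance. Both are assumptions standing in for the
paper's unstated choices. Images are constructed 72x64 greyscale samples
(lists of rows of 0..255 ints) built below; nothing is loaded from disk.
"""
import random
from typing import List, Tuple

W, H = 72, 64   # constructed screenshot size (72 = 8*9, 64 = 8*8, so cells align)
GRID = 8        # hash grid -> 64-bit hash, each cell a 9x8-pixel box


def fill(img: List[List[int]], r0: int, r1: int, c0: int, c1: int, value: int) -> None:
    """Paint rows r0..r1-1, cols c0..c1-1 with a flat value."""
    for r in range(r0, r1):
        for c in range(c0, c1):
            img[r][c] = value


def fake_av(seed: int) -> List[List[int]]:
    """Constructed Fake A/V window: dark title bar, light body, result list, pay button.
    Per-sample 'text' differences are simulated as 5% scattered body pixels."""
    img = [[230] * W for _ in range(H)]
    fill(img, 0, 8, 0, W, 40)        # title bar
    fill(img, 24, 40, 9, 63, 120)    # scan-result list
    fill(img, 48, 56, 45, 63, 60)    # 'Buy now' button
    rng = random.Random(seed)
    for _ in range(W * H // 20):
        img[rng.randrange(8, H)][rng.randrange(W)] = 200
    return img


def lock_screen(seed: int) -> List[List[int]]:
    """Constructed ransomware lock screen: dark background, warning bar, ransom-note box."""
    img = [[50] * W for _ in range(H)]
    fill(img, 0, 8, 0, W, 200)       # warning bar
    fill(img, 16, 48, 18, 54, 240)   # ransom note box
    rng = random.Random(seed)
    for _ in range(32 * 36 // 10):   # 10% 'text' pixels inside the note
        img[rng.randrange(16, 48)][rng.randrange(18, 54)] = 80
    return img


def downscale(img: List[List[int]], grid: int) -> List[List[float]]:
    """Box-average the image onto a grid x grid matrix of cell means."""
    ch, cw = len(img) // grid, len(img[0]) // grid
    cells = []
    for gy in range(grid):
        row = []
        for gx in range(grid):
            block = [img[y][x] for y in range(gy * ch, (gy + 1) * ch)
                     for x in range(gx * cw, (gx + 1) * cw)]
            row.append(sum(block) / len(block))
        cells.append(row)
    return cells


def ahash(img: List[List[int]], grid: int = GRID) -> int:
    """Average hash: bit set for every cell whose mean exceeds the global mean.
    Small text changes barely move a cell mean, so layout dominates the hash."""
    cells = downscale(img, grid)
    mean = sum(map(sum, cells)) / (grid * grid)
    bits = 0
    for row in cells:
        for v in row:
            bits = (bits << 1) | (1 if v > mean else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def cluster(hashes: List[int], threshold: int) -> List[List[int]]:
    """Single-linkage agglomerative clustering: keep merging any two clusters whose
    closest pair of members is within `threshold` bits. Returns sorted index lists."""
    clusters = [[i] for i in range(len(hashes))]
    merged = True
    while merged:
        merged = False
        for i in range(len(clusters)):
            for j in range(i + 1, len(clusters)):
                d = min(hamming(hashes[a], hashes[b]) for a in clusters[i] for b in clusters[j])
                if d <= threshold:
                    clusters[i] += clusters.pop(j)
                    merged = True
                    break
            if merged:
                break
    return sorted(sorted(c) for c in clusters)


def build_samples() -> List[Tuple[str, List[List[int]]]]:
    """Six constructed screenshots: three Fake A/V variants, three lock-screen variants."""
    return ([("fakeav", fake_av(s)) for s in (1, 2, 3)] +
            [("ransom", lock_screen(s)) for s in (4, 5, 6)])


def cluster_samples(threshold: int = 10) -> List[List[str]]:
    """Hash every sample and return the clusters as lists of family labels."""
    samples = build_samples()
    hashes = [ahash(img) for _, img in samples]
    return [[samples[i][0] for i in c] for c in cluster(hashes, threshold)]


if __name__ == "__main__":
    for members in cluster_samples():
        print(members)
```

On these inputs the three Fake A/V variants hash identically despite differing "text" pixels, the lock screens likewise, and the two layouts sit roughly 50 bits apart, so a threshold of 10 yields exactly two clusters. In practice the threshold and the hash (the paper's perceptual hash may differ from aHash) determine how tolerant the grouping is to resized windows or localised ransom notes, and the same Hamming comparison against known-cluster representatives is what turns the clustering into the "last line of defense" detector the abstract mentions.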

URL: http://doi.acm.org/10.1145/2480362.2480697
DOI: 10.1145/2480362.2480697
Citation Key: dietrich_exploiting_2013