
The continuous threat of malware hiding in fake Adobe Flash updates

Overview
The constant stream of Adobe Flash updates has long been a serious security headache. Using our Domain Reputation System (DRS), we recently discovered hundreds of new core domains per day, each with different subdomains, that trick users into downloading and installing what they believe are the latest Adobe Flash security patches. Based on the global traffic we see, the total unique client count for all these names is in the hundreds of thousands.

Finding Fake Flash Updates
These fake Flash update domains are identified by analyzing new anomalous domains, clustering them on several features, and then propagating reputation metrics through the domain reputation graph.
Below is a small sample of the 10 most active domains (with total unique client count) used by fake Flash updates, as detected by DRS:

Table: the 10 most active fake Flash update domains with their unique client counts

Screenshot of the fake Flash update popup, captured by our honeypot

The chart below shows the per-minute unique client count for a small set of discovered names. As with the other names in the cluster, these names show large bursts of activity that drop off sharply within a few minutes or a few hours. Although some names persist longer than others and the unique client count varies per domain, the combined client count for all the new names is tens of thousands per day.

Chart: per-minute unique client count for a small set of discovered names

Defenses must be agile
Users need to be protected against this threat as early as possible, because hundreds of new core domains appear and disappear over short periods every day. Classical approaches such as honeypots or feedback loops are not effective: they take longer to identify this kind of activity and do not see the full breadth of domain names, so they offer only limited coverage. Our analysis supports this claim: among thousands of these domains identified using DRS, only one fourth are listed by other threat lists as malicious phishing or malware download domains.

Fast detection and protection
DRS detects malicious domains faster and provides better coverage because it implements a comprehensive framework that connects multiple entities: domain owners, server IP addresses, name servers, CNAME redirection chains, historical security feeds, traffic patterns and implicit client correlation features.
To manage the complexity of these features, DRS is organized as a giant graph with hundreds of millions of nodes, attributes and relationships. This graph-oriented approach lets new internal and external knowledge scale and update in real time, and quickly propagates maliciousness from known entities to other entities for which no direct information is available.
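As an added illustration of the propagation idea described in the Finding Fake Flash Updates and Fast detection sections (example code, not DRS's own implementation), the toy Python below runs a simple label propagation over a constructed domain-infrastructure graph. The domains, addresses, entity names, damping factor and prior are all assumptions, and the algorithm is a deliberately simplified stand-in for whatever DRS actually uses.

```python
# Added illustration, not DRS code: toy label propagation over a graph
# whose nodes are domains and the entities they use (IPs, name servers,
# registrants). Feed verdicts are clamped; every other node takes the damped
# mean of its neighbours, so maliciousness flows through shared infrastructure
# to brand-new names that no feed has listed yet.
from collections import defaultdict

# Constructed sample edges (all names and addresses are placeholders).
EDGES = [
    ("known-bad-1.example", "ip:198.51.100.7"),
    ("known-bad-1.example", "ns:ns1.cheaphost.example"),
    ("known-bad-2.example", "ip:198.51.100.7"),
    ("known-bad-2.example", "ns:ns1.cheaphost.example"),
    ("known-bad-2.example", "owner:registrant-42"),
    ("fresh-update.example", "ip:198.51.100.7"),   # new, not on any feed
    ("fresh-update.example", "owner:registrant-42"),
    ("benign-cdn.example", "ip:203.0.113.20"),
    ("benign-cdn.example", "ns:ns1.bigdns.example"),
    ("partner-site.example", "ns:ns1.bigdns.example"),
]
# Ground truth from historical security feeds: 1.0 = malicious, 0.0 = benign.
SEEDS = {"known-bad-1.example": 1.0, "known-bad-2.example": 1.0,
         "benign-cdn.example": 0.0}

def build_graph(edges):
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj

def propagate(adj, seeds, rounds=10, damping=0.85, prior=0.5):
    """Return a maliciousness score in [0, 1] for every node in the graph."""
    score = {n: seeds.get(n, prior) for n in adj}
    for _ in range(rounds):
        new = {}
        for node, nbrs in adj.items():
            if node in seeds:                 # clamp known verdicts
                new[node] = seeds[node]
            else:
                mean = sum(score[m] for m in nbrs) / len(nbrs)
                new[node] = damping * mean + (1 - damping) * prior
        score = new
    return score

def rank_unlabelled_domains(score, seeds):
    """Domains with no feed verdict (nodes without an entity prefix), worst first."""
    names = [n for n in score if ":" not in n and n not in seeds]
    return sorted(names, key=lambda n: score[n], reverse=True)

if __name__ == "__main__":
    scores = propagate(build_graph(EDGES), SEEDS)
    for name in rank_unlabelled_domains(scores, SEEDS):
        print(f"{name:24s} {scores[name]:.2f}")
```

The unlisted fresh-update.example ends up scored close to its known-bad neighbours because it shares their IP and registrant, while partner-site.example, which only shares a name server with a benign domain, stays low.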

Summary
Fake Flash update websites are an ongoing problem that affects hundreds of thousands of consumers on provider networks. Because of the polymorphic nature of this threat, detecting the right domains in the shortest time requires robust research and analysis. DRS continuously identifies and blocks domains associated with this threat within minutes of their first appearance. Domains learned by DRS are continuously populated into the SubscribersSafety feeds, which makes it simple for providers to offer agile defenses for their subscribers.
