Extended Abstract: Detecting Scareware by Mining Variable Length Instruction Sequences

Scareware represents scam applications that usually masquerade as security applications such as fake anti-virus software to display fake scanning processes and results to scare users into believing that their systems have been infected with malicious content. Traditional countermeasures that rely on either signature-based methods or heuristic-based methods lack the capability of detecting novel instances of scareware since, for both methods, anti-malware vendors need to catch novel instances, analyze them, create new signatures or rules and then update their databases. Generalizing the scareware detection method so that it can detect novel instances can arguably be regarded as important for user protection. Another problem regarding the detection of scareware is that differences between scareware and legitimate software are subtler than between, say, viruses and legitimate software. That is, there is less information that can be used to distinguish between scareware and legitimate software. To our knowledge, no other studies have been conducted regarding the detection of scareware. There could perhaps be two reasons for this: on the one hand, researchers may have regarded scareware as just another type of malware and thus have assumed that previous malware detectors should work for scareware as well. On the other hand, scareware may have been regarded as harmless. We argue that scareware is too distinct to other forms of malware for previous detectors to work and that the risks of scareware could be substantial primarily due to the fact that scareware uses social engineering to gain access to the complete file system of personal computers.