Rogue security software: Difference between revisions

Rogue security software is software that uses malware (malicious software) or malicious tools to advertise or install itself or to force computer users to pay for removal of nonexistent malware. Rogue software will often install a trojan horse to download a trial version, or it will execute other unwanted actions. The first and most comprehensive study of rogue and real antispyware programs was carried out by Eric L. Howes.^[1]

Installation

The main goal of rogue software makers is to install and sell their product. In order to attempt to install their program, fake Windows dialog boxes and other browser pop-ups are often displayed attempting to entice the user to click on them. Most of the time, they will display a message such as "WARNING! Your computer is infected with Spyware/Adware/Viruses! Buy [software name] to remove it!", a variant of which will say "Click OK to scan your system" instead of asking the user to outright buy the software. Another variant on this method involves telling the user their "Computer/Internet Connection/OS is not optimized and to Click Here to scan now". Usually, when the dialog box's OK button is clicked, this will direct the user to a malicious website, which will install the program. Sometimes, even clicking the upper right hand X button to close the dialog box will produce the same effect. (Pressing Alt+F4 or using Task Manager with Ctrl-Alt-Delete can circumvent that trick). Some software, like SpyAxe, will automatically download the trial version without any user action, in a process know as a drive-by installation. Along with the installation of the rogue programs, many sites now attempt to install multiple trojans at one time by downloading what is called a dropper first, which then loads a variety of malware to the computer.

Tactics

Once installed, the programs rely on several tactics to attempt to entice the user into purchasing a "full" version. These include false positives, downloaded malware, false security alerts and locking various aspects of the system to prevent user changes.

False positives

A common method used by rogue security software makers use is that of intentional false positives. A false positive is a fake or false malware detection in a computer scan. This attempts to convince even advanced users (who may not be deceived by previous methods) that their computer is infected. There are two variants of this method. Some rogue software creates a list of non-existent files and infections. Others select files from the computer at random, including valid clean system files. In a few rare instances, the "full" version of the rogue program actually attempts to remove these files, damaging the system.

These intentional false positives should be differentiated from an accidental false positive, which can occur in a scan by real legitimate security software.

Invited real discoveries

A variant on the false positive method is that some programs first download real malware to a computer and then "detect" them. This method is more rare as many of these malicious programs are detected by other legitimate anti-malware programs, limiting the effectiveness of the sell.

False security alerts

Many rogue applications now couple false positives with realistic and dramatic looking system security alerts. They may change the desktop background to a dramatic warning, continuously or sporadically redirect web browsers to a page that informs the user that they are infected and need to purchase a program. They may also change the homepage to a security warning, or bombard the user with continuous security alerts from the task bar, often using the yellow triangle with an exclamation point used by Windows to denote a system error. Some even go to the point of changing the screensaver to the BSOD, to make the user think that windows has crashed due to malware.

Locking various aspects of the system

To prevent removal by the user and entice the user to buy the program, rogue software will often lock various aspects of the system, including the control panel, the Add/Remove Programs feature, the ability to change the desktop, the ability to change the home page, and the ability to go to certain malware removal sites. These are all intended to prevent the user from removing the program and instead try to force them to buy the "full" version.

Detection and removal

Almost all reputable anti-spyware software will detect rogue software if it is installed on the scanned computer. Often, non-reputable rogue anti-spyware software will install a trojan horse to download the software from the maker's website, like Titan Shield.^[2] Reputable anti-virus and anti-spyware software can detect the trojan even before the software is installed. Programs such as Ad-Aware SE, AVG Anti-Virus, Avast!, etc, can usually detect these with their real-time protection modules. HIPS software such as the Defense+ module of Comodo Internet Security is also capable of detecting and stopping the methods rogue software use to install onto a computer. However, often removal of new, aggressive rogue programs requires the use of programs such as HijackThis combined with manual removal processes because it can take quite a while before the manufacturers of the above mentioned legitimate programs learn how to automate the process and update their programs. In addition, rogue software sometimes has hidden parts that rebuild the rogue if they are partially removed. Other options for removal include use of a bootable "rescue disk" or reformatting the hard disk and reinstalling the operating system (the only way to ensure that the computer is 100% clean). If the rogue doesn't limit the user, then it is possible to manually remove the software.

Lawsuits

Recently, lawmakers as well as private and public citizens have attempted to shut down vendors of these companies. XPdefender, WinSpywareProtect, WinDefender, WinFixer, MalwareCore, and Antivirus 2009 have been named in lawsuits. Notably due to the vendors of those programs creating extremely similar names, slogans & user-interfaces, all in an effort to confuse users about names of legitimate security programs, EXAMPLE: Norton Internet Security and Windows Defender confused with MS Antivirus.

Partial list of rogue software

There are a large number of fake anti-spyware programs active on the Internet. Typically, widely-distributed Web banner ads falsely warn users that their computers have been infected with malware, enticing them to download the rogue software. Once installed, the software uses human engineering and false positives to manipulate the user into purchasing the software. These programs do not actually remove spyware — or worse, may add more.

The following is a partial list of known rogue software. Often the same software is distributed under several names. Many currently do not have Wikipedia articles.

Advanced Cleaner[3] AlfaCleaner[4] AntiSpyCheck 2.1[5] AntiSpyStorm[6] AntiSpywareExpert[7] AntiSpywareMaster[8] AntiSpywareSuite[9] AntiSpyware Shield[10] Antivermins[11] Antivirgear[12] Antivirus 2008[13] Antivirus 2009[14] Antivirus 2010 (also known as Anti-virus-1)[15],[16] Antivirus 360[17] Antivirus Pro 2009[18] AntiVirus Gold [19] Antivirus Master[20] Antivirus XP 2008 [21] Avatod Antispyware 8.0 [22] Awola[23] Brave Sentry[24] BestsellerAntivirus[25] Cleanator[26] ContraVirus[27] Doctor Antivirus[28] Doctor Antivirus 2008[29] DriveCleaner [30] EasySpywareCleaner[31] Errorsafe[32] GreenAV2009[33] IE Antivirus (aka IE Antivirus 3.2)[34] IEDefender[35] InfeStop[36] Internet Antivirus (aka Internet Antivirus Pro)[37] KVMSecure[38] MacSweeper[39] MalwareCrush[40] MalwareCore[41] MalwareAlarm[42]

Malware Bell (a.k.a. Malware Bell 3.2)[43] Malware Defender (not to be confused with the HIPS firewall of the same name)[44] MS Antivirus[45] MS AntiSpyware 2009[46] MaxAntiSpy[47] Netcom3 Cleaner[48] PCSecureSystem [49] PC Antispy[50] PC Clean Pro [51] PC Privacy Cleaner[52] PC SpeedScan Pro (distributed by FinallyFast.com, Rogueness is questionable) PestTrap [53] PerfectCleaner[54] Perfect Defender 2009[55] PersonalAntiSpy Free[56] PAL Spyware Remover[57] PCPrivacy Tools[58] PC Antispyware[59] PSGuard[60] Rapid AntiVirus[61] Real AntiVirus[62] Registry Great[63] SaliarAR[64] SecurePCCleaner[65] Security Toolbar 7.1[66] Smart Antivirus 2009[67] SpyAxe [68] Spy Away[69] SpyCrush[70] Spydawn[71] SpyGuarder[72] SpyHeal (a.k.a SpyHeals & VirusHeal)[73] SpyMarshal[74] Spylocked [75] SpySheriff[76] SpySpotter[77] SpywareBot (Spybot - Search & Destroy knockoff)[78]

Spyware Cleaner SpywareGuard 2008 Spyware Protect 2009 Spyware Quake [79] SpywareSheriff (often confused with SpySheriff) Spyware Stormer Spyware Striker Pro (distributed by FinallyFast.com)[80] Spy-Protect 2009 SpywareStrike Spy-Rid SpyWiper System anti virus 2008 System Live Protect [81] SystemDoctor System Security Total Secure 2009 TrustedAntivirus TheSpyBot (Spybot - Search & Destroy knockoff) UltimateCleaner VirusHeat Virus Isolator VirusProtectPro VirusRemover2008 VirusRemover2009 VirusMelt VirusRanger Virus Respone Lab 2009 Virus Trigger Vista Antivirus 2008 Watchnet Protection WinAntiVirus Pro 2006 WinDefender WinFixer [82] WinHound WinSpywareProtect WinWeb Security 2008 [83] WorldAntiSpy XP Antivirus XP AntiSpyware 2009 Zinaps AntiSpyware 2008

See also

• Scareware
• Russian Business Network
• SmitFraud
• Zlob

References

^[84]

1. Spyware Warrior: Rogue/Suspect Anti-Spyware Products & Web Sites
2. TitanShield - Symantec.com
3. Precise Security - Advanced Cleaner
4. Spyware Warrior - AlfaCleaner
5. BleepingComputer - AntiSpyCheck 2.1
6. BleepingComputer - AntispyStorm
7. 2-Spyare - AntiSpywareExpert
8. 2-Spyware - AntiSpywareMaster
9. Precise Security - AntiSpywareSuite
10. BleepingComputer - AntiSpyware Shield
11. BleepingComputer - Antivermins
12. BleepingComputer - Antivirgear
13. BleepingComputer - Antivirus 2008
14. 2-Spyware - Antivirus 2009
15. Article noting that Antivirus 2010 and Anti-virus-1 are the same
16. Details on Antivirus 2010 showing it is rogue, its symptoms and removal
17. BleepingComputer - Antivirus360
18. BleepingComputer - AntivirusPro2009
19. Symantec - AntiVirus Gold
20. BleepingComputer - Antivirus Master
21. Symantec - Antivirus XP
22. 2-Spyware - Avatod Antispyware
23. SpywareRemove - Awola
24. BleepingComputer - Brave Sentry
25. SpywareRemove - BestsellerAntivirus
26. 2-Spyware - Cleanator
27. McAfee - ContraVirus
28. XP-Vista - Doctor Antivirus
29. 2-Spyare - Doctor Antivirus 2008
30. Symantec Symantec - DriveCleaner
31. MalwareBytes - EasySpywareCleaner
32. Symantec - Errorsafe
33. 411-Spyare - GreenAV2009
34. 2-Spyare - IE Antivirus
35. MalwareBytes - IEDefender
36. SpywareRemove - InfeStop
37. Symantec - Internet Antivirus
38. 2-Spyare - KVMSecure
39. Symantec - MacSweeper
40. MalwareBytes - MalwareCrush
41. MalwareBytes - MalwareCore
42. MalwareBytes - Malware Alarm
43. 2-Spyware - Malware Bell
44. 2-Spyware - Malware Defender
45. BleepingComputer - MS Antivirus
46. http://www.bleepingcomputer.com/malware-removal/remove-ms-antispyware-2009 BleepingComputer MS Antispyware 2009]
47. 2-Spyware - MaxAntispy
48. Sunbelt Security - Netcom3 Cleaner
49. 411-spyware - PCSecureSystem
50. BleepingComputer - PC Antispy
51. MalwareBytes - PC Clean Pro
52. SpywareRemove - PC Privacy Cleaner
53. BleepingComputer - PestTrap
54. MalwareBytes - PerfectCleaner
55. BleepingComputer - Perfect Defender 2009
56. BleepingComputer - PersonalAntiSpy Free
57. http://www.spywarewarrior.com/rogue_anti-spyware.htm SpywareWarrior - PAL Spyware Remover]
58. ComputerAssociates - PCPrivacy Tools
59. SpywareRemove - PC Antispyware
60. SpywareRemove - PSGuard
61. BleepingComputer - Rapid AntiVirus
62. BleepingComputer - Real Antivirus
63. Precise Security - Registry Great
64. Emsi Soft - SaliarAR
65. SpywareRemove - SecurePCCleaner
66. Precise Security - Security Toolbar 7.1
67. 2-Spyware - Smart Antivirus 2009
68. Symantec
69. Spyware Warrior - Spy Away
70. BleepingComputer - SpyCrush
71. Symantec - SpyDawn
72. Precise Security - SpyGuarder
73. BleepingComputer - SpyHeal
74. 411-Spyware - SpyMarshal
75. Symantec - Spylocked
76. Symantec - SpySheriff
77. Symantec - SpySpotter
78. 2-Spyare - SpywareBot
79. Symantec - Spyware Quake
80. MalwareBytes - Spyware Striker Pro]
81. Symantec
82. Symantec
83. [1]
84. http://www.pcthreat.com/parasitebyid-7817en.html | Information about WinPC Defendfer