Rogue security software

Rogue security software is software that uses malware (malicious software) or malicious tools to advertise or install itself or to force computer users to pay for removal of nonexistent malware. Rogue software will often install a trojan horse to download a trial version, or it will execute other unwanted actions. The first and most comprehensive study of rogue and real antispyware programs was carried out by Eric L. Howes.^[1]

Installation

The main goal of rogue software makers is to install and sell their product. In order to attempt to install their program, fake Windows dialog boxes and other browser pop-ups are often displayed attempting to entice the user to click on them. Most of the time, they will display a message such as "WARNING! Your computer is infected with Spyware/Adware/Viruses! Buy [software name] to remove it!", a variant of which will say "Click OK to scan your system" instead of asking the user to outright buy the software. Another variant on this method involves telling the user their "Computer/Internet Connection/OS is not optimized and to Click Here to scan now". Usually, when the dialog box's OK button is clicked, this will direct the user to a malicious website, which will install the program. Sometimes, even clicking the upper right hand X button to close the dialog box will produce the same effect. (Pressing Alt+F4 or using Task Manager with Ctrl-Alt-Delete can circumvent that trick). Some software, like SpyAxe, will automatically download the trial version without any user action, in a process know as a (drive-by installation). Along with the installation of the rogue programs, many sites now attempt to install multiple trojans at one time by downloading what is called a dropper first, which then loads a variety of malware to the computer.

Tactics

Once installed, the programs rely on several tactics to attempt to entice the user into purchasing a "full" version. These include false positives, downloaded malware, false security alerts and locking various aspects of the system to prevent user changes.

False positives

A common method used by rogue security software makers use is that of intentional false positives. A false positive is a fake or false malware detection in a computer scan. This attempts to convince even advanced users (who may not be deceived by previous methods) that their computer is infected. There are two variants of this method. Some rogue software creates a list of non-existent files and infections. Others select files from the computer at random, including valid clean system files. In a few rare instances, the "full" version of the rogue program actually attempts to remove these files, damaging the system.

These intentional false positives should be differentiated from an accidental false positive, which can occur in a scan by real legitimate security software.

Invited real discoveries

A variant on the false positive method is that some programs first download real malware to a computer and then "detect" them. This method is more rare as many of these malicious programs are detected by other legitimate anti-malware programs, limiting the effectiveness of the sell.

False security alerts

Many rogue applications now couple false positives with realistic or dramatic looking system security alerts. They may change the desktop background to a dramatic warning, continuously or sporadically redirect web browsers to a page that informs the user that they are infected and need to purchase a program. They may also change the homepage to a security warning, or bombard the user with continuous security alerts from the task bar, often using the yellow triangle with an exclamation point used by Windows to denote a system error. Some even go to the point of changing the screensaver to the BSOD, to make the user think that windows has crashed due to malware.

Locking various aspects of the system

To prevent removal by the user and entice the user to buy the program, rogue software will often lock various aspects of the system, including the control panel, the Add/Remove Programs feature, the ability to change the desktop, the ability to change the home page, and the ability to go to certain malware removal sites. These are all intended to prevent the user from removing the program and instead try to force them to buy the "full" version.

Detection and removal

Almost all reputable anti-spyware software will detect rogue software if it is installed on the scanned computer. Often, non-reputable rogue anti-spyware software will install a trojan horse to download the software from the maker's website, like Titan Shield.^[2] Reputable anti-virus and anti-spyware software can detect the trojan even before the software is installed. Programs such as Ad-Aware SE, AVG Anti-Virus, Avast!, etc, can usually detect these with their real-time protection modules. HIPS software such as the Defense+ module of Comodo Internet Security are also capable of detecting and stopping the methods rogue software use to install onto a computer. However, often removal of new, aggressive rogue programs requires the use of programs such as HijackThis combined with manual removal processes because it can take quite a while before the manufacturers of the above mentioned legitimate programs learn how to automate the process and update their programs. In addition, rogue software sometimes have hidden parts that rebuild the rogue if they are partially removed. Other options for removal include use of a bootable "rescue disk" or reformatting the hard disk and reinstalling the operating system (the only way to ensure that the computer is 100% clean). If the rogue doesn't limit the user, then it is possible to manually remove the software.

Lawsuits

Recently, lawmakers as well as private and public citizens have attempted to shut down vendors of these companies. XPdefender, WinSpywareProtect, WinDefender, WinFixer, MalwareCore, and Antivirus 2009 have been named in lawsuits. Notably due to the vendors of those programs creating extremely similar names, slogans & user-interfaces, all in an effort to confuse users about names of legitimate security programs, EXAMPLE: Norton Internet Security confused with Antivirus 2009.

Partial list of rogue software

There are a large number of fake anti-spyware programs active on the Internet. Typically, widely-distributed Web banner ads falsely warn users that their computers have been infected with malware, enticing them to download the rogue software. Once installed, the software uses human engineering and false positives to manipulate the user into purchasing the software. These programs do not actually remove spyware — or worse, may add more.

The following is a partial list of known rogue software. Often the same software is distributed under several names. Many currently do not have Wikipedia articles.

Advanced Cleaner[3] AlfaCleaner[4] AntiSpyCheck 2.1[5] AntiSpyStorm[6] AntiSpywareExpert[7] AntiSpywareMaster[8] AntiSpywareSuite[9] AntiSpyware Shield[10] Antivermins[11] Antivirgear[12] Antivirus 2008[13] Antivirus 2009[14] Antivirus 2010 (also known as Anti-virus-1)[15],[16] Antivirus 360[17] AntivirusPro2009[18] AntiVirus Gold [19] Antivirus Master[20] Antivirus XP 2008 [21] Avatod Antispyware 8.0 [22] Awola[23] Brave Sentry BestsellerAntivirus Cleanator ContraVirus Doctor Antivirus DriveCleaner [24] Disk Knight EasySpywareCleaner Errorsafe free-viruscan.com FinallyFast.com ("Ascentive" software is advritised on infomercial television) (Has been known to reduce system stability & performance instead of enhancing it.) GreenAV2009 Graboid IE Antivirus IEDefender InfeStop Internet Antivirus KVMSecure

MacSweeper MalCrush 3.7 MalwareCore MalwareAlarm Malware Bell 3.2 MS Antivirus MS AntiSpyware 2009 MaxAntiSpyware Netcom3 Cleaner (controversial) PCSecureSystem [25] PC Antispy [26] PC Clean Pro [26] PC Privacy Cleaner PC SpeedScan Pro PestTrap [27] Perfect Cleaner Perfect Defender 2009 PersonalAntiSpy Free PAL Spyware Remover PCPrivacytool PC-Antispyware Plus4scan.com Premium-Antivirus-Defence PSGuard Rapid AntiVirus Real AntiVirus Registry Great Saliar SecurePCCleaner Security toolbar 7.1 Smart Antivirus 2008 Smart Antivirus 2009 SpyAxe [28] Spy Away SpyCrush Spydawn [29] SpyGuarder SpyHeal

SpyMarshal Spylocked [30] SpySheriff [27] SpySpotter Spyware Cleaner SpywareGuard 2008 Spyware Protect 2009 Spyware Quake [31] Spyware Stormer Spy-Protect 2009 SpywareStrike Spy-Rid SpyWiper System anti virus 2008 System Live Protect [32] SystemDoctor System Security Total Secure 2009 TrustedAntivirus TheSpyBot (Spybot - Search & Destroy knockoff) UltimateCleaner VirusHeat Virus Isolator VirusProtectPro VirusRemover2008 VirusRemover2009 VirusMelt VirusRanger Virus Respone Lab 2009 Virus Trigger Vista Antivirus 2008 Watchnet Protection WinAntiVirus Pro 2006 WinDefender WinFixer [33] WinSpywareProtect WinWeb Security 2008 [34] WorldAntiSpy XP Antivirus XP AntiSpyware 2009 Zinaps AntiSpyware 2008

See also

• Scareware
• Russian Business Network

References

1. Spyware Warrior: Rogue/Suspect Anti-Spyware Products & Web Sites
2. TitanShield - Symantec.com
3. Precise Security - Advanced Cleaner
4. Rogue List - AlfaCleaner
5. BleepingComputer - AntiSpyCheck 2.1
6. BleepingComputer - AntispyStorm
7. About.com AntiSPywareExpert
8. 2-Spyware - AntiSpywareMaster
9. Precise Security - AntiSpywareSuite
10. BleepingComputer - AntiSpyware Shield
11. BleepingComputer - Antivermins
12. BleepingComputer - Antivirgear
13. BleepingComputer - Antivirus 2008
14. 2-Spyware - Antivirus 2009
15. Article noting that Antivirus 2010 and Anti-virus-1 are the same
16. http://www.bleepingcomputer.com/malware-removal/remove-antivirus-2010 Details on Antivirus 2010 showing it is rogue, its symptoms and removal
17. http://www.bleepingcomputer.com/malware-removal/remove-antivirus-360
18. BleepingComputer - AntivirusPro2009
19. Symantec
20. BleepingComputer - Antivirus Master
21. Symantec
22. [1]
23. SpywareRemove - Awola
24. Symantec
25. 411-spyware
26. softratty.com
27. Symantec
28. Symantec
29. Symantec
30. Symantec
31. Symantec
32. Symantec
33. Symantec
34. [2]