Rogue security software

Rogue security software (or rogueware^[1]) is a form of computer malware that deceives or misleads users into paying for the fake or simulated removal of malware, or that installs other malware.^[2] Rogue security software, in recent years (2008–2011), has become a growing and serious security threat in desktop computing.^[3]

1 Propagation
2 Operation
3 Removal
4 Law enforcement
5 See also
6 References
7 External links

Propagation

Rogue security software mainly relies on social engineering (fraud) in order to defeat the security built into modern operating system and browser software and install itself onto victims' computers.^[3] A website may, for example, display a fictitious warning dialog stating that someone's machine is infected with a computer virus, and encourage them through social engineering to install or purchase scareware in the belief that they are purchasing genuine antivirus software.

Most have a Trojan horse component, which users are misled into installing. The Trojan may be disguised as:

A browser plug-in or extension (typically toolbar)
An image, screensaver or archive file attached to an e-mail message
Multimedia codec required to play a certain video clip
Software shared on peer-to-peer networks^[4]
A free online malware scanning service^[5]

Some rogue security software, however, propagate onto users' computers as drive-by downloads which exploit security vulnerabilities in web browsers, pdf viewers, or email clients to install themselves without any manual interaction.^[4]^[6]

More recently, malware distributors have been utilizing SEO poisoning techniques by pushing infected URLs to the top of search engine results about recent news events. People looking for articles on such events on a search engine may encounter results that, upon being clicked, are instead redirected through a series of sites^[7] before arriving at a landing page that says that their machine is infected and pushes a download to a "trial" of the rogue program.^[8]^[9] A 2010 study by Google found 11,000 domains hosting fake anti-virus software, accounting for 50% of all malware delivered via internet advertising.^[10]

Operation

Once installed, the rogue security software may then attempt to entice the user into purchasing a service or additional software by:

Alerting the user with the fake or simulated detection of malware or pornography.^[11]
Displaying an animation simulating a system crash and reboot.^[3]
Selectively disabling parts of the system to prevent the user from uninstalling them. Some may also prevent anti-malware programs from running, disable automatic system software updates and block access to websites of anti-malware vendors.
Installing actual malware onto the computer, then alerting the user after "detecting" them. This method is less common as the malware is likely to be detected by legitimate anti-malware programs.
Altering system registries and security settings, then "alerting" the user.

Developers of rogue security software may also entice people into purchasing their product by claiming to give a portion of their sales to a charitable cause. The rogue Green antivirus, for example, claims to donate $2 to an environmental care program for each sale made.^[12]

Some rogue security software overlaps in function with scareware by also:

Presenting offers to fix urgent performance problems or perform essential housekeeping on the computer.^[11]
Scaring the user by presenting authentic-looking pop-up warnings and security alerts, which may mimic actual system notices.^[13] These are intended to use the trust that the user has in vendors of legitimate security software.^[3]

Sanction by the FTC and the increasing effectiveness of anti-malware tools since 2006 have made it difficult for spyware and adware distribution networks—already complex to begin with^[14]—to operate profitably.^[15] Malware vendors have turned instead to the simpler, more profitable business model of rogue security software, which is targeted directly at users of desktop computers.^[16]

Rogue security software is often distributed through highly lucrative affiliate networks, in which affiliates supplied with Trojan kits for the software are paid a fee for every successful installation, and a commission from any resulting purchases. The affiliates then become responsible for setting up infection vectors and distribution infrastructure for the software.^[17] An investigation by security researchers into the Antivirus XP 2008 rogue security software found just such an affiliate network, in which members were grossing commissions upwards of $USD150,000 over 10 days, from tens of thousands of successful installations.^[18]

Removal

There are a number of ways to remove rogue antivirus software:

Some are browser based, so closing the browser may remove the program.
In a domain environment it may be linked to a specific logon; deleting the logon may resolve the problem.
On a Windows-based PC, System Restore can be used in some cases to take the computer back to a time before the rogue was installed. However, some rogue antiviruses purposely disable access to System Restore, to prevent their removal (this can be circumvented by entering safe mode and using System Restore or a malware removal utility).
In some cases, it may be necessary to reinstall the operating system.

Law enforcement

In December 2006, the Washington Attorney General announced that it had reached settlement in a suit against Secure Computer LLC, the White Plains-based vendor of the Spyware Cleaner rogue security software, under the Computer Spyware Act passed by the Washington State Legislature in 2005. Secure Computer, under consent decree, agreed to pay more than $75,000 in restitution to consumers.^[19]

In December 2008, the US District Court for Maryland—at the request of the FTC—issued a restraining order against Innovative Marketing Inc, a Kiev-based firm producing and marketing the rogue security software products WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus.^[20] The company and its US-based web host, ByteHosting Internet Hosting Services LLC, had their assets frozen, were barred from using domain names associated with those products and any further advertisement or false representation.^[21]

Law enforcement has also exerted pressure on banks to shut down merchant gateways involved in processing rogue security software purchases. In some cases, the high volume of credit card chargebacks generated by such purchases has also prompted processors to take action against rogue security software vendors.^[22]

References

^ Sean-Paul Correll; Luis Corrons (2009-09-27). "The Business of Rogueware". Panda Security. http://www.pandasecurity.com/img/enc/The%20Business%20of%20Rogueware.pdf. Retrieved 2011-01-19.
^ "Symantec Report on Rogue Security Software". Symantec. 2009-10-28. http://eval.symantec.com/mktginfo/enterprise/white_papers/b-symc_report_on_rogue_security_software_exec_summary_20326021.en-us.pdf. Retrieved 2010-04-15.
^ ^a ^b ^c ^d "Microsoft Security Intelligence Report volume 6 (July - December 2008)". Microsoft. 2009-04-08. pp. 92. http://www.microsoft.com/downloads/details.aspx?FamilyID=aa6e0660-dc24-4930-affd-e33572ccb91f&displaylang=en. Retrieved 2009-05-02.
^ ^a ^b Doshi, Nishant (2009-01-19), Misleading Applications – Show Me The Money!, Symantec, https://forums2.symantec.com/t5/blogs/blogprintpage/blog-id/security_risks/article-id/53, retrieved 2009-05-02
^ Doshi, Nishant (2009-01-21), Misleading Applications – Show Me The Money! (Part 2), Symantec, https://forums2.symantec.com/t5/blogs/blogprintpage/blog-id/security_risks/article-id/54, retrieved 2009-05-02
^ "News Adobe Raeder and Acrobat Vulnerability". blogs.adobe.com. http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html. Retrieved 25 November 2010.
^ Chu, Kian; Hong, Choon (2009-09-30), Samoa Earthquake News Leads To Rogue AV, F-Secure, http://www.f-secure.com/weblog/archives/00001779.html, retrieved 2010-01-16
^ Hines, Matthew (2009-10-08), Malware Distributors Mastering News SEO, eWeek, http://securitywatch.eweek.com/seo/malware_distributors_mastering_news_seo.html, retrieved 2010-01-16
^ Raywood, Dan (2010-01-15), Rogue anti-virus prevalent on links that relate to Haiti earthquake, as donors encouraged to look carefully for genuine sites, SC Magazine, http://www.scmagazineuk.com/rogue-anti-virus-prevalent-on-links-that-relate-to-haiti-earthquake-as-donors-encouraged-to-look-carefully-for-genuine-sites/article/161431/, retrieved 2010-01-16
^ Moheeb Abu Rajab and Luca Ballard (2010-04-13). The Nocebo Effect on the Web: An Analysis of Fake Anti-Virus Distribution. Google. http://krebsonsecurity.com/wp-content/uploads/2010/04/leet10.pdf. Retrieved 2010-11-18.
^ ^a ^b "Free Security Scan" Could Cost Time and Money, Federal Trade Commission, 2008-12-10, http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt121.shtm, retrieved 2009-05-02
^ CanTalkTech - Fake Green AV disguises as security software with a cause
^ "SAP at a crossroads after losing $1.3B verdict". Yahoo! News. 24 November 2010. http://tech.yahoo.com/blog/null/107193. Retrieved 25 November 2010.
^ Testimony of Ari Schwartz on "Spyware", Senate Committee on Commerce, Science, and Transportation, 2005-05-11, http://www.cdt.org/testimony/20050511schwartzspyware.pdf
^ Leyden, John (2009-04-11). "Zango goes titsup: End of desktop adware market". The Register. http://www.theregister.co.uk/2009/04/21/zango. Retrieved 2009-05-05.
^ Cole, Dave (2006-07-03), Deceptonomics: A Glance at The Misleading Application Business Model, Symantec, https://forums2.symantec.com/t5/blogs/blogprintpage/blog-id/grab_bag/article-id/5, retrieved 2009-05-02
^ Doshi, Nishant (2009-01-27), Misleading Applications – Show Me The Money! (Part 3), Symantec, https://forums2.symantec.com/t5/blogs/blogprintpage/blog-id/security_risks/article-id/55, retrieved 2009-05-02
^ Stewart, Joe (2008-10-22), Rogue Antivirus Dissected - Part 2, SecureWorks, http://www.secureworks.com/research/threats/rogue-antivirus-part-2/?threat=rogue-antivirus-part-2
^ Attorney General McKenna Announces $1 Million Settlement in Washington’s First Spyware Suit, Washington State Office of the Attorney General, 2006-12-04, http://www.atg.wa.gov/pressrelease.aspx?&id=5926, retrieved 2009-05-02
^ Ex Parte Temporary Restraining Order RDB08CV3233, United States District Court for the District of Maryland, 2008-12-03, http://www.ftc.gov/os/caselist/0723137/081203innovativemrktgtro.pdf, retrieved 2009-05-02
^ Lordan, Betsy (2008-12-10), Court Halts Bogus Computer Scans, Federal Trade Commission, http://www.ftc.gov/opa/2008/12/winsoftware.shtm, retrieved 2009-05-02
^ Krebs, Brian (2009-03-20), "Rogue Antivirus Distribution Network Dismantled", Washington Post, http://voices.washingtonpost.com/securityfix/2009/03/sunlight_disinfects_rogue_anti.html, retrieved 2009-05-02

External links

Howes, Eric L (2007-05-04), Spyware Warrior: Rogue/Suspect Anti-Spyware Products & Web Sites, http://www.spywarewarrior.com/rogue_anti-spyware.htm, retrieved 2009-05-02

Malware

Infectious malware	Computer virus · List of computer viruses · Computer worm · List of computer worms · Timeline of computer viruses and worms

Concealment	Trojan horse · Rootkit · Backdoor · Zombie computer

Malware for profit	Privacy-invasive software · Adware · Spyware · Botnet · Keystroke logging · Web threats · Fraudulent dialer · Malbot · Scareware · Rogue security software · Ransomware

By operating system	Linux malware · Palm OS viruses · Mobile virus · Macro virus

Protection	Antivirus software · Defensive computing · Firewall · Intrusion detection system · Data loss prevention software

Countermeasures	Computer surveillance · Operation: Bot Roast · Honeypot · Anti-Spyware Coalition