Rogue security software

Rogue security software is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and aims to convince them to pay for a fake malware removal tool that actually installs malware on their computer. [1] It is a form of scareware that manipulates users through fear, and a form of ransomware. [2] Rogue security software has been a serious security threat in desktop computing since 2008. [3] An early example that gained infamy was SpySheriff and its clones, [note 1] such as Nava Shield.

With the rise of cyber-criminals and a black market with thousands of organizations and individuals trading exploits, malware, virtual assets, and credentials, rogue security software has become one of the most lucrative criminal operations.

Propagation

Rogue security software mainly relies on social engineering (fraud) to defeat the security built into modern operating system and browser software and install itself onto victims' computers. [3] A website may, for example, display a fictitious warning dialog stating that someone's machine is infected with a computer virus, and encourage them through manipulation to install or purchase scareware in the belief that they are purchasing genuine antivirus software.

Most have a Trojan horse component, which users are misled into installing. The Trojan may be disguised as:

Some rogue security software, however, propagates onto users' computers as drive-by downloads which exploit security vulnerabilities in web browsers, PDF viewers, or email clients to install themselves without any manual interaction. [4] [6]

More recently, malware distributors have been utilizing SEO poisoning techniques by pushing infected URLs to the top of search engine results about recent news events. People looking for articles on such events on a search engine may encounter results that, upon being clicked, are instead redirected through a series of sites [7] before arriving at a landing page that says that their machine is infected and pushes a download to a "trial" of the rogue program. [8] [9] A 2010 study by Google found 11,000 domains hosting fake anti-virus software, accounting for 50% of all malware delivered via internet advertising. [10]

Cold-calling has also become a vector for distribution of this type of malware, with callers often claiming to be from "Microsoft Support" or another legitimate organization. [11]

Common infection vectors

Black Hat SEO

Black Hat search engine optimization (SEO) is a technique used to trick search engines into displaying malicious URLs in search results. The malicious webpages are filled with popular keywords in order to achieve a higher ranking in the search results, so that when the end user searches the web, one of these infected webpages is returned. Usually the most popular keywords from services such as Google Trends are used to generate webpages via PHP scripts placed on the compromised website. These PHP scripts monitor for search engine crawlers and feed them specially crafted webpages that are then listed in the search results. When the user searches for the keyword or images and clicks on the malicious link, they are redirected to the rogue security software payload. [12] [13]
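The cloaking step described above (one page for the crawler, another for the visitor) and the browser-only redirect to a landing page described under Propagation leave a measurable trace: the same URL returns very different content depending on the User-Agent. The following Python check, added here as an illustration and not taken from the article or from any vendor cited in it, fetches nothing over the network; it compares two HTML bodies that stand in for the crawler-facing and browser-facing responses, scores their visible text by Jaccard similarity, and extracts meta-refresh and JavaScript location redirects from the browser-facing copy. The URL, hostnames, both HTML bodies and the 0.5 similarity threshold are constructed assumptions.

```python
"""Cloaking check: compare what a URL serves to a search-engine crawler
with what it serves to an ordinary browser.

Added example; the sample HTML, URL and hostnames below are constructed so
the check runs offline. In practice the two bodies would be two fetches of
the same URL with different User-Agent headers.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _TextAndRedirects(HTMLParser):
    """Collect visible words, meta-refresh targets and JS location targets."""

    def __init__(self):
        super().__init__()
        self.words = []
        self.redirects = []
        self._in_script = 0  # depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._in_script += 1
        # <meta http-equiv="refresh" content="0; url=..."> is a client-side redirect.
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"; ]+)", a.get("content", ""), re.I)
            if m:
                self.redirects.append(m.group(1))

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._in_script:
            self._in_script -= 1

    def handle_data(self, data):
        if self._in_script:
            # Script bodies arrive as one data chunk; look for location assignments.
            for m in re.finditer(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", data):
                self.redirects.append(m.group(1))
        else:
            self.words.extend(re.findall(r"[a-z0-9]+", data.lower()))


def analyse(html: str):
    """Return (set of visible words, list of redirect targets) for one response body."""
    p = _TextAndRedirects()
    p.feed(html)
    p.close()
    return set(p.words), p.redirects


def jaccard(a: set, b: set) -> float:
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def detect_cloaking(url: str, crawler_html: str, browser_html: str,
                    min_similarity: float = 0.5) -> dict:
    """Flag a URL when the crawler-facing and browser-facing text diverge, or when
    only the browser-facing copy redirects to another host (assumed threshold 0.5)."""
    crawler_words, crawler_redirects = analyse(crawler_html)
    browser_words, browser_redirects = analyse(browser_html)
    host = urlparse(url).netloc.lower()
    offsite = [r for r in browser_redirects
               if urlparse(r).netloc and urlparse(r).netloc.lower() != host]
    sim = jaccard(crawler_words, browser_words)
    findings = []
    if sim < min_similarity:
        findings.append(f"content similarity {sim:.2f} below {min_similarity}")
    if offsite and not crawler_redirects:
        findings.append(f"browser-only redirect to {offsite[0]}")
    return {"url": url, "similarity": round(sim, 2), "offsite_redirects": offsite,
            "cloaked": bool(findings), "findings": findings}


# Constructed sample: keyword-stuffed page served to a crawler User-Agent ...
CRAWLER_HTML = """<html><head><title>Samoa earthquake news latest update</title></head>
<body><h1>Samoa earthquake news</h1>
<p>Latest samoa earthquake news update tsunami warning pacific relief donations
earthquake samoa news pictures video report</p></body></html>"""

# ... and the constructed body an ordinary browser receives from the same URL.
BROWSER_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=http://scanner.example.invalid/landing">
</head><body><script>window.location = "http://scanner.example.invalid/landing";</script>
<p>Loading...</p></body></html>"""

SAMPLE_URL = "http://news-blog.example.invalid/samoa-earthquake"  # constructed

if __name__ == "__main__":
    print(detect_cloaking(SAMPLE_URL, CRAWLER_HTML, BROWSER_HTML))
    print(detect_cloaking(SAMPLE_URL, CRAWLER_HTML, CRAWLER_HTML))  # benign: same page
```

A site serving the same article to both user agents scores 1.0 and produces no findings; the constructed pair above scores 0.0 and carries two browser-only redirects to a foreign host, which is the pattern a crawler-side scanner would escalate for manual review. Legitimate sites do sometimes vary content by user agent (mobile layouts, consent banners), so the similarity threshold is a triage signal rather than a verdict.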

Malvertising

Most websites employ third-party services for advertising on their webpages. If one of these advertising services is compromised, it may end up inadvertently infecting all of the websites using its service by advertising rogue security software. [13]

Spam campaigns

Spam messages that include malicious attachments, links to binaries and drive-by download sites are another common mechanism for distributing rogue security software. Spam emails are often sent with content associated with typical day-to-day activities such as parcel deliveries, or taxation documents, designed to entice users to click on links or run attachments. When users succumb to these kinds of social engineering tricks they are quickly infected either directly via the attachment, or indirectly via a malicious website. This is known as a drive-by download. Usually in drive-by download attacks the malware is installed on the victim's machine without any interaction or awareness and occurs simply by visiting the website. [13]

Operation

Once installed, the rogue security software may then attempt to entice the user into purchasing a service or additional software by:

Developers of rogue security software may also entice people into purchasing their product by claiming to give a portion of their sales to a charitable cause. The rogue Green antivirus, for example, claims to donate $2 to an environmental care program for each sale made.

Some rogue security software overlaps in function with scareware by also:

Sanctions by the FTC and the increasing effectiveness of anti-malware tools since 2006 have made it difficult for spyware and adware distribution networks—already complex to begin with [16] —to operate profitably. [17] Malware vendors have turned instead to the simpler, more profitable business model of rogue security software, which is targeted directly at users of desktop computers. [18]

Rogue security software is often distributed through highly lucrative affiliate networks, in which affiliates supplied with Trojan kits for the software are paid a fee for every successful installation, and a commission from any resulting purchases. The affiliates then become responsible for setting up infection vectors and distribution infrastructure for the software. [19] An investigation by security researchers into the Antivirus XP 2008 rogue security software found just such an affiliate network, in which members were grossing commissions upwards of US$150,000 over 10 days, from tens of thousands of successful installations. [20]

Despite its use of old-fashioned and somewhat unsophisticated techniques, rogue security software has become a significant security threat, due to the size of the impacted populations, the number of different variants that have been unleashed (over 250), and the profits that have been made for cyber-criminals (over $300,000 a month). [21]

Countermeasures

Private efforts

Law enforcement and legislation in all countries are slow to react to the appearance of rogue security software. In contrast, several private initiatives providing discussion forums and lists of dangerous products were founded soon after the appearance of the first rogue security software. Some reputable vendors, such as Kaspersky, [22] also began to provide lists of rogue security software. In 2005, the Anti-Spyware Coalition was founded, a coalition of anti-spyware software companies, academics, and consumer groups.

Many of the private initiatives were initially informal discussions on general Internet forums, but some were started or even entirely carried out by individual people. Perhaps the most famous and extensive one is the Spyware Warrior list of rogue/suspect antispyware products and websites by Eric Howes, [23] which has, however, not been updated since May 2007. The website recommends checking the following websites for new rogue anti-spyware programs, most of which are not really new and are "simply re-branded clones and knockoffs of the same rogue applications that have been around for years." [24]

Government efforts

In December 2008, the US District Court for Maryland—at the request of the FTC—issued a restraining order against Innovative Marketing Inc, a Kyiv-based firm producing and marketing the rogue security software products WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus. [25] The company and its US-based web host, ByteHosting Internet Hosting Services LLC, had their assets frozen, were barred from using domain names associated with those products and any further advertisement or false representation. [26]

Law enforcement has also exerted pressure on banks to shut down merchant gateways involved in processing rogue security software purchases. In some cases, the high volume of credit card chargebacks generated by such purchases has also prompted processors to take action against rogue security software vendors. [27]

Notes

  1. The clones of SpySheriff are BraveSentry, Pest Trap, SpyTrooper, Adware Sheriff, SpywareNo, SpyLocked, SpywareQuake, SpyDawn, AntiVirGear, SpyDemolisher, System Security, SpywareStrike, SpyShredder, Alpha Cleaner, SpyMarshal, Adware Alert, Malware Stopper, Mr. Antispy, Spycrush, SpyAxe, MalwareAlarm, VirusBurst, VirusBursters, DIARemover, AntiVirus Gold, Antivirus Golden, SpyFalcon, and TheSpyBot/SpywareBot.

Related Research Articles

Spyware is any software with malicious behavior that aims to gather information about a person or organization and send it to another entity in a way that harms the user by violating their privacy, endangering their device's security, or other means. This behavior may be present in malware and in legitimate software. Websites may engage in spyware behaviors like web tracking. Hardware devices may also be affected.

Antivirus software – Computer software to defend against malicious computer viruses

Antivirus software, also known as anti-malware, is a computer program used to prevent, detect, and remove malware.

Spybot – Search & Destroy – Spyware removal software

Spybot – Search & Destroy (S&D) is a spyware and adware removal computer program compatible with Microsoft Windows. Dating back to the first Adwares in 2000, Spybot scans the computer hard disk and/or RAM for malicious software.

Scareware – Malware designed to elicit fear, shock, or anxiety

Scareware is a form of malware which uses social engineering to cause shock, anxiety, or the perception of a threat in order to manipulate users into buying unwanted software. Scareware is part of a class of malicious software that includes rogue security software, ransomware and other scam software that tricks users into believing their computer is infected with a virus, then suggests that they download and pay for fake antivirus software to remove it. Usually the virus is fictional and the software is non-functional or malware itself. According to the Anti-Phishing Working Group, the number of scareware packages in circulation rose from 2,850 to 9,287 in the second half of 2008. In the first half of 2009, the APWG identified a 585% increase in scareware programs.

Norton AntiVirus is an anti-virus or anti-malware software product founded by Peter Norton, developed and distributed by Symantec since 1990 as part of its Norton family of computer security products. It uses signatures and heuristics to identify viruses. Other features included in it are e-mail spam filtering and phishing protection.

Mobile malware is malicious software that targets mobile phones or wireless-enabled Personal digital assistants (PDA), by causing the collapse of the system and loss or leakage of confidential information. As wireless phones and PDA networks have become more and more common and have grown in complexity, it has become increasingly difficult to ensure their safety and security against electronic attacks in the form of viruses or other malware.

WinFixer – Rogue security software

WinFixer was a family of scareware rogue security programs developed by Winsoftware which claimed to repair computer system problems on Microsoft Windows computers if a user purchased the full version of the software. The software was mainly installed without the user's consent. McAfee claimed that "the primary function of the free version appears to be to alarm the user into paying for registration, at least partially based on false or erroneous detections." The program prompted the user to purchase a paid copy of the program.

The Vundo Trojan is either a Trojan horse or a computer worm that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook. It also is used to deliver other malware to its host computers. Later versions include rootkits and ransomware.

SpySheriff – Spyware

SpySheriff is malware that disguises itself as anti-spyware software. It attempts to mislead the user with false security alerts, threatening them into buying the program. Like other rogue antiviruses, after producing a list of false threats, it prompts the user to pay to remove them. The software is particularly difficult to remove, since it nests its components in System Restore folders, and also blocks some system management tools. However, SpySheriff can be removed by an experienced user, antivirus software, or by using a rescue disk.

HitmanPro – Anti-malware computer program

HitmanPro is a portable antimalware program, which aims to detect and remove malicious files and registry entries related to rootkits, trojans, viruses, worms, spyware, adware, rogue antivirus programs, ransomware, and other malware from infected computers.

PC Tools (company) – Australian software company

PC Tools, formerly known as WinGuides.com, was a software company acquired by Symantec in 2008; the new owner eventually discontinued the PC Tools name. Company headquarters were in Australia, with offices in Luxembourg, the United States, United Kingdom, Ireland and Ukraine. The company had previously developed and distributed security and optimization software for the Mac OS X and Microsoft Windows platforms.

VirusProtectPro is a rogue malware program that claims to be a commercial anti-spyware, when in fact it is, itself, adware-advertised. The software installs itself, without consent, on the user's computers and registry. It then sends messages such as "System Error, Buy this software to fix" or "Your System is infected with spyware, buy VirusProtectPro to clean it", redirecting the user to VirusProtectPro's homepage where they are prompted to buy the VirusProtectPro software.

ContraVirus is a rogue spyware application that poses as a legitimate anti-spyware program. The application uses a false scanner to force computer users to pay for the removal of non-existent spyware items. It may also be known as ExpertAntivirus.

MacSweeper – Rogue security software

MacSweeper is a rogue application that misleads users by exaggerating reports about spyware, adware or viruses on their computer. It is the first known "rogue" application for the Mac OS X operating system. The software was discovered by F-Secure, a Finland-based computer security software company, on January 17, 2008.

VirusHeat is malware that disguises itself as a legitimate anti-virus program. VirusHeat tricks users into buying the full version of the program through repeated false alerts and popups, purporting to alert the user that there is a system error or they are infected, and must buy the full version to remove. It was launched on February 8, 2008.

Microsoft Security Essentials – Discontinued antivirus product for Microsoft Windows

Microsoft Security Essentials (MSE) is a discontinued antivirus software (AV) product that provides protection against different types of malicious software, such as computer viruses, spyware, rootkits, and Trojan horses. Prior to version 4.5, MSE ran on Windows XP, Windows Vista, and Windows 7, but not on Windows 8 and later versions, which have built-in AV components known as Windows Defender. MSE 4.5 and later versions do not run on Windows XP. The license agreement allows home users and small businesses to install and use the product free of charge.

MS Antivirus is a scareware rogue anti-virus which purports to remove virus infections found on a computer running Microsoft Windows. It attempts to scam the user into purchasing a "full version" of the software. The company and the individuals behind Bakasoftware operated under other different 'company' names, including Innovagest2000, Innovative Marketing Ukraine, Pandora Software, LocusSoftware, etc.

Genieo – Israeli company specializing in Mac malware

Genieo Innovation is an Israeli company, specializing in unwanted software which includes advertising and user tracking software, commonly referred to as a potentially unwanted program, adware, privacy-invasive software, grayware, or malware. They are best known for Genieo, an application of this type. They also own and operate InstallMac which distributes additional 'optional' search modifying software with other applications. In 2014, Genieo Innovation was acquired for $34 million by Somoto, another company which "bundles legitimate applications with offers for additional third party applications that may be unwanted by the user". This sector of the Israeli software industry is frequently referred to as Download Valley.

Common Computing Security Standards Forum is a voluntary organization of vendors and providers of security software, operating systems, and Internet browsers.

Winwebsec is a category of malware that targets the users of Windows operating systems and produces fake claims as genuine anti-malware software, then demands payment to provide fixes to fictitious problems.

References

  1. "Rogue Security Software » BUMC Information Technology | Boston University". www.bumc.bu.edu. Retrieved 2021-11-13.
  2. "Symantec Report on Rogue Security Software" (PDF). Symantec. 2009-10-28. Archived from the original (PDF) on 2012-05-15. Retrieved 2010-04-15.
  3. "Microsoft Security Intelligence Report volume 6 (July - December 2008)". Microsoft. 2009-04-08. p. 92. Retrieved 2009-05-02.
  4. Doshi, Nishant (2009-01-19). Misleading Applications – Show Me The Money!. Symantec. Retrieved 2016-03-22.
  5. Doshi, Nishant (2009-01-21). Misleading Applications – Show Me The Money! (Part 2). Symantec. Retrieved 2016-03-22.
  6. "News Adobe Reader and Acrobat Vulnerability". blogs.adobe.com. Retrieved 2010-11-25.
  7. Chu, Kian; Hong, Choon (2009-09-30). Samoa Earthquake News Leads To Rogue AV. F-Secure. Retrieved 2010-01-16.
  8. Hines, Matthew (2009-10-08). Malware Distributors Mastering News SEO. eWeek. Archived from the original on 2009-12-21. Retrieved 2010-01-16.
  9. Raywood, Dan (2010-01-15). Rogue anti-virus prevalent on links that relate to Haiti earthquake, as donors encouraged to look carefully for genuine sites. SC Magazine. Retrieved 2010-01-16.
  10. Rajab, Moheeb Abu; Ballard, Luca (2010-04-13). "The Nocebo Effect on the Web: An Analysis of Fake Anti-Virus Distribution" (PDF). Retrieved 2010-11-18.
  11. "Warning over anti-virus cold-calls to UK internet users". BBC News. 2010-11-15. Retrieved 2012-03-07.
  12. "Sophos Technical Papers - Sophos SEO Insights". sophos.com.
  13. "Sophos Fake Antivirus Journey from Trojan tpna" (PDF).
  14. "Free Security Scan" Could Cost Time and Money. Federal Trade Commission. 2008-12-10. Retrieved 2009-05-02.
  15. "SAP at a crossroads after losing $1.3B verdict". Yahoo! News. 2010-11-24. Retrieved 2010-11-25.
  16. Testimony of Ari Schwartz on "Spyware" (PDF). Senate Committee on Commerce, Science, and Transportation. 2005-05-11.
  17. Leyden, John (2009-04-11). "Zango goes titsup: End of desktop adware market". The Register. Retrieved 2009-05-05.
  18. Cole, Dave (2006-07-03). Deceptonomics: A Glance at The Misleading Application Business Model. Symantec. Retrieved 2016-03-22.
  19. Doshi, Nishant (2009-01-27). Misleading Applications – Show Me The Money! (Part 3). Symantec. Retrieved 2016-03-22.
  20. Stewart, Joe. "Rogue Antivirus Dissected - Part 2". Secureworks.com. SecureWorks. Retrieved 2016-03-09.
  21. Cova, Marco; Leita, Corrado; Thonnard, Olivier; Keromytis, Angelos; Dacier, Marc (2009). Gone Rogue: An Analysis of Rogue Security Software Campaigns. pp. 1–3. doi:10.1109/EC2ND.2009.8. ISBN 978-1-4244-6049-6. Retrieved 2024-02-09.
  22. "Safety 101". support.kaspersky.com. Retrieved 2018-11-11.
  23. "Spyware Warrior: Rogue/Suspect Anti-Spyware Products & Web Sites". spywarewarrior.com.
  24. "Virus, Spyware, & Malware Removal Guides". BleepingComputer.
  25. Ex Parte Temporary Restraining Order RDB08CV3233 (PDF). United States District Court for the District of Maryland. 2008-12-03. Retrieved 2009-05-02.
  26. Lordan, Betsy (2008-12-10). Court Halts Bogus Computer Scans. Federal Trade Commission. Retrieved 2009-05-02.
  27. Krebs, Brian (2009-03-20). "Rogue Antivirus Distribution Network Dismantled". Washington Post. Retrieved 2009-05-02.