Rogue security software (fake or rogue Anti-Virus)
Rogue security software poses a growing threat to computer security. Basically, it is a form of Internet fraud that uses malicious code in an attempt to deceive users into paying for a fake removal of malware. In that sense, rogue security software can be considered a form of ransomware or scareware (malicious code that affects a computer system and demands payment in order for the restriction to be removed – in this case a simulated security issue).
Rogue security developers exploit both the trust and distrust of computer users regarding security vulnerabilities and the way of handling them. On one hand, they appeal to the authoritative term of “security software” while disguising the opposite intention – that of, in fact, breaching the aforementioned security. On the other hand, they use fear and the human reaction to a threat, that of immediately removing it. In this case the threat is fake (“your computer security is compromised”), but the consequences are real (your computer security will actually be compromised after following the “instructions” of the rogue security software). For a non-technical computer user, there is bound to be some amount of confusion here. Learning how to recognize fake security warnings is an important step in preventing infections.
To increase the chances of staying rogue software-free, the first step should be familiarizing oneself with the best-known legitimate security software, in order to be able to identify rogue security software. The AV-Comparatives list of security vendors is a good place to start.
Also, for the same purpose, there are blacklists containing the names of notorious fake security software, such as this one: https://en.wikipedia.org/wiki/List_of_rogue_security_software
Installing legitimate Anti-Virus software and using a firewall (auto-updates on) is always the primary step to take towards better computer security. Safe online-behaviour guidelines regarding e-mailing, file download, streaming and navigation also apply in the prevention of infections caused by rogue security software.
How does rogue security software propagate
- Web navigation. Through a website displaying a fake alert (on page or as a pop-up) stating that the computer is infected and manipulating the user into downloading or purchasing a fake Anti-Virus tool – that is in fact the scareware/rogue Anti-Virus program. Some fake warnings will prompt the user to install the “Anti-Virus software”, “updates”, or remove the “found malware”. As soon as the user clicks the message, the rogue security software downloads into the system.
- SEO poisoning. Rogue security developers (and malware writers in general) are also known for using a technique called SEO poisoning in order to push the rogue software download links into the upper positions on search engines. Through SEO poisoning, rogue security software may appear in the list of search results when searching for computer security related keywords, along with legitimate security vendors. This way, an unaware user can get infected by landing on a malicious website posing as a “free online scanning service”. Other times, infected URLs exploit other keywords, such as for a particular piece of news or a notorious recent event.
- E-mail. Phishing scams are very common these days, so it’s important to know the basics about how phishing works in order to identify it. In the case of rogue security software, a phishing e-mail will try to get the user to download and execute the scareware. A phishing e-mail will include an apparently harmless URL pointing in fact to the malicious website propagating the infection. Other times the malicious code is masked as an attachment that the user is tricked into opening: an image, screensaver, or archive file. When opening the infected attachment, the user actually executes the malicious code.
- Drive-by downloads. Rogue security software can also act as a drive-by download. A drive-by download exploits vulnerabilities in third-party software, so it’s very important to keep third-party software (browsers, PDF viewers, e-mail clients) always up to date. A drive-by download uses unpatched vulnerabilities in older versions of third-party software as a means to propagate itself without user intervention.
- Online video viewing. Some rogue software propagates when the user downloads an infected codec while trying to watch a video online. To learn how to reduce the risk of infection with online streaming, see Safe Streaming/progressive download.
- Infected files and malicious online applications. Computers can also get infected with malware/spyware (rogue Anti-Virus included) through an infected PDF file or a malicious Flash or Java program (an online game for example). To avoid infection through executing files and online applications, keep legitimate Anti-Virus software always up to date, with the online/web and real-time protection features active.
- P2P. The rogue software can also be disguised as a piece of software downloaded through a peer-to-peer network (for example, a file downloaded via a torrent client).
- User installation. The infection may propagate through installing questionable freeware, cracked programs or illegal copies. When you’re not sure about the program source but still want to run it, check every step of the installation, in order to avoid deploying malicious programs (in the form of a toolbar, add-on or other “free goodies”). See also Safe File Download and How to Prevent and Repair Browser Hijacking.
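The E-mail item above describes a link that looks harmless but points to a different site. Added example, not part of the original article: the following Python compares the host written in each link's visible text with the host in its href. The function name deceptive_links, the sample message and its example.* hosts are constructed for illustration.

```python
import re
from email import message_from_bytes
from html.parser import HTMLParser
from urllib.parse import urlparse

# A host name written in the visible link text, with scheme and "www." skipped.
HOST_IN_TEXT = re.compile(r"(?:https?://)?(?:www\.)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
# Constructed sample message; every host is a reserved example domain.
SAMPLE = b"""\
From: "Security Center" <alerts@example.net>
Subject: Your computer is infected
Content-Type: text/html; charset="utf-8"

<p>Threats found. Scan now at
<a href="http://scan.example.net/run">www.example.com/free-scan</a></p>
<p>Questions? <a href="https://www.example.org/help">https://example.org/help</a></p>
<p><a href="http://scan.example.net/buy">Remove all threats</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect [href, visible text] for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self.in_a = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
        self.in_a = self.in_a or tag == "a"
    def handle_endtag(self, tag):
        self.in_a = self.in_a and tag != "a"
    def handle_data(self, data):
        if self.in_a:
            self.links[-1][1] += data

def deceptive_links(raw):
    """Return (shown host, real host) for links whose text names another host."""
    findings = []
    for part in message_from_bytes(raw).walk():
        if part.get_content_type() != "text/html":
            continue
        parser = LinkCollector()
        parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        parser.close()
        for href, text in parser.links:
            shown = HOST_IN_TEXT.search(text)
            real = re.sub(r"^www\.", "", urlparse(href).hostname or "")
            if shown and real and shown.group(1).lower() != real:
                findings.append((shown.group(1).lower(), real))
    return findings
```

The comparison is exact, so a link whose text shows a parent domain and whose href uses a subdomain of it is also reported. Links whose text is plain wording, such as the third one in the sample, are not covered by this check.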
[Image: Rogue (fake) Anti-Virus program]
How to identify an infected computer
While there is no standard picture of a rogue security program infection, there are several common symptoms indicating such an infection. Rogue security software will try to get the infected user to purchase a service or software, claiming that the computer is heavily infected. A pop-up or a “security” program the user does not remember installing (see How Does Rogue Security Software Propagate) will suddenly display an alert or warning – regarding spyware, malware or other security issues. These warnings may look like system notifications or genuine alerts. The malicious code will try to cripple the genuine protection of the system, by attempting to disable system components and Anti-Virus software, to avoid detection and prevent the user from uninstalling the unwanted software.
Some rogue programs will attempt to scare the victim by displaying an animation that simulates a system crash and reboot or other “catastrophic” system events. Access to legitimate Anti-Virus websites and online scanning services may be disabled, as well as system updates. The computer may run slower than usual and display unusual behaviour:
- fake balloon-type system alerts (generated by the malicious program)
- constant nagging pop-ups requesting to purchase/update the fake security program
- program interface looking like an Anti-Virus program, displaying an unusual number of infections, and claiming that registration is required in order to remove the infections.
- new/unknown icons on the desktop
- browser displays fake security warnings or redirects to questionable websites and/or security certificates do not appear to be valid, usually as a result of browser hijacking. See also Web Navigation.
[Image: Fake balloon system alert]
What it does
Rogue security software downloads come with other malware components, such as trojans, rootkits and keyloggers. The trojan components alter the system, rendering it vulnerable to the attack; the rootkit redirects search engine results; and the keylogger attempts to record keyboard input (passwords, credit card data, etc.).
Once you have identified a potential rogue security software attack, use a clean computer to refer to a trusted online database containing rogue security software lists by name and removal tools. If unsure, contact technical support or an IT security service in your area.