Rogue software
Rogue security software is a form of computer malware that deceives or misleads users into paying for the fake or simulated removal of malware, or that installs other malware. In recent years (2008–2011) rogue security software has become a growing and serious security threat in desktop computing.

Propagation

Rogue security software mainly relies on social engineering (fraud) to defeat the security built into modern operating systems and browser software and install itself onto victims' computers. A website may, for example, display a fictitious warning dialog stating that the visitor's machine is infected with a computer virus, and encourage them through social engineering to install or purchase scareware in the belief that they are purchasing genuine antivirus software.

Most have a Trojan horse component, which users are misled into installing. The Trojan may be disguised as:
  • A browser plug-in or extension (typically a toolbar)
  • An image, screensaver or archive file attached to an e-mail message
  • A multimedia codec required to play a certain video clip
  • Software shared on peer-to-peer networks
  • A free online malware scanning service
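
The disguises listed above share one trait: the file is a Windows executable wearing a harmless-looking name. The following Python is an added example, not code from the original article, showing the two checks a mail gateway or download scanner applies to catch this: does the content start with a PE header regardless of what the extension claims, and does the name carry a decoy extension in front of an executable one (Windows hides known extensions by default, so "clip.avi.exe" is shown as "clip.avi"). The extension lists and the sample "files" are constructed for the example; the PE stub is only enough header for the check to recognise, not a runnable binary.

```python
import struct
from typing import List

# Extensions a rogue installer borrows to look harmless (constructed list, from the disguises above).
HARMLESS_LOOKING = {".jpg", ".jpeg", ".png", ".gif", ".avi", ".mpg", ".mp4", ".zip", ".rar", ".pdf"}
# Extensions Windows hands straight to the loader or shell; a .scr screensaver is an ordinary PE.
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi"}


def is_pe(data: bytes) -> bool:
    """True when data carries a DOS 'MZ' stub whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extensions(filename: str) -> List[str]:
    """All dotted suffixes, lower-cased: 'clip.avi.exe' -> ['.avi', '.exe']."""
    return ["." + p for p in filename.lower().split(".")[1:]]


def classify(filename: str, data: bytes) -> List[str]:
    """Findings for one attachment or download; an empty list means nothing looked disguised."""
    findings = []
    exts = extensions(filename)
    last = exts[-1] if exts else ""
    pe = is_pe(data)
    if pe:
        findings.append("pe-content")
    if pe and last in HARMLESS_LOOKING:
        findings.append("extension-mismatch")   # "vacation.jpg" that is really a program
    if last in EXECUTABLE and any(e in HARMLESS_LOOKING for e in exts[:-1]):
        findings.append("double-extension")     # "clip.avi.exe" is displayed as "clip.avi" when extensions are hidden
    return findings


def minimal_pe_stub() -> bytes:
    """Constructed stand-in for a PE image: a 64-byte DOS header with e_lfanew = 0x40 followed by
    the PE signature. Not a runnable binary, just enough header for is_pe() to recognise."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 100   # constructed JPEG (JFIF) header
    samples = [("vacation.jpg", minimal_pe_stub()), ("clip.avi.exe", minimal_pe_stub()),
               ("funny.scr", minimal_pe_stub()), ("photo.jpg", jpeg)]
    for name, blob in samples:
        print(f"{name:14} {classify(name, blob) or 'clean'}")
```

Note that "funny.scr" is reported only as executable content: a screensaver is a legitimate PE, so the decision to block it belongs to policy (executable attachments from outside), not to a mismatch check.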


Some rogue security software, however, propagates onto users' computers as drive-by downloads which exploit security vulnerabilities in web browsers, PDF viewers, or email clients to install themselves without any manual interaction.

More recently, malware distributors have been utilizing search engine optimization (SEO) poisoning techniques by pushing infected URLs to the top of search engine results about recent news events. People looking for articles on such events on a search engine may encounter results that, upon being clicked, are instead redirected through a series of sites before arriving at a landing page that says that their machine is infected and pushes a download to a "trial" of the rogue program. A 2010 study by Google found 11,000 domains hosting fake anti-virus software, accounting for 50% of all malware delivered via internet advertising.
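
The funnel described above leaves a recognisable trace in a web proxy log: a click with a search-engine Referer, several consecutive redirects across different hosts, a landing page, and shortly afterwards an executable download. The following Python is an added example, not code or data from the original article, that walks per-client request sequences and reports that pattern. The log format (tab-separated timestamp, client, URL, status, Referer), the search-engine watch-list, the hop threshold and the sample entries are all constructed for the example; the `.example` hostnames are reserved documentation names.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Referer hosts that mean "the user came from a search result" (constructed watch-list).
SEARCH_ENGINES = {"www.google.com", "www.bing.com", "search.yahoo.com"}
REDIRECT_STATUSES = {"301", "302", "303", "307", "308"}
MIN_DISTINCT_HOSTS = 3   # poisoned result -> at least one redirector -> landing page
LOOKAHEAD = 5            # requests after the landing page in which to expect the "trial" download

# Constructed proxy log (tab-separated): timestamp, client, requested URL, HTTP status, Referer.
# Client 10.0.0.5 follows a poisoned result into a fake-scanner page and pulls an installer;
# client 10.0.0.9 reads a normal article and later follows a single benign 301.
SAMPLE_LOG = """\
2010-03-14T10:02:11Z\t10.0.0.5\thttp://quake-news-blog.example/latest.php\t302\thttp://www.google.com/search?q=chile+earthquake
2010-03-14T10:02:12Z\t10.0.0.5\thttp://tds-rotator.example/in.cgi?3\t302\thttp://www.google.com/search?q=chile+earthquake
2010-03-14T10:02:12Z\t10.0.0.5\thttp://online-scan-now.example/scan/\t200\thttp://www.google.com/search?q=chile+earthquake
2010-03-14T10:02:40Z\t10.0.0.5\thttp://online-scan-now.example/download/AntivirusSetup.exe\t200\thttp://online-scan-now.example/scan/
2010-03-14T10:03:01Z\t10.0.0.9\thttp://en.wikipedia.org/wiki/2010_Chile_earthquake\t200\thttp://www.google.com/search?q=chile+earthquake
2010-03-14T10:05:00Z\t10.0.0.9\thttp://example.org/\t301\thttp://www.google.com/search?q=example
2010-03-14T10:05:01Z\t10.0.0.9\thttp://www.example.org/\t200\thttp://www.google.com/search?q=example
"""


def parse_log(text):
    """One dict per log line, in file order (the order the proxy saw the requests)."""
    rows = []
    for line in text.strip().splitlines():
        ts, client, url, status, referer = line.split("\t")
        rows.append({"ts": ts, "client": client, "url": url, "status": status, "referer": referer})
    return rows


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def find_funnels(rows):
    """Return one finding per client sequence that matches the SEO-poisoning funnel."""
    by_client = defaultdict(list)
    for r in rows:
        by_client[r["client"]].append(r)
    findings = []
    for client, reqs in by_client.items():
        i = 0
        while i < len(reqs):
            first = reqs[i]
            if host_of(first["referer"]) in SEARCH_ENGINES and first["status"] in REDIRECT_STATUSES:
                hops = [host_of(first["url"])]
                j = i + 1
                while j < len(reqs) and reqs[j]["status"] in REDIRECT_STATUSES:
                    hops.append(host_of(reqs[j]["url"]))   # each redirector in the chain
                    j += 1
                if j < len(reqs):                          # reqs[j] is the landing page
                    hops.append(host_of(reqs[j]["url"]))
                    window = range(j + 1, min(j + 1 + LOOKAHEAD, len(reqs)))
                    payload = next((reqs[k]["url"] for k in window
                                    if urlparse(reqs[k]["url"]).path.lower().endswith(".exe")), None)
                    if len(set(hops)) >= MIN_DISTINCT_HOSTS and payload:
                        findings.append({"client": client, "search_result": first["url"],
                                         "hops": hops, "payload": payload})
                i = j
            i += 1
    return findings


if __name__ == "__main__":
    for f in find_funnels(parse_log(SAMPLE_LOG)):
        print(f"{f['client']}: {' -> '.join(f['hops'])} then {f['payload']}")
```

The single benign 301 for client 10.0.0.9 is not reported because it touches only two hosts and is not followed by an executable; the hop threshold and look-ahead window are the knobs to tune against a site's own traffic.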

Operation

Once installed, the rogue security software may then attempt to entice the user into purchasing a service or additional software by:
  • Alerting the user with the fake or simulated detection of malware or pornography.
  • Displaying an animation simulating a system crash and reboot.
  • Selectively disabling parts of the system to prevent the user from uninstalling it. Some may also prevent anti-malware programs from running, disable automatic system software updates and block access to websites of anti-malware vendors.
  • Installing actual malware onto the computer, then alerting the user after "detecting" it. This method is less common, as the malware is likely to be detected by legitimate anti-malware programs.
  • Altering system registries and security settings, then "alerting" the user.
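
The tampering in the last three bullets (blocking vendor sites, stopping anti-malware programs and updates, altering registry and security settings) is what an incident responder looks for on a suspect machine. The following Python is an added example, not code from the original article, that runs those checks offline over two artifacts copied from the host: a decoded `.reg` export and the `hosts` file. The article does not name the mechanisms, so the indicators are an assumption drawn from common practice for this class of malware: `hosts` entries pointing vendor domains at loopback, an `Image File Execution Options` `Debugger` value that hijacks an anti-malware executable, the `DisableTaskMgr`/`DisableRegistryTools` policy values, and the Windows Update service (`wuauserv`) set to start type 4 (Disabled). The vendor watch-list and both sample artifacts are constructed.

```python
import re
from typing import Dict, List

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
POLICY_FLAGS = ("DisableRegistryTools", "DisableTaskMgr")     # 1 = user locked out of regedit / Task Manager
VENDOR_DOMAINS = {"malwarebytes.org", "symantec.com", "windowsupdate.com"}   # constructed watch-list

# Constructed .reg export (regedit writes UTF-16; decode it to str before calling parse_reg).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="C:\\Windows\\system32\\svchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004
"Type"=dword:00000020
"""

# Constructed hosts file: vendor sites and an update server pinned to loopback.
SAMPLE_HOSTS = """# hosts
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org
127.0.0.1       update.symantec.com   # vendor update server
0.0.0.0         www.example.com
"""


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal REGEDIT5 parser: {key: {value name: value}}; strings unescaped, dwords as int."""
    entries: Dict[str, Dict[str, object]] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.setdefault(key, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)   # named values only; the "@" default is skipped
        if not (m and key):
            continue
        name, val = m.group(1), m.group(2)
        if val.startswith('"') and val.endswith('"'):
            entries[key][name] = val[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif val.lower().startswith("dword:"):
            entries[key][name] = int(val[6:], 16)
        else:
            entries[key][name] = val              # hex(...) blobs etc. kept verbatim
    return entries


def check_registry(reg: Dict[str, Dict[str, object]]) -> List[str]:
    findings = []
    for key, values in reg.items():
        low = key.lower()
        if low.startswith(IFEO_KEY.lower() + "\\") and "Debugger" in values:
            exe = key.rsplit("\\", 1)[1]          # the program that now launches the "debugger" instead
            findings.append(f"IFEO debugger hijack: {exe} -> {values['Debugger']}")
        if low.endswith(r"\policies\system"):
            for flag in POLICY_FLAGS:
                if values.get(flag) == 1:
                    findings.append(f"policy {flag}=1 under {key}")
        if low.endswith(r"\services\wuauserv") and values.get("Start") == 4:
            findings.append("Windows Update service (wuauserv) start type set to 4 (Disabled)")
    return findings


def check_hosts(text: str, vendor_domains=VENDOR_DOMAINS) -> List[str]:
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        ip, *names = line.split()
        for n in (n.lower() for n in names):
            if any(n == d or n.endswith("." + d) for d in vendor_domains):
                findings.append(f"hosts override: {n} -> {ip}")
    return findings


def triage(reg_text: str, hosts_text: str) -> List[str]:
    return check_registry(parse_reg(reg_text)) + check_hosts(hosts_text)


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_HOSTS):
        print("-", finding)
```

An IFEO `Debugger` value is not always malicious (developers set them deliberately), so the check reports every one and leaves the allow-listing to the analyst; the same goes for a deliberately disabled update service on a managed host.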


Developers of rogue security software may also entice people into purchasing their product by claiming to give a portion of their sales to a charitable cause. The rogue Green antivirus, for example, claims to donate $2 to an environmental care program for each sale made.

Some rogue security software overlaps in function with scareware by also:
  • Presenting offers to fix urgent performance problems or perform essential housekeeping on the computer.
  • Scaring the user by presenting authentic-looking pop-up warnings and security alerts, which may mimic actual system notices. These are intended to exploit the trust that the user has in vendors of legitimate security software.


Sanction by the FTC and the increasing effectiveness of anti-malware tools since 2006 have made it difficult for spyware and adware distribution networks, already complex to begin with, to operate profitably. Malware vendors have turned instead to the simpler, more profitable business model of rogue security software, which is targeted directly at users of desktop computers.

Rogue security software is often distributed through highly lucrative affiliate networks, in which affiliates supplied with Trojan kits for the software are paid a fee for every successful installation, and a commission from any resulting purchases. The affiliates then become responsible for setting up infection vectors and distribution infrastructure for the software. An investigation by security researchers into the Antivirus XP 2008 rogue security software found just such an affiliate network, in which members were grossing commissions upwards of US$150,000 over 10 days, from tens of thousands of successful installations.

Law enforcement

In December 2006, the Washington Attorney General announced that it had reached a settlement in a suit against Secure Computer LLC, the White Plains, New York-based vendor of the Spyware Cleaner rogue security software, under the Computer Spyware Act passed by the Washington State Legislature in 2005. Secure Computer, under a consent decree, agreed to pay more than $75,000 in restitution to consumers.

In December 2008, the US District Court for the District of Maryland, at the request of the FTC, issued a restraining order against Innovative Marketing Inc, a Kiev-based firm producing and marketing the rogue security software products WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus. The company and its US-based web host, ByteHosting Internet Hosting Services LLC, had their assets frozen and were barred from using domain names associated with those products and from any further advertisement or false representation.

Law enforcement has also exerted pressure on banks to shut down merchant gateways involved in processing rogue security software purchases. In some cases, the high volume of credit card chargebacks generated by such purchases has also prompted payment processors to take action against rogue security software vendors.
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.