fbpx
Wikipedia

Rogue security software

August 24, 2023

Rogue security software is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and aims to convince them to pay for a fake malware removal tool that actually installs malware on their computer.[1] It is a form of scareware that manipulates users through fear, and a form of ransomware.[2] Rogue security software has been a serious security threat in desktop computing since 2008.[3] An early example that gained infamy was SpySheriff and its clones[a], such as Nava Shield.

Propagation

Rogue security software mainly relies on social engineering (fraud) to defeat the security built into modern operating system and browser software and install itself onto victims' computers.[3] A website may, for example, display a fictitious warning dialog stating that someone's machine is infected with a computer virus, and encourage them through manipulation to install or purchase scareware in the belief that they are purchasing genuine antivirus software.

Most have a Trojan horse component, which users are misled into installing. The Trojan may be disguised as:

Some rogue security software, however, propagate onto users' computers as drive-by downloads which exploit security vulnerabilities in web browsers, PDF viewers, or email clients to install themselves without any manual interaction.[4][6]

More recently, malware distributors have been utilizing SEO poisoning techniques by pushing infected URLs to the top of search engine results about recent news events. People looking for articles on such events on a search engine may encounter results that, upon being clicked, are instead redirected through a series of sites[7] before arriving at a landing page that says that their machine is infected and pushes a download to a "trial" of the rogue program.[8][9] A 2010 study by Google found 11,000 domains hosting fake anti-virus software, accounting for 50% of all malware delivered via internet advertising.[10]

Cold-calling has also become a vector for distribution of this type of malware, with callers often claiming to be from "Microsoft Support" or another legitimate organization.[11]

Common infection vectors

Black Hat SEO

Black Hat search engine optimization (SEO) is a technique used to trick search engines into displaying malicious URLs in search results. The malicious webpages are filled with popular keywords in order to achieve a higher ranking in the search results. When the end user searches the web, one of these infected webpages is returned. Usually the most popular keywords from services such as Google Trends are used to generate webpages via PHP scripts placed on the compromised website. These PHP scripts will then monitor for search engine crawlers and feed them with specially crafted webpages that are then listed in the search results. Then, when the user searches for their keyword or images and clicks on the malicious link, they will be redirected to the Rogue security software payload.[12][13]

Malvertising

Most websites usually employ third-party services for advertising on their webpages. If one of these advertising services is compromised, they may end up inadvertently infecting all of the websites using their service by advertising rogue security software.[13]

Spam campaigns

Spam messages that include malicious attachments, links to binaries and drive-by download sites are another common mechanism for distributing rogue security software. Spam emails are often sent with content associated with typical day-to-day activities such as parcel deliveries, or taxation documents, designed to entice users to click on links or run attachments. When users succumb to these kinds of social engineering tricks they are quickly infected either directly via the attachment, or indirectly via a malicious website. This is known as a drive-by download. Usually in drive-by download attacks the malware is installed on the victim's machine without any interaction or awareness and occurs simply by visiting the website.[13]

Operation

Once installed, the rogue security software may then attempt to entice the user into purchasing a service or additional software by:

  • Alerting the user with the fake or simulated detection of malware or pornography.[14]
  • Displaying an animation simulating a system crash and reboot.[3]
  • Selectively disabling parts of the system to prevent the user from uninstalling the malware. Some may also prevent anti-malware programs from running, disable automatic system software updates and block access to websites of anti-malware vendors.
  • Installing actual malware onto the computer, then alerting the user after "detecting" them. This method is less common as the malware is likely to be detected by legitimate anti-malware programs.
  • Altering system registries and security settings, then "alerting" the user.

Developers of rogue security software may also entice people into purchasing their product by claiming to give a portion of their sales to a charitable cause. The rogue Green antivirus, for example, claims to donate $2 to an environmental care program for each sale made.

Some rogue security software overlaps in function with scareware by also:

  • Presenting offers to fix urgent performance problems or perform essential housekeeping on the computer.[14]
  • Scaring the user by presenting authentic-looking pop-up warnings and security alerts, which may mimic actual system notices.[15] These are intended to use the trust that the user has in vendors of legitimate security software.[3]

Sanction by the FTC and the increasing effectiveness of anti-malware tools since 2006 have made it difficult for spyware and adware distribution networks—already complex to begin with[16]—to operate profitably.[17] Malware vendors have turned instead to the simpler, more profitable business model of rogue security software, which is targeted directly at users of desktop computers.[18]

Rogue security software is often distributed through highly lucrative affiliate networks, in which affiliates supplied with Trojan kits for the software are paid a fee for every successful installation, and a commission from any resulting purchases. The affiliates then become responsible for setting up infection vectors and distribution infrastructure for the software.[19] An investigation by security researchers into the Antivirus XP 2008 rogue security software found just such an affiliate network, in which members were grossing commissions upwards of $USD150,000 over 10 days, from tens of thousands of successful installations.[20]

Countermeasures

Private efforts

Law enforcement and legislation in all countries are slow to react to the appearance of rogue security software. In contrast, several private initiatives providing discussion forums and lists of dangerous products were founded soon after the appearance of the first rogue security software. Some reputable vendors, such as Kaspersky,[21] also began to provide lists of rogue security software. In 2005, the Anti-Spyware Coalition was founded, a coalition of anti-spyware software companies, academics, and consumer groups.

Many of the private initiatives were initially informal discussions on general Internet forums, but some were started or even entirely carried out by individual people. The perhaps most famous and extensive one is the Spyware Warrior list of rogue/suspect antispyware products and websites by Eric Howes,[22] which has however not been updated since May 2007. The website recommends checking the following websites for new rogue anti-spyware programs, most of which are not really new and are "simply re-branded clones and knockoffs of the same rogue applications that have been around for years."[23]

Government efforts

In December 2008, the US District Court for Maryland—at the request of the FTC—issued a restraining order against Innovative Marketing Inc, a Kyiv-based firm producing and marketing the rogue security software products WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus.[24] The company and its US-based web host, ByteHosting Internet Hosting Services LLC, had their assets frozen, were barred from using domain names associated with those products and any further advertisement or false representation.[25]

Law enforcement has also exerted pressure on banks to shut down merchant gateways involved in processing rogue security software purchases. In some cases, the high volume of credit card chargebacks generated by such purchases has also prompted processors to take action against rogue security software vendors.[26]

See also

Notes

  1. ^ The clones of SpySheriff are BraveSentry, Pest Trap, SpyTrooper, Adware Sheriff, SpywareNo, SpyLocked, SpywareQuake, SpyDawn, AntiVirGear, SpyDemolisher, System Security, SpywareStrike, SpyShredder, Alpha Cleaner, SpyMarshal, Adware Alert, Malware Stopper, Mr. Antispy, Spycrush, SpyAxe, MalwareAlarm, VirusBurst, VirusBursters, DIARemover, AntiVirus Gold, Antivirus Golden, SpyFalcon, and TheSpyBot/SpywareBot.

References

  1. ^ "Rogue Security Software » BUMC Information Technology | Boston University". www.bumc.bu.edu. Retrieved 2021-11-13.
  2. ^ (PDF). Symantec. 2009-10-28. Archived from the original (PDF) on 2012-05-15. Retrieved 2010-04-15.
  3. ^ a b c d "Microsoft Security Intelligence Report volume 6 (July - December 2008)". Microsoft. 2009-04-08. p. 92. Retrieved 2009-05-02.
  4. ^ a b Doshi, Nishant (2009-01-19), Misleading Applications – Show Me The Money!, Symantec, retrieved 2016-03-22
  5. ^ Doshi, Nishant (2009-01-21), Misleading Applications – Show Me The Money! (Part 2), Symantec, retrieved 2016-03-22
  6. ^ "News Adobe Reader and Acrobat Vulnerability". blogs.adobe.com. Retrieved 25 November 2010.
  7. ^ Chu, Kian; Hong, Choon (2009-09-30), Samoa Earthquake News Leads To Rogue AV, F-Secure, retrieved 2010-01-16
  8. ^ Hines, Matthew (2009-10-08), , eWeek, archived from the original on 2009-12-21, retrieved 2010-01-16
  9. ^ Raywood, Dan (2010-01-15), Rogue anti-virus prevalent on links that relate to Haiti earthquake, as donors encouraged to look carefully for genuine sites, SC Magazine, retrieved 2010-01-16
  10. ^ Moheeb Abu Rajab and Luca Ballard (2010-04-13). "The Nocebo Effect on the Web: An Analysis of Fake Anti-Virus Distribution" (PDF). Retrieved 2010-11-18. {{cite journal}}: Cite journal requires |journal= (help)
  11. ^ "Warning over anti-virus cold-calls to UK internet users". BBC News. 2010-11-15. Retrieved 7 March 2012.
  12. ^ "Sophos Technical Papers - Sophos SEO Insights". sophos.com.
  13. ^ a b c "Sophos Fake Antivirus Journey from Trojan tpna" (PDF).
  14. ^ a b "Free Security Scan" Could Cost Time and Money, Federal Trade Commission, 2008-12-10, retrieved 2009-05-02
  15. ^ "SAP at a crossroads after losing $1.3B verdict". Yahoo! News. 24 November 2010. Retrieved 25 November 2010.
  16. ^ Testimony of Ari Schwartz on "Spyware" (PDF), Senate Committee on Commerce, Science, and Transportation, 2005-05-11
  17. ^ Leyden, John (2009-04-11). "Zango goes titsup: End of desktop adware market". The Register. Retrieved 2009-05-05.
  18. ^ Cole, Dave (2006-07-03), Deceptonomics: A Glance at The Misleading Application Business Model, Symantec, retrieved 2016-03-22
  19. ^ Doshi, Nishant (2009-01-27), Misleading Applications – Show Me The Money! (Part 3), Symantec, retrieved 2016-03-22
  20. ^ Stewart, Joe. "Rogue Antivirus Dissected - Part 2". Secureworks.com. SecureWorks. Retrieved 9 March 2016.
  21. ^ "Safety 101". support.kaspersky.com. Retrieved 11 November 2018.
  22. ^ "Spyware Warrior: Rogue/Suspect Anti-Spyware Products & Web Sites". spywarewarrior.com.
  23. ^ "Virus, Spyware, & Malware Removal Guides". BleepingComputer.
  24. ^ Ex Parte Temporary Restraining Order RDB08CV3233 (PDF), United States District Court for the District of Maryland, 2008-12-03, retrieved 2009-05-02
  25. ^ Lordan, Betsy (2008-12-10), Court Halts Bogus Computer Scans, Federal Trade Commission, retrieved 2009-05-02
  26. ^ Krebs, Brian (2009-03-20), "Rogue Antivirus Distribution Network Dismantled", Washington Post, retrieved 2009-05-02

External links

  •   Media related to Rogue software at Wikimedia Commons

August 24, 2023
rogue, security, software, form, malicious, software, internet, fraud, that, misleads, users, into, believing, there, virus, their, computer, aims, convince, them, fake, malware, removal, tool, that, actually, installs, malware, their, computer, form, scarewar. Rogue security software is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and aims to convince them to pay for a fake malware removal tool that actually installs malware on their computer 1 It is a form of scareware that manipulates users through fear and a form of ransomware 2 Rogue security software has been a serious security threat in desktop computing since 2008 3 An early example that gained infamy was SpySheriff and its clones a such as Nava Shield Contents 1 Propagation 2 Common infection vectors 2 1 Black Hat SEO 2 2 Malvertising 2 3 Spam campaigns 3 Operation 4 Countermeasures 4 1 Private efforts 4 2 Government efforts 5 See also 6 Notes 7 References 8 External linksPropagation EditRogue security software mainly relies on social engineering fraud to defeat the security built into modern operating system and browser software and install itself onto victims computers 3 A website may for example display a fictitious warning dialog stating that someone s machine is infected with a computer virus and encourage them through manipulation to install or purchase scareware in the belief that they are purchasing genuine antivirus software Most have a Trojan horse component which users are misled into installing The Trojan may be disguised as A browser plug in or extension typically toolbar An image screensaver or archive file attached to an e mail message Multimedia codec required to play a certain video clip Software shared on peer to peer networks 4 A free online malware scanning service 5 Some rogue security software however propagate onto users computers as drive by downloads which exploit security vulnerabilities in web browsers PDF viewers or email clients to install themselves without any manual interaction 4 6 More recently malware distributors have been utilizing SEO poisoning techniques by pushing infected URLs to the top of search engine results about recent news events People looking for articles on such events on a search engine may encounter results that upon being clicked are instead redirected through a series of sites 7 before arriving at a landing page that says that their machine is infected and pushes a download to a trial of the rogue program 8 9 A 2010 study by Google found 11 000 domains hosting fake anti virus software accounting for 50 of all malware delivered via internet advertising 10 Cold calling has also become a vector for distribution of this type of malware with callers often claiming to be from Microsoft Support or another legitimate organization 11 Common infection vectors EditBlack Hat SEO Edit Black Hat search engine optimization SEO is a technique used to trick search engines into displaying malicious URLs in search results The malicious webpages are filled with popular keywords in order to achieve a higher ranking in the search results When the end user searches the web one of these infected webpages is returned Usually the most popular keywords from services such as Google Trends are used to generate webpages via PHP scripts placed on the compromised website These PHP scripts will then monitor for search engine crawlers and feed them with specially crafted webpages that are then listed in the search results Then when the user searches for their keyword or images and clicks on the malicious link they will be redirected to the Rogue security software payload 12 13 Malvertising Edit Most websites usually employ third party services for advertising on their webpages If one of these advertising services is compromised they may end up inadvertently infecting all of the websites using their service by advertising rogue security software 13 Spam campaigns Edit Spam messages that include malicious attachments links to binaries and drive by download sites are another common mechanism for distributing rogue security software Spam emails are often sent with content associated with typical day to day activities such as parcel deliveries or taxation documents designed to entice users to click on links or run attachments When users succumb to these kinds of social engineering tricks they are quickly infected either directly via the attachment or indirectly via a malicious website This is known as a drive by download Usually in drive by download attacks the malware is installed on the victim s machine without any interaction or awareness and occurs simply by visiting the website 13 Operation EditOnce installed the rogue security software may then attempt to entice the user into purchasing a service or additional software by Alerting the user with the fake or simulated detection of malware or pornography 14 Displaying an animation simulating a system crash and reboot 3 Selectively disabling parts of the system to prevent the user from uninstalling the malware Some may also prevent anti malware programs from running disable automatic system software updates and block access to websites of anti malware vendors Installing actual malware onto the computer then alerting the user after detecting them This method is less common as the malware is likely to be detected by legitimate anti malware programs Altering system registries and security settings then alerting the user Developers of rogue security software may also entice people into purchasing their product by claiming to give a portion of their sales to a charitable cause The rogue Green antivirus for example claims to donate 2 to an environmental care program for each sale made Some rogue security software overlaps in function with scareware by also Presenting offers to fix urgent performance problems or perform essential housekeeping on the computer 14 Scaring the user by presenting authentic looking pop up warnings and security alerts which may mimic actual system notices 15 These are intended to use the trust that the user has in vendors of legitimate security software 3 Sanction by the FTC and the increasing effectiveness of anti malware tools since 2006 have made it difficult for spyware and adware distribution networks already complex to begin with 16 to operate profitably 17 Malware vendors have turned instead to the simpler more profitable business model of rogue security software which is targeted directly at users of desktop computers 18 Rogue security software is often distributed through highly lucrative affiliate networks in which affiliates supplied with Trojan kits for the software are paid a fee for every successful installation and a commission from any resulting purchases The affiliates then become responsible for setting up infection vectors and distribution infrastructure for the software 19 An investigation by security researchers into the Antivirus XP 2008 rogue security software found just such an affiliate network in which members were grossing commissions upwards of USD150 000 over 10 days from tens of thousands of successful installations 20 Countermeasures EditPrivate efforts Edit Law enforcement and legislation in all countries are slow to react to the appearance of rogue security software In contrast several private initiatives providing discussion forums and lists of dangerous products were founded soon after the appearance of the first rogue security software Some reputable vendors such as Kaspersky 21 also began to provide lists of rogue security software In 2005 the Anti Spyware Coalition was founded a coalition of anti spyware software companies academics and consumer groups Many of the private initiatives were initially informal discussions on general Internet forums but some were started or even entirely carried out by individual people The perhaps most famous and extensive one is the Spyware Warrior list of rogue suspect antispyware products and websites by Eric Howes 22 which has however not been updated since May 2007 The website recommends checking the following websites for new rogue anti spyware programs most of which are not really new and are simply re branded clones and knockoffs of the same rogue applications that have been around for years 23 Government efforts Edit In December 2008 the US District Court for Maryland at the request of the FTC issued a restraining order against Innovative Marketing Inc a Kyiv based firm producing and marketing the rogue security software products WinFixer WinAntivirus DriveCleaner ErrorSafe and XP Antivirus 24 The company and its US based web host ByteHosting Internet Hosting Services LLC had their assets frozen were barred from using domain names associated with those products and any further advertisement or false representation 25 Law enforcement has also exerted pressure on banks to shut down merchant gateways involved in processing rogue security software purchases In some cases the high volume of credit card chargebacks generated by such purchases has also prompted processors to take action against rogue security software vendors 26 See also EditAnti virus List of rogue security software Scareware Technical support scam WinwebsecNotes Edit The clones of SpySheriff are BraveSentry Pest Trap SpyTrooper Adware Sheriff SpywareNo SpyLocked SpywareQuake SpyDawn AntiVirGear SpyDemolisher System Security SpywareStrike SpyShredder Alpha Cleaner SpyMarshal Adware Alert Malware Stopper Mr Antispy Spycrush SpyAxe MalwareAlarm VirusBurst VirusBursters DIARemover AntiVirus Gold Antivirus Golden SpyFalcon and TheSpyBot SpywareBot References Edit Rogue Security Software BUMC Information Technology Boston University www bumc bu edu Retrieved 2021 11 13 Symantec Report on Rogue Security Software PDF Symantec 2009 10 28 Archived from the original PDF on 2012 05 15 Retrieved 2010 04 15 a b c d Microsoft Security Intelligence Report volume 6 July December 2008 Microsoft 2009 04 08 p 92 Retrieved 2009 05 02 a b Doshi Nishant 2009 01 19 Misleading Applications Show Me The Money Symantec retrieved 2016 03 22 Doshi Nishant 2009 01 21 Misleading Applications Show Me The Money Part 2 Symantec retrieved 2016 03 22 News Adobe Reader and Acrobat Vulnerability blogs adobe com Retrieved 25 November 2010 Chu Kian Hong Choon 2009 09 30 Samoa Earthquake News Leads To Rogue AV F Secure retrieved 2010 01 16 Hines Matthew 2009 10 08 Malware Distributors Mastering News SEO eWeek archived from the original on 2009 12 21 retrieved 2010 01 16 Raywood Dan 2010 01 15 Rogue anti virus prevalent on links that relate to Haiti earthquake as donors encouraged to look carefully for genuine sites SC Magazine retrieved 2010 01 16 Moheeb Abu Rajab and Luca Ballard 2010 04 13 The Nocebo Effect on the Web An Analysis of Fake Anti Virus Distribution PDF Retrieved 2010 11 18 a href Template Cite journal html title Template Cite journal cite journal a Cite journal requires journal help Warning over anti virus cold calls to UK internet users BBC News 2010 11 15 Retrieved 7 March 2012 Sophos Technical Papers Sophos SEO Insights sophos com a b c Sophos Fake Antivirus Journey from Trojan tpna PDF a b Free Security Scan Could Cost Time and Money Federal Trade Commission 2008 12 10 retrieved 2009 05 02 SAP at a crossroads after losing 1 3B verdict Yahoo News 24 November 2010 Retrieved 25 November 2010 Testimony of Ari Schwartz on Spyware PDF Senate Committee on Commerce Science and Transportation 2005 05 11 Leyden John 2009 04 11 Zango goes titsup End of desktop adware market The Register Retrieved 2009 05 05 Cole Dave 2006 07 03 Deceptonomics A Glance at The Misleading Application Business Model Symantec retrieved 2016 03 22 Doshi Nishant 2009 01 27 Misleading Applications Show Me The Money Part 3 Symantec retrieved 2016 03 22 Stewart Joe Rogue Antivirus Dissected Part 2 Secureworks com SecureWorks Retrieved 9 March 2016 Safety 101 support kaspersky com Retrieved 11 November 2018 Spyware Warrior Rogue Suspect Anti Spyware Products amp Web Sites spywarewarrior com Virus Spyware amp Malware Removal Guides BleepingComputer Ex Parte Temporary Restraining Order RDB08CV3233 PDF United States District Court for the District of Maryland 2008 12 03 retrieved 2009 05 02 Lordan Betsy 2008 12 10 Court Halts Bogus Computer Scans Federal Trade Commission retrieved 2009 05 02 Krebs Brian 2009 03 20 Rogue Antivirus Distribution Network Dismantled Washington Post retrieved 2009 05 02External links Edit Media related to Rogue software at Wikimedia Commons Retrieved from https en wikipedia org w index php title Rogue security software amp oldid 1146019484, wikipedia, wiki, book, books, library,

article

, read, download, free, free download, mp3, video, mp4, 3gp, jpg, jpeg, gif, png, picture, music, song, movie, book, game, games.