Malicious software, commonly abbreviated as malware, is a growing concern. We often refer to any unwanted installations and alterations as simply ‘viruses’, but malware covers many means of infection and behaviors, including viruses. Spyware. Trojans. Worms. Adware. Gremlins, ghosts, ghouls. I might just be throwing out scary-sounding names now.
But the threat of malware and the confusion surrounding it is the primary tool of a particular form of malware which has become prominent in the last five years: rogue security software, known as ‘rogueware.’
In some variations it can be called ‘scareware’ or ‘ransomware’ depending on the methods used, but I’ll be focusing on rogueware as the definitive type. Though not the most dangerous or newest variety, rogueware is indicative of our modern era of malware.
Gone is the era of purposeless viruses, deleting files and crashing systems for the sake of pure mischief (though some still possess nasty side effects). The descendants of these simple thugs have evolved and multiplied into profitable con artists, generating advertising hits, spam mail, and gathering personal information for sale. Rogueware alone generates hundreds of millions of dollars per year. Their developers operate openly in foreign countries where cybercrime enforcement is lax and advertisers simply do not care where information is obtained. In short, malware has become big business in the past few years.
So What Is Rogueware?
Rogueware specifically describes programs that pretend to detect and fix problems on your computer, and use this pretense to convince the user to hand over money or install more malware. It’s a nasty automation of social engineering, using fraud to make people give away money or install all sorts of malware.
This deception typically begins with the sudden appearance of an alert window from what looks like a valid program, such as an antivirus scanner or Windows’ built-in security features. The alerts will claim that your computer requires immediate attention because of threats such as viruses, spyware, or data corruption. At this point the program will typically demand one of two things: the installation of additional software or the purchase of the ‘full version’ of the program to supposedly fix the issues detected.
But of course the program does nothing and none of the alerts are real. Yet far too often rogueware gets away with people’s money or leaves them with real malware, sometimes without being detected by their real anti-virus service.
Rogueware itself doesn’t register as malware because it doesn’t perform any suspicious activity initially. Oftentimes, rogueware could just be lurking in a website banner ad, waiting for you to click on it, or on a hijacked website in the form of a link. Some bundled software may also include unwanted programs filled with rogueware. People often go looking for software downloads from unconfirmed, free sources. That gets risky. Free is a dangerous search term: much malware hides in these free programs.
How to Avoid Rogueware
Sounds like we’re losing the war on cybercrime, doesn’t it? Well, let’s leave that issue to the big security firms. For people like us – individuals and small business environments worried about protecting their data and money – the key defense involves some general self-education. The first step, as always, is to not panic.
Ironically, rogueware is often so problematic because initially it doesn’t cause any problems. Sometimes it will install alongside actual malware, but the scam can be performed without installing anything. Why install a malicious program on a computer to link to a payment site when a mere image on a website can trick some people into downloading it themselves? In these cases, avoiding the attack can be as simple as closing the webpage.
Much of the threat of rogueware and scareware depends upon unfamiliarity with legitimate software. After all, the ideal antivirus software runs without being noticed, and how would you know what a fake alert looks like if you haven’t had a virus before? Since we can’t keep track of every new piece of rogueware added to the internet every day, knowing how to recognize a fake security program means knowing what the real ones look like.
Spot the Differences
Be mindful of emotionally-charged alerts and warnings, which is specifically the tactic of scareware. While rogueware tries to obtain payment by appearing as legitimate as possible, scareware goes straight for the panic button and demands that users push it. Alerts like ‘Warning! You are at risk of losing all your data!’ or ‘download fix NOW!’ are not the words of professional programs. If any infected files are detected, your AV scanner will simply list them and prompt you to remove them. It will tell you they are harmful; it won’t declare they will destroy your computer, job, or marriage. Seriously, don’t trust programs that talk like junk mail.
Rogueware is distributed under a variety of names, attempting to mimic legitimate software but often sounding like cheap knockoffs. ‘WinAntivirusPro,’ ‘Smart Fortress 2012,’ and ‘PC Antispyware 2010’ are all examples of rogueware. Their operators have to modify and rename their fake programs regularly to avoid signature detection by real antivirus protection. This is always the case with malware, but it is essential for rogueware, because its success stems from avoiding behavioral detection. If System Doctor 2014 doesn’t perform any exploits or run any bad code, an AV program can’t tell that it’s a fraudulent ad. Even if System Doctor 2013 is on record as malware, the AV definitions will need to wait for the 2014 version to be added; so long as the two programs’ signatures are different enough, the AV can’t tell they’re basically the same.
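To make the renaming point concrete, here is an added example in Python (not code from the article): an exact whole-file hash ‘signature’ for a constructed ‘System Doctor 2013’ sample misses the constructed 2014 re-release, while normalising the product name into a family (dropping the year and punctuation) still matches it. The byte strings, the `product=` field format and the helper names are constructed placeholders, not real samples; real AV engines use far more than whole-file hashes, but the gap the article describes is the same.

```python
import hashlib
import re

# Constructed stand-ins for the same fake scanner re-released under a new
# year. Placeholder bytes only, not real rogueware.
SAMPLE_2013 = b"FAKE-SCANNER-BODY\x00product=System Doctor 2013\x00scan:find 37 threats"
SAMPLE_2014 = b"FAKE-SCANNER-BODY\x00product=System Doctor 2014\x00scan:find 37 threats"

# Rogueware names quoted in the article above.
KNOWN_ROGUE_NAMES = ["WinAntivirusPro", "Smart Fortress 2012",
                     "PC Antispyware 2010", "System Doctor 2013"]


def sha256_signature(blob):
    """Exact-match 'signature': the hash of the whole file."""
    return hashlib.sha256(blob).hexdigest()


def signature_match(blob, known_hashes):
    """True only if this exact file has been seen before."""
    return sha256_signature(blob) in known_hashes


def family_name(product_name):
    """Collapse yearly re-brands into one family name:
    lower-case, strip a standalone 4-digit year, normalise punctuation."""
    name = product_name.lower()
    name = re.sub(r"\b(19|20)\d{2}\b", "", name)      # drop the year
    name = re.sub(r"[^a-z0-9]+", " ", name).strip()   # unify spacing/punctuation
    return name


def family_match(product_name, known_names=KNOWN_ROGUE_NAMES):
    """True if the name is a re-branded known rogue family."""
    fam = family_name(product_name)
    return any(fam == family_name(k) for k in known_names)


def extract_product_name(blob):
    """Pull the product= field out of the constructed sample format."""
    m = re.search(rb"product=([^\x00]+)", blob)
    return m.group(1).decode() if m else ""


if __name__ == "__main__":
    known = {sha256_signature(SAMPLE_2013)}
    name = extract_product_name(SAMPLE_2014)
    print("hash signature catches 2014 sample:", signature_match(SAMPLE_2014, known))
    print("family heuristic catches 2014 sample:", family_match(name))
```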
Know Your Antivirus Protection
Find out what antivirus protection is being used on your computers, and familiarize yourself with its controls and its actual scan process. Ask what program is being used and how it is updated; was it purchased with a subscription or is it a free program (like Microsoft Security Essentials)? What time are active scans scheduled to run? Many companies will run antivirus protection from a server, performing updates and scans across the network rather than on each workstation. Open the program and take a look at its controls. You can even manually start a scan and note how it runs and the time it takes. Once you are familiar with your antivirus protection’s normal operations, rogueware can be spotted almost immediately.
When rogueware pretends to scan a computer, it does so using simple animated lists. These rarely take more than a few seconds to ‘find’ dozens of fake infections (sometimes different ones each time), and certainly not in locations unique to your PC (like “C:\Users\[user name]…”, even though the user’s temp folder is the common download location for malware). Rogueware is in a rush to grab your attention, to make the threat of infection or data loss feel immediate, but even the briefest real scans need a few minutes to discover anything on a typical hard drive. In my experience, using an antivirus scan to hunt down malware means leaving it to run for an hour, and I find most infections aren’t detected until towards the very end.
Don’t Send Money or Install Unknown Programs
Bear in mind that not every fake security program will be this transparent in appearance. Many are moving away from blatant scareware tactics and some use professional-looking logos and copyright info. Some even show signs of having been proof-read. I know of at least one instance of Microsoft Security Essentials being perfectly duplicated. The point is you may not spot the fake at a glance. But eventually rogueware will reveal its true goal: it wants you to send money or it wants you to install additional programs. Hold off on these requests and find an alternate means to scan and verify the issues to confirm they are legitimate.
There are countless ways for real software to set up a payment online, but you’re unlikely to run into any as forceful as rogueware’s methods. There are plenty of decent free antivirus and hard drive cleaning programs that will do a basic job without asking for your credit card. But the bottom line is to do this on your own terms, rather than relying on the popup’s provided links and claims. Even opening a new browser window and navigating to the website in question yourself is a safer route. You may quickly discover by using a search engine that the program reporting the presence of malware is malware itself.
Examples of Rogueware:
Below are some real-life rogueware examples with captions explaining what to look for.
Fig. 1.1: The vagueness of this popup alert is the first clue for this known rogueware. It never states that anything is actually infected or present and only lists what ‘could’ be out there. It reads much more like an advertisement; ‘Get best protection’ isn’t far from ‘click to win an iPad!’ Ads don’t monitor your computer’s health.
Fig. 1.2: Watch out for vague emails like this, and attachments that don’t match what’s described. These typically contain Trojans and similar malware but can also be rogueware installers. After opening one, many assume the antivirus alert that pops up is legit, when often the alert is the virus itself. It’s a good idea to only open emails and attachments from people you know, and to expect only certain file types (documents and photos).
Fig. 1.3: Look for bad punctuation, misspellings, and other proofreading errors. (“Status: no activate”?). Funky color schemes and emotionally-charged phrasing are other signs of imitation.
Fig. 1.4: This is a photo of me photographing the FBI Virus, photographing me. But of course this infamous ransomware is merely showing me the laptop’s webcam and pulling common data from the computer to show its name, network address, etc. Nothing is being broadcast. Notice the MoneyPak logo, an online payment service. I suppose they think the IRS uses PayPal, too?