World Library  
Flag as Inappropriate
Email this Article

Rogue security software

Article Id: WHEBN0006172076
Reproduction Date:

Title: Rogue security software  
Author: World Heritage Encyclopedia
Language: English
Subject: Winwebsec, Technical support scam, Malware, List of confidence tricks, Trojan horse (computing)
Collection: Rogue Software, Scareware, Social Engineering (Computer Security), Types of Malware
Publisher: World Heritage Encyclopedia

Rogue security software

Rogue security software is a form of malicious software and Internet fraud that misleads users into believing there is a virus on their computer, and manipulates them into paying money for a fake malware removal tool (that actually introduces malware to the computer). It is a form of scareware that manipulates users though fear, and a form of ransomware.[1] Rogue security software has become a growing and serious security threat in desktop computing in recent years (from 2008 on).[2]


  • Propagation 1
  • Common Infection Vectors 2
    • Black Hat SEO 2.1
    • Malvertising 2.2
    • Spam Campaigns 2.3
  • Operation 3
  • Countermeasures 4
    • Private efforts 4.1
  • See also 5
  • References 6
  • External links 7


Rogue security software mainly relies on social engineering (fraud) to defeat the security built into modern operating system and browser software and install itself onto victims' computers.[2] A website may, for example, display a fictitious warning dialog stating that someone's machine is infected with a computer virus, and encourage them through manipulation to install or purchase scareware in the belief that they are purchasing genuine antivirus software.

Most have a Trojan horse component, which users are misled into installing. The Trojan may be disguised as:

  • A browser plug-in or extension (typically toolbar)
  • An image, screensaver or archive file attached to an e-mail message
  • Multimedia codec required to play a certain video clip
  • Software shared on peer-to-peer networks[3]
  • A free online malware-scanning service[4]

Some rogue security software, however, propagate onto users' computers as drive-by downloads which exploit security vulnerabilities in web browsers, PDF viewers, or email clients to install themselves without any manual interaction.[3][5]

More recently, malware distributors have been utilizing SEO poisoning techniques by pushing infected URLs to the top of search engine results about recent news events.[6] People looking for articles on such events on a search engine may encounter results that, upon being clicked, are instead redirected through a series of sites[7] before arriving at a landing page that says that their machine is infected and pushes a download to a "trial" of the rogue program.[8][9] A 2010 study by Google found 11,000 domains hosting fake anti-virus software, accounting for 50% of all malware delivered via internet advertising.[10]

External links

  1. ^
  2. ^ a b c d
  3. ^ a b
  4. ^
  5. ^
  6. ^
  7. ^
  8. ^
  9. ^
  10. ^
  11. ^
  12. ^
  13. ^
  14. ^ a b
  15. ^
  16. ^
  17. ^ CanTalkTech - Fake Green AV disguises as security software with a cause
  18. ^
  19. ^
  20. ^
  21. ^
  22. ^
  23. ^
  24. ^ Rogue security software
  25. ^ Spyware Warrior: Rogue/Suspect Anti-Spyware Products & Web Sites
  26. ^ Spyware & Malware Removal Guides
  27. ^
  28. ^
  29. ^


See also

Law enforcement has also exerted pressure on banks to shut down merchant gateways involved in processing rogue security software purchases. In some cases, the high volume of credit card chargebacks generated by such purchases has also prompted processors to take action against rogue security software vendors.[29]

In December 2008, the US District Court for Maryland—at the request of the FTC—issued a restraining order against Innovative Marketing Inc, a Kiev-based firm producing and marketing the rogue security software products WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus.[27] The company and its US-based web host, ByteHosting Internet Hosting Services LLC, had their assets frozen, were barred from using domain names associated with those products and any further advertisement or false representation.[28]

Many of the private initiatives were at first more or less informal discussions on general Internet forums, but some were started or even entirely carried out by individual people. The perhaps most famous and extensive one is the Spyware Warrior list of rogue/suspect antispyware products and websites by Eric Howes,[25] which has however not been updated since May 2007. The website recommends checking the following websites for new rogue anti-spyware programs, most of which are however not really new and are "simply re-branded clones and knockoffs of the same rogue applications that have been around for years"[26]

Law enforcement and legislation in all countries were very slow to react to the appearance of rogue security software even though it simply uses new technical means to carry out mainly old and well-established kinds of crimes. In contrast, several private initiatives providing discussion forums and lists of dangerous products were founded soon after the appearance of the first rogue security software. Some reputable vendors also began to provide lists of rogue security software, for example Kaspersky.[24] In 2005, the Anti-Spyware Coalition was founded, a coalition of anti-spyware software companies, academics, and consumer groups.

Private efforts


Rogue security software is often distributed through highly lucrative affiliate networks, in which affiliates supplied with Trojan kits for the software are paid a fee for every successful installation, and a commission from any resulting purchases. The affiliates then become responsible for setting up infection vectors and distribution infrastructure for the software.[22] An investigation by security researchers into the Antivirus XP 2008 rogue security software found just such an affiliate network, in which members were grossing commissions upwards of $USD150,000 over 10 days, from tens of thousands of successful installations.[23]

Sanction by the FTC and the increasing effectiveness of anti-malware tools since 2006 have made it difficult for spyware and adware distribution networks—already complex to begin with[19]—to operate profitably.[20] Malware vendors have turned instead to the simpler, more profitable business model of rogue security software, which is targeted directly at users of desktop computers.[21]

  • Presenting offers to fix urgent performance problems or perform essential housekeeping on the computer.[14]
  • Scaring the user by presenting authentic-looking pop-up warnings and security alerts, which may mimic actual system notices.[18] These are intended to use the trust that the user has in vendors of legitimate security software.[2]

Some rogue security software overlaps in function with scareware by also:

Developers of rogue security software may also entice people into purchasing their product by claiming to give a portion of their sales to a charitable cause. The rogue Green antivirus, for example, claims to donate $2 to an environmental care program for each sale made.[17]

  • Alerting the user with the fake or simulated detection of malware or pornography.[14]
  • Displaying an animation simulating a system crash and reboot.[2]
  • Selectively disabling parts of the system to prevent the user from uninstalling the malware. Some may also prevent anti-malware programs from running, disable automatic system software updates and block access to websites of anti-malware vendors.[15]
  • Installing actual malware onto the computer, then alerting the user after "detecting" them. This method is less common as the malware is likely to be detected by legitimate anti-malware programs.
  • Altering system registries and security settings, then "alerting" the user.[16]

Once installed, the rogue security software may then attempt to entice the user into purchasing a service or additional software by:


Spam messages that include malicious attachments, links to binaries and driveby download sites are another common mechanism for distributing Rogue security software. Spam emails are often sent with content associated with typical day-to-day activities such as parcel deliveries, or taxation documents, designed to entice users to click on links or run attachments. When users succumb to these kinds of social engineering tricks they are quickly infected either directly via the attachment, or indirectly via a malicious website. This is known as a driveby download. Usually in drive-by download attacks the malware is installed on the victim’s machine without any interaction or awareness and occurs simply by visiting the website.

Spam Campaigns

Most websites usually employ third-party services for advertising on their webpages. If one of these advertising services is compromised,they may end up inadvertently infecting all of the websites using their service by showing advertising rogue security software.


Black Hat search engine optimization (SEO) is a technique used to trick search engines into displaying malicious URLs in search results. The malicious webpages are filled with popular keywords in order to achieve a higher ranking in the search results. When the end user searches the web, one of these infected webpages is returned. Usually the most popular keywords from services such as Google Trends are used to generate webpages via PHP scripts placed on the compromised website. These PHP scripts will then monitor for search engine crawlers and feed them with especially crafted webpages that are then listed in the search results. Then, when the user searches for their keyword or images and clicks on the malicious link, they will be redirected to the Rogue security software payload.

Black Hat SEO [13]

Common Infection Vectors [12]


This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a non-profit organization.

Copyright © World Library Foundation. All rights reserved. eBooks from Project Gutenberg are sponsored by the World Library Foundation,
a 501c(4) Member's Support Non-Profit Organization, and is NOT affiliated with any governmental agency or department.