Rogue Security Software – Evolution, Protection and Awareness

The Internet has come of age, and with it malicious software and related infections. Inevitably, Viruses, Trojans, advertising software and popups have been a part of it and as the Internet has evolved and grown, so have they. With the advent of the new century, and especially in last 5 years, newer types of malicious software, particularly spyware and rogue security software, have appeared. The evolutionary path of rogue security software is no less interesting than human evolution: from simple windows installer-based malware to recent web exploits and fake warnings and blue screens, the path is incredible.

Today, the malware industry is a billion dollar concern, and new variants/rogues and other new threats emerge all the time. Their main strategy lies in exploiting social engineering techniques, scaring users into purchasing the author's fake products. Of course, this gives the victims a false sense of security. Digging a little deeper, it is apparent that the rogue security software industry comprises a mix of determined authors who develop a product and occasionally release new variants of the same program, and those that release virulent and sometimes devastating malware that spreads like an epidemic (there is a strong suspicion that these are all interconnected somewhere, but that is for another article). Two notable products are winfixer and XPAntivirus, with Spysheriff being a notable early example.

The initial signs of infection are not always obvious.

Just like any setup procedure, the user (unknowingly) installs the program and the malware is in the machine. It even appears to have an uninstaller. Let’s see how this has evolved over time.

The malware industry has completely overhauled its strategies and the change is scary. Many are targeted at Microsoft’s own security initiatives, namely the Security Center (more explained below), Windows Defender, MSRT, and even Windows Vista (or OEM products) sales and DVD packages.

Let's look at how rogue software began exploiting Microsoft Windows Security Center.

The images look very similar. Anyone using Windows has almost certainly used the Security Center while trying to configure their Firewall or Windows Automatic Updates options. On closer inspection you can see that one of these is fake. The Windows Security Center does not include product registering recommendations as is seen in the second screen shot. Additionally, the language used is poor and completely at variance with the usual phraseology used in Windows products

For example: “Windows Security center reports that XP Deluxe Protector is inable.” These notifications also attempt to lure the user into purchasing the fake product.

These alerts are not restricted to the Security Center. Let's examine another example.

If the user follows the advice given in the message, they will be redirected to either the product's download page or registration page, which have been designed with a professional look and which would fool an unaware user

Unfortunately, many end users are fooled through this form of social engineering. The malware industry relies heavily on this technique, promoting fake security products in such a way that the end user is convinced their PC would be protected. Take the following examples.

In the images above, the first two look similar but have different product names, thus indicating a similarity in coding or UI design. The other uses a similar strategy but with a different UI. It is very easy for an end user who just uses their computer for email, online shopping or browsing to be tricked by these flashy and in-your-face prompts, and that’s where user awareness should come into play. The creators of these fake security products are always developing new ways in which to try to trick users.

The process of infection has also evolved over time. If we look at the earlier infections they were usually allowed either by a user inadvertantly installing the software or via third party bundleware. The earlier versions of XPAntivirus and SpySheriffs had product related websites which the user would stumble upon or be redirected to as part of either the user consenting to an installation or bundled installation.

This process has evolved dramatically and steadily. The malware industry is well integrated, and quite a few different malware types such as spambots, Trojan downloaders and rogue software together comprise a complete infection chain. For example, within the last year instances such as the CNN website-related infections or MSNBC, malwares like cbeplay and also Trojan downloaders download rogue software at the end of an infection chain. The mechanism of infection starts with attack vectors using exploited or hacked websites containing infected code, where the user is fooled into clicking links or prompts. Another prevalent method is through spam mail, where once a user follows a link, they are infected with a Trojan downloader which in turn either shows balloon messages containing warnings disguised as Windows taskbar prompts to trick the user:

Or even browser prompts such as:

As we mentioned at the start of the article, originally there were no such lures or tricks, but as the malware industry has grown it has obviously recognised the huge potential for user manipulation in the Security field and is now trying to exploit that as fully as possible. Let’s look at another example.

This was back in 2006:

And these are recent images:

 

The level of deception kept pace with the passage of time, so that the end user was always presented with a 'modern' UI. look at the attempts below

 

 

The Blue Screen of Death (the infamous BSOD), always puts Microsoft Windows users in a “What the heck happened” situation, and malware creators have exploited that too. To suddenly see your computer restart, and when the restart process incorporates scare tactics using Fake Advertising, or a Blue Screen with error messages, even if it has characteristically poor English, the end-user is already confused and likely to fall prey to this. And that’s where we at Emsisoft are trying to educate you as an end-user, through articles such as this about the tactics these malware creators are using and we will not stop. Do keep your antivirus and operating system updated, click only those links which you are sure about, and as always you can submit any suspicious file to us. Do visit http://www.emsisoft.com/en/support/malware/ for detailed information about the many different malwares we target.

At Emsisoft, we are continuously updating Emsisoft Anti-Malware's (EAM) product signatures and our analysts are always on the lookout for new, undetected malware. Emsisoft Anti-Malware's “Behavior Blocker” alerts you to a huge range of malicious related activities so that you are always aware of what is happening in your system. We try to make sure our customers have peace of mind and believe that computer security should be available naturally and without effort. It is not going to get any easier, and the malware industry will only become more devious, but we here at Emsisoft are always a step ahead. We offer the best protection and have a higher detection rate than other security software. We protect your computer and help prevent your PC from becoming infected. If you are infected our software can eradicate most threats. With the release of Emsisoft Anti-Malware version 5, we have overhauled our product and we make sure our users remain protected from these threats today and tomorrow.

From our security blog: http://blog.emsisoft.com