What is Rogue Security Software?
Rogue Security Software, also known as Fake AV (Antivirus) Software or Rogue Antivirus Software, is a malicious computer program which is illicitly promoted and distributed as a virus removal tool, while in fact it either provides no functionality at all or downloads additional malware. Following installation, Fake AV applications display forged scan reports brimming with fabricated security issue entries, thus scaring users into buying the counterfeit program’s alleged full version, which would supposedly solve them. This dangerous sub-form of Scareware has been gaining popularity since 2008, becoming one of the prevalent types of malware today. Disturbingly, among Fake AV’s untold victims also count Internet security experts, Kaspersky Lab, and the 117-fold Pulitzer Prize winner, the New York Times.
How is Fake AV Software Advertised and Distributed?
Rogue Security Software is promoted via social engineering techniques and Black Hat SEO (Search Engine Optimization) practices. Its installation takes place either intentionally or unintentionally, depending on whether the user is lured into deliberately downloading it or the malicious program is downloaded automatically without human interaction.
Fraudulent “Official” Homepages
In order to persuade users of their product’s credibility, Fake AV creators launch pseudo-official homepages which are designed to look identical to those of trustworthy Security Software developers. Typically, these websites are enhanced with ostensibly authentic company logos, quality certificates and satisfied customer testimonials, thus creating the false impression that they are the proud home of safe professional software.
Spam E-Mail Campaigns
Nowadays, sending myriads of spam e-mails is both quick (especially when using a botnet) and inexpensive (e-mail lists sell relatively cheaply on Internet black markets), which makes it one of the major infection vectors for Fake Antivirus programs. E-mails either carry malicious attachments (disguised as seemingly innocuous files such as images, PDFs, screensavers, etc.) or links to compromised or maliciously designed websites (the latter method has become more popular since most e-mail service providers have implemented security mechanisms which block suspicious attachments). In order to convince victims to open attachments or follow links, subject lines and message text are misleadingly formulated, claiming to address important daily matters such as taxation, delivery of goods or services, bank transactions, etc.
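The attachment disguises mentioned above (an executable presented as an image, a PDF or a screensaver) can be screened mechanically on a mail gateway before a user ever sees the message. The following Python script is an added example written for this article, not code from the original page; the extension lists, the sample attachment names and the thresholds are constructed for illustration. It goes slightly beyond the text by also flagging two common naming tricks of the same kind: whitespace padding that pushes the real extension out of view, and the Unicode right-to-left override character that makes a mail client render the end of a name reversed.

```python
"""Screen e-mail attachment names for executables disguised as harmless files.

Added example; the extension lists and the sample attachment names below are
constructed for illustration and are not taken from the article.
"""
from __future__ import annotations

import os
import re

# Extensions that Windows treats as executable content when double-clicked.
# Screensavers (.scr) are ordinary executables with a different suffix.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".hta", ".msi", ".lnk", ".ps1",
}

# Harmless-looking suffixes typically used as the inner part of a double
# extension (photo.jpg.exe, invoice.pdf.scr).
DECOY_EXTENSIONS = {
    ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt", ".zip",
}

# Unicode right-to-left override: the characters after it are rendered
# reversed, so "invoice\u202efdp.exe" is displayed as "invoiceexe.pdf".
RLO = "\u202e"


def classify_attachment(filename: str) -> list[str]:
    """Return the reasons an attachment name looks deceptive (empty if none)."""
    reasons: list[str] = []
    name = filename.strip()
    if RLO in name:
        reasons.append("contains right-to-left override character")
        name = name.replace(RLO, "")  # inspect the real, unrendered name
    root, ext = os.path.splitext(name.lower())
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable file type {ext}")
        # Long runs of spaces push the real extension out of view in mail
        # clients that truncate long names.
        if re.search(r" {5,}", root):
            reasons.append("whitespace padding hides true extension")
        _, inner = os.path.splitext(root.rstrip())
        if inner in DECOY_EXTENSIONS:
            reasons.append(f"double extension disguises executable as {inner}")
    return reasons


def screen_attachments(filenames: list[str]) -> dict[str, list[str]]:
    """Map each suspicious attachment name to its findings; clean names are omitted."""
    return {n: r for n in filenames if (r := classify_attachment(n))}


# Constructed sample mailbox: one legitimate attachment and four disguises.
SAMPLE_ATTACHMENTS = [
    "tax_statement_2012.pdf",
    "holiday_photo.jpg.exe",
    "cute_kittens.scr",
    "delivery_notice.pdf" + " " * 40 + ".exe",
    "bank_transfer\u202efdp.exe",
]

if __name__ == "__main__":
    for name, findings in screen_attachments(SAMPLE_ATTACHMENTS).items():
        print(repr(name), "->", "; ".join(findings))
```

The check works on the name only, which is deliberately cheap; a gateway would pair it with content-type sniffing (a file that claims to be a PDF but starts with the `MZ` executable header) and with the usual attachment blocking the article mentions. Note that a clean name is not evidence of a clean file, so an empty result means "no naming trick found", not "safe".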
Blogs, Forums, Pornographic Websites, Social Media, Link Spamming
Just like any other product, Rogue Security Software is promoted via banners and other advertising items on diverse websites ranging from legitimate to suspicious, as well as on social media. Additionally, guestbooks, forums and blogs may be spammed using Link Spamming Packages (also known as auto-submitters) which can automatically generate entries and place links, circumventing security procedures such as e-mail confirmation and CAPTCHA tests. A notable example of such a Black Hat marketing tool is XRumer (targeted at forums). Considering their enormous user numbers, social media platforms are inevitably also used for the promotion of Fake Antivirus. Not surprisingly, its two most prominent representatives, Facebook and Twitter, together with the leading professional networking service, LinkedIn, have been hit by scamware attacks.
Malvertising
Malvertising, the display of malicious ads within legitimate affiliate networks, is among Rogue Security Software’s most vital means of propagation. Fake AV distributors either directly pay for an advertising campaign (for as long as their true intentions remain undiscovered), impersonate a trusted company (as in the NY Times case), or exploit vulnerabilities in advertising vendors’ networks, replacing benign ads with malicious ones. Malvertising attacks are especially dangerous for two main reasons. First, their damage potential is enormous because of the immensely large audience the affected websites reach. Second, they are sometimes extremely hard to predict or prevent due to the intricate structure of advertising networks (typically an advertising network incorporates ads from several third-party advertising networks and trackers).
Drive-by Downloads
So-called Drive-by Download attacks are among the most feared methods of dispersing Fake AV programs because they are designed to download and install malware without ever notifying the user or asking for their permission. Cybercriminals usually employ Exploit Kits to identify client-side vulnerabilities (such as code flaws in browsers, or in applications like Adobe Reader, Adobe Flash Player and the Java Runtime Environment) and use them to execute malicious code (which typically serves to download additional malware components). To prevent detection, Exploit Kits are usually backed up by obfuscation software (so-called “packers”) which makes their binary data unreadable for antivirus programs.
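Packers defeat signature matching by compressing or encrypting the real code, but that very transformation leaves a statistical trace: compressed or encrypted bytes look nearly random, so their Shannon entropy sits close to the 8-bit maximum, whereas ordinary code and text sit far below it. The following Python script is an added example illustrating that defender-side heuristic; it is not code from the article, and the sample buffers, the 512-byte window and the 7.0 bits-per-byte threshold are constructed assumptions chosen for illustration.

```python
"""Entropy heuristic for spotting packed or obfuscated binaries.

Added example, not from the article. Packers compress or encrypt the real
code, and such data has near-random byte statistics, so a high Shannon
entropy (close to the 8-bit maximum) is a cheap first signal that a file
deserves closer inspection. Sample buffers and thresholds are constructed.
"""
from __future__ import annotations

import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 512,
                         threshold: float = 7.0) -> list[int]:
    """Offsets of fixed-size windows whose entropy is at or above the threshold.

    A packed executable usually has a small plain stub (low entropy) followed
    by a large high-entropy blob, so the offsets show where the packed payload
    begins rather than merely that the file as a whole is noisy.
    """
    return [
        off for off in range(0, len(data), window)
        if shannon_entropy(data[off:off + window]) >= threshold
    ]


def looks_packed(data: bytes, window: int = 512, threshold: float = 7.0,
                 min_fraction: float = 0.5) -> bool:
    """True when at least min_fraction of the windows are high-entropy."""
    total = max(1, math.ceil(len(data) / window))
    return len(high_entropy_windows(data, window, threshold)) / total >= min_fraction


# Constructed samples: a "plain" buffer of repetitive text, and a "packed"
# buffer made of a short plain stub followed by seeded pseudo-random bytes
# standing in for a compressed payload.
_rng = random.Random(1)
PLAIN_SAMPLE = b"This program cannot be run in DOS mode.\r\n" * 100
PACKED_SAMPLE = b"MZ" + b"\x00" * 510 + bytes(_rng.randrange(256) for _ in range(4096))

if __name__ == "__main__":
    for label, buf in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(f"{label}: entropy={shannon_entropy(buf):.2f} "
              f"high-entropy windows={high_entropy_windows(buf)} "
              f"packed={looks_packed(buf)}")
```

Entropy alone produces false positives (legitimately compressed resources, embedded images, installers), so in practice it is one feature among several rather than a verdict; its value is that it is immune to the renaming and re-encryption that defeat signatures, which is exactly the gap the packers described above exploit.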
Rogue Security Software Distribution Networks
Rogue Security Software is widely spread through entire affiliate-based illegal networks, collectively known as “Partnerka”. Scheme participants usually enroll for free and are paid per successful malware install. In order to optimize the fraud’s effectiveness and make it accessible also to aspiring online criminals without profound IT knowledge, Fake AV creators usually provide affiliate partners with full support and an extensive set of useful tools such as maliciously coded advertising items, exploit kits and obfuscation programs.
Risks of Rogue Security Software
From the perspective of webmasters, advertising networks and advertisers, Rogue Security Software is an ever-growing threat which undermines their company’s image (when end-users are infected through malicious ads sneakily placed on legitimate websites) and simultaneously means substantial financial loss (since the originally intended adverts don’t reach their target audience).
For the end-user, Fake Antivirus programs pose a great risk in many damaging ways. For one, more trusting users are often scared into purchasing a worthless application, which can only be described as “daylight robbery”. Furthermore, since payments are processed online, victims’ financially relevant information may be recorded, misused or sold (there are a great number of Darknet black markets specialized in selling stolen credit card details). Fake AV is also fully capable of rendering important legitimate software unusable and causing affected systems to become less stable. It is very important to note that rogue antivirus often propagates via Drive-by Downloads, which usually means that additional, possibly even more dangerous malware is also installed.
Mitigation and Protection against Rogue Security Software
Since computer infections are, to a great extent, dependent on human interaction, users can strongly diminish the risk of Rogue Security Software contamination by adopting responsible online behavior. It is strongly advisable to be extremely cautious with unsolicited e-mails and links, unfamiliar websites, dubious video codecs and pop-up windows which are made to resemble legitimate system or software alerts. E-mail attachments should be handled with increased care, and it is strongly recommended to only open files sent by completely trusted parties. Active precautionary measures include acquiring and running a reputable security program and always keeping all installed software up to date.