Rogue Security Software

Rogue Security Software masquerades as an antivirus product but is in reality malware that hijacks your computer and tries to extort money from you. Don’t fall for this scam!

Rogue Security Software appears suddenly on your computer. It pops up windows claiming to be scanning your computer and finding viruses. It may change your desktop wallpaper to display the viruses it claims to have found, and it may pop up message bubbles claiming your computer is infected. It will always recommend that you buy its product online to remove the viruses it reports. The product may look official, but it is a scam. Do not give it any money or personal information.

Rogue Security Software has been attacking computers since 2007 and is big business, on the order of $100 million.

Rogue Security Software has reached visitors of reputable web sites such as the NY Times through malicious advertisements.

Screen captures (two images): malware scare 1, malware scare 2

Names

Rogue Security Software goes by many changing names to try to avoid detection. The names are built from permutations of words such as AntiSpyware, Antivirus, XP, Vista, 7, Malware, PC, Privacy, Security, Cleaner, Care, Spy, Virus, Total, Remover, Pro, 2010, …

Nomenclature – Rogue Security Software is a virus, malware

“Computer virus” is the term we hear most, and it has become a generic catch-all for all unwanted computer software. Malware (mal=bad + ware=software) is a better term to cover all software that you do not want on your computer. Malware includes viruses, worms, Trojans, spyware, adware, scareware, Rogue Security Software, keystroke loggers, rootkits, … Strictly speaking, Rogue Security Software does not copy itself from machine to machine the way a true virus does; it is installed by trickery, which makes it a Trojan (scareware), but the popular name “virus” has stuck.

Rogue Security Software is malware.

How people/computers are infected with Rogue Security Software (malware)

The purveyors of Rogue Security Software have crafted multiple ways to infect your computer, including pop-up windows, email, and exploitation of known security vulnerabilities. They have also hijacked web sites, hijacked advertisements, infiltrated legitimate advertising agencies, and created professional-looking web sites to sell their wares.

The favorite path to infection is social engineering: scare the user into thinking their computer is infected and that they must purchase the product to disinfect and fix it.

The best way to scare the user is to pop up a window that says “Your computer is infected!” with some technical-looking details and offer a solution. The solution looks real, using terms like Windows, XP and Antivirus, and even icons and text that mimic Microsoft and other reputable antivirus vendors. The aim is to get you to click their link, which either downloads and installs their “solution” (the malware itself) or takes you to their web site to convince you that their product will disinfect and protect you, so that you then download and install it.

If you download and install the product, you will soon learn that the free version only finds viruses and that you must buy and activate the product to remove them. The price may be $59.99, and they will happily accept your credit card. If you go to their web site instead, they will try to sell you the product there.

When you buy the Rogue Security Software product, you buy trouble: a bogus product, fraud and identity theft. The product is bogus and malicious, the money is stolen, and you have handed over personal information such as your credit card number, name and email address.

The scary pop-up window can come from a web site the bad guys have hijacked or from a cooperating web site, possibly a file sharing site, an adult web site or a hacker web site. It can also come from a legitimate advertising network that has been tricked into serving malicious ads: the bad guys sign a contract with a legitimate advertiser, supply genuine, harmless ads for a while to gain its confidence, then switch to ads for Rogue Security Software. Pop-ups can also originate from programs and files downloaded from file sharing sites that are Trojans. Trojans trick you by seeming to be a program that you want while secretly installing software that you do not want.

Email brings spam messages with links that look convincing to click but lead to malware sites or programs. Email attachments are worse: opening one can install unwanted software (malware) directly.

Search engines can be poisoned with links to sites that seem to offer useful or topical information but really lead to infected sites or to sites selling Rogue Security Software and other malware.

Web sites can be infected or purpose-built as “drive-by downloaders” for malware such as Rogue Security Software. Getting infected can be as simple as visiting such a site with a computer whose software is not up to date with the latest versions and patches: a drive-by download site relies on unpatched security holes in software. Software can have vulnerabilities that allow remote code execution and other misuse through buffer overflows or other design flaws. This happens to all code today, including Microsoft, Apple, Adobe and open source software. Unfortunately, these holes turn up in the most widely used software, such as Windows, Internet Explorer, Outlook, Flash and Acrobat, because that is where the bad guys look hardest.

Computers may also be infected by installing Trojans, by sharing a USB drive, or over a corporate or local network from another infected machine.

Consequences of an infected computer

A computer infected with Rogue Security Software will at best be annoying to use, with pop-ups telling us the computer is infected, and at worst will be stealing our personal information and committing crimes. The computer may be compromised so that we cannot run certain programs or visit certain web sites (antivirus vendor sites are a common target). The worst case is a computer completely owned by hackers, harboring other malware such as keystroke loggers, spam-sending programs, bot programs and downloaders that install new mischief.

Eliminating the rogue malware

There are multiple ways to remove Rogue Security Software from your computer, including: 1) System Restore, 2) running antivirus and anti-malware scans and 3) manually removing the malware’s components.

1) System Restore is the quickest and easiest way to remove the malware. Simply restore your PC to a restore point from before the infection occurred. This may not work for several reasons: System Restore may not have been turned on (some versions of the malware turn it off), and the malware may block System Restore from running. If System Restore is blocked in Normal boot mode, try booting into Safe Mode and running System Restore there. If that is blocked too, try Safe Mode with Command Prompt and start System Restore from the command line: on Windows XP it is %systemroot%\system32\restore\rstrui.exe; on Vista and Windows 7 it is %systemroot%\system32\rstrui.exe. Two caveats: System Restore rolls back system files and the registry, not the files in your documents, so the rogue’s executable may survive even though it no longer starts; and restore points themselves can contain the malware, which is why the cleanup notes below say to delete them afterwards.

2) Run antivirus and anti-malware scans to eliminate the Rogue Security Software. Mainstream, reputable antivirus programs from Microsoft, McAfee, Symantec, AVG, etc. should find and remove it. One excellent tool is Malwarebytes Anti-Malware, available in free and paid versions at www.malwarebytes.org. If your antivirus and Malwarebytes Anti-Malware can’t find it, other tools may: SuperAntiSpyware, ComboFix, Spybot, Ad-Aware, Dr.Web CureIt! and others. Search for them and download from a reputable site such as www.download.com, never from a link the rogue itself shows you; search results for “remove XYZ” are themselves a favorite target for poisoning. Update your antivirus/anti-malware to the latest definitions before scanning, and run full scans. If the rogue kills the scanner as soon as it starts, run it from Safe Mode, rename the scanner’s executable, or use a bootable rescue CD from an antivirus vendor. Continue running full scans until at least two products report clean.

3) Rogue Security Software can be removed manually by deleting its registry entries and files by hand. The details depend on the specific malware: for example, the autostart entry may be a value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (or, since the rogue usually runs without administrator rights, under the matching HKCU key) pointing at a file with a name such as sysguard.exe. Delete the value and the file it references. Check RunOnce, scheduled tasks and services as well; Run is the most common hiding place but not the only one. Some versions totally hijack the computer so that, once it has booted fully, you can’t reach certain web sites or run programs such as Task Manager, System Restore or Windows Explorer. If so, you may be able to work around it by starting Task Manager with the famous <Ctrl><Alt><Del> while the system is booting, before the malware runs. Find the task that is the malware (for example sysguard.exe), kill it, and then run System Restore, scans or the other methods to fix your computer.
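The Run-key check from step 3, written out as a script. This is an added example, not code from the original post: it walks the HKLM and HKCU Run/RunOnce keys, flags values whose name or executable matches the word list from the Names section above (plus sysguard.exe, the post’s example file name) or whose executable runs from the user profile or temp directories, and only removes an entry when you pass -Remove and both hints agree. It assumes Windows 7 or later with PowerShell 2.0 or newer, run from an elevated prompt (in Safe Mode with Command Prompt, type powershell to get one); the word list and directory heuristics are my own choices.

```powershell
# Added example, not code from the original post: audit the Run/RunOnce
# autostart keys for entries that look like rogue security software and,
# only when -Remove is given, kill the process and delete the value and file.
# Assumptions: Windows 7 or later with PowerShell 2.0+, run as Administrator
# (from Safe Mode with Command Prompt, type "powershell" to start it).
# The name fragments are the word list from the post's "Names" section plus
# sysguard.exe, the file name the post uses as its example.

param([switch]$Remove)

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',     # writable without admin, so rogues favour it
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Fragments rogues recombine into product names ("XP Antivirus Pro 2010", ...).
# -match is case-insensitive by default in PowerShell.
$rogueWords = 'AntiSpyware|Antivirus|Malware|Privacy|Security|Cleaner|Care|Spy|Virus|Total|Remover|sysguard'

# Legitimate autostart programs live in Program Files or System32; a rogue
# usually drops its executable somewhere under the user profile.
$suspectDirs = @($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA, $env:USERPROFILE) | Where-Object { $_ }

function Get-ExePath([string]$command) {
    # Pull the executable out of a Run value such as:  "C:\...\sysguard.exe" /s
    if ($command -match '^\s*"([^"]+)"')  { return $matches[1] }
    if ($command -match '^\s*(\S+\.exe)') { return $matches[1] }
    return $command.Trim()
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # provider metadata, not a Run value
        $exe = Get-ExePath ([string]$p.Value)
        $reasons = @()
        if ($p.Name -match $rogueWords -or $exe -match $rogueWords) { $reasons += 'rogue-style name' }
        foreach ($d in $suspectDirs) {
            if ($exe.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) { $reasons += 'runs from user profile'; break }
        }
        $flag = if ($reasons.Count -gt 0) { 'SUSPECT' } else { 'ok' }
        '{0,-7} {1}\{2} -> {3} {4}' -f $flag, $key, $p.Name, $exe, ($reasons -join '; ')

        # Deletion requires both hints: a name like "Security" alone also
        # matches legitimate products; a profile path alone is only a hint.
        if ($Remove -and $reasons.Count -eq 2) {
            Get-Process -ErrorAction SilentlyContinue |
                Where-Object { $_.Path -and $_.Path -ieq $exe } |
                Stop-Process -Force -ErrorAction SilentlyContinue
            Remove-ItemProperty -Path $key -Name $p.Name
            if (Test-Path -LiteralPath $exe) { Remove-Item -LiteralPath $exe -Force }
            "removed $($p.Name)"
        }
    }
}
```

Run it without -Remove first and read the list: every value is printed with its executable path, so a legitimate entry that matches a word like Security is easy to spot. A rogue that persists as a service or a scheduled task will not appear here, which is why the scans in step 2 still matter.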

Notes on cleanup

Once a computer has been compromised, you cannot be sure the system has been completely cleaned up by any of these methods. The only sure way to have a completely clean computer is to “wipe” the hard drive and completely reinstall Windows, programs and data from reliable media. This is time consuming. Whatever your cleanup strategy, it reminds us of the importance of regular data backups.

If you go the disinfection (cleanup) route with the three techniques above, follow up with these steps: 1) delete all System Restore points after cleanup, since they may hold a copy of the malware, 2) check that your antivirus software is updating and scanning regularly, 3) keep your favorite anti-malware software installed and ready for use at the first sign of trouble (run Malwarebytes Anti-Malware or similar immediately, because rebooting can entrench the malware more deeply), and 4) review your backup plan; ideally you copy your data to more than one medium and more than one location (external disk, USB, DVD, online backup). Since the rogue may have brought a keystroke logger with it, also change any passwords you typed while the machine was infected, from a clean computer, and if you paid, tell your card issuer.

Preventing malware

Malware is not 100% preventable, because it is a cat-and-mouse game between the bad guys and the good guys, but we can be reasonably safe by following some guidelines –

o Learn, be aware, think. Learn how to use your computer safely. Protect your privacy and security: do not give out personal information unless you are confident of who is asking. Don’t click on junk ads (“You have won!”, “Take this IQ test!”).

o Keep all your software updated. Enable Microsoft Update (which covers Office as well as Windows). Click yes to update Windows, Office, Java, Flash, Adobe Reader, Firefox and all your other legitimate software, but only when the prompt comes from the program itself, not from a web page; fake “update your player now” pages are one more way the rogue gets installed.

o Avoid the most popular software. The most popular software is the biggest target for the bad guys, so using an alternative reduces your exposure (it does not make you immune, and the alternative needs patching just the same). Use Mac OS or Linux instead of Windows; use Firefox, Safari, Chrome or Opera as your browser instead of Internet Explorer; use Thunderbird or web mail (Hotmail, Yahoo Mail, Gmail) instead of Outlook.

o Close pop-ups with <Alt><F4>, or right-click the window’s entry on the task bar and choose Close. That way you never click anywhere inside the pop-up, so you cannot be tricked into clicking (agreeing to) anything; a “Close” or “Cancel” button drawn inside a rogue’s window can do whatever the attacker likes.
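A check for the “keep all your software updated” item above. This is an added example, not code from the original post: it asks the Windows Update Agent for updates that are not yet installed, reads the installed versions of the third-party products the post names (Flash, Reader/Acrobat, Java, Firefox) from the Uninstall registry keys, and reports the Automatic Updates setting. It assumes Windows 7 or later, PowerShell 2.0 or newer, and access to Windows Update; the product name patterns are my own, and the script only reports, it changes nothing.

```powershell
# Added example, not code from the original post: a quick "am I patched?"
# check covering what the post tells you to keep current. Assumptions:
# Windows 7 or later, PowerShell 2.0+, and access to Windows/Microsoft
# Update. It reports; it does not install anything.

# 1) Updates that Windows Update knows about but that are not installed,
#    via the Windows Update Agent COM API.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
"Pending Windows updates: $($result.Updates.Count)"
foreach ($u in $result.Updates) {
    $sev = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'unrated' }
    '  [{0,-9}] {1}' -f $sev, $u.Title
}

# 2) Installed versions of the third-party software the post lists as
#    drive-by targets. Both the native and the 32-bit-on-64-bit
#    (Wow6432Node) views of the Uninstall keys are read.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$watch = 'Adobe Flash|Adobe Reader|Adobe Acrobat|Java|Mozilla Firefox'   # my pattern, extend as needed
"Third-party software to compare against the vendor's current release:"
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $watch } |
    Sort-Object DisplayName |
    ForEach-Object { '  {0,-45} {1}' -f $_.DisplayName, $_.DisplayVersion }

# 3) Automatic Updates setting. Confirm nothing has switched it off;
#    anything below 4 (download and install on schedule) deserves a look.
$au = New-Object -ComObject Microsoft.Update.AutoUpdate
$levels = @{ 0 = 'not configured'; 1 = 'disabled'; 2 = 'notify before download';
             3 = 'notify before install'; 4 = 'scheduled installation' }
"Automatic Updates: $($levels[[int]$au.Settings.NotificationLevel])"
```

The Windows Update search covers Windows itself and, once Microsoft Update is enabled, Office; the third-party list is the part Windows Update will never patch for you, which is why the post singles those products out. Compare the printed versions against each vendor’s download page, from the vendor’s own site rather than from a search result.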

References

http://www.howtogeek.com/howto/8693/how-to-remove-antivirus-live-and-other-roguefake-antivirus-malware/

http://en.wikipedia.org/wiki/Rogue_security_software
