Rogue security software is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and aims to convince them to pay for a fake malware removal tool that actually installs malware on their computer. It is a form of scareware that manipulates users through fear, and a form of ransomware. Rogue security software has been a serious security threat in desktop computing since 2008. An early example that gained infamy was SpySheriff and its clones.


Propagation

Rogue security software mainly relies on social engineering (fraud) to defeat the security built into modern operating system and browser software and install itself onto victims' computers. A website may, for example, display a fictitious warning dialog stating that someone's machine is infected with a computer virus, and encourage them through manipulation to install or purchase scareware in the belief that they are purchasing genuine antivirus software. Most have a Trojan horse component, which users are misled into installing. The Trojan may be disguised as:

* A browser plug-in or extension (typically a toolbar)
* An image, screensaver or archive file attached to an e-mail message
* A multimedia codec required to play a certain video clip
* Software shared on peer-to-peer networks
* A free online malware-scanning service

Some rogue security software, however, propagates onto users' computers as a drive-by download, which exploits security vulnerabilities in web browsers, PDF viewers, or email clients to install itself without any manual interaction. More recently, malware distributors have been using SEO poisoning techniques, pushing infected URLs to the top of search engine results about recent news events. People looking for articles on such events on a search engine may encounter results that, upon being clicked, redirect through a series of sites before arriving at a landing page that says their machine is infected and pushes a download of a "trial" of the rogue program. A 2010 study by Google found 11,000 domains hosting fake anti-virus software, accounting for 50% of all malware delivered via internet advertising. Cold-calling has also become a vector for distribution of this type of malware, with callers often claiming to be from "Microsoft Support" or another legitimate organization.


Common infection vectors


Black Hat SEO

Black Hat search engine optimization (SEO) is a technique used to trick search engines into displaying malicious URLs in search results. The malicious webpages are filled with popular keywords in order to achieve a higher ranking in the search results. When the end user searches the web, one of these infected webpages is returned. Usually the most popular keywords from services such as Google Trends are used to generate webpages via PHP scripts placed on the compromised website. These PHP scripts then monitor for search engine crawlers and feed them specially crafted webpages, which are then listed in the search results. When the user searches for their keyword or images and clicks on the malicious link, they are redirected to the rogue security software payload.
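The crawler-detecting scripts described above are a form of cloaking, which a defender can expose by requesting the same URL as a crawler and as a browser and comparing what comes back. The following checker is an added example, not code from the original article; the User-Agent strings, thresholds and the two sample documents are constructed for illustration.

```python
"""Check a page for search-engine cloaking of the kind described above.
Added example (not from the article). Crawler and browser User-Agent strings
and the two sample documents are constructed for illustration.
"""
import re
import urllib.request
from collections import Counter

CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0"

def fetch_as(url: str, user_agent: str, timeout: float = 10.0) -> str:
    """Fetch url while presenting the given User-Agent; returns the body text."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

def visible_words(html: str) -> list:
    """Crude text extraction: drop script/style blocks and tags, keep words."""
    html = re.sub(r"(?is)<(script|style)[^>]*>.*?</\1>", " ", html)
    return re.findall(r"[a-z0-9']+", re.sub(r"(?s)<[^>]+>", " ", html).lower())

def similarity(a: list, b: list) -> float:
    """Jaccard similarity of the two documents' vocabularies (0.0 to 1.0)."""
    sa, sb = set(a), set(b)
    return 1.0 if not (sa or sb) else len(sa & sb) / len(sa | sb)

def keyword_stuffing_ratio(words: list, top_n: int = 3, min_words: int = 20) -> float:
    """Share of all words taken by the top_n most frequent ones; 0 for tiny pages."""
    if len(words) < min_words:
        return 0.0
    return sum(c for _, c in Counter(words).most_common(top_n)) / len(words)

def assess(crawler_html: str, browser_html: str,
           min_similarity: float = 0.5, max_stuffing: float = 0.4) -> tuple:
    """Return (is_suspicious, similarity, stuffing_ratio) for one URL's two views."""
    cw, bw = visible_words(crawler_html), visible_words(browser_html)
    sim, stuff = similarity(cw, bw), keyword_stuffing_ratio(cw)
    return (sim < min_similarity or stuff > max_stuffing), sim, stuff

# Constructed samples: crawlers get a keyword-stuffed page, browsers get the
# redirect stub that starts the chain of hops toward the landing page.
CRAWLER_COPY = "<html><body>" + " ".join(["breaking news"] * 20) + " celebrity video scandal today</body></html>"
BROWSER_COPY = ('<html><head><meta http-equiv="refresh" content="0;url=http://hop1.example/">'
                '</head><body>Loading...</body></html>')

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # live check: python <this file> https://site.example/page
        url = sys.argv[1]
        result = assess(fetch_as(url, CRAWLER_UA), fetch_as(url, BROWSER_UA))
    else:
        result = assess(CRAWLER_COPY, BROWSER_COPY)
    print("suspicious=%s similarity=%.2f stuffing=%.2f" % result)
```

A low vocabulary overlap between the two views, or a crawler copy dominated by a handful of repeated keywords, is the signature of the cloaked, keyword-stuffed pages this section describes.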


Malvertising

Most websites employ third-party services for advertising on their webpages. If one of these advertising services is compromised, it may end up inadvertently infecting all of the websites using the service by advertising rogue security software.


Spam campaigns

Spam messages that include malicious attachments, links to binaries and drive-by download sites are another common mechanism for distributing rogue security software. Spam emails are often sent with content associated with typical day-to-day activities, such as parcel deliveries or taxation documents, designed to entice users to click on links or run attachments. When users succumb to these kinds of social engineering tricks they are quickly infected, either directly via the attachment or indirectly via a malicious website. The latter is known as a drive-by download. Usually in drive-by download attacks the malware is installed on the victim's machine without any interaction or awareness, simply by visiting the website.


Operation

Once installed, the rogue security software may then attempt to entice the user into purchasing a service or additional software by:

* Alerting the user with the fake or simulated detection of malware or pornography.
* Displaying an animation simulating a system crash and reboot.
* Selectively disabling parts of the system to prevent the user from uninstalling the malware. Some may also prevent anti-malware programs from running, disable automatic system software updates and block access to websites of anti-malware vendors.
* Installing actual malware onto the computer, then alerting the user after "detecting" it. This method is less common, as the malware is likely to be detected by legitimate anti-malware programs.
* Altering system registries and security settings, then "alerting" the user.

Developers of rogue security software may also entice people into purchasing their product by claiming to give a portion of their sales to a charitable cause. The rogue Green antivirus, for example, claims to donate $2 to an environmental care program for each sale made.

Some rogue security software overlaps in function with scareware by also:

* Presenting offers to fix urgent performance problems or perform essential housekeeping on the computer.
* Scaring the user by presenting authentic-looking pop-up warnings and security alerts, which may mimic actual system notices. These are intended to exploit the trust that the user has in vendors of legitimate security software.

Sanction by the FTC and the increasing effectiveness of anti-malware tools since 2006 have made it difficult for spyware and adware distribution networks—already complex to begin with—to operate profitably. Malware vendors have turned instead to the simpler, more profitable business model of rogue security software, which is targeted directly at users of desktop computers. Rogue security software is often distributed through highly lucrative affiliate networks, in which affiliates supplied with Trojan kits for the software are paid a fee for every successful installation, and a commission from any resulting purchases. The affiliates then become responsible for setting up infection vectors and distribution infrastructure for the software. An investigation by security researchers into the Antivirus XP 2008 rogue security software found just such an affiliate network, in which members were grossing commissions upwards of US$150,000 over 10 days, from tens of thousands of successful installations.
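One of the behaviours listed above, blocking access to anti-malware vendor websites, is commonly implemented by rewriting the system hosts file, and an incident responder can check for exactly that. The script below is an added example, not code from the original article; it assumes the hosts-file mechanism, and its vendor domain list and sample hosts file are constructed for illustration.

```python
"""Flag hosts-file entries that silence anti-malware vendor sites.
Added example (not from the article). Assumes the rogue program blocks vendor
sites by rewriting the system hosts file, a common way to do so.
"""
import ipaddress
import platform
from pathlib import Path

# Constructed, illustrative list of security-vendor domains (not exhaustive).
VENDOR_DOMAINS = ("kaspersky.com", "symantec.com", "mcafee.com", "avast.com",
                  "malwarebytes.com", "microsoft.com", "windowsupdate.com")
# Addresses that make a name unreachable rather than redirecting it.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

def default_hosts_path() -> Path:
    if platform.system() == "Windows":
        return Path(r"C:\Windows\System32\drivers\etc\hosts")
    return Path("/etc/hosts")

def parse_hosts(text: str):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a hosts entry
        for host in fields[1:]:
            yield str(ip), host.lower()

def is_vendor_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)

def find_hijacked_entries(text: str) -> list:
    """Return (ip, host, reason) for every vendor domain overridden in text.
    Sinkholed names are simply unreachable; any other mapping sends the
    user to a host the attacker chose."""
    findings = []
    for ip, host in parse_hosts(text):
        if is_vendor_host(host):
            reason = "sinkholed" if ip in SINKHOLE_ADDRESSES else "redirected"
            findings.append((ip, host, reason))
    return findings

# Constructed sample mixing benign entries with rogue-AV style overrides.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
192.168.1.10    printer.lan
127.0.0.1       www.kaspersky.com    # vendor site sinkholed
0.0.0.0         update.microsoft.com
203.0.113.7     www.malwarebytes.com # redirected (TEST-NET address)
"""

if __name__ == "__main__":
    path = default_hosts_path()
    text = path.read_text(errors="replace") if path.exists() else SAMPLE_HOSTS
    for ip, host, reason in find_hijacked_entries(text):
        print(f"{reason:10s} {host} -> {ip}")
```

Any hit for a vendor domain is worth investigating, since a legitimate hosts file has no reason to override those names; a redirect to a routable address also gives a defender a network indicator to block.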


Countermeasures


Private efforts

Law enforcement and legislation in all countries are slow to react to the appearance of rogue security software. In contrast, several private initiatives providing discussion forums and lists of dangerous products were founded soon after the appearance of the first rogue security software. Some reputable vendors, such as Kaspersky, also began to provide lists of rogue security software. In 2005, the Anti-Spyware Coalition was founded, a coalition of anti-spyware software companies, academics, and consumer groups. Many of the private initiatives were initially informal discussions on general Internet forums, but some were started or even entirely carried out by individual people. Perhaps the most famous and extensive one is the Spyware Warrior list of rogue/suspect antispyware products and websites by Eric Howes, which has, however, not been updated since May 2007. The website recommends checking the following websites for new rogue anti-spyware programs, most of which are not really new and are "simply re-branded clones and knockoffs of the same rogue applications that have been around for years."


Government efforts

In December 2008, the US District Court for Maryland—at the request of the FTC—issued a restraining order against Innovative Marketing Inc, a Kyiv-based firm producing and marketing the rogue security software products WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus. The company and its US-based web host, ByteHosting Internet Hosting Services LLC, had their assets frozen and were barred from using domain names associated with those products and from any further advertisement or false representation. Law enforcement has also exerted pressure on banks to shut down merchant gateways involved in processing rogue security software purchases. In some cases, the high volume of credit card chargebacks generated by such purchases has also prompted processors to take action against rogue security software vendors.


See also

* Anti-virus
* List of rogue security software
* Scareware
* Technical support scam
* Winwebsec

