Rogue security software

Rogue security software is a form of malicious software and internet fraud that misleads users into believing their computer is infected and then persuades them to pay for a fake malware removal tool, which itself installs malware.[1] It is a form of scareware, manipulating users through fear, and has also been described as a form of ransomware.[2] Rogue security software has been a serious security threat in desktop computing since 2008.[3] An early example that gained infamy was SpySheriff and its clones,[a] such as Nava Shield.

With the growth of a cyber-criminal black market in which thousands of organizations and individuals trade exploits, malware, virtual assets, and credentials, rogue security software has become one of the most lucrative criminal operations.

Propagation

Rogue security software relies mainly on social engineering (fraud) rather than technical exploitation to defeat the protections built into modern operating systems and browsers and get itself installed on victims' computers.[3] A website may, for example, display a fictitious warning dialog stating that the visitor's machine is infected with a computer virus, and manipulate them into installing or purchasing scareware in the belief that they are buying genuine antivirus software.

Most have a Trojan horse component, which users are misled into installing because it is disguised as a legitimate or desirable download.

Some rogue security software, however, propagates as drive-by downloads that exploit security vulnerabilities in web browsers, PDF viewers, or email clients to install without any user interaction.[4][6]

More recently, malware distributors have been using SEO poisoning techniques to push malicious URLs to the top of search engine results for recent news events. People searching for articles on such events may encounter results that, when clicked, redirect them through a series of sites[7] before arriving at a landing page that claims their machine is infected and pushes a download of a "trial" of the rogue program.[8][9] A 2010 study by Google found 11,000 domains hosting fake anti-virus software, accounting for 50% of all malware delivered via internet advertising.[10]

Cold-calling has also become a vector for distribution of this type of malware, with callers often claiming to be from "Microsoft Support" or another legitimate organization.[11]

Common infection vectors

Black Hat SEO

Black Hat search engine optimization (SEO) is a technique used to trick search engines into displaying malicious URLs in search results. The malicious webpages are filled with popular keywords in order to achieve a higher ranking in the search results, so that when an end user searches the web, one of these pages is returned. Usually the most popular keywords from services such as Google Trends are used to generate pages via PHP scripts placed on a compromised website. These scripts watch for search engine crawlers and feed them specially crafted pages, which are then indexed and listed in the search results. When a user searches for one of those keywords or images and clicks the malicious link, the same script recognises the search-engine referral and redirects the visitor to the rogue security software payload; direct visitors, such as analysts, typically see harmless content.[12][13]
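The three-way branch described above (keyword-stuffed page for crawlers, redirect chain for visitors arriving from a search engine, harmless filler for everyone else) is also what gives cloaking away: the same URL fetched under different personas returns different things. The following added example, which is not code from the article or from any real campaign, models that server logic with a local stub and then probes it the way an analyst would. The user-agent strings, referrer patterns, URLs and keyword list are constructed sample data, and the 0.5 similarity threshold is an assumption chosen for illustration.

```python
"""Crawler cloaking as used by black-hat SEO landing pages, and a probe that
detects it. Added example, not code from the article or from any real
campaign: the server below only mimics the three-way branch described in
the text (crawler / search visitor / direct visitor), and the URLs,
user-agent strings and keyword list are constructed sample data."""
import re
from dataclasses import dataclass
from difflib import SequenceMatcher

# Crawler user-agent fragments and search-engine referrers the cloaker keys on.
CRAWLER_UA = re.compile(r"googlebot|bingbot|yahoo! slurp|duckduckbot", re.I)
SEARCH_REFERER = re.compile(r"^https?://(www\.)?(google|bing|yahoo)\.[a-z.]+/", re.I)
REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class Request:
    user_agent: str
    referer: str = ""


@dataclass
class Response:
    status: int
    body: str = ""
    location: str = ""


def cloaked_server(req: Request) -> Response:
    """Model of the PHP cloaking script described in the text (constructed)."""
    keywords = ["samoa earthquake", "tsunami video", "news"]  # sample trending terms
    if CRAWLER_UA.search(req.user_agent):
        # Crawler: keyword-stuffed page so the URL ranks for the trending terms.
        stuffed = " ".join(keywords * 20)
        return Response(200, f"<html><title>{keywords[0]}</title><body>{stuffed}</body></html>")
    if SEARCH_REFERER.match(req.referer):
        # Visitor clicked a search result: first hop of the redirect chain.
        return Response(302, location="http://redirector.example/step1")
    # Direct visitor (analyst, abuse desk, vendor): harmless filler page.
    return Response(200, "<html><body>Welcome to our parked page.</body></html>")


def honest_server(req: Request) -> Response:
    """Control case: a site that serves everyone the same content."""
    return Response(200, "<html><body>Samoa earthquake: latest reports.</body></html>")


def probe_for_cloaking(fetch, url: str) -> dict:
    """Fetch the URL as three personas and compare what comes back.

    `fetch(url, request)` must return a Response; in this example it is a
    local stub rather than a real HTTP client so everything runs offline.
    """
    browser_ua = "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/3.6"
    personas = {
        "crawler": Request("Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"),
        "searcher": Request(browser_ua, referer="https://www.google.com/search?q=samoa+earthquake"),
        "direct": Request(browser_ua),
    }
    res = {name: fetch(url, req) for name, req in personas.items()}
    # Content shown to the crawler vs. to a direct visitor: cloaked sites differ sharply.
    similarity = SequenceMatcher(None, res["crawler"].body, res["direct"].body).ratio()
    searcher_redirected = res["searcher"].status in REDIRECT_CODES
    return {
        "crawler_direct_similarity": round(similarity, 2),
        "searcher_redirected_to": res["searcher"].location if searcher_redirected else "",
        # Flag if crawlers see different content, or only search referrals get bounced.
        "cloaked": similarity < 0.5
        or (searcher_redirected and res["crawler"].status not in REDIRECT_CODES),
    }


def demo() -> dict:
    """Run the probe against both stub servers (the cloaked one and the control)."""
    return {
        "rogue": probe_for_cloaking(lambda url, req: cloaked_server(req), "http://seo-trap.example/"),
        "honest": probe_for_cloaking(lambda url, req: honest_server(req), "http://news.example/"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Against a live site, `fetch` would be a real HTTP client that sends the persona's User-Agent and Referer headers and does not follow redirects automatically, so that the first hop of the chain is captured as a 3xx rather than silently followed. Cloakers also key on source IP ranges and cookies, so a probe from a well-known security vendor's address space may itself be served the harmless page; that is one reason the text notes the technique survived on compromised sites for so long.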

Malvertising

Most websites employ third-party services to serve advertising on their pages. If one of these advertising services is compromised, it may inadvertently expose every website using it to advertisements for rogue security software.[13]

Spam campaigns

Spam messages that include malicious attachments, links to binaries, or links to drive-by download sites are another common mechanism for distributing rogue security software. Such emails are typically themed around day-to-day activities such as parcel deliveries or taxation documents, to entice users into clicking links or running attachments. Users who fall for these social engineering tricks are infected either directly, via the attachment, or indirectly, via a malicious website. The indirect route is a drive-by download: the malware is installed on the victim's machine without any interaction or awareness, simply by visiting the website.[13]

Operation

Once installed, the rogue security software may then attempt to entice the user into purchasing a service or additional software by:

  • Alerting the user with the fake or simulated detection of malware or pornography.[14]
  • Displaying an animation simulating a system crash and reboot.[3]
  • Selectively disabling parts of the system to prevent the user from uninstalling the malware. Some may also prevent anti-malware programs from running, disable automatic system software updates and block access to websites of anti-malware vendors.
  • Installing actual malware onto the computer, then alerting the user after "detecting" it. This method is less common, as the malware is likely to be detected by legitimate anti-malware programs.
  • Altering system registries and security settings, then "alerting" the user.
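One common way rogue AV families implemented the "block access to websites of anti-malware vendors" behaviour above, and sometimes the blocking of automatic updates, was to append entries to the system hosts file that pointed vendor and update hostnames at the loopback address or at an attacker-controlled server. The following added example, which is not code from the article or from any particular malware family, parses a hosts file and flags such entries. The watched-domain list and the sample hosts content are constructed assumptions for illustration, not an authoritative list.

```python
"""Hosts-file hijack detector. Rogue AV families commonly blocked security
vendor sites by adding entries to the system hosts file that pointed those
names at loopback or a bogus address; this added example (not code from the
article) parses a hosts file and flags such entries. The vendor domain list
and the sample hosts content are constructed assumptions, not a
comprehensive or authoritative list."""
import ipaddress

# Domains an analyst would not expect to see in a hosts file at all (assumed watch list).
WATCHED_DOMAINS = {
    "kaspersky.com", "symantec.com", "mcafee.com", "sophos.com", "f-secure.com",
    "malwarebytes.com", "bleepingcomputer.com", "microsoft.com", "windowsupdate.com",
}

# Constructed sample: two normal entries, one legitimate intranet override, and
# four entries of the kind a rogue installer would append.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
192.168.1.50    intranet.corp.example
# --- appended by rogue installer (constructed for this example) ---
127.0.0.1       www.kaspersky.com
127.0.0.1       securityresponse.symantec.com  securityresponse.symantec.com.
0.0.0.0         update.microsoft.com
203.0.113.7     www.malwarebytes.com
"""


def parse_hosts(text: str):
    """Yield (line_number, ip_address, hostname) for each valid mapping.

    Comments and blank lines are skipped; a line with an unparsable address
    is skipped rather than aborting the scan.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield lineno, addr, name.lower().rstrip(".")


def watched_parent(hostname: str):
    """Return the watched domain that hostname falls under, or None."""
    labels = hostname.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in WATCHED_DOMAINS:
            return candidate
    return None


def find_hijacks(text: str) -> list:
    """Flag every hosts entry for a watched domain.

    A vendor domain never needs a hosts entry, so any mapping is suspicious;
    loopback/unspecified targets are a block, anything else a redirect
    (possibly to a fake download or update site).
    """
    findings = []
    seen = set()
    for lineno, addr, name in parse_hosts(text):
        parent = watched_parent(name)
        if parent is None or (name, addr) in seen:
            continue
        seen.add((name, addr))
        verdict = "blocked" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        findings.append({"line": lineno, "host": name, "target": str(addr),
                         "domain": parent, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['target']} ({f['verdict']}, {f['domain']})")
```

To run it against a real machine, read `%SystemRoot%\System32\drivers\etc\hosts` on Windows or `/etc/hosts` on Unix-like systems and pass the contents to `find_hijacks`. A "redirected" verdict deserves more attention than a "blocked" one, since a vendor hostname pointed at a routable address can deliver a fake update or a fake "full version" download to a victim who thinks they are at the genuine site.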

Developers of rogue security software may also entice people into purchasing their product by claiming to give a portion of their sales to a charitable cause. The rogue Green AV, for example, claimed to donate $2 to an environmental care program for each sale made.

Some rogue security software overlaps in function with scareware by also:

  • Presenting offers to fix urgent performance problems or perform essential maintenance on the computer.[14]
  • Scaring the user by presenting authentic-looking pop-up warnings and security alerts, which may mimic actual system notices.[15] These are intended to use the trust that the user has in vendors of legitimate security software.[3]

Sanctions by the FTC and the increasing effectiveness of anti-malware tools since 2006 have made it difficult for spyware and adware distribution networks—already complex to begin with[16]—to operate profitably.[17] Malware vendors have turned instead to the simpler, more profitable business model of rogue security software, which is targeted directly at users of desktop computers.[18]

Rogue security software is often distributed through highly lucrative affiliate networks, in which affiliates supplied with Trojan kits for the software are paid a fee for every successful installation and a commission on any resulting purchases. The affiliates then take responsibility for setting up infection vectors and distribution infrastructure for the software.[19] An investigation by security researchers into the Antivirus XP 2008 rogue security software found just such an affiliate network, in which members were grossing commissions of upwards of US$150,000 over 10 days from tens of thousands of successful installations.[20]

Despite its use of old-fashioned and somewhat unsophisticated techniques, rogue security software has become a significant security threat, due to the size of the impacted populations, the number of different variants that have been unleashed (over 250), and the profits that have been made for cyber-criminals (over $300,000 a month).[21]

Countermeasures

Private efforts

Law enforcement and legislation have generally been slow to react to the appearance of rogue security software. In contrast, several private initiatives providing discussion forums and lists of dangerous products were founded soon after the first rogue security software appeared. Some reputable vendors, such as Kaspersky,[22] also began to publish lists of rogue security software. In 2005, the Anti-Spyware Coalition was founded, a coalition of anti-spyware software companies, academics, and consumer groups.

Many of the private initiatives began as informal discussions on general Internet forums, but some were started or even entirely carried out by individuals. Perhaps the most famous and extensive is the Spyware Warrior list of rogue/suspect antispyware products and websites by Eric Howes,[23] which has not been updated since May 2007. The site now refers readers to other resources for tracking newly reported rogue anti-spyware programs, noting that most of them are not really new but are "simply re-branded clones and knockoffs of the same rogue applications that have been around for years."[24]

Government efforts

In December 2008, the US District Court for Maryland—at the request of the FTC—issued a restraining order against Innovative Marketing Inc, a Kyiv-based firm producing and marketing the rogue security software products WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus.[25] The company and its US-based web host, ByteHosting Internet Hosting Services LLC, had their assets frozen, were barred from using domain names associated with those products and any further advertisement or false representation.[26]

Law enforcement has also exerted pressure on banks to shut down merchant gateways involved in processing rogue security software purchases. In some cases, the high volume of credit card chargebacks generated by such purchases has also prompted processors to take action against rogue security software vendors.[27]

Notes

  a. The clones of SpySheriff are BraveSentry, Pest Trap, SpyTrooper, Adware Sheriff, SpywareNo, SpyLocked, SpywareQuake, SpyDawn, AntiVirGear, SpyDemolisher, System Security, SpywareStrike, SpyShredder, Alpha Cleaner, SpyMarshal, Adware Alert, Malware Stopper, Mr. Antispy, Spycrush, SpyAxe, MalwareAlarm, VirusBurst, VirusBursters, DIARemover, AntiVirus Gold, Antivirus Golden, SpyFalcon, and TheSpyBot/SpywareBot.

References

  1. "Rogue Security Software » BUMC Information Technology | Boston University". www.bumc.bu.edu. Retrieved 2021-11-13.
  2. "Symantec Report on Rogue Security Software" (PDF). Symantec. 2009-10-28. Archived from the original (PDF) on 2012-05-15. Retrieved 2010-04-15.
  3. "Microsoft Security Intelligence Report volume 6 (July - December 2008)". Microsoft. 2009-04-08. p. 92. Retrieved 2009-05-02.
  4. Doshi, Nishant (2009-01-19). Misleading Applications – Show Me The Money!. Symantec. Retrieved 2016-03-22.
  5. Doshi, Nishant (2009-01-21). Misleading Applications – Show Me The Money! (Part 2). Symantec. Retrieved 2016-03-22.
  6. "News Adobe Reader and Acrobat Vulnerability". blogs.adobe.com. Retrieved 2010-11-25.
  7. Chu, Kian; Hong, Choon (2009-09-30). Samoa Earthquake News Leads To Rogue AV. F-Secure. Retrieved 2010-01-16.
  8. Hines, Matthew (2009-10-08). Malware Distributors Mastering News SEO. eWeek. Archived from the original on 2009-12-21. Retrieved 2010-01-16.
  9. Raywood, Dan (2010-01-15). Rogue anti-virus prevalent on links that relate to Haiti earthquake, as donors encouraged to look carefully for genuine sites. SC Magazine. Retrieved 2010-01-16.
  10. Rajab, Moheeb Abu; Ballard, Luca (2010-04-13). "The Nocebo Effect on the Web: An Analysis of Fake Anti-Virus Distribution" (PDF). Retrieved 2010-11-18.
  11. "Warning over anti-virus cold-calls to UK internet users". BBC News. 2010-11-15. Retrieved 2012-03-07.
  12. "Sophos Technical Papers - Sophos SEO Insights". sophos.com.
  13. "Sophos Fake Antivirus Journey from Trojan tpna" (PDF). Sophos.
  14. "Free Security Scan" Could Cost Time and Money. Federal Trade Commission. 2008-12-10. Retrieved 2009-05-02.
  15. "SAP at a crossroads after losing $1.3B verdict". Yahoo! News. 2010-11-24. Retrieved 2010-11-25.
  16. Testimony of Ari Schwartz on "Spyware" (PDF). Senate Committee on Commerce, Science, and Transportation. 2005-05-11.
  17. Leyden, John (2009-04-11). "Zango goes titsup: End of desktop adware market". The Register. Retrieved 2009-05-05.
  18. Cole, Dave (2006-07-03). Deceptonomics: A Glance at The Misleading Application Business Model. Symantec. Retrieved 2016-03-22.
  19. Doshi, Nishant (2009-01-27). Misleading Applications – Show Me The Money! (Part 3). Symantec. Retrieved 2016-03-22.
  20. Stewart, Joe. "Rogue Antivirus Dissected - Part 2". SecureWorks. Retrieved 2016-03-09.
  21. Cova, Marco; Leita, Corrado; Thonnard, Olivier; Keromytis, Angelos; Dacier, Marc (2009). Gone Rogue: An Analysis of Rogue Security Software Campaigns. pp. 1–3. doi:10.1109/EC2ND.2009.8. ISBN 978-1-4244-6049-6. Retrieved 2024-02-09.
  22. "Safety 101". support.kaspersky.com. Retrieved 2018-11-11.
  23. "Spyware Warrior: Rogue/Suspect Anti-Spyware Products & Web Sites". spywarewarrior.com.
  24. "Virus, Spyware, & Malware Removal Guides". BleepingComputer.
  25. Ex Parte Temporary Restraining Order RDB08CV3233 (PDF). United States District Court for the District of Maryland. 2008-12-03. Retrieved 2009-05-02.
  26. Lordan, Betsy (2008-12-10). Court Halts Bogus Computer Scans. Federal Trade Commission. Retrieved 2009-05-02.
  27. Krebs, Brian (2009-03-20). "Rogue Antivirus Distribution Network Dismantled". Washington Post. Archived from the original on 2012-07-23. Retrieved 2009-05-02.
