Rogue Security Software On The Rise: Symantec Report
Often known as "scareware," rogue security software is any type of program -- such as a fake antivirus scanner -- that falsely claims to be legitimate security software. In reality, the bogus software offers little or no protection and is often used to compel users to submit credit card information. In some cases, the bogus software is used to install malicious code, such as botnets, keystroke loggers and banking Trojans, designed to take control of victims' computers and steal information.
To appear legitimate, many of the programs come with authentic-sounding names such as "Virus Remover" or "AntiVirus Gold," accompanied by equally convincing ads designed to mimic legitimate antivirus software programs.
And the tactics work, said Vincent Weafer, vice president of Symantec Security Response. Thus far, Symantec has detected more than 250 rogue security software programs, according to the report.
"The scareware seems to work," Weafer said. "Most of these programs are designed to mimic legitimate programs. Everything appears to be the latest, greatest versions."
The report found that the rogue security applications are extremely profitable, primarily using a pay-per-install model that often nets the attackers between $.01 and $.55 for every successful installation, which can translate to hundreds of thousands or millions of dollars. The top affiliate of rogue security distributor site TrafficConverter.biz reportedly earned as much as $332,000 a month in commissions for installing and selling security risks, including rogue security software, according to the report.
Ironically, scareware authors generally capitalize on users' fears of malicious code to dupe them into downloading the rogue application. Subsequently, they rely on scare tactics and social engineering by falsely claiming that the user's system is infected with malware, and urging them to click on a link to scan their computer or install software that promises to clean their system, Weafer said.
Other techniques include poisoning search engines, hijacking someone's paid search, embedding hidden keywords, cross-linking, rendering certain pages only for search engines and hijacking banner ads, along with targeted social engineering techniques.
"[As with] malware, these guys will use multiple techniques to try to get [rogue antivirus] on your system," he said. "Many of them are designed to look like Microsoft applications. There are a number of different techniques used."
Once installed, the rogue applications almost always misrepresent the computer's security status, or display fake or exaggerated claims of security threats. They typically use coercive techniques including continuous pop-up displays, taskbar notification icons and other alerts that reinforce the premise that the user needs to purchase a full version or register for an annual subscription to the program in order to remove the threats. Some applications even install malicious software while producing reports that the victim's system is clean, Weafer said.
"Removal then requires upgrading to a full version. These guys are just downloading other crap onto your system," Weafer said. "At the very least it's a shady process, at the worst, it's malicious."
Rogue software is generally advertised on both malicious and legitimate Web sites such as blogs, forums and social networking sites in order to exploit users' trust. The rogue applications are also distributed through adult and other malicious sites operated by shady service providers.
"In most cases, there's a program that needs to be downloaded and they're trying to bring victims to those download sites. They really follow a more traditional Web advertising model," Weafer said, adding that an intentional user download "is the best-case scenario for them."
"You're downloading multiple new malware while you think you're protected," he said.