InfoSecurity India's First Magazine on Comprehensive IT Security
InfoSecurity Dec 2009
Industry Trend
Rogue Security Software:
Your Information is at Stake!

Rogue security software can lull you into a false sense of security while exposing your sensitive information and identity to risk. This article surveys the current state of rogue software and a few simple but crucial measures to prevent it.

The battle between hackers and industry security experts is an ongoing saga. But the rapid increase in computer system infections in the recent period has created major concern. Several reports have claimed a sharp rise in the number of rogue antivirus programs. The main aim of these programs is to convince users that their computers are at risk and scare them into buying an “antivirus” product. Symantec’s recently announced ‘Report on Rogue Security Software’ reveals that cyber criminals are employing increasingly persuasive online scare tactics to convince users to purchase rogue security software. Rogue security software, or “scareware,” is software that pretends to be legitimate security software. These rogue applications provide little or no value and may even install malicious code or reduce the overall security of the computer.

According to the Microsoft Security Intelligence Report (SIRv7), rogue security software remained the single largest threat category for the first half of 2009. While there has been progress in combating rogues, this threat remained a major pain point for computer users during the same period. The report also indicates that worm infections in the enterprise rose by nearly 100 percent during the first half of 2009 over the preceding six months. Rogue security software remains a major threat to customers; however, 20 percent fewer customers were affected by rogue infections during the past six months.

Understanding the Impact

Several studies show a steady rise in the number of rogue antivirus programs from 2007 to August 2009. The number of new signatures rose sharply in May 2009. To encourage unsuspecting users to install their rogue software, cyber criminals place website ads that prey on users’ fears of security threats. These ads typically include false claims such as “If this ad is flashing, your computer may be at risk or infected,” urging the user to follow a link to scan their computer or get software to remove the threat. According to the study, 93 percent of the software installations for the top 50 rogue security software scams were intentionally downloaded by the user. As of June 2009, Symantec had detected more than 250 distinct rogue security software programs.

Rogue antivirus programs are spread using the same methods that are used to spread most other malware, e.g. a drive-by download when the user visits an infected site, via a Trojan downloader, or when the user clicks on an Internet advert or opens an email attachment. However, more often than not, rogue antivirus programs are downloaded by the users themselves via dedicated hoax programs. Hoax programs warn a user of a nonexistent threat (for example, a possible virus infection) and prompt the user to download a program to scan and clean the system. In many cases the rogue antivirus solution will be installed on the system even if the user declines the offer.

When a rogue antivirus program gets onto a system, it first supposedly scans the computer (this often takes far less time than the first scan of the system by a genuine antivirus program) and informs the user that malicious programs have been detected and that system resources have been modified. The rogue solution will then offer to remedy the errors and repair the system, but this service is not free. The more legitimate the software appears, the greater the chance that the user will pay the cyber criminals for this service.

The initial monetary loss to consumers who download these rogue products ranges from $30 to $100. However, the costs associated with regaining one’s identity could be far greater. Not only can these rogue security programs cheat the user out of money, but the personal details and credit card information provided during the purchase can be used in additional fraud or sold on black market forums, resulting in identity theft.

To make matters worse, some rogue security software actually installs malicious code that puts users at risk of attack from additional threats. As a result, installing these programs can lower the security posture of a computer while claiming to strengthen it. For example, rogue programs may instruct the user to lower or disable any existing security settings while registering the bogus software or prevent the user from accessing legitimate security Web sites after installation. This, in turn, leaves users exposed to the very threats the rogue software promised to protect against.

A major risk associated with rogue security programs is that users are provided a "false sense of security". Such applications also potentially expose PCs to additional threats as they may instruct the user to adopt more lenient security settings, or block compromised machines from accessing legitimate Web sites of security companies. In addition, users' personal data including credit card details submitted during the registration process could be used without their knowledge or sold in the underground economy.

Can We Prevent It?

The perpetrators of these rogue security software scams are well-equipped to prey on Internet users. Many of these scams are very lucrative and appear to be run by highly organized groups or individuals who maintain an effective distribution network bolstered by multi-level marketing efforts. Perpetrators of rogue security software scams use a wide variety of techniques to trick users into downloading and paying for these programs. Many of the methods rely on fear tactics and other social engineering techniques distributed through spam, Web pop-up and banner advertisements, and postings on forums.

To protect against rogue security software, security experts recommend that both enterprises and users employ the latest protection against security risks. Users and enterprises are also advised to follow best practices for protection and mitigation. Specifically, users should invest in and install only proven, trusted security software from reputable security vendors whose products are sold in established retail and online stores. Best practices for protection and mitigation as outlined in the report include:

  • Avoid following links from emails, as these may be links to spoofed or malicious websites. Instead, manually type in the URL of a known, reputable website.

  • Never view, open, or execute email attachments unless the attachment is expected and comes from a known and trusted source. Be suspicious of any emails that are not directly addressed to your email address.

  • Be cautious of pop-up windows and banner advertisements that mimic legitimate displays. Suspicious error messages displayed inside the Web browser are a common method rogue security software scams use to lure users into downloading and installing their fake product.

Given the increasing danger posed by many of the security threats on the Internet today, the sophistication of many of these scams and the challenges of mitigation, experts from Symantec believe that a hybrid approach to protecting against rogue security software scams is necessary. While actions such as whitelisting and blacklisting can improve protection, they are just one measure against the numerous URLs that have been detected hosting rogue security applications.

Adhering to a few simple rules can help protect systems from rogue antivirus programs: check whether the vendor has an official site and technical support, ignore programs which first scan a computer and then demand money for activation, ignore messages about infection that appear randomly while surfing the Internet and, finally, install a reliable IT security solution from a legitimate antivirus vendor.

Conclusion

Since rogue antivirus programs are very easy to create and their distribution system is very effective, unethical hackers can make large profits in a short period of time. Criminals are motivated by these rewards and are always seeking opportunities to create a mess. Nevertheless, following and practising these basic rules can protect a user from being trapped.

—By: Tanu Srivastava, ‘InfoSecurity’ Bureau.
