protect yourself from fake antivirus

Propagation

Rogue security software mainly relies on social engineering in order to defeat the security built into modern operating system and browser software and install itself onto victims' computers.^[1]

Most have a Trojan horse component, which users are misled into installing. The Trojan may be disguised as:

• A browser plug-in or extension (typically toolbar)
• An image, screensaver or archive file attached to an e-mail message
• Multimedia codec required to play a certain video clip
• Software shared on peer-to-peer networks^[2]
• A free online malware scanning service^[3]

Some rogue security software, however, propagate onto users computers as drive-by downloads which exploit security vulnerabilities in web browsers or e-mail clients to install themselves without any manual interaction.^[2]

Operation

Once installed, the rogue security software may then attempt to entice the user into purchasing a service or additional software by:

• Alerting the user with the fake or simulated detection of malware or pornography.^[4]
• Displaying an animation simulating a fake system crash and reboot.^[1]
• Selectively disabling parts of the system to prevent the user from uninstalling them. Some may also prevent anti-malware programs from running, disable automatic system software updates and block access to websites of anti-malware vendors.
• Installing actual malware onto the computer, then alerting the user after "detecting" them. This method is less common as the malware is likely to be detected by legitimate anti-malware programs.

Some rogue security software overlaps in function with scareware by also:

• Presenting offers to fix urgent performance problems or perform essential housekeeping on the computer.^[4]
• Scaring the user by presenting authentic-looking pop-up warnings and security alerts, which may mimic actual system notices.^[5] These are intended to leverage the trust of the user in vendors of legitimate security software.^[1]

Sanction by the FTC and the increasing effectiveness of anti-malware tools since 2006 have made it difficult for spyware and adware distribution networks—already complex to begin with^[6]—to operate profitably.^[7] Malware vendors have turned instead to the simpler, more profitable business model of rogue security software, which is targeted directly at users of desktop computers.^[8]

Rogue security software is often distributed through highly-lucrative affiliate networks, in which affiliates supplied with Trojan kits for the software are paid a fee for every successful installation, and a commission from any resulting purchases. The affiliates then become responsible for setting up infection vectors and distribution infrastructure for the software.^[9] An investigation by security researchers into the Antivirus XP 2008 rogue security software found just such an affiliate network, in which members were grossing commissions upwards of $USD150,000 from tens of thousands of successful installations per month.^[10]

Law enforcement

In December 2006, the Washington Attorney General announced that it had reached settlement in a suit against Secure Computer LLC, the White Plains-based vendor of the Spyware Cleaner rogue security software, under the Computer Spyware Act passed by the Washington State Legislature in 2005. Secure Computer, under consent decree, agreed to pay more than $USD75,000 in restitution to consumers.^[11]

In December 2008, the US District Court for Maryland—at the request of the FTC—issued a restraining order against Innovative Marketing Inc, a Kiev-based firm producing and marketing the rogue security software products WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus.^[12] The company and its US-based web host, ByteHosting Internet Hosting Services LLC, had their assets frozen, were barred from using domain names associated with those products and any further advertisement or false representation.^[13]

Law enforcement has also exerted pressure on banks to shut down merchant gateways involved in processing rogue security software purchases. In some cases, the high volume of credit card chargebacks generated by such purchases has also prompted processors to take action against rogue security software vendors.^[14]

Partial list of rogue security software

The following is a partial list of rogue security software, most of which can be grouped into families. These are functionally-identical versions of the same program repackaged as successive new products by the same vendor.^[10][15]

Advanced Cleaner[16] AlfaCleaner[17] AntiSpyCheck 2.1[18] AntiSpyStorm[19] AntiSpyware 2009[20] AntiSpywareExpert[21] AntiSpywareMaster[22] AntiSpywareSuite[23] AntiSpyware Shield[24] Antivermins[25] Antivirgear[26] Antivirus 2008[27] Antivirus 2009[28] Antivirus 2010 (also known as Anti-virus-1)[29],[30] Antivirus 360[31] Antivirus Pro 2009[32] AntiVirus Gold [33] Antivirus Master[34] Antivirus System PRO Antivirus XP 2008 [35] Avatod Antispyware 8.0 [36] Awola[37] Brave Sentry[38] BestsellerAntivirus[39] Cleanator[40] ContraVirus[41] Doctor Antivirus[42] Doctor Antivirus 2008[43] DriveCleaner [44] EasySpywareCleaner[45] Errorsafe[46] Green Antivirus 2009[47] IE Antivirus (aka IE Antivirus 3.2)[48] IEDefender[49] InfeStop[50] Internet Antivirus (aka Internet Antivirus Pro, distributed by plus4scan.com)[51] KVMSecure[52] MacSweeper[53] MalwareCrush[54] MalwareCore[55] MalwareAlarm[56]

Malware Bell (a.k.a. Malware Bell 3.2)[57] Malware Defender (not to be confused with the HIPS firewall of the same name)[58] MS Antivirus[59] MS AntiSpyware 2009[60] MaxAntiSpy[61] Netcom3 Cleaner[62] PCSecureSystem [63] PC Antispy[64] PC AntiSpyWare 2010[65] PC Clean Pro [66] PC Privacy Cleaner[67] PestTrap [68] PerfectCleaner[69] Perfect Defender 2009[70] PersonalAntiSpy Free[71] Personal Antivirus PAL Spyware Remover[72] PCPrivacy Tools[73] PC Antispyware[74] PSGuard[75] Rapid AntiVirus[76] Real AntiVirus[77] Registry Great[78] Safety Alerter 2006[79] SaliarAR[80] SecurePCCleaner[81] Security Toolbar 7.1[82] Smart Antivirus 2009[83] SpyAxe [84] Spy Away[85] SpyCrush[86] Spydawn[87] SpyGuarder[88] SpyHeal (a.k.a SpyHeals & VirusHeal)[89] SpyMarshal[90] Spylocked [91] SpySheriff[92] SpySpotter[93] SpywareBot (Spybot - Search & Destroy knockoff)[94] Spyware Cleaner[95]

SpywareGuard 2008[96] Spyware Protect 2009[97] Spyware Quake [98] SpywareSheriff (often confused with SpySheriff)[99] Spyware Stormer[100] Spyware Striker Pro [101] Spyware Protect 2009[102] SpywareStrike[103] SpyRid[104] SpyWiper[105] System Antivirus 2008[106] System Live Protect [107] SystemDoctor[108] System Security[109] Total Secure 2009[110] TrustedAntivirus[111] TheSpyBot (Spybot - Search & Destroy knockoff)[112] UltimateCleaner[113] VirusHeat[114] VirusIsolator[115] Virus Locker[116] VirusProtectPro[117] VirusRemover2008[118] VirusRemover2009[119] VirusMelt[120] VirusRanger[121] Virus Response Lab 2009[122] VirusTrigger[123] Vista Antivirus 2008[124] WinAntiVirus Pro 2006[125] WinDefender (not to be confused with the legitimate Windows Defender)[126] Windows Police Pro Windows Protection Suite[127] WinFixer[128] WinHound[129] WinSpywareProtect[130] WinWeb Security 2008 [131] WorldAntiSpy[132] XP Antivirus[133] XP AntiSpyware 2009[134] XP-Shield[135] Zinaps AntiSpyware 2008[136] Winpc Defender [137] Spyware Protect 2009 [138] Winpc Antivirus [139] Personal Antivirus [140] Security scan 2009 [141]