Fraudware: Rogue Antivirus / Anti Spyware Products Part 1

Welcome to Part 1 of our three-part series on Rogue Antivirus & Antispyware Fraudware. In order to keep the size of the article to a readable minimum, we have placed thumbnail images within the article. If you would like to view the full size image, simply click the thumbnail and it will load without taking you away from the article.

Fake Windows Security Center Warning
Fake Scan Running in Fake Security Center

One of the newest, and fastest spreading, trends in spyware, fraudware, and viruses is the rogue antivirus / antispyware program. These rogue programs are not legitimate antivirus / antispyware programs; they attempt to scare the user into purchasing their product, using fake alerts, scans, and pop ups to make you believe your computer is infected by numerous viruses. They use deceptive advertising and the installation of malware and trojans to sell their product.


System Tray Balloon Pop Up Warning

Unlike many previous viruses that were spread for fame or ‘fun’, these rogue programs generate millions (if not billions) of dollars for their creators, who therefore have the resources to develop and constantly update these programs in ways we rarely experienced with previous viruses:


1. They devote considerable resources into making their product’s graphics look nearly identical to legitimate programs such as Windows Security Center or other reputable antivirus / antispyware programs, as shown below:

Real Windows Security Center

Fake Windows Security Center
Notice the “Click here to get your Antivirus 2009 license” message that I have pointed out with an arrow in the Fake Security Center... that is a common theme with rogue antivirus / antispyware programs: opportunity after opportunity to register their product. Clicking this link or clicking the “Recommendations…” button will take you to their distribution page, which will further infect your PC while also displaying numerous deceptive advertisements and taking you to a shopping cart where you can purchase their product and download the full version.

2. They make their product very difficult to remove and often include rootkits and backdoor trojans that reinstall the product as soon as you reboot your PC or connect to the internet.

3. They constantly update their distribution method for spreading their software. One of the newest ways that we have encountered with our clients is through custom emails. The rogue program initially sends out benign tracking cookies to monitor your internet history. As these tracking cookies do not make harmful changes to the system, they often go unnoticed by your resident antivirus and antispyware programs. These tracking cookies quietly upload your browsing history to the parent sites, which generate custom emails based on where you have been lately. One client had been tracking a package from UPS and received an email stating “There is a problem with your shipment, click here for more information”; as soon as he clicked the link, he was immediately infected by Win Antivirus Pro 2007. The email was an exact clone of other emails he had received from UPS, but came from a slightly different domain.

4. They purchase thousands upon thousands of look-alike domains to help propagate their scam and to further deceive PC users. They often set up these sites with information regarding their own or competitors’ viruses and spend money to get high search engine rankings under specific terms, so that when people are researching their infection they click on a ‘contagious’ site and infect themselves further. They also use these domains to imitate legitimate sources; for example, someone might register ‘ups-package-tracking(dot)com’ in an attempt to deceive people into thinking an email came from ‘ups(dot)com’. Note: currently ‘ups-package-tracking(dot)com’ is an unregistered domain; however, for this example we have written ‘(dot)’ in place of the period in ‘.com’ in case that domain is ever registered by a purveyor of rogue software, so that this article does not link to their site. The thing to remember is that you need to look very closely at where an email is coming from or where a link is taking you; and always check the suffix. irs(dot)gov is the legitimate Internal Revenue Service site; however, “system(dot)irs(dot)net” is NOT the Internal Revenue Service, and in fact one of our clients received an email from that very source that said the following:

“After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $863.80.

Please submit the tax refund request and allow us 6-9 days in order to process it.

A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline.

To access the form for your tax refund, please click here.

Regards,
Internal Revenue Service”

They clicked the word ‘here’, which was a hyperlink to a website with the .nl suffix (a Netherlands domain) that installed Win Antispyware 2008 onto their system. Note: We have withheld the actual address of the hyperlink from this article for our readers’ safety.

To be fair, the email contained images that were linked directly from the actual Internal Revenue Site (without their permission of course) that made it look extremely official.
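The check the article recommends, looking past a familiar brand name to the part of the host that was actually registered, can be automated. The script below is an added example and is not Home PC Patrol's code. It reduces a link or sender address to its registrable domain and compares that against a small, constructed allowlist (`TRUSTED`); the handful of two-label public suffixes it knows about is a hand-picked simplification, not the full Public Suffix List, and the sample links are constructed from the article's own illustrations (`system.irs.net`, `ups-package-tracking.com`).

```python
"""Classify a link or sender address as trusted, look-alike, or unknown.

Added example, not part of the original article. TRUSTED and the sample
inputs are constructed for illustration; TWO_LABEL_SUFFIXES is a small
hand-picked subset of real public suffixes, not the full list.
"""
from urllib.parse import urlsplit

# A few two-label public suffixes so "example.co.uk" is not reduced to "co.uk".
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.nz", "co.jp"}

# Constructed allowlist: organisations the user actually expects mail from.
TRUSTED = {"irs.gov", "ups.com"}


def extract_host(value: str) -> str:
    """Return the lowercase host name from a URL, bare host, or e-mail address."""
    value = value.strip().lower()
    if "@" in value and "://" not in value:          # sender address
        return value.rsplit("@", 1)[1]
    if "://" not in value:                            # bare host such as "irs.gov"
        value = "http://" + value
    host = urlsplit(value).hostname or ""
    return host.rstrip(".")


def registrable_domain(host: str) -> str:
    """Reduce a host to the labels that were actually registered.

    'system.irs.net' -> 'irs.net'; 'mail.example.co.uk' -> 'example.co.uk'.
    This is the 'suffix' the article tells readers to look at.
    """
    labels = host.split(".")
    if len(labels) < 2:
        return host
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(value: str, trusted=TRUSTED) -> str:
    """Return 'trusted', 'lookalike', or 'unknown' for a link or address.

    'lookalike' means a trusted brand appears as a label in the host while
    the registrable domain is something else, e.g. system.irs.net or
    ups-package-tracking.com. Hyphens are treated as label separators so
    brand names glued onto other words are still caught.
    """
    host = extract_host(value)
    if registrable_domain(host) in trusted:
        return "trusted"
    labels = set(host.replace("-", ".").split("."))
    for trusted_domain in trusted:
        brand = trusted_domain.split(".")[0]         # 'irs', 'ups'
        if brand in labels:
            return "lookalike"
    return "unknown"


def triage(values):
    """Classify a batch of links/addresses; returns {input: verdict}."""
    return {v: classify(v) for v in values}


if __name__ == "__main__":
    # Constructed samples modelled on the article's examples.
    samples = [
        "https://www.irs.gov/refunds",
        "http://system.irs.net/refund-form",
        "ups-package-tracking.com",
        "noreply@ups.com",
        "http://example.nl/download",
    ]
    for link, verdict in triage(samples).items():
        print(f"{verdict:9s} {link}")
```

Only a verdict of `trusted` means the registered domain matches; `lookalike` is the case the article warns about, where the brand is present but the registration is not the brand's own, and `unknown` simply means the host is outside the allowlist and needs a human look.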

Fake Infection Pop Up

There are many versions of these rogue antivirus / antispyware programs, and we will list a number of them for you here: WinAntivirus, WinAntivirus Pro, WinAntiSpy, WinAntiSpyware, WinFixer, Antivirus 360, Total Security, Antivirus Agent Pro, Malware Defender, WinPC Defender, Anti-Virus Number 1, Anti-Virus-1, Antivirus 2010, Personal Antivirus, General Antivirus, and Internet Antivirus Pro. This is by no means a full listing, and all of the above come in ‘yearly’ versions dating back to 2005 (i.e. 2005, 2006, 2007, 2008, 2009, 2010). While there are many variations, they all display similar properties. Most of these programs state they are legitimate applications but are actually clones of legitimate products. They typically use highly aggressive and unscrupulous tactics that include Trojans, adware, and fake security alerts and scans. Many claim to have won awards from major publications or review sites. Whatever method they choose to use, the goal is simple: scare you or deceive you into purchasing their software.

Fake Alerts & Pop Ups

Many of these programs install themselves onto your computer through Trojans such as Vundo. Vundo can be ‘picked up’ by clicking an .exe file or downloading a cleverly disguised version uploaded to legitimate sites, such as sites that offer screen saver downloads, video game mods, ‘free’ programs, or adult sites. Some sites install this malware simply when you visit them if your Java and other updates are not current. Many sites hide the .exes and self-extracting files in their links or within the links contained in emails, as described above. Many also embed the links to the full malware program within the pop up warnings that are generated through web page hijackers or locally on the computer. Once you click on one of these alerts, it downloads the full software to your computer. Once the malware has been installed, it will be configured to run automatically every time you start your computer. Once started, it will scan your computer for infections that will not be removed until you purchase the software. These infections typically do not exist, or were planted by the malware itself.

Rogue Antivirus Registration

Should you choose to purchase the rogue antivirus, it will scan and ‘remove’ the infected items; in reality, it simply disables the warnings for a period of time. It is not uncommon for these warnings to stop for a period of around six months, until they begin displaying the warnings again along with messages stating that the program has been corrupted and will need to be reinstalled. Of course, in most instances you would have to pay again to reinstall the product. Additionally, once you purchase the malware, you are prompted to install the full version, which installs reinstallation scripts, back door Trojans, and rootkits throughout your system. On a recent system we worked on, our client had downloaded and installed the full version, and we found initialization hooks, reinstallers and virus code in over 2000 locations on the PC, some of which even replaced legitimate Windows system files.

The icing on the cake is that once the programs disable their own virus warnings, they typically generate different warnings, such as privacy warnings, firewall warnings, and registry warnings, that indicate non-viral infections of the computer which can also be fixed by purchasing additional software from the company.

Under NO circumstances should you purchase ANY of these fraudware products.

In part two of this series, we will look at the various warnings that pop up through images compiled by Home PC Patrol in our history of combating this fraudware with our clients. By familiarizing yourself with the warnings and fake alerts and the subtle differences between the fake warnings and the real products they seek to replicate, you can give yourself the advantage of recognizing this virus before it completely infiltrates your system.