Threat Research & Response Blog
We’ve seen some particularly nasty malware recently that has prompted me to think about how people react to scare tactics and fear appeals. The kind of malicious software I’m thinking of in particular here is generally referred to as ‘rogue security software’, and it displays false and misleading messages regarding malware infections in order to convince affected users to perform a particular recommended action, which would normally involve ‘cleaning’ their machine in a particular way.
This software uses fear appeals in order to accomplish its intended purpose. A fear appeal is a persuasive message that attempts to scare a reader into changing their attitude, (which may result in performing a particular action or refraining from performing a particular action, for example) by presenting negative consequences that will happen if the reader does not comply with the recommendation contained in the message. Fear appeals are often used legitimately for public service announcements, and have been found to be particularly successful in the area of community health (for example, in anti-smoking advertising).
In order for these types of appeal to be successfully persuasive, they must convince the reader that the reader is vulnerable to the presented negative consequences, and that the recommended action will alleviate the purported threat. Rogue security software makes these types of appeals successfully and persuades convincingly.
Rogue security software is software that pretends to be a legitimate security application (such as an antivirus or antispyware scanner), but in reality, is nothing of the kind. These increasingly common malicious applications often appear to be very similar to well-known security products cosmetically and may use interfaces that attempt to mimic legitimate applications, by using similar (if not the same) icons, colours, fonts and graphics, hence attempting to take advantage of existing trust relationships that users may have with particular security software brands. The Windows Security Center is commonly targeted in this way.
Unsurprisingly, this type of malware exists for the same reason as most other malware, and that is, of course, to make money for its distributors, either directly or indirectly. Often, rogue security software displays numerous fake infection alerts and scan reports that dishonestly attempt to convince users that their machine is infected. Often these reports target clean, widely distributed system or application files (such as calc.exe or notepad.exe) meaning that these attackers don’t have to perform any kind of real scanning at all, as the file reported as being infected is highly likely to already exist on the targeted machine. They may not even report infections regarding particular files – just random, scary, fake infections that are not associated with particular files or locations.
Now, displaying a fake infection alert seems innocuous enough, however, the malware distributor’s intention is usually made clear enough by the action suggested by the malicious application in order to remediate the bogus infection. Often, the suggested action is either to pay a fee to a particular organization in order to purchase a remedy for the bogus infection, or to download and install an additional application that will remedy the infection (or both). So in effect, this software is used to perpetrate fraud, using a tactic similar to extortion, by indirectly threatening the user with unsavory consequences should they not ‘pay up’, or may be used to accomplish further system compromise by scaring the affected user into installing an application of the attacker’s choice.
Giving your credit card number to shady characters (i.e. criminals) in order to clean your machine from a non-existent infection using a non-existent scanner, not to mention opening your machine up to further system compromise by downloading and installing an application of a shady character’s choice is a really bad outcome. Users that have found themselves falling prey to this kind of intimidation have made themselves vulnerable to all sorts of additional trouble that only starts with being ripped off the so-called 'fee' for buying an imaginary product. In the wild, we have recently seen some of these applications associated with the worst of malware – malware that uses rootkits, malware that steals data, malware that uses whatever resources are available to it on the affected machine in order to make money for the shady characters behind it (often related to spam).
So, why am I telling you this and what can you do about it? It’s not like this type of malicious application is anything new – malware authors have been distributing this kind of software for years. However, by consciously recognizing this type of manipulation you can take steps to avoid its persuasive influence, before your machine gets compromised.
Be very wary of messages that deliberately try to scare you into performing a particular action. Gratuitous numbers of exclamation marks (!!!) and the use of dramatic, emotive language should start ringing some alarm bells for a canny user. (You'll notice I'm giving you this information without the use of such devices, even though I am warning you about a particularly nasty and insidious threat.)
Legitimate security software companies are unlikely to try to scare you into paying for their products, and they won't report infections just by virtue of you visiting their web sites.
If you're concerned about the veracity or legitimacy of a particular antivirus scanner, it's a good idea to check if the product in question has received any industry-recognized certification. Virus Bulletin VB100 is a good place to start, but there are other industry-recognized testing and certification bodies that are good for this kind of verification, such as AV-Comparatives for example.
So, the next time a dialog, web page or application attempts to scare you - ask yourself whether this is a legitimate and reasonable appeal - and think twice before performing the suggested action (and think three times if only one possible action for remediation is not only suggested, but virtually insisted upon).
183 Microsoft Team blogs searched, 87 blogs have new articles in the past 7 days. 205 new articles found