I hate rogues. I don’t mean the World of Warcraft character class; I’m talking about rogue security software. In case you haven’t heard the term before, this is software that tells you that your system is crawling with bad stuff (for free!) and then offers to remove it for you (that’ll cost you). Of course the stuff they report is completely bogus; they are incapable of finding any real malware. What’s more they can be very insistent, repeatedly displaying popup warnings that make it virtually impossible to use your machine unless you pay to “register” the program. Apart from extorting money from innocent people, which is bad enough, this behaviour adds to the amount of FUD (fear, uncertainty and doubt) in the online community. As a virus researcher who’s spent more than ten years fighting real malware, this annoys me.

Some even trade on the reputations of legitimate software vendors to help sell their scam. One such rogue that we’ve been seeing in high numbers is something we call Win32/FakeSecSen, and is this month’s addition to the Malicious Software Removal Tool (MSRT). FakeSecSen is a classic example of a rogue security scanner. It is distributed in a variety of different ways. One is through web sites that might look like this:

FakeSecSen Sample Website

Another way is via malware that downloads the rogue directly. It is quite common for links to both the rogue web sites and the rogue downloaders to be distributed via spam.

An interesting, but not unusual, characteristic of Win32/FakeSecSen is that it uses many different disguises. As well as further contributing to the level of FUD and making them harder to keep track of, this might broaden their appeal to a wider audience – while one person may be convinced by something called “Ultimate Antivirus”, another would be more likely to install “Vista Antivirus 2008”. It may even lead to the same person being duped by the same rogue more than once. Here’s a list of names Win32/FakeSecSen has gone by recently:

Micro Antivirus 2009
MS Antivirus
Spyware Preventer
Vista Antivirus 2008
Advanced Antivirus
System Antivirus 2008
Ultimate Antivirus 2008
Windows Antivirus
XPert Antivirus
Power Antivirus
Ultra Antivirus 2009

Each of these variants uses slightly different file and directory names, but underneath they are virtually identical. The most significant difference is immediately apparent when you run a couple of them:

FakeSecSen Sample UI 1

FakeSecSen Sample UI 2

FakeSecSen Sample UI 3

The makers of this rogue have gone to significant effort to make it easy for them to change the look of their interface. Most of the interface elements are represented using GIF and JPEG images stored inside the file’s resources; in other words, it is “skinable”. For more examples of FakeSecSen’s various “skins”, have a look at our encyclopedia entry.

You may notice that some of FakeSecSen’s skins look similar to the Windows Security Center. This is no coincidence. FakeSecSen even goes as far as adding its own imitation Security Center applet to the control panel, usually called “MS AV”, which just launches the fake scanner.

Some say imitation is the sincerest form of flattery, but for anti-malware providers like Microsoft, the trust and confidence of our customers is vital and we hate to see anyone taken in by this sort of thing. So please use a real anti-malware product - check with an independent testing authority, like Virus Bulletin or AV-Test.org to make sure it’s legitimate.

- Hamish O'Dea