Threat Research & Response Blog
As Vinny mentioned in his post, the data in our recently released Microsoft Security Intelligence Report (SIR) clearly shows what we've been seeing in our day-to-day research over the last six months or so - rogue security software is getting more prevalent. As well as the raw data, the SIR includes some of our research into how rogues evolved over the second half of 2008. In addition to becoming more widespread, we saw rogues get more sophisticated and aggressive.
There were two families that really exemplified the state of rogues in 2H08 - Win32/FakeSecSen and Win32/FakeXPA. These rogues were found on over 1.5 million computers each over the six month period. Win32/FakeSecSen cloaked itself in many disguises, with names like "MS Antivirus", "Vista Antivirus 2008" and "Windows Antivirus 2008" combined with user interfaces that often imitated the look of the Windows Security Center.
Win32/FakeXPA took this idea a step further, introducing a complete imitation of the Windows Security Center, tailored to the version of Windows it was run on, as well as fake "blue screen" crash messages, all of which insisted that the rogue (which called itself "Antivirus 2010" in some cases) should be registered.
Vinny talked about the number one threat we saw worldwide - Win32/Renos - a threat that was found on 4.4 million distinct computers. Behind this huge number was an increasingly sophisticated array of malware distribution techniques including spam, exploits targeting browsers and third-party add-ons like Adobe Flash, and multiple levels of redirection through compromised web sites. These were often combined with social engineering techniques including fake online scanners and product pages that were increasingly convincing at selling the rogues as legitimate applications.
You can find more details on rogues in the SIR. In particular, it includes a description of the legal fight against the people who distribute these applications.