This is the first of a two-part post.

Fear can be a great motivator for getting someone to act on the receipt of a message (think of public health messages about smoking or wearing sunscreen). Add some deception, and you have a powerful tool of illegitimate influence that can be used to get people to act in ways that are not in their best interest. Unsurprisingly, the same folks who bring you malware have no problem at all using illegitimate and deceptive fear appeals to get you to do something they want, which might not be so great for you. This post contrasts two types of malware that rely on fear, deception and technology to accomplish their ultimate goal. One type is increasing in prevalence, and the other is on the way down (but certainly not out).

A number of years ago, the MMPC published a blog post on the use of fear appeals and how they were used to persuade (or scare) users into taking a particular action of the malware creator’s choice. Here’s the definition of a fear appeal from that post:

A fear appeal is a persuasive message that attempts to scare a reader into changing their attitude (which may result in performing a particular action or refraining from performing a particular action, for example) by presenting negative consequences that will happen if the reader does not comply with the recommendation contained in the message. In order for these types of appeal to be successfully persuasive, they must convince the reader that they are vulnerable to the presented negative consequences, and that the recommended action will alleviate the purported threat.

Having discovered the beauty of simple English and brevity (sometimes), we can translate that for you: a fear appeal is a message that tries to scare you into doing something.

Rogue security software makes these types of appeals successfully and persuades convincingly. If you haven’t heard of rogues, or been affected by them, you’re lucky (and unusual), as they have been one of the most pervasive malware threats on our radar for several years. Rogues are a prime example of malware that uses fear appeals to force your hand. A common scenario you might face when encountering a rogue on your computer follows:

  • You see a scanning interface on your screen, pretending to scan the file system (the scanning interface may appear while browsing the Internet or could be inadvertently downloaded).
  • Upon completion of the scan, a large number of infections are reportedly found on your computer.
  • A barrage of warnings related to these supposed infections is intermittently displayed to you in the form of dialog boxes and alerts popping up on your desktop or coming from your taskbar.
  • Attempts to launch applications are thwarted by the rogue, which blocks the application from starting and displays an alert warning that the application is also infected.
  • System security and firewall applications are usually targeted by the rogue, which attempts to terminate their processes and services and/or modify their registry entries, making it extremely difficult to remove the rogue from the computer.

Rogue security software often imitates real security software, and uses names that mimic or are very similar to legitimate security scanners. On more than one occasion we have read frustrated and angry comments from users who were being tormented by rogues that imitated our own Microsoft Security Essentials or Windows Defender and thought that we were to blame.
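The name-mimicry described above can be screened for with a simple lookalike heuristic. The following is an added example for defenders, not MMPC code: it normalizes a process or window title (dropping punctuation, version numbers and filler words) and compares it to a list of genuine product names with an edit-distance ratio. The product list, the filler-word list, the 0.75 threshold and the `trusted` set of confirmed installed products are all assumptions; in practice "genuine" should be established by verifying the publisher signature, which this snippet does not do.

```python
"""Lookalike check for rogue security-software names (added example, not MMPC code)."""
import re

# Assumption: the defender maintains the list of genuine product names to protect.
LEGIT = ["Microsoft Security Essentials", "Windows Defender"]
# Filler tokens rogues bolt onto a copied name; constructed list, extend as needed.
FILLER = {"pro", "plus", "edition", "premium", "ultimate"}
VERSION = re.compile(r"v?\d+(\.\d+)*")  # "2012", "v3", "3.1.4"


def normalize(name):
    """Lower-case, strip punctuation, drop version numbers and filler words."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in FILLER and not VERSION.fullmatch(t))


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_score(candidate, legit):
    """1.0 = identical after normalization; lower = less similar."""
    a, b = normalize(candidate), normalize(legit)
    if a == b:
        return 1.0
    return 1 - levenshtein(a, b) / max(len(a), len(b))


def classify(candidate, legit_names=LEGIT, threshold=0.75, trusted=()):
    """Return (verdict, matched_product). `trusted` holds exact names of products
    confirmed genuine by other means (constructed assumption), so they are not flagged."""
    if candidate in trusted:
        return ("genuine", candidate)
    best = max(legit_names, key=lambda legit: lookalike_score(candidate, legit))
    if lookalike_score(candidate, best) >= threshold:
        return ("lookalike", best)
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed sample titles, not real rogue names.
    for title in ["Micro-soft Security Essentials 2012", "Windows Defendr Pro", "Notepad"]:
        print(title, "->", classify(title))
```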

Of course, there is a point to all of these invasive and fear-mongering tactics deployed by rogues: ultimately, to force you to pay a fee with your credit card in order to "activate" the supposed security scanner and remove the reported infections.

Rogue:Win32/Winwebsec, a rogue still in circulation and being actively updated by its creators, is an example of a rogue that exhibits all of these behaviours. Win32/Winwebsec and Win32/FakeRean are two rogues that are still actively out in the wild, but on the whole we have seen a steady decrease in the number of rogues in circulation in 2012.

The prevalence of individual rogue families waxes and wanes, and the composition of the big rogue picture has been reasonably dynamic, as can be seen when we look at the numbers broken down by family for most of 2012.

With a few notable exceptions (namely the Korean rogue OneScan), rogues have focused on English-speaking populations, with most reports of this malware coming from the US. In order to be successful, a rogue needs to convince an affected user to pay a fee. Their use of deception is generally complex and comprehensive, consisting of multiple deceptive messages delivered to a user through several computer-mediated channels in the form of fake interfaces, web sites and dialogs. The technology they use is generally basic and mostly limited to the presentation of the message (HTML and JavaScript, for example). The messages need to be convincing because the rogue won’t succeed if the affected user won’t hand over their credit card details. While there is no reason to believe that we won’t see more localized versions of rogues in the future, there would be extra cost involved in localizing these elaborate deceptions. And of course, malware writers generally do only the minimum needed to accomplish their goals, so as long as English-speaking populations continue to provide rich pickings, localization remains an unnecessary development. We’ll see…

However, rogues aren’t the only badware in town using fear appeals. In the last year, we’ve seen the rise of a new threat whose success also relies on persuading affected users to act on the receipt of a deceptive message in order to avoid an unpleasant consequence. This new(ish) badware goes by the unfortunate name of ransomware (unfortunate because the term is a little too emotive, but it is descriptive). Ransomware literally holds your computer to ransom. It locks you out either by locking the screen and displaying an image and/or message, or by encrypting your files so that you can no longer access them. It then demands that you pay a ransom so that you can use your computer again.

You can find detailed information on ransomware here and in the second part of this blog post, due to be published in the coming days.


Amir Fouda, Heather Goudey and Ray Roberts
MMPC