We can safely say that, ever since we encountered our first rogue, rogues have commanded a presence in the malware ecosystem. That held until earlier this year, when we observed a decrease in rogue activity. That's not to say they went away altogether – no, not at all – but towards the end of January we saw markedly fewer of them, including a period of about two weeks in which we saw no new undetected samples at all. That lull lasted, as I said, only until recently…

Shortly after that, we saw Rogue:Win32/Winwebsec reappear, distributed under a new brand, Disk Antivirus Professional. Since then we've seen an increase in rogue activity, which we assume is directly related to what is now rogues' most common distribution method: exploits.

To begin with, most rogues relied on social engineering to get themselves installed. Typically they used search engine optimization to draw users to a web page that displayed a fake antivirus scan inside the browser window. This "scan" informed users that their systems were infested with all sorts of nasty malware and that the only way to put this right was to download the rogue software. Over time, we also began to see rogues installed by exploiting vulnerabilities in unpatched software. Installation by exploit is now by far the predominant method, and it is relatively rare to see social engineering used to install rogues.

We also recently observed an increase in the prevalence of Rogue:Win32/FakeRean and of the rogue-like fake hard disk optimizer Trojan:Win32/FakeSysdef, both of which were also being distributed by exploits. Since then, FakeSysdef has once again become inactive, while FakeRean was dormant for a while before becoming active again last weekend. We've noticed this pattern several times over the past few months for FakeRean: its distributors appear to run a "campaign" of several weeks in which it is distributed at very high volume, followed by a week or two in which it is inactive. So FakeRean's latest reappearance did not surprise us; it was something we had been expecting.

Back in January, the likelihood of at least one of these rogues coming back made us wary about doing a victory dance about having solved the rogue problem, as tempting as it might have been. As it turned out, it would have made us look rather silly. (Actually, any attempt at dancing was always going to make me look silly, regardless of the correctness or otherwise of any victory dance predictions.)

Rogues are often distributed using an affiliate-based model, in which third-party affiliates are paid per installation to get the rogue onto as many computers as possible. Affiliates will often switch which rogue they distribute, depending on which is most profitable for them at the time. Distributors also often ship their malicious files with their own custom obfuscation to hinder detection by antivirus vendors. Late last year, some variants of Winwebsec and FakeRean shared the same obfuscation techniques, implying that at least one group of affiliates was distributing both at the time. More recently, these particular obfuscation techniques have been used only for Winwebsec, suggesting that the affiliates in question have moved to distributing that one rogue exclusively.

Winwebsec, meanwhile, continues to be prevalent, and has since changed its branding twice more, first to AVASoft Professional Antivirus and most recently to its current incarnation, System Care Antivirus. Winwebsec terminates every other running process on the system except those whose file names appear on a specific whitelist. Because that check is made on the file name alone, you may in some cases be able to run a tool that Winwebsec would otherwise kill by making a copy of it under a name that is on the whitelist. You can find the whitelist in the AVASoft Professional Antivirus description. Take care, however, not to overwrite any existing file with this copy, as many of the names on the whitelist belong to system files that are essential for your computer to run correctly; put the copy in a separate folder rather than in a Windows system directory.
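As an added illustration of the renaming workaround above (this is example code written for this page, not a tool from the MMPC post), the following PowerShell function copies a clean tool to a whitelisted file name inside a fresh staging folder and refuses to proceed if doing so would overwrite an existing file or land inside the Windows directory tree. The function name, the parameter names and the paths in the usage comment are all assumptions for the example; the whitelisted name itself must be taken from the published AVASoft Professional Antivirus description.

```powershell
# Added example, not part of the MMPC post. Copies a clean tool to a
# whitelisted file name inside a separate staging folder so that it is never
# written over an existing (possibly essential) system file.
function Copy-AsWhitelistedName {
    param(
        # The tool you cannot currently launch, e.g. a scanner or removal tool.
        [Parameter(Mandatory = $true)] [string] $SourcePath,
        # A bare file name taken from the published Winwebsec whitelist.
        [Parameter(Mandatory = $true)] [string] $WhitelistedName,
        # Where the renamed copy is placed; defaults to a folder under %TEMP%.
        [string] $StagingDirectory = (Join-Path $env:TEMP 'rogue-recovery')
    )

    if (-not (Test-Path -LiteralPath $SourcePath -PathType Leaf)) {
        throw "Source file not found: $SourcePath"
    }

    # Only a bare file name is acceptable; a path here could point at a real system binary.
    if ($WhitelistedName -ne (Split-Path -Leaf $WhitelistedName)) {
        throw "WhitelistedName must be a bare file name, not a path: $WhitelistedName"
    }

    # Resolve the staging folder relative to the current PowerShell location and
    # never stage inside the Windows directory tree, where the whitelisted names live.
    $resolvedStaging = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($StagingDirectory)
    if ($resolvedStaging.StartsWith($env:windir, [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Refusing to stage under the Windows directory: $resolvedStaging"
    }

    if (-not (Test-Path -LiteralPath $resolvedStaging)) {
        New-Item -ItemType Directory -Path $resolvedStaging | Out-Null
    }

    $destination = Join-Path $resolvedStaging $WhitelistedName

    # The key caveat from the post: do not overwrite anything that already exists.
    if (Test-Path -LiteralPath $destination) {
        throw "Refusing to overwrite existing file: $destination"
    }

    Copy-Item -LiteralPath $SourcePath -Destination $destination
    return $destination
}

# Usage (hypothetical paths; substitute a real name from the published whitelist):
# $copy = Copy-AsWhitelistedName -SourcePath 'C:\Tools\scanner.exe' -WhitelistedName 'name-from-whitelist.exe'
# Start-Process -FilePath $copy
```

The function returns the path of the renamed copy so it can be passed straight to Start-Process. It deliberately refuses to accept a path for the whitelisted name and refuses to write under %windir%, which covers the two easy ways to clobber a system file by mistake.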

Commonly, we've seen exploit kits such as Blacole used to distribute these rogues, as well as exploits for vulnerabilities in third-party software such as Java. The best way to make sure you're not vulnerable to these exploits is to keep that software up to date, so install the latest updates promptly for your operating system and for all of the applications on it, browser plug-ins included. You might also want to use a complete antivirus solution, such as Microsoft Security Essentials, to protect you from these rogues and from other malware you may encounter.

David Wood
MMPC Melbourne