One type of threat that we have been warning customers about for the past several years is called rogue security software, also known as “scareware”. Rogue security software is software that appears to be beneficial from a security perspective but provides limited or no security, generates erroneous or misleading alerts, or attempts to lure users into participating in fraudulent transactions. Rogues typically mimic the general look and feel of legitimate security software programs and claim to detect a large number of nonexistent threats while urging users to pay for the “full version” of the software to remove the threats.

We included a deep dive into Rogues back in 2007 when we published the Microsoft Security Intelligence Report volume 2 (SIRv2) that focused on the second half of 2006 and since then we have published deep dives on Rogues in a couple of other volumes of the SIR. Fast forward to the findings on the threat landscape in SIRv10, focusing on the second half of 2010, and Rogues are still being used by attackers in large numbers.

Figure below: Some of the “brands” used by different versions of one rogue security software family called Win32/FakeXPA

clip_image002

Attackers typically install rogue security software programs via several attack vectors including:

1. Via unpatched vulnerabilities using exploits

2. Via other malware that has previously compromised the system. For example, a threat called Win32/Renos has been linked to the distribution of Rogues for some time. Renos is a Trojan downloader that the Microsoft Malware Protection Center (MMPC) removes from millions of systems around the world every six months, thus making it easier to understand why we see Rogues in such large numbers too.

Figure below: Other threats found on computers infected with Win32/InternetAntivirus as reported in SIRv7

clip_image004

3. Using social engineering to trick users into believing the programs are legitimate and useful. To do this, some versions emulate the appearance of the Windows Security Center or unlawfully use trademarks and icons to misrepresent themselves.

You might be tempted to think that Rogues only infect home systems versus managed systems, such as those managed in an enterprise. While this is predominantly true, the MMPC is cleaning Rogues on domain-joined systems too.

Figure below: Top 10 families detected on domain-joined computers in 2010, by percentage of domain-joined computers reporting detections

clip_image006

To see exactly how one of these Rogues uses social engineering to infect systems, this short video shows you how a computer is infected by FakePAV, one of the most prevalent Rogues found in the second half of 2010, and demonstrates how to terminate its process.

Please see SIRv10 and www.microsoft.com/security/antivirus/rogue.aspx for more information/videos about rogue security software.

Tim Rains

Director, Product Management

Trustworthy Computing Communications