Category Archives: Rogue Security Products

Software which attempts to convince a victim to pay for it through deceptive displays of information and technical trickery, most often by masquerading as antivirus or some other form of security software.

MacProtector: Rogue of the Week

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

MacProtector and Mac Guard logosThis week, we turn our attention temporarily away from the never-ending stream of rogue security products on the Windows platform and take a closer look at the Mac OS analogue, MacProtector (aka Mac Security, Mac Defender, MacGuard, and–if history serves–soon to be many, many other names).

There’s been a lot of press coverage of these rogues — including a video blog post by us — in the past few weeks, so we thought it was high time we took a deeper dive.

Even though Webroot doesn’t offer an automated removal solution for the Mac, there’s good news for most Mac users — with only a little bit of effort, it’s fairly rudimentary to simply delete the rogue .app and be done with it. In this case, the Activity Monitor (Apple’s GUI process monitor, located by default in the Utilities folder inside the Applications folder) is your best friend.

The program appears as a stub .mpkg installer, which means that the application that installs the program isn’t a container with the full program stuffed inside. The installer drops an app named avRunner.app into the Applications directory, then executes it.

Continue reading

Rogue of the Week: Windows Recovery

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

Word from the AMR group last week was that there weren’t many changes from the previous week; Many of the same rogue antivirus previously reported in this blog continue to plague the Internet.

This week I decided to focus on a rogue that’s recently become a problem. It goes by the name Windows Recovery, though it’s also been called Ultra Defragger or HDD Rescue by other AV vendors. Bottom line, it’s still a fraudulent program which relies on deception and trickery to convince a victim to fork over some cash for a “fix.” It’s just not a rogue antivirus; Call it a rogue system utility. Fortunately, the damage caused by this rogue is actually relatively straighforward to manually clean up.

The gist of this rogue’s deception comes down to trying to convince the victim that their computer hard drive has experienced some sort of major malfunction. To accomplish this, the rogue does a lot of sneaky stuff: For instance, it flags all files on the boot drive with the “hidden” attribute, then uses registry tricks to prevent Windows from displaying any hidden icons.

It also moves any shortcuts that point to programs (both from the start menu and on the desktop) into the Temp folder, effectively neutering the utility of the Start menu. (We have a free tool that can fix this.) And it uses the Registry to disable the user’s ability to open the Task Manager, changes the system wallpaper (and prevents you from changing that wallpaper), and hides the entire desktop from view. (And we have another free tool that can fix this, too.)

Continue reading

Antivirus Center: Rogue of the Week

Posted on by

By Andrew Brandt and Brenden Vaughan

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

Our Advanced Malware Removal group reported seeing several cases of a rogue called Antivirus Center this past week. The rogue isn’t new – we began seeing samples of it last year – but has re-emerged as a threat.

This rogue is characterized by a close mimicry of some aspects of Microsoft’s free Windows Defender product, including the use of a program icon that looks like a castle, as well as some distinctive characteristics of its active file components. For example, the rogue’s application consistently uses a naming convention that looks like a long string of random alphanumeric characters, with a .dat extension, located in the Application Data folder of the “All Users” profile. As we’ve written before, no programs should run from the Application Data folder, so anything in that location is automatically suspect.

That said, it’s still going through the same stupid rogue AV motions, with all the exaggerated detections and predictably hilarious bad grammar we’ve come to expect. Read on for more details.

Continue reading

ROTW: “Total Security” and Antivirus IS

Posted on by

By Brenden Vaughan and Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

This week, our support and advanced malware removal (AMR) team did not have a lot of new data to report about rogue security products. The most commonly encountered infection continues to be one of the rogues we reported about last week.

While we may refer to it as XP Total Security, it actually chooses one of a series of names at random, based on the operating system on the victim’s computer. Last week’s post contains a more comprehensive list of these names. As previously reported, you can remove the rogue by scanning (with our product, not theirs) while the computer is in Safe Mode.

Its main executable has a random, three-character filename, and gets installed into a random, three-character folder inside the Application Data folder for the user who is currently logged on at the time of the infection. The rogue’s install location is:

 %UserProfile%\Local Settings\Application Data\<random>\<random>.exe

AMR reported seeing another rogue called Antivirus IS. While this is the first time they have mentioned it, Brenden believes it is a bit older, and has been floating around since late last year. Its logo is a blue shield with a single red diagonal stripe; its tagline, “Innovative protection for your PC,” is utter nonsense.
Continue reading

Rogues of the Week: XP Total Security & MS Removal Tool

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

It’s been said that sunlight sanitizes almost everything it shines on. Beginning this week, and every week from now on, we’ll focus a concentrated beam on the rogue antivirus programs our support staff and Threat Research team have been working to remediate.

Rogues have a tendency to switch up their names, user interface, and other outward characteristics, while retaining most of the same internal functionality — and by functionality I mean the fraudulent tricks these forms of malware use to make it difficult for someone to identify them as malicious or remove them from an infected computer. It’s not as though the charlatans behind these scams (or their parents) ever made anything that was actually useful or desirable.

So for our inaugural Rogue of the Week post, we bring you notes on MS Removal Tool and XP Total Security, courtesy of Threat Research Analysts Brenden Vaughan and Stephen Ham.
Continue reading

Korean Rogues’ Slapfight Bonanza

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

The other day, Threat Reseacher Dan Para sent along the video clip below, which gave us all a good laugh. Dan had been researching a Korean-language Trojan downloader, but when he ran the file, he didn’t expect the downloader to retrieve not one…not two…but three separate rogue antivirus products.

The most amusing thing about the video is that these three rogues — named Smartscan, Antiguard, and Bootcare — decided to duke it out amongst themselves to be front-and-center on the desktop. But each time one of the apps would bring itself to the front, both of the others would respond in what can only be generously described as a slap fight. The results were, well, you can see for yourself.

In addition to pushing one another out of the top position, each vied with the other to concoct outrageous numbers of detections on what was, ostensibly, a clean testbed system. Antiguard reported 215 items of concern, while Smartscan reported 225 “detections” and Bootcare reported 245. Like their English-only counterparts, these rogues require you to make a purchase to clean up these purported problems.

Shipping Confirmations Back on the Radar

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

After a prolonged absence, waves of Trojans distributed as Zipped email attachments have been showing up in our spam traps for a few weeks. The spam messages employ the same hackneyed shipping confirmation pretext as many previous iterations of this scam. This technique’s emergence as a common malware distribution method correlates with the emergence of Trojan-Downloader-Tacticlol.

The messages claim to come from various express shippers, including DHL, UPS, and FedEx, as well as one that may have originated in a malware guy’s imagination: Post Express. And even though the distribution method mimics those used by Tacticlol, the payloads haven’t been limited to that Trojan. This time around, the files belong to a wider variety of malware, including not only several new variants of Tacticlol but also Trojan-Downloader-Karagany, Trojan-Relayer-Highport, and SpyEye.

The Trojans’ icons look like Office documents or Acrobat PDFs, which serve to further convince victims that the file isn’t dangerous. The email attachments — Zip files with names such as tracking.zip, Post_Express_Label.zip or DHL_tracking.zip — aren’t dangerous unless you open the attachment, extract the Trojan, and execute it. But once you do, you’re in for a world of trouble.

Continue reading

Google Results Tarnished Again to Push Rogues

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

It’s been a few months since Google implemented new ways that it displays search results, and in that time, it’s been difficult to find the kinds of hijacked search results we saw in huge numbers a year ago. But if you thought the search engine manipulators were laying down on the job, you’d be wrong.

A new campaign seems to have hijacked Google search terms of not just products or words, but of people’s names, towns, and phrases in both English and Spanish to lure victims into a trap. One of our Threat Research analysts stumbled upon the new scheme while searching for information about a friend. We were surprised to find that the top four results of that search led directly to that dreaded Sarlaac Pit of malware, the rogue antivirus fakealert.

At first, visiting the four top links in our searches led to the same fakealert. After an hour passed, however, the pages started to shake things up, leading to fakealerts that mix up their appearance. One screen displays something that looks like an alert from the Windows Security Center in Windows Vista; Another generates a dialog that looks like the Security Center alert from Windows 7. Still others take on the now-classic faux-Windows Defender appearance.
Continue reading

New Year’s Drive-By Brings a Recursive Rogue

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

On the morning of January 2nd, still bleary eyed, I checked my email to find a charming notification informing me that I’d received an electronic greeting card. Yay! I thought to myself: The first targeted malware of 2011 plopped right into my lap.

I immediately pulled up my research machine, browsed to the URL in the message (don’t try this at home, kids), and found my test system swamped in malware. After classifying the files and their source URLs into our definitions — I didn’t want this to happen to you, after all — I turned the computer back off and slept until Tuesday, when I resumed my analysis.

As it turns out, the payloads delivered by the drive-by download are as common as sand at the beach, but some of the techniques used by the malware’s distributor to obfuscate the true nature of the executable payload files (which may have been stored on what appears to be a hijacked, legitimate server running Joomla) are fairly novel, and also a bit ridiculous.

Continue reading

10 Threats from 2010 We’d Prefer Remain History

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

With 2010 finally behind us, and an unknown number of cyberattacks likely to come in the new year, I thought I’d run down a brief list of the malicious campaigns criminals pulled off last year that I’d really dread to see anyone repeat. Now that they’re in the past, they should stay there.

Operation Aurora: Google’s accusation (with Adobe, Juniper Networks, Rackspace, Yahoo! and Symantec) that China hacked its servers, allegedly stealing private emails stored on the company’s servers. The big surprise wasn’t that it was happening, but that companies were publicly talking about it.

Abused ccTLDs: 2010 saw lots more malicious content originating from previously un-abused country code top-level domains, which are assigned to national authorities, such as the .in (India) and .cc (Cocos (Keeling) Islands) top-level domains. The Cocos Islands’ .cc domain deserves particular note because the more than 2200 malicious domains (discovered during 2010) hosted under this ccTLD outnumber the approximately 600 human inhabitants of the tiny archipelago by nearly 4-to-1.

Koobface: “the little social network worm that could” employed new URL obfuscation techniques, introduced its own keylogger, and focused efforts on a smaller number of social media sites, while Facebook got more proactive at shutting down the worm’s operations quickly. Maybe this year they’ll disappear altogether.

Continue reading