Category Archives: Scareware Rogues

Rogues use deceptive advertising and/or malware to scare people into purchasing software

Microsoft Malware Protection Center: rogue v ransomware

Making the most of fear and deception – rogue v ransomware (part 1)

Fear can be a great motivator for getting someone to act on the receipt of a message (think public health messages regarding smoking, or wearing sunscreen). Add some deception in there, and you have a powerful tool of illegitimate influence that can be used to get people to act in ways that are not in their best interest. Unsurprisingly, the same folks that bring you malware are the same folks that have no problem at all using illegitimate and deceptive fear appeals to get you to do something that they want that might not be so great for you. This post contrasts two types of malware that rely on fear, deception and technology in order to accomplish their ultimate goal. One type is increasing in prevalence, and another is on the way down (but certainly not out).

Scareware Industry lull

Another great article from Brian Krebs.

Fake Antivirus Industry Down, But Not Out

Many fake antivirus businesses that paid hackers to foist junk security software on PC users have closed up shop in recent weeks. The wave of closures comes amid heightened scrutiny by the industry from security experts and a host of international law enforcement officials. But it’s probably too soon to break out the bubbly: The inordinate profits that drive fake AV peddlers guarantee the market will soon rebound.

Fake anti-virus attack on Twitter

Graham Cluley

Thousands of Twitter users are finding that their accounts have been tweeting out malicious links without their permission, pointing to a fake anti-virus attack.

If you make the mistake of clicking on one of the malicious links you are ultimately taken to a website which attempts to scare you into believing that you have a virus problem on your computer. You are then frightened into installing malicious code on your PC, and asked to pay money to disinfect your systems.

FakeSysdef – Diary of a scamware

Malware that has already passed through various iterations.

Microsoft Malware Protection Center.

Initially it was “System Defragmenter”, then “Scan Disk” and now it’s called “Check Disk”. While the name will most certainly change again, the main goal of Trojan:Win32/FakeSysdef will surely remain the same: to trick you into buying a piece of software that does nothing except scare you with fake warnings, critical “errors” and other “problems”.

As the name suggests, this malware imitates a hard disk defragmenter. It will pretend to scan your computer for problems: it “checks” if your hard disk is working correctly, “defragments” it, and even checks the health status of your RAM and GPU (Graphic Processor Unit). Of course, once you start checking for problems using this ‘program’ it is going to “find” a bucketful of them:

* Bad sectors
* RAM fragmentation
* Registry errors
* Very high CPU/GPU temperature
* RAM failures

Story and screenshots:

Rogue-Security Essentials 2010

Rogue security products use false advertising, drop malware and often have a similar name or appearance to legitimate security software.

Scareware has already mimicked the Windows Security Center. This one mimics Microsoft Security Essentials and calls itself “Security Essentials 2010”.

Microsoft Malware Protection Center.

As we in the MMPC have always been quick to point out, Microsoft Security Essentials can be downloaded and used without charge by users running genuine Windows (from here). So anything mimicking Microsoft Security Essentials but asking for any sort of payment is clearly Up To No Good.

Screen-shots and more information at the MMPC Threat Research & Response Blog.

Microsoft detects the imposter as Trojan:Win32/Fakeinit. Encyclopedia here

Fake Antivirus adds “Support”

Rogue security programs usually pop up a screen informing users that their PC is infected with malware. The user, understandably alarmed by the nonstop pop-ups which suddenly appear on their frozen screen, will often click to make a purchase and download the “fake” software, which claims it will remove the infection. In a nutshell, that “is” the infection, and a lucrative business for criminals.

According to researchers at Symantec the authors of Live PC Care have taken things to the next level. The free trial version of Live PC Care includes a yellow online support button. Clicking on that button connects the potential victim with so-called “support agents” who will answer questions about the product via instant message.

Fake AV & Talking With The Enemy

FBI warns consumers about rogue security programs

Press Release December 11, 2009.

The FBI warned consumers today about an ongoing threat involving pop-up security messages that appear while they are on the Internet. The messages may contain a virus that could harm your computer, cause costly repairs or, even worse, lead to identity theft. The messages contain scareware, fake or rogue anti-virus software that looks authentic.

The message may display what appears to be a real-time, anti-virus scan of your hard drive. The scareware will show a list of reputable software icons; however, you can’t click a link to go to the real site to review or see recommendations. Cyber criminals use botnets—collections of compromised computers—to push the software, and advertisements on websites deliver it. This is known as malicious advertising or “malvertising.”

Once the pop-up warning appears, it can’t be easily closed by clicking the “close” or “X” buttons. If you click the pop-up to purchase the software, a form to collect payment information for the bogus product launches. In some instances, the scareware can install malicious code onto your computer, whether you click the warning or not. This is more likely to happen if your computer has an account that has rights to install software.

Downloading the software could result in viruses, malicious software called Trojans, and/or keyloggers—hardware that records passwords and sensitive data—being installed on your computer. Malicious software can cause costly damages for individual users and financial institutions. The FBI estimates scareware has cost victims more than $150 million.

Cyber criminals use easy-to-remember names and associate them with known applications. Beware of pop-up warnings that are a variation of recognized security software. You should research the exact name of the software being offered. Take precautions to ensure operating systems are updated and security software is current. If you receive these anti-virus pop-ups, close the browser or shut down your computer system. You should run a full anti-virus scan whenever the computer is turned back on.

If you have experienced the anti-virus pop-ups or a similar scam, notify the Internet Crime Complaint Center (IC3) by filing a complaint at

Pop-Up Security Warnings Pose Threats

Cleaner affiliates gotcha

S!ri, a well-known and respected malware fighter in the security community, wrote that some webmasters (cleaner affiliates) regularly use the screenshots that he made after analyzing a rogue in their own blog posts.

The cleaner affiliates write about the dangerousness of the rogue and link to a “Free” Scan or “Free” Removal tool which may not be free at all. :-x

So I decided to MAKE a picture of a new rogue that does NOT exist: Secure Shield. I post the picture and wait for the “serious” guys.

Those guys are inventing file, folder and key names.

Secure Shield fake rogue

Rogue-Personal Antivirus

While performing a search I saw the red warning circle given by Web Of Trust (WOT) to sites they have rated dangerous.

Normally one should stop there, people, but I was digging. In a clean, uninfected virtual machine I opened the URL, which took a while to load its nasty stuff, and then the pop-ups began.

“Don’t close this window if your want you PC to be clean” :roll:

Certifiedbug. September 6, 2008.

Harry Waldon has a nice article Malware Close Encounters – Close Pop-ups using Task Manager to safely exit which could help users to exit a pop-up install before too much damage is inflicted.