Rogue security products use false advertising, drop malware and often have a similar name or appearance to legitimate security software.

Scareware has already mimicked the Windows Security Center. This one mimics Microsoft Security Essentials and calls itself “Security Essentials 2010”.

Microsoft Malware Protection Center.

As we in the MMPC have always been quick to point out, Microsoft Security Essentials can be downloaded and used without charge by users running genuine Windows (from here: http://www.microsoft.com/security_essentials/). So anything mimicking Microsoft Security Essentials but asking for any sort of payment is clearly Up To No Good.

Screen-shots and more information at the MMPC Threat Research & Response Blog.

Microsoft detects the imposter as Trojan:Win32/Fakeinit. Encyclopedia here

http://certifiedbug.com/blog/category/scareware-rogues/

Certifiedbug.com

Rogue-Security Essentials 2010

Rogue security programs usually pop up a screen informing users that their PC is infected with malware. The user, understandably alarmed by the nonstop pop-ups which suddenly appear on their frozen screen, will often click to make a purchase and download the “fake” software which claims it will remove the infection. In a nutshell that “is” the infection and a lucrative business for criminals.

According to researchers at Symantec the authors of Live PC Care have taken things to the next level. The free trial version of Live PC Care includes a yellow online support button. Clicking on that button connects the potential victim with so-called “support agents” who will answer questions about the product via instant message.

Fake AV & Talking With The Enemy

http://certifiedbug.com/blog/category/scareware-rogues/

Certifiedbug.com

Fake Antivirus adds “Support”

Sunbelt Blog: New rogue borrows massively from AV company sites

Although the group claims 10 million users world-wide, oddly enough their site was only registered Nov. 25.

It seems they also have recruited the entire management team from AVG anti-virus company as well. Right!

Article

Certifiedbug.com

System Adware Scanner 2010, rogue with fake credentials

Press Release December 11, 2009.

The FBI warned consumers today about an ongoing threat involving pop-up security messages that appear while they are on the Internet. The messages may contain a virus that could harm your computer, cause costly repairs or, even worse, lead to identity theft. The messages contain scareware, fake or rogue anti-virus software that looks authentic.

The message may display what appears to be a real-time, anti-virus scan of your hard drive. The scareware will show a list of reputable software icons; however, you can’t click a link to go to the real site to review or see recommendations. Cyber criminals use botnets—collections of compromised computers—to push the software, and advertisements on websites deliver it. This is known as malicious advertising or “malvertising.”

Once the pop-up warning appears, it can’t be easily closed by clicking the “close” or “X” buttons. If you click the pop-up to purchase the software, a form to collect payment information for the bogus product launches. In some instances, the scareware can install malicious code onto your computer, whether you click the warning or not. This is more likely to happen if your computer has an account that has rights to install software.

Downloading the software could result in viruses, malicious software called Trojans, and/or keyloggers—hardware that records passwords and sensitive data—being installed on your computer. Malicious software can cause costly damages for individual users and financial institutions. The FBI estimates scareware has cost victims more than $150 million.

Cyber criminals use easy-to-remember names and associate them with known applications. Beware of pop-up warnings that are a variation of recognized security software. You should research the exact name of the software being offered. Take precautions to ensure operating systems are updated and security software is current. If you receive these anti-virus pop-ups, close the browser or shut down your computer system. You should run a full anti-virus scan whenever the computer is turned back on.

If you have experienced the anti-virus pop-ups or a similar scam, notify the Internet Crime Complaint Center (IC3) by filing a complaint at www.ic3.gov.

Pop-Up Security Warnings Pose Threats

http://certifiedbug.com/blog/category/scareware-rogues/

Certifiedbug.com

FBI warns consumers about rogue security programs

S!ri, a well known and respected malware fighter in the security community, wrote that some webmasters (cleaner affiliates) regularly use the screenshots that he made after analyzing a rogue, in their own blog posts.

The cleaner affiliates write about the dangerousness of the rogue and link to a “Free” Scan or “Free” Removal tool which may not be free at all.

So I decided to MAKE a picture of a new rogue that does NOT exist: Secure Shield. I post the picture and wait for the “serious” guys.

Those guys are inventing files, folders and keys name.

Secure Shield fake rogue

Certifiedbug.com

Cleaner affiliates gotcha

While performing a search I saw the red warning circle given by Web Of Trust (WOT) to sites they have rated dangerous.

Normally one should stop there people but I was digging. In a clean, uninfected virtual machine I opened the url which took awhile to load its nasty stuff and then the popups began.

“Don’t close this window if your want you PC to be clean”

Certifiedbug. September 6, 2008.
http://certifiedbug.com/blog/2008/09/06/smartantivirus2009-rogue-security-program/

Harry Waldon has a nice article Malware Close Encounters – Close Pop-ups using Task Manager to safely exit which could help users to exit a pop-up install before too much damage is inflicted.

Certifiedbug.com

Rogue-Personal Antivirus

The Russian Business Network affiliate involved has established a front company, autonomous system AS48669 NTCOLO-AS NTCOLO, and has been allocated 510 unique IP addresses. AS48669 consists of 105 malware domains, 19 domain name servers, 8 mail servers and 3 fraudulent payment processors.

List of current IPs Secure Home Networks

Certifiedbug.com

advancedprotectionscanner.com et al-rogues deployed

Redirect from gotscan.com to user4scan.com. <– Do not go to either.

Received typical scareware warnings, rogue was not detected by my anti virus program. The installer repeatably failed, popping up the same windows and freezing the browser.

Domain Name: USER4SCAN.COM
IP Location: Germany – Berlin – Berlin – Netdirekt E.k
Registration Service Provided By: SELLOUT.NAME
Creation Date: 12-Mar-2009
Expiration Date: 12-Mar-2010
Domain servers in listed order:
ns2.dnsexit.com
ns1.dnsexit.com

Domain name: gotscan.com
IP Location: Germany – Berlin – Berlin – Netdirekt E.k
ICANN Registrar: BIZCN.COM, INC.

Edit to add:
SELLOUT.NAME
ICANN Registrar: Directi Internet Solutions Pvt. Ltd. d/b/a PublicDomainRegistry.com
Created: 2006-11-08
Expires: 2009-11-08
Updated: 2009-02-03

Certifiedbug.com

Drop for Rogue ‘Internet Antivirus Pro’ Gotscan, user4scan

Scareware Spyburner becomes XpyBurner.

From EULA.

C. Some of our products may be unsuited to run with other software. We have the right to uninstall incompatible products. We will notify our customers before uninstalling such products. A customer cannot claim a refund if the reason is a requisition or removal of conflicting software.
Coexistence of some products may lead to many unsatisfactory effects as well as to slow the customer’s system. That is why the usage of XpyBurner requires the uninstallation of products which represent a risk to the system.

Uh huh…

ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Registration Service Provided By: ERDOMAIN.COM
Registrant: PrivacyProtect.org

DIRECTI doesn’t appear to be cleaning up its act.
Spyware Sucks: I just knew I’d find DIRECTI in there somewhere…

Certifiedbug.com

New Rogue XpyBurner

An interesting thing we noticed is that the Rogue did not attempt to scare us into purchasing it, rather telling us that the computer was secure after the scan. The Rogue authors are probably doing this to keep a high amount of Rogue installations active for the purposes of data theft or for hire services.

PandaLabs Blog:

http://pandalabs.pandasecurity.com/archive/New-Rogue_3A00_-Total-Defender.aspx

Certifiedbug.com

New Rogue-Total Defender