Rogue Software
Rogue software has taken advantage of the publicity and fears around Spyware and Adware and relies on convincing or forcing people to buy the product in exchange for getting rid of the problem.
Rogue software is nothing less than a big scam, playing on people’s fears and claiming all sorts of things as long as you purchase their so-called product, because in most cases there is no problem to cure on the PC.
In our SWAT department we have seen countless applications that fit this description.
Some of them are pretty basic and not very well designed at all, while others are very professional looking. Overall, we are impressed by the effort put into the advertising and how well crafted some of these programs are. Although we feel very sorry for the victims, we can’t help but smile when we see a variant of a popular rogue software with just a new logo but the exact same user interface, or when the Help section is written so poorly that we wonder what nationality the programmer was.
From our experience, we can say these applications basically target two markets: illegal pornography and virus/Adware/Spyware infections.
There are other rogues (registry cleaners and other utilities) but they are not as common. We can distinguish two means of installation: through banners or pop-ups, and forced installations brought by a Trojan Downloader.
Pop-ups and other banner ads:
Advertising is done on all sorts of websites. Even some sites you’d think are legitimate let it happen. For example, a popular ecard website would generate a pop-up for DriveCleaner on its main page. The pop-up claims that the user’s PC is infected with a dangerous Worm. Although this is totally untrue, a small percentage of people will actually believe it, follow the instructions on screen and end up paying money as well as giving their credit card number to a totally untrusted entity.

Figure 1: pop-up for DriveCleaner
Another type of pop-up frightens the user by claiming that porn material is on his computer. Notice the “Teen (underage?)” in Figure 2, meant to scare him with possible jail consequences.

Figure 2: pop-up for porn content

Figure 3: pop-up for Privacy Protector
Going one step further, we have noticed instances of pop-ups looking very much like a real Microsoft Windows XP interface.

Figure 4: Pop-up using Microsoft Windows XP style
Lastly, let’s mention that rogues are not affected by the language barrier. We found Winativirus Pro localized in about 10 different languages.
Forced Installations:
This is actually the part that makes our day in SWAT: when a totally unwanted program gets forcefully installed and keeps bugging the user to register. When pop-ups are no longer effective, pushing rogue software through exploits becomes lucrative. A compromised website or a fake video codec may bring the user many unwanted programs, and very often rogue software will be among them.
In the case of a web-based infection, visiting a malicious website will trigger a drive-by download. The threat can download additional malware, and rogues are known to piggy-back with other programs.
Although most malware will run silently (keyloggers, stealing Trojans…), it is in the interest of the rogue program to catch the user’s attention, using warning messages, pop-ups, changes of desktop wallpaper, etc.

Figure 5: A warning from BraveSentry

Figure 6: the current wallpaper gets replaced with a pitch black screen
All these techniques contribute to the sense of panic the user is going to experience. Getting rid of the software manually can be a daunting task. Not only did the program come totally uninvited, it will stay on the PC like fleas would on a dog. This is because malware present on the computer will check periodically for the presence of the unwanted components and, if they are not there, will reinstall them.
Some people will decide to buy the rogue software because they can’t take it any longer. This is obviously a bad decision, as most rogues have absolutely no back-end programming, which basically means there is nothing more than a pretty user interface with big buttons and colours. The product is a fake and totally incapable of doing anything.
Conclusions:
There is no end in sight for rogue software. The list will keep on growing because there is money to be made. The names and logos will change but the same scams are still going to affect many users.

Figure 7: Message from winfixer.com and the infamous rogue called Winfixer… Software out of stock???
Jerome Segura