Archive for the ‘Rogue software’ Category

New rogues coming

May 5th, 2008

Those rogue apps, although they look legitimate, are scams you need to stay away from.


The fine art of rogue scamming

May 1st, 2008

Riding the wave of spyware and privacy, malware authors are making a lot of money.

The recipe is pretty simple: use scare tactics and sell a “magic” program that will solve all the troubles.

Today we are looking at a classic example: IE Antivirus, the latest rogue software. After browsing a couple of known bad sites, I found myself subject to many annoying pop-ups. They all seemed to tell me that my PC was in great danger and, as Good Samaritans, they also showed me the cure: IE Antivirus.




I am glad to hear that most credit cards are accepted, and that I will benefit from a full money back guarantee.




However, I am a little worried about the cost, around $70… I’m thinking there are many well-known programs out there that are a lot cheaper than that, but there must be a reason for this one to come right to me.
Also, I can get their Alpha wipe cleaner for a very small one-time fee.

The total charge is now around $80.


It’s hard to tell how many people will purchase the product, but it’s fair to say that these scams are very profitable. It’s sad to think that way, but that’s how the world goes on.

Your best choice to eradicate these pests is to clean your PC with a real, trustworthy program. Maybe not just one but several, since not every program will detect the Trojan responsible for it. Malware authors design thousands of variants of their Trojan in order to evade regular antivirus detection.

Our job in the SWAT team is to find all those threats before you do, so that we can protect your PC before you even get infected. There are many ways to find these things. We like to replicate regular end-user behaviour by making extensive use of our honeypots and other system traps.

JSegura


Malware authors have trouble with spelling and grammar

April 28th, 2008

We have seen so many different rogue programs these past couple of years. They try really hard to look legitimate, using fancy graphics and the Microsoft Windows style. Most of them actually look much nicer than some of your popular applications.

There is one simple reason behind that: to gain the trust of the user. Many people I know have been duped that way, downloading and buying a totally bogus anti-spyware program that claims to remove all those annoying pop-ups.

But in the SWAT team, we have a good eye for details. At least, I have a thing for spelling mistakes: they simply bother me. They can also be a hint that there is something dubious about the program.

So here are a few examples we have encountered.

Figure 1: Allert / Alert

Figure 2: 7 dangerous infection / 7 dangerous infections

Figure 3: Malaware Removal / Malware Removal

Figure 4: Most Jeopardy threats. Does that make sense?

Figure 5: operation system / operating system

Figure 6: pervent any unathorised / prevent any unauthorized

Figure 7: how many registries are there?

Figure 8: that one has to be the best :)

Figure 9: “YOUR’RE” - The ‘R’ Spanish style ;-)

And the list goes on…
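To turn this hint into something a triage analyst can reuse, here is an added example (not code from the original post) that scores a program’s UI strings against the misspellings collected above. The misspelling table, the sample strings and the threshold are all constructed assumptions; it is a heuristic for deciding what deserves a closer look, not proof that a program is rogue.

```python
import re

# Misspellings seen in rogue software UIs (from the figures above) mapped to
# the intended wording. Assumed starting table; extend as new variants appear.
KNOWN_MISSPELLINGS = {
    "allert": "alert",
    "malaware": "malware",
    "pervent": "prevent",
    "unathorised": "unauthorized",
    "operation system": "operating system",
    "your're": "you're",
    "jeopardy threats": "dangerous threats",
}


def misspelling_hits(text):
    """Return (found, intended, offset) triples for every known misspelling in text."""
    # Normalise curly apostrophes so "YOUR’RE" and "YOUR'RE" both match.
    text = text.replace("\u2019", "'")
    hits = []
    for wrong, right in KNOWN_MISSPELLINGS.items():
        pattern = r"\b" + re.escape(wrong) + r"\b"
        for m in re.finditer(pattern, text, flags=re.IGNORECASE):
            hits.append((m.group(0), right, m.start()))
    return sorted(hits, key=lambda h: h[2])


def suspicion_score(strings, threshold=2):
    """Count distinct known misspellings across a program's UI strings.

    Returns (score, flagged, distinct) where flagged is True once the score
    reaches the threshold. Legitimate software has typos too, so a flag only
    means "look closer", never "this is malware".
    """
    distinct = {}
    for s in strings:
        for found, right, _ in misspelling_hits(s):
            distinct.setdefault(found.lower(), right)
    score = len(distinct)
    return score, score >= threshold, distinct


# Constructed sample resembling the captions above, not strings from a real binary.
SAMPLE_UI_STRINGS = [
    "Security Allert!",
    "7 dangerous infection found",  # a grammar slip; this table does not catch it
    "Malaware Removal",
    "Your operation system is at risk",
    "Pervent any unathorised access",
    "YOUR\u2019RE infected, buy now",
]
```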


New rogues from well known domain

April 21st, 2008

It’s a story we’ve heard before… Fake warnings of spyware infections… Well-branded products to the rescue… PC-Antispyware & PC-Cleaner.
But let’s check out the registrar for antispyware-reviews.biz, just out of curiosity.

ESTDOMAINS! Ah, now that makes sense. These guys are well known for their bad practices and the rogue anti-spyware programs they host. Stay away from those at all costs!





If you happen to be already infected, do not get lured into buying the rogue product. Many people fall for these scams and give out their credit card number.
Instead, proceed to remove it using legitimate software. If you are not sure about the choice, ask your friends or anybody you can trust.


Rogue Software

March 31st, 2008

Rogue software has taken advantage of the publicity and fears around spyware and adware, and relies on convincing or forcing people to buy the product in exchange for getting rid of the problem.
Rogue software is nothing less than a big scam, playing with people’s fears and claiming all sorts of things as long as you purchase their so-called product, because in most cases there is no problem to cure on the PC.

In our SWAT department we have seen countless applications that fit this description.
Some of them are pretty basic and not very well designed at all, while others are very professional looking. Overall, we are impressed by the effort put into the advertising and how well crafted some of these programs are. Although we feel very sorry for the victims, we can’t help but smile when we see a variant of a popular rogue software with just a new logo but the exact same user interface, or when the Help section is written so poorly that we wonder which nationality the programmer was.

From our experience, we can say these applications basically target two markets: illegal pornography and virus/adware/spyware infections.

There are other rogues (registry cleaners and other utilities), but they are not as common. We can distinguish two means of installation: through banners or pop-ups, and forced installations brought by a Trojan downloader.

Pop-ups and other banner ads:
Advertising is done on all sorts of websites. Even some sites you would think are legitimate let it happen. For example, a popular e-card website would generate a pop-up for DriveCleaner on its main page. The pop-up claims that the user’s PC is infected with a dangerous worm. Although this is totally untrue, a small percentage of people will actually believe it, follow the instructions on screen, and end up paying money as well as giving their credit card number to a totally untrusted entity.



Figure 1: pop-up for DriveCleaner

Another type of pop-up frightens the user by claiming that porn material is on his computer. Notice the “Teen (underage?)” in Figure 2, meant to scare with possible jail consequences.



Figure 2: pop-up for porn content



Figure 3: pop-up for Privacy Protector

Going one step further, we have noticed instances of pop-ups looking very much like a real Microsoft Windows XP interface.



Figure 4: Pop-up using Microsoft Windows XP style

Lastly, let’s mention that rogues are not affected by the language barrier. We found WinAntivirus Pro localized in about 10 different languages.

Forced Installations:
This is actually the part that makes our day in SWAT: when a totally unwanted program gets forcefully installed and keeps bugging the user to register. When pop-ups are no longer effective, pushing rogue software through exploits becomes lucrative. A compromised website or a fake video codec may bring the user many unwanted programs, and very often rogue software will be among them.
In the case of a web-based infection, visiting a malicious website will trigger a drive-by download. The threat can download additional malware, and rogues are known to piggy-back on other programs.

Although most malware will run silently (keyloggers, stealing Trojans…), it is in the interest of the rogue program to catch the user’s attention: warning messages, pop-ups, changes of desktop wallpaper, etc.



Figure 5: A warning from BraveSentry



Figure 6: the current wallpaper gets replaced with a pitch black screen

All these techniques contribute to the sense of panic the user is going to experience. Getting rid of the software manually can be a daunting task. Not only did the program come totally uninvited, it will stay on the PC like fleas would on a dog. This is because malware present on the computer will check periodically for the presence of the unwanted components and, if they are not there, will reinstall them.
Some people will decide to buy the rogue software because they can’t take it any longer. This is obviously a bad decision, as most rogues have absolutely no back-end programming, which basically means there is nothing more than a pretty user interface with big buttons and colours. The product is a fake and totally incapable of doing anything.

Conclusions:

There is no end in sight for rogue software. The list will keep on growing because there is money to be made. The names and logos will change but the same scams are still going to affect many users.



Figure 7: Message from winfixer.com and the infamous rogue called Winfixer… Software out of stock???

Jerome Segura



© 2008 ParetoLogic Inc.