For many years attackers have used rogue security software, also known as fake antivirus software or “scareware”, to fool computer users into installing malware and/or divulging confidential information. These programs typically mimic the general look and feel of legitimate security software programs and claim to detect a large number of nonexistent threats while urging users to pay for the “full version” of the software to remove the threats. Attackers typically install rogue security software programs through exploits or other malware, or use social engineering to trick users into believing the programs are legitimate and useful. Some versions emulate the appearance of the Windows Security Center or unlawfully use trademarks and icons to misrepresent themselves (some examples are shown below).

Figure 1: False branding used by a number of commonly detected rogue security software programs

Rogue security software initially targeted English-speaking users, primarily in the United States, but over the past six years we have seen attackers using this type of attack in many countries around the world, in languages other than English, such as Korean.

Figure 2: Countries or regions with the most rogue detections in the first half of 2012 (SIRv13)

Figure 3: Trends for the most common rogue security software families detected in the first half of 2012, by quarter (SIRv13)

Part of the reason that rogue security programs continue to be successful is that they are very convincing. Do you think you could tell the difference between a real security program and a rogue security program?

If you are up for it, take the Microsoft Malware Protection Center’s “Real Vs. Rogue” challenge.

This new app features an interactive quiz that uses images of actual rogue security software to test whether you can tell the difference between legitimate antivirus software and rogue security software. Together with the videos we published on rogue security software, this is a great free tool for organizations looking to educate their computer users on common threats found on the Internet today.

Tim Rains
Trustworthy Computing