What Is Rogue Security Software?

Date First Published: 15th May 2023

Topic: Cybersecurity

Subtopic: Threats To Systems, Data & Information

Article Type: Computer Terms & Definitions

Difficulty: Medium

Difficulty Level: 5/10

CONTENTS

Characteristics & Techniques
How Does Rogue Security Software Spread?
Signs Of Rogue Security Software
Examples Of Rogue Security Software

Learn more about what rogue security software is in this article.

Rogue security software is a type of malware that tricks users into thinking they have viruses or malware on their computers when they actually don't and misleads them with fake detections and alerts. Rogue security software uses intentional false positives and exaggerated warnings to convince users that their computers are infected with a virus and asks them to pay for a fake virus removal tool. Rogue security software is a type of scareware and a Trojan horse, since it disguises itself as antivirus software when it is actually malicious and scares users into downloading, installing, and purchasing a fake removal tool.

Characteristics & Techniques

Rogue security software is designed to look like something beneficial, but it is actually worthless and provides no real security. It uses scare tactics to persuade users to pay for the fake antivirus. This is because the most important goal to the rogue security software creator is to sell as many copies as they can. Rogue security software can also be distributed as clones of other fake antivirus programs, but with different names to maximise its spreading.

Some rogue security software creates a list of non-existent files and made-up threat names, whilst other rogue security software may randomly select files from the system, including valid clean system files. Choosing to delete these files will lead to serious issues, including system instabilities.

Most rogue security software includes dramatic notifications or warnings designed to create a sense of urgency or fear. They may automatically bombard the user with notifications near the taskbar, automatically open webpages in web browsers that informs the user that they are infected and have to pay for the antivirus, or even change the browser homepage or desktop background to a security warning.

How Does Rogue Security Software Spread?

Rogue security software often spreads by ads or popup windows that appear on a webpage and display notifications or warnings of problems on user's computers. Users that fall for this scam and click on the ad will be directed to the malicious website, which will download the file to install the software onto their computer.

After opening the malicious file, the rogue security software will install on the user's computer and they will become infected with it. After becoming infected, the rogue security software may perform all sorts of malicious actions and once it is installed, it can be difficult to remove. Therefore, prevention is much more important than removal. Fortunately, antivirus software can detect and block rogue security software before it infects your computer. For more information about what rogue security software can do, see the signs of rogue security software below.

Sometimes, rogue security software installs itself through a drive-by-download with no manual interaction which exploits vulnerabilities in web browsers and operating systems, but that is not as common now.

Also, it is not uncommon for links to rogue security software to appear in the list of search results when searching for antivirus software. Malware distributors have been using black hat SEO techniques in that they pushed infected URLs to the top of search engine results about recent news events. People looking for articles on these types of events on a search engine might find results that, upon being clicked, are instead redirected through a number of sites before arriving at a landing page that says that their computer is infected with a virus and offers a download to a trial of the rogue antivirus software. A 2010 study by Google discovered 11,000 domain names hosting fake antivirus software. This makes up for 50% of all malware delivered via internet advertising.

Signs Of Rogue Security Software

If you have a rogue security software installed, you may experience the following additional signs:

Continuous popup windows or redirects to pages showing a virus infection warning.
Your web browser homepage, settings, or desktop background have unexpectedly changed without your permission.
Disabled system tools, like Task Manager and Control Panel. In extreme cases, rogue security software may lock various aspects of your computer to make it harder to remove the rogue antivirus program.
Unrecognised programs and toolbars installed without your permission.
Malfunctioning legitimate antivirus programs. Some rogue antivirus programs can even detect legitimate antivirus programs and prevent them from running by terminating their processes.
Frequent crashes, blue screens, error messages, and shutdowns.
Unusually slow loading or booting times.
Lots of spelling, grammatical errors, and awkward phrasing in the rogue security program.
Your system registry and settings have been unexpectedly modified without your permission.
Automatic software updates and access to certain websites, particularly malware removal sites, and antivirus company sites, have been abruptly disabled without your permission.

Examples Of Rogue Security Software

Below are five examples of rogue security software:

SpySheriff - A malware that disguised itself as a legitimate anti-spyware program. It scared the user into purchasing the program after returning a list of fake threats and made itself difficult to remove since it nested its components in System Restore folders, blocked access to some system management tools, and blocked access to connect to the internet in any web browser. SpySheriff was hosted at both www.spysheriff.com and www.spy-sheriff.com, which ran from 2005 until their shutdown in 2008.
Antivirus XP 2008 - A fake antivirus that claimed to remove virus infections found on a computer running Microsoft Windows. The software frequently displayed popups that asked the user to purchase the software to remove non-existent viruses. There were over 30 clones of this fake antivirus software with slight variations that have been distributed throughout the web.
WinFixer - A scareware rogue antivirus that claimed to repair system problems on computers running Microsoft Windows if the user purchased the full version of the program. The claims on its webpages were never verified by any reputable source and most sources considered this program to be one that actually harms system stability and performance. The site went down in December 2008 after actions taken by the Federal Trade Commission.
ContraVirus - A rogue security software which disguised itself as a legitimate anti-spyware program. It used fake and exaggerated scan results to convince users into paying to remove non-existent spyware items. It was often downloaded as part of a Trojan horse, hijacked the user's browser, and installed a toolbar.
VirusHeat - A malware that disguised itself as a legitimate antivirus program. It was a form of scareware that tricked users into paying for the full version of the program using false warnings and popups. It also used exaggerated scan results to mislead users. When the scan was finished, a warning message popped up linking to VirusHeat's homepage where the user is asked to pay for the software. It was launched on 8th February 2008.