Select Page

Rogue deception techniques continue to evolve

The unpleasant folks who make their living selling useless rogue security products continue to refine their techniques for deception.

The latest imitator is a new variant of the Fake Microsoft Software Removal Tool rogue that is popping up these days (literally) recommending that users purchase “Shield EC AV.”

(click to enlarge)

(graphic credit sUBs @ MR)

On the ShieldEC Antivirus purchase page, we even find a mono-color imitation of Microsoft’s Windows “flag” logo:

(click to enlarge)

Vipre detects the threat as Trojan.Win32.Generic!BT

In two years, we’ve seen the rogue creators move from a simple “technical” look of their graphic interfaces and purchase web sites to imitations of anti-virus products then on to the names and looks of more technical security applications.

The first rogues: create an official aura

Their first “demographic” seemed to be inexperienced Internet users who had heard about anti-virus products, but weren’t really that checked out on them (and certainly hadn’t purchased one.) The first rogues had names like Astrum Antivirus Pro (Dec. 2008), MalwareBell (Jan. 2009) and XP-Police Antivirus  (Jan. 2009). They projected an image of “anti-virus – security – very technical.”

Wave two: imitate the name or look of legitimate AV products

Soon, however, knowledge of the rogue security product phenomena became widespread and the rogue makers began naming their creations after legitimate anti-virus products in order to fool Internet users who might know a bit about security products:

Antivirus360 (Jan. 2010) was obviously an attempt to confuse a victim with Norton 360, Symantec’s popular anti-virus product.

A rogue that surfaced in February, named “Security Anti-Virus Suite” extensively plagiarized the umbrella logo and look of the web site of the legitimate Avira anti-virus product

In May, a rogue that called itself ByteDefender” was obviously picking up on the name of the legitimate product “BitDefender” .

Wave three: imitate the name and look of security tools used by administrators

The latest twist to the rogue GUI “look and feel” is an imitation of the names and design of more sophisticated security applications – those that might be used by system administrators or IT professionals. Home users, even knowledgeable ones, probably wouldn’t be familiar with these.

Last week we blogged about a rogue that called itself “Wireshark Antivirus.”
That’s clearly an attempt to confuse a victim who might do a Web search to check on the legitimacy of what is before him. Wireshark is a popular network analysis tool.

In June, Microsoft posted information about a rogue “SysInternals Antivirus” which obviously is trying to suck reputation from Microsoft’s SysInternals security suite.

Thanks Bharath.

Tom Kelchner