The third generation of WiniGuard gets a new clone every 48 hours
A new rogue security product called IGuardPC, that we added to detections today, is the 50th clone of the WiniGuard family of rogue security products. That makes WiniGuard the largest rogue family ever detected by Sunbelt researchers.
The WiniGuard family began in September of 2008. Operators behind it have added variants that our researcher Patrick has sorted into three generations. The latest generation gets a new clone about every 48 hours to stay ahead of public awareness and anti-malware detections. Most of them are being caught by existing VIPRE detections.
The first generation of WiniGuard used the site winiguard.com. It was created Sept. 17, 2008, by the same group who probably began circulating rogues using macguard.net, which has the same IP address. WiniGuard installed five files.
SaveKeep, first found August 17, marked the beginning of the second generation. This was distinguished by the use of two files instead of five.
On Oct 17 the TREAntivirus rogue opened the third generation with a new GUI interface.
Today’s IGuardPC makes a total of 50 clones — the largest family we’ve ever found:
WiniGuard rogues by generations
Research by Patrick Jordan