
Rogue Anti-Virus Program

A rogue anti-virus program is a type of computer parasite not unlike a Trojan horse. Rogue anti-virus programs are typically installed on your computer as a result of web-surfing activity and the acceptance of advertisements that claim leaving the current website will leave behind a trace or infection that their product can remove.

Rogue anti-virus applications differ from Trojan viruses by using scare tactics to intimidate you into purchasing their product. If one has already been installed on your system, it and the many infections possibly installed along with it will not appear in any “Add or Remove Programs” menu.


Example of a Rogue Anti-Virus program interface

The Internet landscape is peppered with distributors of rogue anti-virus programs, thus making it hard for PC users to distinguish between the good anti-virus programs and the bad or rogue anti-virus programs. So what makes a program rogue? A rogue computer program is any program that is dishonest and on the surface offers one thing but in actuality does another, especially something that is harmful. 

Rogue anti-virus programs mimic the look and behavior of legitimate anti-virus programs to fool unsuspecting PC users into trusting their offers. Rogue anti-virus programs offer to block or remove infections, when in fact they do the opposite. Rogue anti-virus programs stage a security breach and use fake alerts, scans, and reporting in hopes of scaring the victim into buying fraudulent software, much like rogue anti-spyware programs. However, while the victim's eyes are busy absorbing the explosion on their screen (i.e. the presentation of fake alerts, scans, and reporting), the rogue anti-virus program, courtesy of its engineer, a Trojan, wages an underlying attack.

Most rogue anti-virus programs are distributed as follows:

  • Cybercriminals dedicate domains (i.e. websites) to promote the purchase of rogue anti-virus programs.
  • By way of a Trojan downloader. A Trojan downloader can be camped on a compromised website, able to automatically download malicious files, i.e. rogue anti-virus program files, when a visitor lands on its page.
  • Trojans are known to use guises that trick PC users into clicking and downloading poisonous files. Therefore, it is likely you or someone using your computer clicked on a fake Adobe Flash update or Windows security alert, for example, and unknowingly downloaded a rogue anti-virus program.
  • A Trojan may be hidden behind a venomous link or attachment wrapped in an email spam communication.
  • A Trojan may be hidden behind a humorous, salacious, or sensationalized tease/link planted on the friendly grounds of social networking platforms.
  • Malware is often cloaked inside the download of freeware or shareware and true intent buried in a vague end-user license agreement.

Most rogue anti-virus programs behave the same:

Hidden (happening in the background)

  • Trojan rigs the firewall so it reads its malicious program as non-threatening
  • Trojan deactivates weaker anti-virus programs and security tools
  • Trojan disables administrative controls like Task Manager and corrupts System Restore
  • Trojan opens a two-way port and makes repeated connections to a command and control server to:
    • Report successful infiltration
    • Report implantation of malicious files and components
    • Survey system and:
      • Report what malicious files and components were already present on the infected system
      • Gather system data that identifies vulnerabilities or information that could aid in future strategies and malicious attacks
    • Transmit stolen data:
      • Passwords, usernames, PINs, certificates, etc., stored in the browser cache
      • Email addresses stored in HTML files or on the hard drive
      • System log
    • Fetch additional malicious programs:
      • Backdoor – used to give a hacker remote access and allow misuse of system resources to wage a DNS strike or mine Bitcoins, an underground currency
      • Keylogger – used to record keystrokes being entered into web-based forms, mainly of a financial nature
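Of the hidden behaviors listed above, the repeated connections to a command and control server are the one a defender can most readily spot in network logs: a human browses at irregular, bursty intervals, while a check-in loop fires on a timer. The following is an added example, not code from this page or its threat database, that finds such beaconing in a constructed firewall log excerpt. The log format, the hosts and addresses (RFC 5737 documentation ranges), and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall log excerpt (invented hosts and addresses, not from a real incident).
# 10.0.0.7 contacts 203.0.113.9:8080 every five minutes, the shape of a C2 check-in loop,
# and 198.51.100.25:443 at irregular, human-paced times.
SAMPLE_LOG = """\
2010-03-14T09:00:02 10.0.0.7 -> 203.0.113.9:8080
2010-03-14T09:00:31 10.0.0.7 -> 198.51.100.25:443
2010-03-14T09:03:10 10.0.0.7 -> 198.51.100.25:443
2010-03-14T09:05:03 10.0.0.7 -> 203.0.113.9:8080
2010-03-14T09:10:01 10.0.0.7 -> 203.0.113.9:8080
2010-03-14T09:15:02 10.0.0.7 -> 203.0.113.9:8080
2010-03-14T09:20:03 10.0.0.7 -> 203.0.113.9:8080
2010-03-14T09:21:19 10.0.0.7 -> 198.51.100.25:443
2010-03-14T09:22:05 10.0.0.7 -> 198.51.100.25:443
2010-03-14T09:25:02 10.0.0.7 -> 203.0.113.9:8080
2010-03-14T09:40:50 10.0.0.7 -> 198.51.100.25:443
"""

# Assumed line layout: ISO timestamp, source host, "->", destination host:port.
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+)$")

def parse_log(text):
    """Yield (timestamp, source, destination) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def find_beacons(text, min_connections=5, max_jitter_ratio=0.1):
    """Return flows whose connection timing is too regular to be a person.

    A flow is (source, destination). It is reported when it has at least
    min_connections and the standard deviation of the gaps between successive
    connections is at most max_jitter_ratio of the mean gap.
    """
    times = defaultdict(list)
    for ts, src, dst in parse_log(text):
        times[(src, dst)].append(ts)
    beacons = {}
    for flow, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps)
        if avg > 0 and jitter / avg <= max_jitter_ratio:
            beacons[flow] = {"count": len(stamps), "mean_interval": avg, "jitter": jitter}
    return beacons

if __name__ == "__main__":
    for (src, dst), stats in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {stats['count']} connections every ~{stats['mean_interval']:.0f}s "
              f"(jitter {stats['jitter']:.1f}s)")
```

On the sample data only the 203.0.113.9:8080 flow is reported: six connections, 300 seconds apart, with about one second of jitter. The 198.51.100.25 flow also has five connections but its gaps vary by hundreds of seconds, so it is left alone. Legitimate software (update checkers, mail clients) beacons too, so treat the output as a list of flows to correlate with what is running on the host rather than as a verdict.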

Visual (happening in the foreground)

  • Victim overwhelmed with scary but fake alerts that all read as critical in nature
  • Interface of rogue anti-virus program appears seemingly out of nowhere and runs an unauthorized quick scan to confirm the intrusion
  • A prompt suggests the victim run a full scan to identify the actual intruders (infections) and their locations (file, folder, etc.)
  • If full scan is run, a list of scary infections will be reported/returned
  • To remove found infections, victim will be required to purchase the full-version of the rogue anti-virus program

The above is typical behavior of most rogue anti-virus programs. Unfortunately, buying the rogue anti-virus program will not end the nightmare. In fact, by entering your credit card information you will be helping a cybercriminal possibly ruin your financial future. Unless you like throwing away your money and turning your computer over to a hacker, you will need to remove the rogue anti-virus program and its associated files or components. However, removal may be easier said than done. Trojans and other malicious programs are known to use rootkit technology to mask and bury malicious files from the persons or tools hoping to remove them. So while manual removal is not impossible, it will be hampered by obfuscation tricks, i.e. polymorphic coding and rootkits.

Trojans are stealthy and can make system changes comparable to those of an IT expert. One change will involve editing the registry and adding an auto-run key that runs the malicious executable each time the operating system is booted. Another change, thanks to rootkit technology, involves masking file names so they read the same as legitimate operating system files. If you are not familiar with the operating system structure, you may not realize the malicious file is mapped incorrectly. However, if you delete the wrong file, you could corrupt your own hard drive and erase valuable data. Therefore, use of a professional antimalware solution containing an anti-rootkit component is highly recommended. A stealth antimalware solution can not only uproot hidden malware in the kernel or BIOS and remove it without causing further harm, but also restore corrupted files, i.e. operating system files the Trojan hooked or injected with malicious code.
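The two tricks described above, an auto-run registry entry and a file named after a legitimate system binary, leave a pattern that can be checked before anything is deleted: the auto-run entry points at an executable in a user-writable directory, or at a system binary name that sits outside the Windows directory. The following is an added example, not code from this page or its threat database, that applies those checks to a constructed set of Run-key entries. The entries, the user profile path, and the vocabulary list are assumptions; on a live host the entries would be collected from the HKLM and HKCU `...\CurrentVersion\Run` keys with `reg query` or Python's `winreg` module.

```python
import re
from typing import Dict, List, Tuple

# Names of core Windows binaries that a rogue program borrows to look legitimate.
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe",
                   "winlogon.exe", "services.exe", "smss.exe"}

# Where an installed product normally lives (lower-cased, matched by prefix).
WINDOWS_DIR = "c:\\windows\\"
TRUSTED_PREFIXES = (WINDOWS_DIR, "c:\\program files\\", "c:\\program files (x86)\\")

# Directory markers that need no administrator rights to write into.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                         "\\programdata\\", "\\downloads\\")

# Vocabulary taken from the rogue anti-virus names catalogued on this page.
ROGUE_NAME_RE = re.compile(r"anti[- ]?vir|anti[- ]?malware|security|defender|protect", re.I)

# Assumed (constructed) values for the environment variables Run entries commonly use.
ENV = {"%appdata%": r"c:\users\victim\appdata\roaming",
       "%localappdata%": r"c:\users\victim\appdata\local",
       "%temp%": r"c:\users\victim\appdata\local\temp",
       "%programdata%": r"c:\programdata",
       "%systemroot%": r"c:\windows", "%windir%": r"c:\windows"}

def executable_from_command(command: str) -> str:
    """Pull the executable path out of a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)", command, re.I)  # bare path: stop at the first .exe
    return m.group(1) if m else command.split(" ")[0]

def normalize(path: str) -> str:
    """Lower-case the path and expand the assumed environment variables."""
    p = path.lower()
    for var, value in ENV.items():
        p = p.replace(var, value)
    return p

def triage_entry(value_name: str, command: str) -> List[str]:
    """Return the reasons one Run entry deserves a closer look (empty list if none)."""
    exe = normalize(executable_from_command(command))
    base = exe.rsplit("\\", 1)[-1]
    findings = []
    if any(marker in exe for marker in USER_WRITABLE_MARKERS):
        findings.append("runs from a user-writable directory")
    if base in SYSTEM_BINARIES and not exe.startswith(WINDOWS_DIR):
        findings.append(f"uses the system binary name {base} outside the Windows directory")
    if not exe.startswith(TRUSTED_PREFIXES) and (
            ROGUE_NAME_RE.search(value_name) or ROGUE_NAME_RE.search(base)):
        findings.append("security-product name but not installed under Program Files or Windows")
    return findings

def triage(entries: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each suspicious value name to its findings; clean entries are omitted."""
    report = {}
    for value_name, command in entries:
        findings = triage_entry(value_name, command)
        if findings:
            report[value_name] = findings
    return report

# Constructed Run-key contents: two legitimate entries and two modelled on the
# behaviour described above (a rogue "Antivirus 2010" and a fake svchost.exe).
SAMPLE_RUN_ENTRIES = [
    ("SecurityHealth", r'"C:\Windows\System32\SecurityHealthSystray.exe"'),
    ("OneDrive", r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Antivirus 2010", r'"C:\Users\victim\AppData\Roaming\av2010\antivirus2010.exe" /autorun'),
    ("svchost", r"%APPDATA%\svchost.exe"),
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_RUN_ENTRIES).items():
        print(f"{name}: " + "; ".join(findings))
```

The report lists the two rogue entries with two findings each, but it also lists OneDrive, which legitimately runs from the user profile. That is the point of calling it triage: the heuristics produce candidates, and a publisher signature check or an allowlist of known products is what turns a candidate into a removal decision, which is why the text above recommends an antimalware tool over deleting files by hand.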

In order to keep malware at bay, it will be important to keep an antimalware solution in effect at all times, keep software updated and patched, and follow safety guidelines when using the Internet. Otherwise, if you are using Microsoft Windows, you can expect a repeat performance at next and every boot thereafter.

Rogue Anti-Virus Program List

Threat Name                                          Severity Level   Detections
'Internet Security – designed to protect' Fake AV    100 % (High)     1,200
A-Fast Antivirus                                     100 % (High)     12
A-Secure 2015                                        100 % (High)     0
Activeris Antimalware                                10 % (Normal)    5,290
AKM Antivirus 2010 Pro                               100 % (High)     22
Albinos Defender                                     20 % (Normal)    0
AlfaAntivirus                                        100 % (High)     10
Anit-Virus Scanner                                   20 % (Normal)    62,846
Anti Virus Armor
Antimalware - Proven Antivirus Protection            20 % (Normal)    0
Antiprotect
Antivir 2010
Antivir Antispyware
Antivir Pro
Antivir Solution Basic
Antivir Solution Plus
Antivirii 2011                                       100 % (High)     11
AntivirSolution
Antivirus 10                                         100 % (High)     8
Antivirus 2010 RTK
Antivirus 2010 Security Center
Antivirus 7                                          100 % (High)     15
Antivirus Action                                     100 % (High)     0
Antivirus Center                                     100 % (High)     341