Scareware: Rogue Security Software
Have you ever been in a situation like this? You are surfing on the internet and suddenly a window pops up telling you that something is wrong with your computer:

Don’t think it’s just WinAntivirus Pro 2006! There are hundreds of other variations, such as Winfixer, Antivirgear, Antivirus Gold / 2008 / 2009, Drive Cleaner, IEDefender, MACsweeper, MS Antivirus, MS Antispyware, SpySheriff, Systemdoctor, TheSpyBot, SpywareStormer…
Another message might look like this:

When this happens some clients start to panic; they suddenly realize that they haven’t updated their Antivirus protection lately. Some decide to update their Antivirus software right away. To do this, usually a new screen comes up and asks for payment for another year of subscription. However, the user doesn’t realize that the pop-up screen is offering a different Antivirus product, not the one already installed that he wants to renew. It calls itself something like “VirusProtectPro,” and looks authentic. It shows a lot of symbols that look impressive, and comments that make the user think he is buying great Antivirus software. All the user needs to enter is his credit card information, and $39.99 or more will be deducted from his bank account.
The problem is that the buyer isn’t getting what he wanted, and he definitely won’t want what he gets. It’s a piece of software that might initially stop the popups that lured him into buying this program, but it might not do anything else. It doesn’t really protect the user from other attacks. On the contrary, it will most likely create more problems and will ask the unwitting user to buy more protection.
Just what is going on with scareware?
Let me quote this definition from Wikipedia: “Rogue security software is software that uses malware (malicious software) or malicious tools to advertise or install itself or to force computer users to pay for removal of nonexistent malware. Rogue software will often install a trojan horse to download a trial version, or it will execute other unwanted actions.” (http://en.wikipedia.org/wiki/Rogue_software)
I found another name for this kind of infection, “Scareware.” Why? It scares you by showing you infections or problems you don’t have, just to get you to download and pay for their products. You might say that you are not easy to scare, and that you have a Mac and Macs don’t get infected! Well, think twice, for you might see the following screen even in Firefox:

You might say now “So what? I click on cancel and ‘Voila’ the problem is resolved!”
Hopefully this will work, but lately it doesn’t seem to make any difference whether you click “cancel” or “ok” or even the little “x” in the right-hand corner of the window. The malicious software will be downloaded and installed, and will bug you over and over again with popups and requests to buy the software.
How can you protect your computer from scareware?
The less protection you have, the more likely these con artist programs can infect your computer. Make sure you have a legitimate, non-rogue Antivirus product installed, such as Norton, McAfee, Avast, AVG, Trend Micro, Kaspersky or NOD32. Be aware that you should only have one Antivirus product installed at a time; otherwise those programs mess up Windows and/or fight over the files to be protected and get in the way of each other. Some clients tell me proudly that their computer came preinstalled 5 years ago with, for example, Norton, and they were running scans every day. What they weren’t aware of was that Norton needed to be renewed on a yearly basis. The result is that the protection on this computer is only good for viruses that came out 4 years ago. But what about the thousands that have been added in the last years?
Unfortunately, even if your computer’s anti-virus software is fully updated, it could still get infected by a virus. As I tell people all the time, if their computer is hit with the first wave of a new kind of virus, it might get infected because the “immunizing” Antivirus software might not know what to do with it. Even if it notices the infection, it might be incapable of removing it, because the infection has merged itself with a system file. In this case, Windows will not allow the Antivirus software to touch or remove the infection.
Sometimes you download the infection together with so-called Trojans. They got their name from the Trojan Horse, because when you download one thing, you are unaware that you are also downloading something else that is hidden inside. For example, you download a “free” game or music and/or video file. Once you start installing and playing the game, the hidden malicious software will get installed as well.
What should you not do when you notice an infection?
Don’t panic! If you already paid the money to buy one of these rogue programs, I would recommend calling your credit card company right away. Hopefully, they can give you your money back. The problem for the banks is that the companies behind these scams often use false or foreign addresses. A recent internet search suggests that the owners of these companies’ domain names/websites are in Ukraine, Poland or Honduras. There are lawsuits out there to shut down these companies, but these companies are slippery fish to catch.
Some people try to restore their computer in the hopes of getting rid of the viruses. This sounds like a good idea, but in my experience, restoring the computer to a status of some days or weeks ago doesn’t remove all the infections. On the other hand, you might suddenly notice that Windows is having other problems and that any software you installed recently is gone.
Some clients go to the extreme measure of using computer recovery software (sometimes offered on bootup of the PC) to reinstall Windows itself. While the non-destructive method usually will not remove all infections, the destructive one will do the job. It will remove all viruses and you will have a clean system. But now the client is upset because the data is gone. Well, it was wiped out along with the viruses! If this is fine with you, good; if not, I have tools that might be able to recover a good amount of the data.
How can you minimize the damage?
Some tech blogs recommend disconnecting from the internet right after this popup comes up. As mentioned before, do not try to click yourself out of the popup! Usually the download will be triggered anyway. By quickly unplugging/disabling the network connection or disconnecting the modem, a download will not be possible anymore. (But you can’t know whether it has already happened.) Some sources say that pressing Alt-F4 on a PC will minimize the damage.
At some point a backup of your data (while offline) might be a good idea. Some data might be infected, but later on, when your system is clean again, you can clean up the data files. My recommendation is to bring the computer to a computer specialist. Rogue security software programs are tricky and tough, and it’s really hard to remove them completely. If you simply try to uninstall the rogue software program, it usually results in an error message, or it tells you it is uninstalled (but it is still on your computer).
However, if you really want to risk doing your own surgery, then, without going into full detail, here are a few procedures you can try.
You should:
- try to stay offline
- remove temporary files
- check/trim your startup files
- run a full system scan with your existing Antivirus
- run the free tool Spybot Search&Destroy from www.safer-networking.org
- run HijackThis from Trend Micro (free software), but be careful, because wrong handling might damage Windows
- run the HouseCall free online scan from Trend Micro (now you have to be online)
In my experience, the nastier versions of this scareware need professional manual removal of the infected files. Otherwise, the tools say that they removed the “evil,” but after the next reboot or a few days later, everything is back and the partially dormant infection reawakens. Very spooky.
If you have questions or comments, feel free to contact me at askthedok@dokklaus.com.