Security practitioners exhort users to install antivirus software and firewalls, and patch their systems. After hearing this for years, users are conditioned to perform these simple checks and respond quickly when they see warnings that their system's security is not up to date. Rogue security software packages prey upon this conditioning and offer malware authors a foothold onto workstations around the world.
If you have any reason to doubt the widespread nature of this threat, consider a few facts disclosed in the 2009 Symantec Report on Rogue Security Software:
- More than 250 distinct rogue security software packages exist in the wild.
- During the one-year period ending June 2009, Symantec received reports of 43 million installation attempts
- Most of the major sources of these attempts have been in the wild for more than a year, yet they continue to successfully propagate
Once users are tricked into installing rogue security software, it can act in a manner similar to other malware: It could deliver a Trojan horse, extort cash from the user, or leverage the compromised system as a member of a botnet.
Users duped by social engineering attacks
Before we can prevent the installation of this software, we must first understand the way it propagates. The majority depend upon users to mistakenly install them in an attempt to improve the security of their system. They do this with straightforward social engineering attacks via spam, email phishing scams, or drive-by downloads delivering Web banner pop-ups designed to look like system error messages. Consider the example shown below:
This is clearly designed to mimic the style of error messages shown by legitimate security software and prompt the user to click the "Remove Threat" button to diligently remove the security risk. Unfortunately, clicking that button will install the rogue security software on the user's system, causing additional security warnings over time. Most likely, one or more of these will prompt the user to purchase yet another fake security software package or a security "update" that will do nothing other than pause the false alarms generated by the original package.
The best protection against these attacks comes from computer security awareness training programs. Make sure users understand that your organization's IT department provides all of the security software they need, and there is no need to download or install any software that promises additional help. Also, train them to contact your IT support staff immediately if they receive any type of security warning or suspect their system has been compromised.
You should also consider running Web content filtering software on your network. Filtering software checks Web requests against a list of known malicious sites before users receive the content. Those that are known to attempt rogue security software installations may be blocked.
How to remove rogue security software
Unfortunately, awareness training campaigns and content filtering software aren't always effective and some attacks will be successful. You'll inevitably come across a system generating a large number of pop-ups and will, in many instances, interfere with the proper operation of your normal antivirus software. In my career, I've seen many cases where the standard antivirus packages (Symantec, McAfee and AVG) have all been brought to their knees by rogue security software. Here's a simple process to follow to remove rogue security software and clean up an infected system:
Start the infected computer in safe mode.
In your browser's Internet Options control panel, check the proxy settings and either disable the use of a proxy or ensure that the proxy specified belongs to your organization. Rogue security software uses these settings to prevent the download of legitimate security software updates and insert paid advertisements into your Web browsing.
From a USB drive, run a scan using the Malwarebytes disinfection utility. This package, free for personal use and available at a nominal cost for business use, is the only package I've seen that reliably removes the vast majority of rogue security software.
- After completing the scan and removing the rogue software from your system, reboot and carefully monitor the system for any unusual activity.
This procedure will restore most systems to normal working order. That said, once you've been the victim of rogue security software, the only way to be truly confident your system is pristine is to rebuild it from scratch. You may wish to consider this approach if the system is used with sensitive data.
Rogue security software poses a particularly insidious threat to the security of computer systems, as it leverages the awareness efforts security professionals have promoted for years to encourage users to think about computer security. To counter this threat, you'll need to remind users that they should always seek professional help when they suspect a security problem on their computer. Further, be sure to have the tools and procedures to respond to an infection at the ready.
About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.
Send comments on this technical tip: firstname.lastname@example.org.