A quick guide to Rogues - what they are, what they do and how to avoid being infected with a Rogue.
- What is a Rogue?
- What a Rogue Does
- How a Rogue Infection can Occur
- Detecting and Removing a Rogue
- How to Avoid a Rogue Infection
A legitimate and reputable antispy/antivirus program is a necessary tool for most modern computer users, and is used to protect their computer system from malicious or unwanted programs.
Less reputable antivirus/antispyware products also claim to detect and remove malicious software, but due to their behavior, may be considered substandard, fraudulent or downright malicious.
Most of these dubious products use various underhanded methods to exaggerate their effectiveness. For example, the product may inflate the number of infections present on a system, display excessive, 'alarmist' or false infection notification messages, or misrepresent common system files as malicious.
At the most extreme, these products may themselves install malware onto a system, which they may or may not subsequently remove.
Due to their misleading and often malicious nature, F-Secure classifies such programs as Rogues.
The most visible symptom of a rogue infection is when the installed product displays excessive messages prompting the user to scan their computer system for infections, or to pay for a 'full version' of the product that will remove found infections.
In some instances, the scan may be started even without the user's authorization. In the more extreme cases, no scan is actually performed - instead, an image file is displayed that simply mimics a real scanning screen.
Once the scan is performed, infection notification messages are displayed. Often, these are couched in alarming terms. They may report more infections than are present, misrepresent legitimate system files as malicious, or fraudulently claim infections are present even on a clean system.
Image 3: Rogue:W32/XPAntivirus's infection notification message
Even though the scan has been performed, many rogues claim to be 'trial versions': actual disinfection would require the user to pay for a 'full version' of the product. If the user does so, the full product may or may not disinfect the system; in the case of a rogue that fabricated the infections in the first place, there is nothing to disinfect, and the payment simply funds the operation.
A rogue may be installed onto a computer system in a number of ways:
- User installed
- Voluntarily installed directly from website / link
Rogue products are designed to appear professional and trustworthy; in many cases, they mimic or even outright copy the design of a reputable legitimate product. These rogues are promoted on their own websites or via affiliate partners. Users unfamiliar with the nature of these products may therefore assume they are safe and voluntarily download and install them.
- Voluntarily installed (social engineering)
Rogues may also be maliciously distributed using social engineering tactics that trick users into installing the program. Most commonly, users are directed (either through 'poisoned' search engine results or malicious links sent out in spam) to a malicious site that displays what appears to be a video. To see the promised video, users are requested to download a file, allegedly the 'video', or a 'codec', or similar. In reality, the user ends up downloading and installing the rogue onto their machine.
- Involuntarily installed
A number of trojan-downloaders silently install rogue products onto an infected computer.
- Driveby download
While browsing the Internet, an unsuspecting visitor to a malicious or compromised website hosting a specially crafted exploit may be silently infected with a rogue if their computer system has unpatched vulnerabilities susceptible to the exploit. This type of 'behind the scenes' infection is known as a 'driveby download'.
At the time of writing, driveby downloads tend to exploit vulnerabilities in Java and the web browser.
Rogues can be problematic to detect and eradicate, for both users and legitimate antivirus programs. As the profit-generating nature of rogueware gives their operators a strong financial motive for keeping their products undetected, rogueware operators and legitimate antivirus vendors have spent the last few years in a constant game of 'cat and mouse', with one side continuously tweaking their products to evade detection, and the other following suit to counter the changes.
For users, the first line of defense is an up-to-date antivirus product with the latest virus definitions installed. Traditional signature-based detections are able to identify most known rogueware variants, preventing them from being installed.
These definitions are updated frequently to keep up with the many new variants constantly being produced by rogueware operators, so keeping the antivirus program's virus definition database up-to-date is essential. Note: if you suspect a rogue is installed on your system and it is not detected, please send a sample to the F-Secure Labs via Sample Analysis System (SAS).
Dealing with vulnerabilities
If a vulnerability exists on the computer system however, even an antivirus program with the latest updates may not be able to identify or prevent a rogueware's installation. These vulnerabilities may be in the operating system or an individual program installed on it, such as the web browser or email program.
Keeping such software up-to-date with the latest security patches is therefore crucial in protecting the system against rogueware infections. Information about the latest vulnerabilities found in popular programs is available in Vulnerability Protection.
Many rogueware operations use server-side polymorphism to evade traditional signature-based detections: the distribution server re-packs or alters the installer for each request, so every downloaded program is a unique binary file, and a file hash or byte pattern taken from one sample will not match the next download.
To counter this, antivirus programs also incorporate heuristic and behavioral analysis, which examines what the program actually does on the system and looks for suspicious actions - such as making suspect system changes or interfering with other programs - to identify the rogue and remove it, regardless of how the file itself was packed.
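The following is an added illustration of the two points above, written for this page and not taken from F-Secure or any product: an exact-hash signature built from one sample misses the next server-side polymorphic variant, a family-level content pattern still matches it, and a behavior rule catches the rogue from its runtime actions alone. The sample bytes, the junk-tail "polymorphism", the regex and the event names are all constructed for the example and stand in for real binaries and telemetry.

```python
"""Added example (not F-Secure's code): hash signatures vs. content
patterns vs. behavior rules against a server-side polymorphic rogue.
All samples and event logs below are constructed for illustration."""
import hashlib
import random
import re

# Constructed stand-in for a rogue installer: a fixed "code" section
# followed by the alarmist text such products display. Real samples are
# PE binaries; these bytes are placeholders, not a real signature.
BASE_PAYLOAD = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"WARNING! 38 infections found! Buy full version to remove them"
)


def polymorphic_variant(seed: int) -> bytes:
    """Simulate server-side polymorphism: each download gets a unique
    junk tail. Seeded so the example is reproducible; a real operator
    would re-pack or re-encrypt the whole binary per request."""
    rng = random.Random(seed)
    junk = bytes(rng.randrange(256) for _ in range(32))
    return BASE_PAYLOAD + b"\x00PAD" + junk


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Exact-hash blocklist built from the one sample the lab already analysed.
HASH_BLOCKLIST = {sha256(polymorphic_variant(0))}


def hash_detect(data: bytes) -> bool:
    """Exact file-hash lookup: only matches the sample it was built from."""
    return sha256(data) in HASH_BLOCKLIST


# Family-level content pattern (assumed): text shared by every variant
# because the rogue's social-engineering message does not change.
CONTENT_SIGNATURE = re.compile(rb"\d+ infections found! Buy full version",
                               re.IGNORECASE)


def signature_detect(data: bytes) -> bool:
    """Byte-pattern scan survives junk padding but not re-encryption."""
    return CONTENT_SIGNATURE.search(data) is not None


# Runtime indicators drawn from the behaviors the page describes
# (event names are constructed, not a real product's telemetry schema).
ROGUE_INDICATORS = {
    "unsolicited_scan",        # scan started without user action
    "alert_storm",             # excessive infection pop-ups
    "blocks_av_vendor_sites",  # interferes with reaching AV vendors
    "flags_system_files",      # reports clean OS files as malicious
}


def behaviour_detect(events: list, threshold: int = 2) -> bool:
    """Flag a process once enough independent rogue behaviors are seen.
    The threshold avoids convicting a legitimate scanner on one event."""
    return len(ROGUE_INDICATORS.intersection(events)) >= threshold


def triage(sample: bytes, events: list) -> dict:
    """Combine the three detection layers into one verdict per sample."""
    return {
        "hash": hash_detect(sample),
        "signature": signature_detect(sample),
        "behaviour": behaviour_detect(events),
    }


if __name__ == "__main__":
    rogue_events = ["unsolicited_scan", "alert_storm",
                    "blocks_av_vendor_sites"]
    legit_events = ["user_scan", "update_definitions"]
    for seed in (0, 1, 2):
        print(seed, triage(polymorphic_variant(seed), rogue_events))
    print("legit", triage(b"MZ\x90\x00clean scanner", legit_events))
```

Only variant 0 is caught by the hash blocklist; variants 1 and 2 hash differently and slip past it, which is exactly the effect server-side polymorphism is meant to produce. The content pattern and the behavior rule both catch every variant, and the behavior rule does so without reading the file at all, which is why it is the layer that survives a full re-pack.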
Removal tools and scripts
In the most extreme cases however, the rogue may be able to gain sufficient control of the system that it prevents an antivirus program from removing it, and even prevents the user from browsing a known antivirus vendor's site for removal instructions.
In such instances, users may need to use a separate removal utility program or script in order to remove the rogueware.
The following tips provide a helpful guideline for avoiding a rogue infection:
- Use a reputable antispy / antivirus product.
Most legitimate antispy/antivirus products are regularly reviewed by established computer / technology publications or websites, which can independently evaluate their performance and features. Choose a product that meets your requirements.
- Ensure your web browser, Java installation and other installed programs use the latest patches/security updates.
Please refer to the program vendor's site for further details.
- Limit / uninstall Java
If you do not regularly use Java, consider uninstalling the Java plugin from the web browser you regularly use for surfing and keeping it enabled only in a separate browser for the few occasions you need it.
Alternatively, you may even uninstall Java. For more discussion on this, read Labs Weblog post: Java Considered Harmful.
- Practice safe web browsing habits
There are numerous steps you can take to avoid malicious/compromised sites when browsing online, such as:
- Carefully evaluate any pop-up messages displayed by a website before clicking OK
- Ensure you know what program you're downloading from a site before doing so
- Run an antivirus scan on the downloaded file before installing it.
- Check a website's safety rating
If you're uncertain whether a site is malicious, check the site with a reputable website safety assessment service, such as F-Secure's Browsing Protection Portal; most known antivirus vendors have similar services available.
An antivirus or antispyware application that does not provide the functionality claimed, and may not work at all. Rogues are often promoted by deceptive or fraudulent means.