A quick guide to Rogues - what they are, what they do and how to avoid being infected with a Rogue.
F-Secure classifies antivirus software that uses misleading, fraudulent or outright malicious messaging as Rogues.
These programs typically show fake or exaggerated infection reports, identify legitimate files as malicious and, in the most extreme cases, install malware themselves.
A common tactic used by 'free' or 'trial version' rogues is to claim that a fee (either to 'register' or get the 'full version') is required in order to remove the infections reportedly found.
If the user does pay for this service, the program may actually remove any malware present; in other cases, however, no real removal happens and the rogue simulates a successful cleanup by displaying fake or misleading scanning and report screens.
[Image: Rogue:W32/XPAntivirus's infection notification message]
Rogues are also often distributed using misleading ads, which are displayed on websites the user visits. These ads claim that the user's device has been infected and direct the user to install the rogue to deal with the infections. These ads are intended to pressure and scare the user into installing the rogue.
More malicious ways
Another way rogues trick users into installing them is 'bait and switch'. In this type of social engineering attack, the user is promised a file they actually want, perhaps a video or image in a zipped archive, but when they download and run the program, it turns out to be a rogue.
Some malware silently installs rogues on a user's system as part of its payload. Malicious (or compromised) websites may also exploit vulnerabilities in the devices of visitors to the site to silently install a rogue, in an attack known as a drive-by download.
Once installed, rogues can vary in the quality of service provided. The program may actually be able to find and remove any malware present. Poorer programs are unable to find the malicious files, identify legitimate system files as harmful, or claim threats are present where there are none.
In the most fraudulent cases, however, no real scanning or removal happens; the rogue simulates a successful cleanup by displaying fake or misleading scanning and report screens.
Spotting a rogue
Rogues can be difficult to identify and remove, as they often mimic the appearance of reputable antivirus software.
For most users, the simplest way to verify if a program is a rogue is to look for reviews of the product on reputable software review sites.
Most reputable antivirus programs will also automatically detect and remove rogues. Finally, to avoid being affected by drive-by downloads, make sure to keep the operating system and any installed programs updated to close known vulnerabilities.
[Image: Scanning screens displayed by Rogue:W32/WinAntivirus]
[Image: Scanning screens displayed by Rogue:OSX/MacDefender]