Seeing how Kurt over at anti-virus-rants doesn’t yet have a definition for this, and I’ve just blogged about such a situation, I thought I’d take a shot at it.
The definition of a rogue anti-spyware/anti-malware usually includes the following items: it is a program which claims to be an anti-spyware / anti-malware product, however:
- It has low or no detections, even for very well known malware (for example if it claims to be an anti-malware product, but doesn’t detect the EICAR anti-virus test file, you should be very suspicious – unfortunately there isn’t an equivalent file for anti-spyware products).
- It has a very high false positive rate. With rogue software it is not uncommon to have tens or even hundreds of “detections” on a freshly installed copy of Windows.
- Many clones. It is not uncommon for such a product to have tens or even hundreds of variants with different names, different websites and different looks (“skin”), but the same underlying binary. Supposedly this is done so that complaints about one product don’t influence the revenue stream that much (so if I’m diligent enough and do a search about product “Foo” before buying, I won’t find the complaints about product “Bar”, which is essentially the same, but has a different name). Some companies have tried to defend this method by saying that “their affiliates are free to customize the product and sell it under any name they like”, but this just seems a weak argument (if the product were any good, it stands to reason that you wouldn’t want to dilute the brand name).
- Practically non-existent customer support and no way to get your money back – unfortunately this is very hard to find out in advance.
These products balance on the border of legitimate and illegitimate. It seems that they are doing as much deception as possible, while technically staying inside the law. They started out (and a small minority still does) by working together with other malware groups (the “Fake Video Codec” aka “Zlob” is a good example of this). They would infect the computer and start showing messages (which can have different forms: plain message boxes, icons in the taskbar with balloon messages, Windows Security Center look-alikes, etc.) saying that “the computer is infected” and urging the user (directly or indirectly) to download and purchase a particular product (by indirect motivation I mean that they didn’t name the product in the message, but you were redirected to the particular website when you clicked it).
The next step was to downsize the malware operation (because it directly broke several laws) and they started to employ the “fake window” technique described earlier (showing an animation which is supposedly “scanning the hard drive” and “finding infections”). Parallel to this, they started buying Flash advertisements on different ad networks, but with a twist: the ad was not directly for the product, rather for something completely different (deodorants, airplane tickets, etc.). However, inside it there was a little piece of ActionScript code which would cause a browser window with the site of the rogue program to pop up whenever a user viewed such an ad (for more details you can read the Spyware Sucks blog). They were (are) even including targeting, meaning that a given subset of IPs will/will not see the popups (this makes convincing the business owners that they have a problem that much harder – since they don’t see the popup if their address is blacklisted).
Some companies went even further with the process of trying to appear to be a legitimate operation. They eliminated the false positives almost entirely and started to have some (weak) detection. Usually these “detections” are pulled from public sources like the CastleCops CLSID list. They still maintain their affiliate system (and blame their affiliates whenever things go wrong) and the “multiple brands / skin for one product” system. In parallel with this they started threatening AV companies which detect them with legal action. And, by the letter of the law, they are right: their product (even though it is substandard) doesn’t perform any malicious actions. And the clients pay them willingly and money is not “stolen” from them.
What does the future hold? Most companies focusing on creating rogue products will become more and more “legitimate”. This will reduce their profits, but also make them very difficult to prosecute. Most AV companies will stop detecting them because of legal threats.
Of course there are multiple such companies out there, being at different steps of this “evolutionary process”. So you can still find malware advertising rogue anti-malware, fake scanning windows, flash redirects and so on. What I described here is the general trend amongst them.
What can you do? Educate yourself and those around you about the problem. When buying a product, make sure to check out what respected review organizations have to say about it. If they don’t mention it, be suspicious. If you don’t know where to look, put the product name into your favorite search engine. Look for user opinions. If only the product site comes up (or other sites trying to sell you the product), again, be suspicious. If you want to get a little more technical, go to sites like DomainTools and plug in the domain of the product. Look at the results. Suspicious signs are:
- the domain is only recently registered
- the given company owns a portfolio of domains with similar names (like “foo-antispy”, “bar-antispy”, etc)
- the given server hosts several such domains.
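The three checks above can be applied mechanically once you have the registration data in hand. The following is an added example, not part of the original post: the records are constructed (made-up names on documentation-only addresses), and the 180-day and three-domain thresholds are assumptions, not values from any review organization.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records, shaped like what a WHOIS / reverse-IP lookup returns.
RECORDS = [
    {"domain": "foo-antispy.example", "created": date(2008, 1, 10),
     "registrant": "Acme Holdings", "ip": "192.0.2.10"},
    {"domain": "bar-antispy.example", "created": date(2008, 1, 12),
     "registrant": "Acme Holdings", "ip": "192.0.2.10"},
    {"domain": "baz-antispy.example", "created": date(2007, 12, 28),
     "registrant": "Acme Holdings", "ip": "192.0.2.10"},
    {"domain": "established-av.example", "created": date(1999, 5, 3),
     "registrant": "Old Vendor Ltd", "ip": "198.51.100.7"},
]

def name_stem(domain):
    """Shared suffix of the first label: 'foo-antispy.example' -> 'antispy'."""
    label = domain.split(".")[0]
    return label.split("-", 1)[1] if "-" in label else label

def suspicious_signs(records, today, max_age_days=180, min_cluster=3):
    """Map each domain to the list of warning signs it shows."""
    by_owner, by_ip = defaultdict(set), defaultdict(set)
    for r in records:
        stem = name_stem(r["domain"])
        by_owner[(r["registrant"], stem)].add(r["domain"])
        by_ip[(r["ip"], stem)].add(r["domain"])

    report = {}
    for r in records:
        stem, signs = name_stem(r["domain"]), []
        if (today - r["created"]).days <= max_age_days:
            signs.append("recently registered")
        if len(by_owner[(r["registrant"], stem)]) >= min_cluster:
            signs.append("registrant owns similar-named portfolio")
        if len(by_ip[(r["ip"], stem)]) >= min_cluster:
            signs.append("server hosts several such domains")
        report[r["domain"]] = signs
    return report

if __name__ == "__main__":
    for domain, signs in suspicious_signs(RECORDS, date(2008, 2, 1)).items():
        print(domain, "->", signs or "no signs")
```

None of the signs is proof on its own; a domain that trips all three deserves the closer look described above before you buy anything from it.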
For more information take a look at Spyware Warrior’s criteria for including a program on the rogue-list or at the Wikipedia page about the subject.
Update: The Sophos blog published a good description themselves. Two key points they make which I forgot to mention:
- The user interface / website of these programs is often very professional-looking, so you can’t use that as a clue
- At this time all the AV products (even the for-pay ones) allow you to download a free trial which detects and cleans malware. Be very suspicious of any product which claims to detect malware but refuses to clean it until you have purchased the “full version”.