Watch Out for Fake Protection Programs

Recently, there has been an increase in “scareware” rogue anti-virus alerts. They claim to remove bogus virus infections found on a computer running Microsoft Windows, if the user purchases the full version of the software. The infections they report are false; in fact, the warning comes from the true infection itself (usually a Trojan horse).

These false protection programs are known under a number of names. Some examples are XP Antivirus, Antispyware Soft, Vitae Antivirus, Windows Antivirus, Win Antivirus, Antivirus Pro, Antivirus Pro 2009, Antivirus 2007, 2008, 2009, 2010, and 360, Internet Antivirus Plus, System Antivirus, Spyware Guard 2008 and 2009, Antivirus XP Pro, Spyware Protect 2009, Winweb Security 2008, System Security, Malware Defender 2009, Ultimate Antivirus2008, Vista Antivirus, General Antivirus, AntiSpywareMaster, Antispyware 2009, XP Antispyware 2008 and 2009, WinPC Defender and Anti-Virus-1. These are only a few of the countless examples. Every calendar year, the name is updated to the current year so that it looks fresh. The names are chosen so that they are easily confused with knock-offs of legitimate programs.

More recently, malware distributors have been using SEO (Search Engine Optimization) poisoning techniques, pushing infected URLs to the top of search engine results for recent news events. Typically, the earlier (or higher) a site appears in the search results list, the more visitors it receives from the search engine. People searching for articles on such events may encounter results that, when clicked, redirect through a series of sites before arriving at a landing page which claims that their machine is infected and pushes a download of a "trial" of the rogue program.

Each variant has its own way of downloading and installing itself onto a computer. Usually, they show up in a pop-up or banner on a seemingly legitimate website or in a search engine results list. They are made to look professional and functional in order to fool the user into thinking that it is a real anti-virus system and to convince the user to "purchase" it. In a typical installation, it runs a scan on the computer and gives a false spyware report claiming that the computer is infected. Once the scan is completed, a warning message appears that lists the spyware ‘found’, and the user has to click a link or a button to remove it. Regardless of which button is clicked -- "Next" or "Cancel" -- a download box will still pop up.

This deceptive tactic is an attempt to scare the Internet user into clicking the link or button to purchase the product. Often any button on the screen will open and install an executable file, bypassing the legitimate protection on the user’s system. If the user decides not to purchase the program, they will constantly receive pop-ups stating that the program has found infections and that they should register it in order to fix them. This behavior can cause the computer to operate more slowly than normal. Often, the user will be unable to go to any other website and will be “hijacked” to the infection program’s site. These infections also occasionally display fake pop-up alerts on the infected computer. The alerts pretend to have detected an attack on that computer and prompt the user to activate, or purchase, the software in order to stop the attack. Once installed, the rogue security software may then attempt to entice the user into purchasing a service or additional software by:

  • Alerting the user with the fake or simulated detection of malware or pornography.
  • Displaying an animation simulating a fake system crash and reboot.
  • Selectively disabling parts of the system to prevent the user from uninstalling them. Some may also prevent anti-malware programs from running, disable automatic system software updates and block access to websites of anti-malware vendors.
  • Installing actual malware onto the computer, and then alerting the user after "detecting" it. This method is less common, as the malware is likely to be detected by legitimate anti-malware programs. Often, the legitimate program does not see the intrusion until a scan is run, and by that time the damage is already done. Sometimes, when a legitimate scan is run, the infection piggybacks onto the scan, spreading itself throughout the system.
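One of the behaviors listed above, blocking access to anti-malware vendors' websites, is commonly achieved by rewriting the Windows hosts file so that vendor hostnames resolve to the local machine or to an attacker-chosen address. The following check is an added example written for this article, not code from the article or from any vendor. It parses a hosts file, compares each hostname against a list of watched vendor domains, and flags any that have been sinkholed (pointed at loopback or 0.0.0.0) or redirected elsewhere. The hosts file contents and the watched domains are constructed samples using reserved `.test` names; a real deployment would read `C:\Windows\System32\drivers\etc\hosts` and supply the actual vendor domains it wants to protect.

```python
import ipaddress

# Constructed sample hosts file contents (not taken from any real system).
SAMPLE_HOSTS = """\
# Default Windows hosts file header
127.0.0.1       localhost
::1             localhost
# The lines below are the kind a rogue "protection program" might append.
127.0.0.1       www.example-av-vendor.test
0.0.0.0         updates.example-av-vendor.test
198.51.100.7    www.example-security-site.test   # remote redirect, not a local sinkhole
10.0.0.5        intranet.corp.test
"""

# Constructed list of domains a defender wants to protect (hypothetical names).
WATCHED_DOMAINS = {"example-av-vendor.test", "example-security-site.test"}


def parse_hosts(text):
    """Return (line_number, ip_address, hostname) tuples from hosts-file text.

    Comments (anything after '#') and blank or malformed lines are skipped;
    one line may map several hostnames to the same address.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a valid address field; ignore the line
        for name in parts[1:]:
            entries.append((lineno, ip, name.lower()))
    return entries


def is_watched(hostname, watched):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def find_hijacked_entries(text, watched=WATCHED_DOMAINS):
    """Flag watched hostnames that the hosts file overrides.

    'sinkholed' means the name points at loopback or the unspecified address,
    which silently breaks access; 'redirected' means it points somewhere else,
    which may deliver a look-alike site instead of the vendor's.
    """
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if not is_watched(name, watched):
            continue
        kind = "sinkholed" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        findings.append({"line": lineno, "host": name, "ip": str(ip), "kind": kind})
    return findings


if __name__ == "__main__":
    for f in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```

Run against the constructed sample, the check reports the two sinkholed vendor names and the one redirected name, and ignores the ordinary `localhost` and intranet lines. Matching on subdomains as well as exact names matters because update and download hosts are usually what the rogue software targets, not just the vendor's front page.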

Below is a screenshot example of what may show on your computer: