You click and wait as the software does its thing.
Screenshots by InfoSpyware.
You've just been snatched by a fake AV or rogue security software.
Fake AV and rogue security software are designed to convince you to download and run an executable on your PC. Once installed, they may drop further malicious files. Some of the common families these criminals install - Win32/FakeSpypro, Win32/FakeXPA, Win32/FakeVimes, Win32/FakeRean, and Win32/Winwebsec - are distributed under many brand names and re-skinned to present a different look and feel to users. Microsoft's Security Intelligence Report Volume 9 notes that "Some versions emulate the appearance of the Windows Security Center or unlawfully use trademarks and icons to misrepresent themselves." These packages may modify the Windows Registry, alter system files, or disable Windows services, degrading the PC's performance so that it behaves as though it really were infected. Some rogue security software goes further and stops services or software that your PC needs to operate properly, to reinforce the deception. The software then bombards you with false alarms (bogus reports of viruses, spyware, keyloggers, and adware) or displays an intimidating list of detected issues to scare you.
You've been hooked. The only question left is...
How much is the ransom?
Ransom? That's right, ransom. Microsoft's Security Intelligence Report calls rogue security software "one of the most common methods that attackers use to swindle money from victims". Criminals get you to infect your own PC voluntarily and then scare you into purchasing the "full version" to remove the numerous problems the fake scan claims to have discovered. In many cases this scamware fixes little or nothing even after you pay for the fully functional version.
Introducing... the Class of 2010
2010 may have been a breakout year for scareware and ransomware. I only had to visit a handful of reputable resource pages (PCTools.com, malwarehelp.org, removevirus.org) and antivirus vendors to identify sixty security software products that have been reported as fake, rogue, or malicious. This is not an exhaustive list, of course, as criminals continued to introduce new variants throughout 2010 and are likely to do so in 2011.
What can you do if you suspect you're infected?
Removal instructions for rogue security software are available from many reputable sites. Webtoolsandtips.com has an extensive list of rogue security software and scamware. The site promotes its own free scanners but has positive reputations with McAfee SiteAdvisor and Web of Trust. WOT reports malwarehelp.org and removevirus.org as reputable resources as well (1, 2). These sites provide articles that explain in detail how to remove these threats.
Many of the articles at Malwarehelp.org make a point of indicating whether the free version of Malwarebytes' Anti-Malware detects and removes the fake antispyware. I use and trust this antimalware software and recommend it.
I've provided a resource page that links directly to removal instructions for my Class of 2010 from these sites.
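Before reaching for removal instructions it helps to confirm what the rogue has actually changed. The PowerShell triage below is an added example, not code from the original post or from any of the sites linked above. It inspects the three places the behaviour described earlier leaves traces: security-related Windows services a fake AV may have stopped, the logon autostart keys it uses to relaunch itself, and the recently installed programs list where the purchased "full version" shows up. The service names and registry paths are standard Windows locations; the choice of which ones to inspect is my own, and a stopped service is a prompt to investigate, not proof of infection (third-party AV products legitimately replace some of them).

```powershell
# Added triage example (not from the original post). Run from an elevated
# PowerShell prompt on the suspect machine. Which services and keys to inspect
# is my own choice; legitimate state varies by Windows edition and installed AV.

# 1. Security-related services a rogue may have stopped or disabled.
#    wscsvc = Security Center, WinDefend = Windows Defender,
#    MpsSvc = Windows Firewall, wuauserv = Windows Update, BITS = update transfer.
$services = 'wscsvc', 'WinDefend', 'MpsSvc', 'wuauserv', 'BITS'
Write-Host "== Security-related services =="
Get-Service -Name $services -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, Status, StartType |
    Format-Table -AutoSize

# 2. Logon autostart entries. Rogue AV almost always registers itself here so
#    the fake scanner reappears after every reboot. Anything pointing into
#    %APPDATA%, %TEMP% or a randomly named folder deserves a closer look.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Write-Host "== $key =="
        Get-ItemProperty -Path $key |
            Select-Object -Property * -ExcludeProperty PS* |
            Format-List
    }
}

# 3. Recently installed programs. The fake product (and its paid "full version")
#    is usually registered here under the brand name it was sold as.
$uninstall = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Write-Host "== Most recently installed programs =="
Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Sort-Object InstallDate -Descending |
    Select-Object -First 15 DisplayName, Publisher, InstallDate, InstallLocation |
    Format-Table -AutoSize
```

Compare the program names and publishers in the last table against the rogue lists on the sites above before uninstalling anything; a rogue's own uninstaller frequently leaves its autostart entry and dropped files in place, which is why the dedicated removal guides and a scanner such as Malwarebytes' Anti-Malware are still needed.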
What can you do to prevent being infected again?
Microsoft's Malware Protection Center offers the same common-sense advice on nearly every page that describes a rogue security software family. If you are a frequent reader of my blog, much of the advice will be familiar:
Keep all your installed software patched and current.
Use up-to-date antivirus software and keep your definitions current.
Be suspicious of email attachments.
Do not accept file transfers when instant messaging.
Use caution when clicking on links to Web pages.
Don't download or try software from Web pages without checking the site's reputation.
Don't use unlicensed (pirated) software.
Be skeptical! Don't fall prey to social engineering attacks.
Adopt these good practices. Help reduce the roll call for the Class of 2011.