Hamish O'Dea Microsoft
Over the past year we have seen a significant increase in reports of the type of malware commonly known as rogue security products, or simply 'rogues'. These programs, which display false alerts of system infection and ask for payment to 'clean' the system, have been around for years; however they have recently become more cunning, more sophisticated and more prevalent.
This paper examines what has changed in the rogue landscape in recent times and compares their evolution to that of other types of malware. We look at the ways that rogues are similar to other malware, from their distribution to the methods they use to evade detection, and how they react to large-scale elimination by Windows Defender and the Malicious Software Removal Tool (MSRT). We also examine what makes rogues unique and how they extend social engineering techniques beyond the point of getting the malware onto the system through to the user's interaction with the malware itself and beyond. We look at how rogues deal with the distinct challenges of having a recognisable brand and the ways they take advantage of a user's trust in their computing platform, from the operating system to the browser and even the search engine they use.
By analysing rogues in the same way as we look at other types of malware, we get a better idea of how they fit into the overall threat landscape. The rogue is usually the end product of a malware infection scenario - the final payload. As opposed to spam bots, backdoors or password stealers, rogues try to obtain money directly from the user. A rogue differs from most malware only in that it has a face.