Since its release in 2007, ESET Smart Security has received many accolades for its antimalware, antispam and firewall functions.  However, we have recently been the recipient of a very dubious honor; a rogue antivirus program which masquerades as our own software.

The Rogues Gallery

Rogue antivirus is a loose family of programs that claim to scan a computer for malware and then display fake warnings indicating that the system has been severely compromised.  These alarming messages are an attempt to frighten and trick the recipient into entering their credit card number into a web site in order to “purchase” a full version of the software which will remove the “threats” it detected.
While it is common for legitimate antivirus vendors to provide free trial versions, all reputable vendors offer some form of free removal capability or support before asking for a credit card, since the foundation of building a good relationship with a new customer is based on trust, rather than scaring them.

Rogue antivirus programs can reach a computer in various ways:  Spam messages that contain a link or an attached file and malicious web sites that have been optimized to appear first in search results through blackhat SEO search engine optimization) are two popular techniques.  They are also regularly spread through bots, Trojans and other forms of malware to make commissions through criminal affiliate sales networks.  The means of distribution vary quite widely, as do the names displayed by and symptoms of these fraudulent virus fighting programs.

Smart Security, Dumb Name

This article provides a description of a particular rogue antivirus named Smart Security. Needless to say, ESET Smart Security is not related to this particular rogue antivirus in any way other than name.  As a matter of fact, we detect it as Win32/Injector.DDH  along with some of the other variants containing similar names such as MySecurity Engine, MySecurityShield and so forth.  When run, this particular sample of malware displays the following window:

If any of the elements of this screen look familiar it is because they were heavily influenced by—if not outright stolen from—various Microsoft products and technologies.

When the Smart Security rouge antivirus program runs, it makes file and registry changes to the system like dropping or placing a copy of itself  on the hard disk in C:Documents and SettingsAll UsersApplication Data{random folder}{roguefilename.exe} under Microsoft Windows XP and modifying the registry to ensure that it is run whenever Windows starts. It modifies the hosts file so that certain search websites and websites providing other fake antivirus programs cannot be accessed—perhaps an attempt to block access to competing rogue antivirus programs

A Trailing Journey

This malware not only claims to provide antivirus scanning capabilities but also features like anti-phishing protection, autorun manager and malware eliminator.  Of course, to access any of these non-existent functions one most purchase the full version:

To make it more realistic the software provides “live chat” with a representative who offers to resolve any issues. The representative even provided a dedicated cleaner program to remove malicious software from the machine. Unsurprisingly, it is a downloader for My Security Shield, which ESET detects as a variant of Win32/Adware.VirusAlarmPro.

The support representatives will even walk you through removing your currently-installed antivirus software in order to replace it with their fake one!

Once they have your credit card number, though, the fun begins:  Rogue antivirus companies routinely bill credit cards for more than their “advertised” price (often just below twice the stated price, for some reason).  If you dispute the charge on your credit card company, their customer service representatives will repeatedly tell you a credit has been issued and to check back in a few days.  This is, of course, a scam:  No credit is issued, and this is just a delaying tactic to ensure more than thirty days pass so that a dispute cannot be filed with the credit card company.

However, the worst part is just beginning.: Once the company has your credit card data, they are free to use it and sell it on the black market, where it can be used for everything from purchasing stolen goods and services to facilitating identity theft.

Fighting back – Here’s How

Rogue antivirus programs are largely successful not because of technical means, but because of social engineering.  They prey on computer users’ fears of computer viruses, worms, data diddlers, killer programs and other scary-sounding threats which may not, in fact, even exist.  Every day, thousands of people are scammed by rogue antivirus programs like this so-called “Smart Security.”  If you have become a victim, though, there are steps you can take to reclaim your computer and your credit card:
1.    Contact your bank and dispute the charge with them.  Request that your credit card company cancel the old card and issue a new one.
2.    Contact your local police department and file a report.  Even though the crime may have occurred on the Internet, filing a report with your local police is the best way to assure that the crime gets reported and investigated.  In the United States, a report can also be filed with the Internet Crime Complaint Center, which serves as a clearinghouse for cybercrime
3.    Keep your operating system and popular applications up to date and patched.  This helps ensure that security holes in these are quickly closed.
4.    Use only security software from a reputable vendor.  Companies like ESET provide free trial versions that not only detect but remove malware, and offer free technical support as well.
For more information about staying safe online, I would suggest visiting the Securing Our eCity web site.  While some of the information is specific to San Diego, it contains a lot of valuable advice on protecting yourself from cybercriminals, and unlike rogue antivirus popups, won’t ask for your credit card number.

Regards,
Tasneem Patanwala
Malware Researcher

P.S. A special thanks to Aryeh Goretsky for the superb editing.