Imitation is not always the sincerest form of flattery

Since its release in 2007, ESET Smart Security has received many accolades for its antimalware, antispam and firewall functions.  However, we have recently been the recipient of a very dubious honor; a rogue antivirus program which masquerades as our own software.

The Rogues Gallery

Rogue antivirus is a loose family of programs that claim to scan a computer for malware and then display fake warnings indicating that the system has been severely compromised.  These alarming messages are an attempt to frighten and trick the recipient into entering their credit card number into a web site in order to “purchase” a full version of the software which will remove the “threats” it detected.
While it is common for legitimate antivirus vendors to provide free trial versions, all reputable vendors offer some form of free removal capability or support before asking for a credit card, since the foundation of building a good relationship with a new customer is based on trust, rather than scaring them.

Rogue antivirus programs can reach a computer in various ways:  Spam messages that contain a link or an attached file and malicious web sites that have been optimized to appear first in search results through blackhat SEO search engine optimization) are two popular techniques.  They are also regularly spread through bots, Trojans and other forms of malware to make commissions through criminal affiliate sales networks.  The means of distribution vary quite widely, as do the names displayed by and symptoms of these fraudulent virus fighting programs.

Smart Security, Dumb Name

This article provides a description of a particular rogue antivirus named Smart Security. Needless to say, ESET Smart Security is not related to this particular rogue antivirus in any way other than name.  As a matter of fact, we detect it as Win32/Injector.DDH  along with some of the other variants containing similar names such as MySecurity Engine, MySecurityShield and so forth.  When run, this particular sample of malware displays the following window:

If any of the elements of this screen look familiar it is because they were heavily influenced by—if not outright stolen from—various Microsoft products and technologies.

When the Smart Security rouge antivirus program runs, it makes file and registry changes to the system like dropping or placing a copy of itself  on the hard disk in C:Documents and SettingsAll UsersApplication Data{random folder}{roguefilename.exe} under Microsoft Windows XP and modifying the registry to ensure that it is run whenever Windows starts. It modifies the hosts file so that certain search websites and websites providing other fake antivirus programs cannot be accessed—perhaps an attempt to block access to competing rogue antivirus programs

A Trailing Journey

This malware not only claims to provide antivirus scanning capabilities but also features like anti-phishing protection, autorun manager and malware eliminator.  Of course, to access any of these non-existent functions one most purchase the full version:

To make it more realistic the software provides “live chat” with a representative who offers to resolve any issues. The representative even provided a dedicated cleaner program to remove malicious software from the machine. Unsurprisingly, it is a downloader for My Security Shield, which ESET detects as a variant of Win32/Adware.VirusAlarmPro.

The support representatives will even walk you through removing your currently-installed antivirus software in order to replace it with their fake one!

Once they have your credit card number, though, the fun begins:  Rogue antivirus companies routinely bill credit cards for more than their “advertised” price (often just below twice the stated price, for some reason).  If you dispute the charge on your credit card company, their customer service representatives will repeatedly tell you a credit has been issued and to check back in a few days.  This is, of course, a scam:  No credit is issued, and this is just a delaying tactic to ensure more than thirty days pass so that a dispute cannot be filed with the credit card company.

However, the worst part is just beginning.: Once the company has your credit card data, they are free to use it and sell it on the black market, where it can be used for everything from purchasing stolen goods and services to facilitating identity theft.

Fighting back – Here’s How

Rogue antivirus programs are largely successful not because of technical means, but because of social engineering.  They prey on computer users’ fears of computer viruses, worms, data diddlers, killer programs and other scary-sounding threats which may not, in fact, even exist.  Every day, thousands of people are scammed by rogue antivirus programs like this so-called “Smart Security.”  If you have become a victim, though, there are steps you can take to reclaim your computer and your credit card:
1.    Contact your bank and dispute the charge with them.  Request that your credit card company cancel the old card and issue a new one.
2.    Contact your local police department and file a report.  Even though the crime may have occurred on the Internet, filing a report with your local police is the best way to assure that the crime gets reported and investigated.  In the United States, a report can also be filed with the Internet Crime Complaint Center, which serves as a clearinghouse for cybercrime
3.    Keep your operating system and popular applications up to date and patched.  This helps ensure that security holes in these are quickly closed.
4.    Use only security software from a reputable vendor.  Companies like ESET provide free trial versions that not only detect but remove malware, and offer free technical support as well.
For more information about staying safe online, I would suggest visiting the Securing Our eCity web site.  While some of the information is specific to San Diego, it contains a lot of valuable advice on protecting yourself from cybercriminals, and unlike rogue antivirus popups, won’t ask for your credit card number.

Tasneem Patanwala
Malware Researcher

P.S. A special thanks to Aryeh Goretsky for the superb editing.

Author , ESET

  • toxinon

    where is the Fake Smart Security window?

    • Randy Abrams

      The images are the fake.

  • Katherine

    I read your blogs every time a new one comes out, and the more informative information you have for us, the more I question the morals of these fake companies.  I just wonder what these so-called support people get out of helping folks uninstall their current and legitimate antivirus, only to give them a fake one!  I mean, since you folks at Eset have dealt with a lot, have you ever thought of asking them and getting a bit of information from them?  just curious.  But I was wonderin if this is a rogue, why do you detect it as Win32/Injector.DDH?  Wouldn't it make sense to use adware or rogue in the name so that the user is aware of what's going on?  Again, just a curiosity. 
    Thanks, and keep up the good work!

    • Randy Abrams

      In some cases the detection is based upon generic behaviors that are common to lots of malware. That’s why sometimes something will be detected and blocked, but the name of the threat does not describe the application as rogue AV.

  • smoosh

    You should add that another way to lessen the impact of buying things on the internet is to use a debit card or debit service that is seperate from your main bank account.

    • Tasneem Patanwala

      Getting your money back after disputing a purchase takes some time until the refund comes through so its convenient when it is the credit limit taking a hit instead of the checking account.

  • Randy

    Interesting article and thank you. I feel pretty safe with ESET however, but will keep the links for further use if needed and pass them on to friends.
    Thanks again,
     Dallas Oregon

  • Dr.Partha Sarathi Ray

    Wonderful article indeed…will help me a lot though I firmly believe on my ESET product and I can confidently suggest to anyone to have it…Keep up your good work.

  • M Paley

    How do you remove Fake AV once it get in?

    • David Harley

      Well, in this instance, we certainly have detection for the samples we’ve seen. Detection or, where necessary, removal of all fake AV is a bit of a marathon topic for a blog comment. Perhaps we can get back to that one.

  • Lisa

    I have Eset Smart Security and somehow the rogue 'Vista Securiry 2011' got on to my other computer and wiped everything. I'm using another malware remover to get rid of the virus as I could not find anything on this site to help me out besides this blog… which doesn't say anything to help me either.

  • frank

    Great but I have done all you ask and stil can't get rid of it. It wont let me restore etc so how do i do most of what you recommed!!!!!

    • David Harley

      Frank, I don’t know what you’re referring to here.

  • reading through your blog I had been qualified to remove spyware from my mobile computer and restore my system without any loss of records. I can’t explain to you how delighted I am for your aid. Thanks so much!

    Do you concur that McAfee anti-spyware is garbage now? It doesn’t seem to function anymore and the price tag is going up each year. I really aren’t happy with it in the least.

Follow us

Copyright © 2017 ESET, All Rights Reserved.