Fake antivirus – What you should know about Rogue Security Software

The Internet has come of age, and unfortunately so has malicious software. Viruses, Trojans and other kinds of malware have all played their part, and as the Internet has evolved and grown, so have they. Rogue security software has followed its own evolutionary path: from simple Windows installer-based programs to web exploits, fake warnings and fake blue screens.

Today the malware industry is a billion-dollar business, and new variants of rogues, as well as other new threats, emerge constantly. The main strategy relies on social engineering: scare users into purchasing the author's fake product, which then gives the victim a false sense of security. Two notable early examples of rogue security programs are WinFixer and XPAntivirus.


XPAntivirus appears to be a normal security program; it even pretends to have an uninstaller. The user installs the program, unaware that it is not legitimate, and the malware is on the machine. Now let's look at how rogue security software has evolved further over time.

XP Police Antivirus installer   

The malware industry has completely overhauled its strategies over time, and the result is frightening. Fake installers like the one pictured above are rarely used anymore: rogue security software has become such a well-known malware category that its authors now usually opt for silent installs.

Many rogue security programs imitate Microsoft's own security initiatives, namely the Security Center (explained in more detail below), Windows Defender and Microsoft Security Essentials, and the scam extends to sales of counterfeit Windows Vista/7 DVD packages (or OEM products). The graphical user interface pictured below attempts to mimic the genuine product, although anyone familiar with the real Microsoft Security Essentials will notice that it is a rather poor imitation.

Fake Microsoft Security Essentials user interface

Anyone who uses Windows has almost certainly come across the Security Center while configuring the firewall or Windows Automatic Updates. Over the years the Security Center has remained a popular disguise for fooling computer users, even on Windows versions that no longer include it.

The following is an example of a Protector rogue variant imitating the XP Security Center on a computer running Windows 7. The result is less convincing than it would be on a machine actually running XP. To highlight the differences, the legitimate Action Center (which replaces the XP Security Center in later Windows versions) is shown alongside.

Windows Advanced Security Center - of course a fake
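A window that merely looks like the Security Center proves nothing; what Windows itself has registered as a security product can be read from the Security Center's WMI provider. The following is an added example in PowerShell, not code from this article or from Emsisoft. It assumes Windows Vista SP1/7 or later, where the namespace is root/SecurityCenter2 (Windows XP used root/SecurityCenter), and the decoding of productState below is the widely used convention rather than anything Microsoft documents. The "trusted location" heuristic for autostart entries is ours as well.

```powershell
# Added example, not part of the original article or of Emsisoft's products.
# Lists the security products Windows has actually registered, so a fake
# "Security Center" window can be checked against the real registry of products.
# Assumes root/SecurityCenter2 (Windows Vista SP1 / Windows 7 and later).

function Get-RegisteredSecurityProducts {
    $classes = 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct'
    foreach ($class in $classes) {
        Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName $class -ErrorAction SilentlyContinue |
            ForEach-Object {
                # productState is a packed value, conventionally read as 0xAABBCC:
                # BB is 0x10 or 0x11 when the product is enabled, CC is 0x00 when
                # signatures are current. Microsoft does not document this layout;
                # the decoding here is the commonly used assumption.
                $hex = '{0:X6}' -f [int]$_.productState
                [pscustomobject]@{
                    Class    = $class
                    Name     = $_.displayName
                    Exe      = $_.pathToSignedProductExe
                    Enabled  = $hex.Substring(2, 2) -in '10', '11'
                    UpToDate = $hex.Substring(4, 2) -eq '00'
                }
            }
    }
}

# Silently installed rogues have to start with Windows somehow; the Run keys
# are the first place to look. Entries whose command does not start inside
# Program Files or the Windows directory are flagged (a heuristic, not a verdict:
# commands written with %ProgramFiles% will be flagged too).
function Get-AutostartEntries {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $trusted = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
        Where-Object { $_ } | ForEach-Object { [regex]::Escape($_) }
    $trustedPattern = '^"?(' + ($trusted -join '|') + ')'
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $meta) { continue }   # skip provider metadata
            $cmd = [string]$p.Value
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $cmd
                Suspicious = $cmd -notmatch $trustedPattern
            }
        }
    }
}

Get-RegisteredSecurityProducts | Format-Table -AutoSize
Get-AutostartEntries | Where-Object Suspicious | Format-Table -AutoSize
```

If the product shown in the on-screen "Security Center" window is absent from the first table, or the only entries in the second table that are marked Suspicious point into a user-writable folder, the window is not what it claims to be.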

If the user follows the advice given by the various rogue scanners (always a variant of "to fix all problems, click here to purchase the full version"), they are redirected to either the product's download page or its registration page, which look surprisingly professional and would easily fool an unsuspecting user.

Unfortunately, many end users are fooled by social engineering. The malware industry relies heavily on this technique, promoting rogue security software in such a way that the end user is convinced their PC will be protected by it. Take the following examples:

XP AntiSpyware 2010 Rogue Security Software
XP Deluxe Protector Rogue Security Software warning

It is very easy for an end user who simply uses their computer for email, online shopping or browsing to be tricked by these flashy, in-your-face prompts, and that is where user awareness should come into play. The creators of these rogue products are constantly developing new ways of tricking users.

The method of infection has also evolved. Earlier infections were usually caused either by an uninformed user installing the software manually or by third-party bundleware. Early versions of XPAntivirus and SpySheriff had product websites which the user would stumble upon or be redirected to, and the user would then either consent to an installation or receive the rogue bundled with another product.

This process has evolved dramatically and steadily. The malware industry is well integrated: quite a few different malware types, such as Java exploits, Trojan downloaders and rogue security software, come together to form a complete infection chain. For example, within the last year the CNN and MSNBC website-related infections, malware such as cbeplay, and various Trojan downloaders have all downloaded rogue software as the final stage of their infection chain.

The initial attack vector is typically a compromised or hacked website hosting malicious code, where the user is fooled into clicking on links or prompts. Another prevalent method is spam mail: once a user follows a link, they are infected by a Trojan downloader or redirected to a Java exploit, which in turn tricks them by displaying balloon warnings disguised as Windows taskbar notifications:

Or even browser prompts such as:

As mentioned earlier, the early forms of rogue security software did not use these kinds of tricks as bait, but as the malware industry has grown it has recognized the huge potential in exploiting users' lack of security awareness and is now trying to milk it to the full.

An interesting change was the introduction of rogues that no longer claimed the computer was infected but instead tried to convince the user that their hardware or software had become corrupted. Of course the solution remained the same: purchase the product and all would be well.

File Restore Rogue Application

Scaring someone into believing their data might be at risk proved effective, and some rogues went as far as setting the "hidden" attribute on all personal files so that they appeared to be gone. Computer users suddenly found themselves with an empty desktop and Documents folder. Some rogues took it a step further and moved all Start Menu shortcuts to a temporary folder. Well-known examples of this are Smart HDD and SystemFix.
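Because the files are only hidden, not deleted, the damage done by this family is reversible. The following is an added example in PowerShell for checking and undoing it, not code from this article or from Emsisoft. It assumes the rogue only set the Hidden attribute on files and folders under the user's profile and moved the Start Menu's .lnk files somewhere under %TEMP%; the exclusion rules, the -Apply switch and the "Recovered" folder name are ours, and nothing is changed until -Apply is given.

```powershell
# Added example, not part of the original article or of Emsisoft's products.
# Recovery helpers for the file-hiding rogues (Smart HDD, SystemFix and clones)
# described above. Assumptions: the rogue only set the Hidden attribute on the
# user's own files and moved Start Menu shortcuts into a folder under %TEMP%.
# Both functions only report unless -Apply is passed.

function Restore-HiddenUserFiles {
    param(
        [string]$Root = $env:USERPROFILE,
        [switch]$Apply
    )
    # Windows' own hidden items in a profile (desktop.ini, NTUSER.DAT, the legacy
    # "Application Data" junctions) also carry the System attribute, and AppData
    # is hidden by design. Items that are Hidden but not System are what a rogue
    # leaves behind.
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $a = $_.Attributes
            $a.HasFlag([IO.FileAttributes]::Hidden) -and
            -not $a.HasFlag([IO.FileAttributes]::System) -and
            -not $a.HasFlag([IO.FileAttributes]::ReparsePoint) -and
            $_.FullName -notmatch '\\AppData(\\|$)'
        } |
        ForEach-Object {
            if ($Apply) {
                # Hidden is known to be set here, so XOR clears exactly that bit.
                $_.Attributes = $_.Attributes -bxor [IO.FileAttributes]::Hidden
            }
            $_.FullName
        }
}

function Restore-StartMenuShortcuts {
    param(
        [string]$SearchRoot = $env:TEMP,
        [string]$Target = (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Recovered'),
        [switch]$Apply
    )
    # The original folder layout is lost once the rogue has moved the shortcuts,
    # so they are collected into a single "Recovered" folder in the Start Menu.
    $links = Get-ChildItem -Path $SearchRoot -Recurse -Force -Filter '*.lnk' -ErrorAction SilentlyContinue
    if ($Apply -and $links) {
        New-Item -ItemType Directory -Path $Target -Force | Out-Null
    }
    foreach ($lnk in $links) {
        if ($Apply) { Move-Item -Path $lnk.FullName -Destination $Target -Force }
        $lnk.FullName
    }
}

# Dry run first; re-run each function with -Apply once the listing looks right.
Restore-HiddenUserFiles
Restore-StartMenuShortcuts
```

Run the dry run and read the list before applying: a legitimately hidden file that someone marked by hand would be unhidden too, and any .lnk a program has written to %TEMP% for its own purposes would be moved. Cleaning the rogue itself is a separate step; these helpers only restore what it hid.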

Over the years many new rogue security programs have surfaced, but many existing ones have also been re-used repeatedly, some in more cunning ways than others. While the number of rogue security infections is slowly decreasing in favor of other forms of infection (ransomware or Bitcoin malware, for example), clones of existing families are still in use, usually with nothing changed but the "product" name. As long as rogues continue to be actively distributed, end users are likely to fall prey to them.

To this end we are continuously improving Emsisoft Anti-Malware (EAM). In most cases rogue security software will be detected by the File Guard. Even if a new variant surfaces, Emsisoft Anti-Malware's Behavior Blocker will raise an alert, because the threat comes under scrutiny for its malicious behavior. You will therefore always be aware of what is happening on your system, and your PC will be protected in the best possible way. We want to ensure that our customers can enjoy the benefits of the Internet today and in the future with peace of mind and without worrying about cyberthreats such as rogue security software.


Have a nice (malware-free) day!

Your Emsisoft Team



Arief Prabowo
