In recent years, with the growth of malicious software and corresponding efforts to combat this malicious software with antivirus software, a new type of malicious software has emerged. This malicious software masquerades as real antivirus software and is often referred to as fake antivirus software, as rogue software or as “scareware.”
This fake antivirus software sometimes tricks a computer user into thinking that real antivirus software is present on his or her computer and that hitherto unknown malicious software has been detected by the fake software. The fake software may then deceive the user into purchasing an improved version of the fake software, into paying for the removal of malicious software which does not exist and will not be removed, or into installing other malicious software. Fake antivirus software has become a growing and very serious security issue with desktop computing in general.
The fake antivirus software usually relies upon some type of trick in order to get around installed antivirus software and to install itself onto the user's computer. For example, a malicious Web site may display a fictitious warning that the computer has been infected and encourage the user to purchase or install other fake software. Or, a user may be misled into installing a Trojan through a browser plug-in, through an attachment to an e-mail message, via shared software, via infected URLs in a search result, or via a fictitious online malware scanning service. Some fake antivirus software may not require any user action and instead installs itself via a download that exploits security vulnerabilities in the user's computer software.
The fake software usually has a professional-quality graphical user interface through which it convinces users to connect to a bogus Web site in order to purchase or upgrade the fake software, pay a fee, install more software, or generally take an action that is not necessary and is usually detrimental to the computer or its user. A hacker can steal a user's credit card or other confidential information via the purchase or transaction.
It can be difficult to detect and remove such fake antivirus software. A traditional file scanner is used to detect malicious software in general, but such a file scanner may not be able to detect fake antivirus software. The fake software uses a customized packer and may use polymorphism. Further, it may also add trash information to its file contents, all to avoid detection by a traditional signature-based file scanner. An antivirus behavior monitor may also have difficulty in detecting fake antivirus software. Because the behavior of fake antivirus software can be very similar to that of a normal software application, the behavior monitor may not be able to detect the fake software. For example, the fake software may simply present a pleasant-looking graphical user interface that convinces the user to connect to a malicious Web site in order to purchase the fake software.
Furthermore, the fake software may change its contents, file name, installed path, installed registry entries, resource icon, or connected Web site URL, all in order to prevent detection by traditional file scanning or behavior monitoring. Due to these tricks and the potential similarity between fake antivirus software and a normal application, it can be very difficult to identify the fake software.
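The two preceding paragraphs argue that signature-based file scanning breaks down once a sample is padded with trash data or has its strings altered. The following is an added illustration, not part of the patent text and not describing any real product: a toy scanner with two signature types (a whole-file SHA-256 hash and a byte-pattern match) run over a constructed stand-in "binary" and three constructed variants. The sample bytes, signature names and URLs are all made up for this example.

```python
import hashlib
import re
from typing import Dict, Optional

# Constructed stand-in for an executable: a short byte string, not a real file.
# The hostname is a reserved .invalid name, so it resolves nowhere.
ORIGINAL = (
    b"MZ\x90\x00fakeav.exe\x00"
    b"Your PC is infected! Buy now at http://pay.example.invalid/upgrade\x00"
)

# Constructed signature database: one exact whole-file hash and one content pattern.
# The pattern keys on the scare banner and allows any URL to follow it.
HASH_SIGNATURES = {hashlib.sha256(ORIGINAL).hexdigest(): "FakeAV.Sample.A (sha256)"}
PATTERN_SIGNATURES = [
    (
        re.compile(re.escape(b"Your PC is infected! Buy now at ") + rb"http://[^\x00]+"),
        "FakeAV.Sample.A (pattern)",
    ),
]


def scan_by_hash(data: bytes) -> Optional[str]:
    """Exact whole-file signature: any single changed byte defeats it."""
    return HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())


def scan_by_pattern(data: bytes) -> Optional[str]:
    """Content signature: survives padding and URL swaps, not a rewritten banner."""
    for regex, name in PATTERN_SIGNATURES:
        if regex.search(data):
            return name
    return None


def scan(data: bytes) -> Dict[str, Optional[str]]:
    """Run both detectors and report which (if any) fired."""
    return {"hash": scan_by_hash(data), "pattern": scan_by_pattern(data)}


# Variant 1: the "trash information" tactic, trailing junk appended to the file.
PADDED = ORIGINAL + b"\x00" * 64 + b"\xde\xad\xbe\xef" * 8

# Variant 2: the "connected Web site URL" is changed; everything else is identical.
RETARGETED = ORIGINAL.replace(
    b"http://pay.example.invalid/upgrade", b"http://other.example.invalid/buy"
)

# Variant 3: the banner text itself is reworded, as a repacked build might do.
REWORDED = ORIGINAL.replace(
    b"Your PC is infected! Buy now at ", b"Threats found! Purchase license: "
)

if __name__ == "__main__":
    for label, sample in [
        ("original", ORIGINAL),
        ("padded", PADDED),
        ("retargeted", RETARGETED),
        ("reworded", REWORDED),
    ]:
        print(f"{label:11s} {scan(sample)}")
```

The hash signature fires only on the untouched sample; the pattern signature still catches the padded and URL-swapped variants but misses the reworded one, which is exactly the gap the patent is pointing at: each class of static signature is defeated by a cheap change to the file, which is why it argues for classification techniques that do not depend on file contents alone.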
For these reasons, it is believed that current scanning and monitoring techniques can be improved in order to detect and classify software applications, and to remove fake antivirus software in particular. Accordingly, new techniques are desired.