In recent years, with the growth of malicious software and corresponding efforts to combat this malicious software with antivirus software, a new type of malicious software has emerged. This malicious software masquerades as real antivirus software and is often referred to as fake antivirus software, as rogue software or as “scareware.”
This fake antivirus software tricks a computer user into thinking that real antivirus software is present on his or her computer and that hitherto unknown malicious software has been detected by the fake software. The fake software may then deceive the user into purchasing an improved version of the fake software, into paying for the removal of malicious software which does not exist and will not be removed, or into installing other malicious software. Fake antivirus software has become a growing and very serious security issue with desktop computing in general.
The fake antivirus software usually relies upon some type of trick in order to get around installed antivirus software and to install itself onto the user's computer. For example, a malicious Web site may display a fictitious warning that the computer has been infected and encourage the user to purchase or install other fake software. Or, a user may be misled into installing a Trojan through a browser plug-in, through an attachment to an e-mail message, via shared software, via infected URLs in a search result, or via a fictitious online malware scanning service. Some fake antivirus software may not require any user action and instead installs itself via a download that exploits security vulnerabilities in the user's computer software.
Once installed, the fake antivirus software attempts to convince the user to pay a fee, purchase additional software, install more software, or generally take an action that is not necessary and is usually detrimental to the computer or its user.
It can be difficult to detect and remove such fake antivirus software. A traditional file scanner is used to detect malicious software in general, but such a file scanner may not be able to detect fake antivirus software. The fake software uses a customized packer and may change its user interface layout periodically. Further, it may also add trash information to its file contents, all to avoid detection by a file scanner. A behavior monitor of antivirus software also may have difficulty in detecting fake antivirus software. Because the behavior of fake antivirus software can be very similar to that of a normal software application, the behavior monitor may not be able to detect the fake software. For example, the fake software may simply present a pleasant-looking graphical user interface that convinces the user to connect to a malicious Web site in order to purchase the fake software.
For these reasons, it is believed that current scanning and monitoring techniques are not extremely useful in detecting and removing fake antivirus software. Accordingly, new techniques are desired.