Rogue security software is a form of computer malware that deceives or misleads users/victims into paying for the “fake”, or simulated, removal of malware, and/or, in some cases, removal of malware intentionally introduced by the rogue security software itself. In recent years, rogue security software has become a growing and serious security threat to computing systems and communication networks and it is estimated that currently a full 15% or more of all malware is a form of rogue security software.
Herein, malware includes, but is not limited to, any software and/or code designed to infiltrate a computing system without the owner's informed and/or explicit consent.
Rogue security software typically relies on social engineering in order to defeat the security built into modern operating systems, browser software, and security systems, and install itself onto users'/victims' computing systems. Most rogue security software has a Trojan horse component which users/victims are misled into installing onto/into their computing systems. The Trojan horse may be disguised as, but is not limited to: free online malware scanning services; a browser plug-in or extension (typically toolbar); an image, screensaver, or archive file, attached to an e-mail message; a multimedia codec allegedly, or actually, required to play a certain video clip; software shared on peer-to-peer networks; and/or any other examples of the seemingly ever-evolving number of Trojan horse devices. In addition, some rogue security software is propagated onto a user/victim computing system as drive-by downloads which exploit security vulnerabilities in web browsers or e-mail clients to install themselves without any manual interaction by the user.
Once installed, the rogue security software typically generates multiple malware alerts notifying the user/victim of the fake or simulated detection of malware, pornography, or any other undesirable files, on the user's/victim's computing system and/or displays an animation simulating a fake system crash, and/or reboot of the user's/victim's computing system. In some instances, the rogue security software includes detailed malware alerts and/or message boxes that list specific files that purportedly are the malware, are infected with the malware, and/or contain the malware. In some instances, the rogue security software alerts the user/victim to performance problems or the need to perform essential housekeeping on the user's/victim's computing system. In some cases, the rogue security software will hold the user hostage by refusing to allow him or her to remove or fix the phantom problems until the “required” software is purchased and installed, and/or by the simulated system reboots and/or lockups.
As noted above, the rogue security software typically attempts to scare, or annoy, the user/victim into taking a desired action, such as paying out money to “fix” the problem, by presenting authentic-looking pop-up warnings and security alerts. These pop-up warnings and security alerts often very accurately mimic legitimate system and/or security system notices to leverage the trust of the user/victim in vendors of legitimate security software, and/or operating systems, and/or web-sites, and/or businesses.
As a result of this “marketing model” used by rogue security software, i.e., scaring and/or annoying the user/victim into taking the desired action, one very common feature, or behavior, associated with rogue security software is that the pop-up warnings and security alerts are generated fairly often, i.e., at a high repetition frequency, such as multiple times per hour.
Once the rogue security software has alerted, and/or scared, the user/victim into believing their system has been infected with malware, typically via the frequently generated pop-up warnings and security alerts, the user/victim is then usually enticed to pay for malware removal services offered through the rogue security software to remove the fake, simulated, or intentionally introduced, malware. Often the user/victim is then asked to provide credit card, or other payment, information to pay for the malware removal services. In some cases, the user/victim is merely charged the stated amount for the malware removal services, and therefore only the stated amount is effectively stolen from the user/victim. In other cases, the user's/victim's payment information is used to steal larger amounts from the user/victim and/or to achieve identity theft.
Traditional methods of detecting rogue security software using legitimate security systems are a fairly time-intensive and resource-consuming process that is largely reactionary in nature. For instance, currently, an infected consumer of the security system first contacts the security system provider and/or provides a sample of the suspected rogue security software. Then, researchers associated with the security system typically download the suspected rogue security software itself and analyze it. Once the suspected rogue security software is analyzed, if it is indeed found to be rogue security software, a sample of the rogue security software, or features/code defining the rogue security software, is added to a rogue security software signature database, and further instances of the rogue security software are thereby, in theory, identifiable and stoppable.
As described above, current methods for detection of rogue security software using currently available legitimate security systems are, at best, a time-intensive and resource-consuming reactionary process that uses samples of the rogue security software itself to identify future instances of specific rogue security software. This means that, using currently available security systems, even in a “best case” scenario, identified rogue security software is provided significant time and opportunity to infect more systems, and create more victims, before an adequate defense is created and implemented.
The actual current situation is even worse than described above because the methods used by perpetrators of rogue security software have become quite sophisticated, and the perpetrators of rogue security software have become quite adept at changing the characteristic and operational parameters associated with the rogue security software, such as names, version data, web-pages, and/or Graphical User Interfaces (GUIs), to avoid detection, or respond to detection, of the rogue security software by various legitimate security systems. Consequently, while, in the past, attackers mass-distributed a relatively small number of rogue security software versions, today they are generating and distributing millions of randomly-generated variants of rogue security software, which are often released as frequently as every few minutes and sent to just a few targeted users at a time before the next set of variants is generated and distributed. As a result, currently, each user is potentially infected by a unique variant of rogue security software. Thus, traditional definition/signature based approaches to identifying and blocking rogue security software do not scale well to meet this challenge, nor are they particularly effective.
In addition, any text-based methods of detecting rogue security software, such as creating definitions or signatures based on the text of the generated alert and/or warning, can also be ineffective because the warnings may be generated in any language, be made to mimic actual warnings, and are also subject to multiple, and rapidly changed, variations.
As a result of the situation discussed above, rogue security software is currently a very serious threat that, thus far, has proven extremely difficult to detect and block using currently available legitimate security systems.
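The two observations above, that rogue security software emits alerts at a high repetition frequency (multiple times per hour) and that text-based signatures break down because the alert text is localized and rapidly varied, can be contrasted directly on a small alert log. The following is an added example, not code from the patent text or from any security product; the log format, process names, alert strings, the 60-minute window and the threshold of three alerts per window are all constructed or assumed for illustration. It runs a conventional text signature and a language-independent repetition-frequency heuristic over the same constructed events.

```python
"""Repetition-frequency heuristic versus a text signature for rogue security alerts.

Added example (not from the patent). Log format, process names, alert text and
the thresholds below are constructed/assumed for illustration only.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one line per alert window shown to the user.
# Assumed format: ISO timestamp | process name | alert text.
# "sysguard_pro.exe" is a made-up rogue tool rotating the language of its
# alerts; "realav.exe" is a made-up legitimate scanner with two daily notices.
SAMPLE_LOG = """\
2024-03-01T09:00:05|sysguard_pro.exe|WARNING: 37 infected files found! Click to remove.
2024-03-01T09:04:11|sysguard_pro.exe|WARNUNG: 37 infizierte Dateien gefunden!
2024-03-01T09:09:40|sysguard_pro.exe|ADVERTENCIA: 37 archivos infectados encontrados.
2024-03-01T09:15:02|sysguard_pro.exe|WARNING: System crash imminent. Purchase license.
2024-03-01T09:21:30|sysguard_pro.exe|WARNUNG: Systemabsturz droht.
2024-03-01T09:27:12|sysguard_pro.exe|ATTENTION: Fichiers infectés détectés.
2024-03-01T09:30:00|realav.exe|Definitions updated successfully.
2024-03-01T17:30:00|realav.exe|Scheduled scan complete. No threats found.
"""

# A text signature of the brittle kind: it only matches the English wording.
TEXT_SIGNATURE = "infected files found"

# Assumed heuristic thresholds: more than three alert windows from one process
# inside any 60-minute span is treated as suspicious, regardless of wording.
WINDOW = timedelta(minutes=60)
MAX_ALERTS_PER_WINDOW = 3


def parse_log(text):
    """Parse the assumed 'timestamp|process|message' format into sorted tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, msg = line.split("|", 2)
        events.append((datetime.fromisoformat(ts), proc, msg))
    events.sort(key=lambda e: e[0])
    return events


def text_signature_hits(events, signature=TEXT_SIGNATURE):
    """Count, per process, how many alert lines contain the text signature."""
    counts = defaultdict(int)
    for _, proc, msg in events:
        if signature.lower() in msg.lower():
            counts[proc] += 1
    return dict(counts)


def frequency_hits(events, window=WINDOW, max_alerts=MAX_ALERTS_PER_WINDOW):
    """Return {process: peak alerts seen in one window} for processes over threshold.

    A per-process deque holds the timestamps inside the sliding window; the
    alert text is never inspected, so localized or reworded variants count
    the same as the English one.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, proc, _ in events:
        q = recent[proc]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_alerts:
            flagged[proc] = max(flagged.get(proc, 0), len(q))
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("text signature matches:", text_signature_hits(evs))
    print("frequency heuristic flags:", frequency_hits(evs))
```

On the constructed log the text signature matches only one of the six rogue alerts (the single English line; a variant that ships only localized strings would match none), while the frequency heuristic flags the rogue process with six alerts in the window and leaves the legitimate scanner, whose two notices are eight hours apart, unflagged. In a real deployment the threshold would need tuning against genuine notification-heavy software, and the heuristic is best used as one signal alongside others rather than as a sole verdict.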