Rogue Security Software:
Rogue security software is malicious software that claims to be security software. It tricks users who have installed it into paying a sum of money to be "really protected" (which they will not be). Most often it pretends to be an antivirus or antispyware program.
Rogue security software relies mainly on social engineering to reach and infect user machines. The ways this malware can reach you include: an attachment to an email, a non-trusted toolbar or browser plug-in you download, a fraudulent multimedia codec offered to play a video file, and peer-to-peer software or free media downloads.
FakeAV Icons to look out for:
Some rogue security software arrives with typically suspicious-looking icons. If you find unknown files with these icons on your hard disk, proceed with caution (refer to the attachment for reference).
How to find once infected?
Typically, once a machine is infected, the rogue security software starts prompting messages and pop-ups that can hardly be missed. Some go to the extent of having prompts that cannot be minimized and stay resident on the screen above all other windows. Most of them display a fake stand-alone scan window (refer to the attachment for reference).
What damage can it do to you?
Besides the annoyances (the fake system warnings, slowing the computer down, and pressuring users into paying for its fake protection), the newer rogues have been observed downloading other, more complex malware. Recently they have been known to download Trojan droppers, which in turn drop rootkits on the machine; these are very difficult to clean or remove.
What to do once infected?
In the event of a rogue security software infection that is not detected by your trusted antivirus software, the machine should be pulled off the network and kept away from any internet access until cleaning is performed. This prevents the further download of any other malware. The issue then needs to be reported to the IT helpdesk/personnel so that they can work with the antivirus support staff to collect the malware samples and have them added to detection/removal. The machine can be re-introduced into the network once the cleaning is performed.
In general, the fake infection loads itself into the user profile under the following directory location:
- C:\Users\<User Name>\AppData\Local
- Look there for junk file names like Fdadge3azy.exe; also review the startup items and the running processes.
- The HijackThis tool can be used to collect a log, which can then be reviewed to locate the infection on the infected machine.
- The file can be submitted to the respective vendor for detection/removal if it is not covered by the current signatures.
- Unwanted toolbars and applications should be blacklisted from the environment, alongside device control, to keep such fake infections out of the enterprise environment.
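The collection steps above (recent executables under AppData\Local, junk-looking file names, startup items, running processes, and samples for the vendor) can be gathered in one pass. The following PowerShell script is an added example written for this note; it is not part of the original text or of any tool mentioned in it. It is meant to be run in an elevated PowerShell session on the already-isolated machine, and it only collects evidence for the helpdesk and the antivirus vendor (it deletes and kills nothing). The seven-day window, the junk-name regular expression, and the report path are assumptions chosen for this example and should be adjusted to the environment.

```powershell
# Added triage example for the steps above (not from the original note).
# Collects rogue-AV evidence from a user profile; it changes nothing on the machine.
# $Days, $junkName and $Report are assumptions chosen for this example.
param(
    [string]$ProfilePath = $env:USERPROFILE,   # profile to inspect
    [int]$Days = 7,                            # how far back to look for new files
    [string]$Report = (Join-Path $env:USERPROFILE 'Desktop\rogue-triage.txt')
)

$cutoff       = (Get-Date).AddDays(-$Days)
$localAppData = Join-Path $ProfilePath 'AppData\Local'

# 1. Executables written recently under AppData\Local (top level and one level down).
$recentExe = Get-ChildItem -Path $localAppData -Recurse -Depth 1 -File `
        -Include *.exe,*.dll,*.scr -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $cutoff }

# Heuristic for junk names such as Fdadge3azy.exe: 8-16 alphanumerics that mix
# upper case, lower case and digits. -cmatch keeps the comparison case-sensitive,
# which the lookaheads need. Expect some false positives; treat hits as leads.
$junkName   = '^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{8,16}\.(exe|dll|scr)$'
$suspicious = $recentExe | Where-Object { $_.Name -cmatch $junkName }

# 2. Run/RunOnce startup entries whose command points into the user profile.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$psMeta  = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'
$startup = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notin $psMeta } |
            ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
    }
}
$startupInProfile = $startup | Where-Object { $_.Command -like '*\AppData\*' }

# The per-user Startup folder is another common persistence spot.
$startupFolder = Join-Path $ProfilePath 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
$startupFiles  = Get-ChildItem -Path $startupFolder -File -ErrorAction SilentlyContinue

# 3. Running processes whose image lives under AppData (Path is null for some system processes).
$profileProcs = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -like "$ProfilePath\AppData\*" } |
    Select-Object Id, ProcessName, Path

# 4. SHA256 of the suspicious files, so the samples can be submitted to the AV vendor.
$hashes = $suspicious | ForEach-Object {
    [pscustomobject]@{
        File   = $_.FullName
        SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
}

# Write everything into one report for the helpdesk / AV support staff.
$sections = [ordered]@{
    "Recent executables under $localAppData (last $Days days)" = $recentExe | Select-Object FullName, LastWriteTime, Length
    'Names matching the junk-name heuristic'                   = $suspicious | Select-Object FullName
    'Run/RunOnce entries pointing into AppData'                = $startupInProfile
    "Files in $startupFolder"                                  = $startupFiles | Select-Object FullName, LastWriteTime
    'Running processes with images under AppData'              = $profileProcs
    'SHA256 of suspicious files (for vendor submission)'       = $hashes
}
$out = foreach ($title in $sections.Keys) {
    "== $title =="
    ($sections[$title] | Format-Table -AutoSize | Out-String).TrimEnd()
    ''
}
$out | Set-Content -Path $Report
Write-Host "Triage report written to $Report"
```

Run it as `.\rogue-triage.ps1` (or with `-ProfilePath 'C:\Users\<User Name>'` when triaging another user's profile from an administrator account). The report complements a HijackThis log rather than replacing it: the hashes in the last section are what the vendor needs to add detection, and the Run-key and process sections point at what to look for once the sample has been identified.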