Fake Antivirus: 5 software titles you should definitely NOT install

Bogusware, scareware or rogueware - whatever you prefer to call them, are all different names given to describe roughly the same thing: rogue security products that masquerade as the real thing.

According to numbers published by the Anti-Phishing Working Group (APWG), more than 485,000 rogue security samples were detected for 2009 - an astoundingly large figure, when you consider that is more than double the statistical total for 2008.

More so, June was a watershed month for malware: 152,197 examples of anti-malware products were analysed overall.  

The APWG estimates more than 200 gangs throughout the world are responsible for the bulk of rogue security software applications floating around the internet, although only 10 of these gangs are responsible for more than 77% of the rogue malware infections.

How they work

Generally, web surfers are prompted to download rogue security software via an advertisement that pretends to offer authentic anti-virus or spyware scanning tools. 

Other methods also include drive-by-downloads via infected websites and fake BitTorrent downloads carried over popular P2P networks.

In some cases, the extent of infection only extends to credit card fraud: users are asked to register for a lifetime product licence by entering their credit card details.  

But in other more sinister cases, fake malware products can install hidden Trojans onto the user's computer unsuspectingly and then log email actions, bank account passwords and other personal data by sending it covertly back to the gang operating the scam.  This data is often used in numerous identity and banking fraud schemes.   

Where will you most likely come across rogue security software?

At first, it was assumed that most of the software applications were only showing up on porn, P2P and warez sites. Now that's changing. In recent months, mainsteam websites such The New York Times came under attack for hosting an advertisement on its site that redirected readers to a fake anti-virus package. 

Google plays a key part in the dissemination of not-so-honest links. Fake anti-virus applications still routinely show up in the pretext of Google adwords and in search results when you ssearching out new anti-virus suites to download.  

Downloading antivirus products over Bittorrent or P2P can be just as dangerous - many so called genuine products (such as Norton 2009 for example) can contain Trojan horses that work in the same way to infect machines.

A quick Wikipedia search will often tell you plenty of things about your program of choice.  It comes down to a great deal of common sense, including downloading from trusted sites, reading reviews and taking some time to consider why a flashing ad is prompting you to install a mysterious antivirus scanner. If it's too good to be true, it probably is.

Removing and  cleaning rogue invaders

Not all mainstream software security packages will pick up and detect the latest scareware. This has much to do with the concept of polymorphic malware, a type of viral threat that constantly changes its own binary structure to evade detection, making it extremely difficult to be picked up by traditional signature based scanning.

As most rogue security titles are polymorphic by nature, their malware signatures are often dynamic, which makes it very hard for some antivirus software to detect. 

To keep one step ahead of the security companies, malware programmers regularly change their name and logo to keep up with the latest signature scanners. As a result, many of the same rogue software titles compete under different titles, names that sound much like the real thing including "MS Antivirus".

Smaller spyware scanners tend to do a good job specialising in removing the fakes and these include programs such as Malwarebytes Anti Malware and Spyware Doctor. Combo-fix is a bare-bones piece of freeware used for catching spyware and malware and is a effective free alternative to cleaning vulnerable machines. HijackThis can sometimes be used to delete registery information if spyware scanners cannot clean all aspects of an infection.

5 rogue security software titles to avoid:

1) SpySherrif

How it works:  This piece of malware does it best work by informing computers of false threats to their system. It's mostly found via web typo's (Toggle) and via infected software downloaded over P2P networks.

Threat value:  SpySherrif is extremely difficult to remove by traditional security scanners. In additional to credit card fraud, this piece of crafty spyware can block internet connections, create multiple administration accounts, stop critical programs from responding and block access to several useful websites that might be used to clean any malware infection.  

Also known as: System Security, SpywareStrike, SpyShredder and Spybot - just to name a few.

2)  WinFixer

How it works:  Frequently launches pop-ups that offer trial versions of anti-virus suites that can scan machines for non-existent infections. To remove the fake Trojan, users must purchase the program.

Threat value:  Used mainly to extort users through credit card fraud.

Also Known as: WinFixer goes by many names, titles that sound much like genuine security suites. These include WinAntiSpyware, AVSystemCare, WinAntiSpy and Windows Police Pro. There are among 20 other given names for WinFixer.

3) MacSweeper

How it works: Known as one of the first rogue security applications to target the Mac Operating systems. It's easy to catch too: web typos, drive-by downloads and piggyback downloads hidden in other applications.

Threat value:  This one has been busted by the big security firms already and there are instructions for removal available online. The usual credit card fraud aspect applies and encourages users to pay for a full trial version.

Also known as: KiVVi Software, Cleanator.

4) Green Antivirus 2009

How it works: Green Antivirus is unique because it places a spin on the traditional fake anti-virus suite, by adding a moral incentive to users. The fake program often promotes to donate $2 of each downloaded software title to a particular charity in need. This is done to make the software appear more legitimate.

Threat value: Credit card fraud warning.

Also know as: Green AV.

5)  MS Antivirus 2009

How it works: With a name bearing the false credentials of the biggest software company in the world, this particular rogue security suite is particularly well positioned to take advantage of number one branding. Works in same manner of other rogue security suites by offering to scan computer for free.

Threat value:  It's Microsoft OS dependent, so you'll need to be on a Windows machine to be a viable target. However, once downloaded, the malware can disable genuine virus scanners and make it difficult to remove.

Also known as: Extremely popular and ever changing its name, it's also known as Windows Antivirus, Win Antivirus, Antivirus Pro and Antivirus Pro 2009 - among many many others.