Tips and Tricks

5 Things you didn’t Know About Rogue AV

For about three years, Rogue Antivirus has been one of the most important businesses for cyber-criminals. No wonder why these rogue applications are so popular, since all these cyber-crooks have to do is to design an eye-candy interface, build a product that lacks any kind of functionality and sell it at prices that, sometimes, are higher than what the user would pay for a genuine product.


However, their increased presence on the market has made users more suspicious and more difficult to trick into installing the product. At the same time, a number of large-scale class actions against Rogue AV distributors made them pay extra attention to what they promise versus what they offer. This material is a recap on some of the most interesting techniques found in rogue antivirus software cyber-crooks are using to pass their creations as genuine or at least “demonstrative” products.

1. The “Typical Scan Simulation” scenario

Some of the rogue antiviruses out there learnt that false claims of infection will likely weight a lot should they be brought to court and took a safer approach. Instead of lying their customers that they are infected, they state that they may be infected and that the report is a “typical scan simulation” – an “advertisement” on what the product can really do, should it be registered.

Rogue AV scan

Uncertain scan results. Multiple hints that this is not a real scan.

2. The minimal-functionality Rogue AV

Not all rogue antivirus utilities are created equal, although they are equally annoying, dangerous and ineffective, not to mention that they cost money. Back in 2009, we came across one of the many faces of the Antivirus XP that featured the same rogue-ish interface, annoying popups and misleading infection reports, but had a file called 1295395580.uvd. A closer look on the respective file revealed that it was an actual signature database with one record.

Eicar Sig

One-record virus database – world’s most ineffective “antivirus”.

Inside the file, there was the MD5 signature for the harmless and extremely popular EICAR “virus”, a test file that has been signed by the entire AV industry for users to test if their antivirus product works without having to use real malware. The unregistered version of the Antivirus XP would not detect the EICAR file; however, if registered, it would detect and delete the e-threat. This is just one example of rogue AV that has a grain of functionality, although it is absolutely rudimentary and useless.

3. The Rogue AV that “borrows” from legit antivirus solutions

Another type of rogue antivirus we’ve stumbled upon is the System Security family that adds insult to injury. Not only that they trick users into installing and purchasing it using the good-old fake alerts and apocalyptic warning messages the size of a desktop, but they also steal parts of legit antivirus solutions from well-known vendors. The sample we analyzed comes with bdc.exe, the BitDefender Console Scanner cyber-crooks “borrowed” from the BitDefender suite of products.

Don’t expect the rogue AV to use the console scanner to clean your computer. The only reason it is delivered with the rogue AV is to make detection and removal harder for other antivirus vendors, which will be unable to sign everything because there is also a legit file that will trigger *a lot* of false positives. And with every minute the rogue antivirus evades detection, more innocent users fall for the scam and end up buying a useless piece of software.

Rogue BDC

Mixing rogue AV with legit products make AV vendors waste more time on analysis and removal

4. Impersonation of genuine products

All rogue antivirus products are based on deception. The more the user thinks they are actually antivirus solutions, the bigger the probability of them actually purchasing the solution. Back in mid-May 2010, we reported on Bytedefender, a rogue antivirus impersonating BitDefender Internet Security 2010. This fake AV was hosted on typo-squatted domains resembling “bitdefender” and with page layouts similar to the BitDefender website at that time.  BitDefender is only one of the products impersonated by this family of rogue AV, as we detected clones for most of the top 10 worldwide antivirus vendors.

ByteDefender rogue

Designed to deceive: taking advantage of others’ visual identity.

5. The antivirus uninstaller

Most rogue antivirus products tamper with the system’s security settings in one way or another, be it that they block access to the Task Manager, to the Registry Editor or disable the Windows Firewall. Some of them are even instructed to kill a list of processes associated with antivirus solutions, should they be found on the system, but chances are that the self-protection mechanisms of legit antivirus solutions would prevent them from doing it. The only viable chance of success involves convincing the user to manually remove the antivirus prior to installing the rogue AV.

CoreGuard uninstall rogue

Example of Rogue AV that tries to convince users to remove a legit antivirus solution

This is an essential step prior to installing the rogue AV files, since they are easier to detect by a legit antivirus solution than the polymorphic or commercial-grade installers used by this kind of malware.

Bottom-line, fake antivirus products try to lure computer users into installing them by pulling an impressive number of stunts. More than that, some of these infections are extremely difficult to remove, intrusive, persistent and they will end up eating you a lot of money. If you need an antivirus solution, don’t install anything that flashes in front of your eyes. Instead of installing the first utility promising you to solve all your troubles, point your browser to an independent antivirus reviewer such as AV Comparatives. If you are still undecided, we’d gladly offer you a 40-day trial version of BitDefender Internet Security to keep you safe until you make up your mind.

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.