MISCELLANEOUS

ROGUE SECURITY SOFTWARE

SHORT HISTORY LESSON

The exact date of the first rogue antivirus is not really known; however, the first to create real havoc among PC users was Spy Wiper, which appeared in late November 2003. Security analysts of that time called it a super rogue. Spy Wiper was indeed a nasty product: it changed consumers’ home pages, changed their search engines and triggered a barrage of pop-up ads.

According to the FTC, the spyware also installed additional software, including spyware that can track the computer use of consumers. As a result of the spyware and other software the attackers installed, many computers malfunctioned, slowed down, or crashed, causing consumers to lose data stored on their computers.

After having created all these troubles for the user, the spyware offered a solution: the CD-ROM tray on the computer opened and a message appeared: “FINAL WARNING!! If your cd-rom drive(s) open… You DESPERATELY NEED to rid your system of spyware pop-ups IMMEDIATELY! Spyware programmers can control your computer hardware if you failed to protect your computer right at this moment! Download Spy Wiper NOW!”

Spy Wiper and its successor, Spy Deleter, are adware sold by Seismic Entertainment Productions Inc., Smartbot.Net, Inc., and Sanford Wallace, three companies that were sued by the FTC (Federal Trade Commission) because it had reason to believe that the law had been violated and it appeared to the Commission that a proceeding was in the public interest. The judge ordered the operators to give up more than $4 million in ill-gotten gains.

Of course, other similar incidents followed once the ice had been broken:

– On March 11th, 2005, the FTC took action against MaxTheater, a company producing SpywareAssassin. This product had been on sale since July 2004.

– On June 23rd, 2005, the FTC filed a lawsuit against Trustsoft, the company behind SpyKiller 2005, an “anti-spyware” product that had been at large since at least June 2004.

– On August 3rd, 2005, the FTC announced that it had settled a complaint against Advertising.com, the company behind SpyBlast.

Some of the methods used by these applications to promote themselves were:

– falsely claiming to have scanned users’ PCs remotely and detected “spyware”


– using high-pressure sales tactics through pop-ups and spam to compel users to buy the application

– selling an “anti-spyware” product that falsely detects “spyware” on users’ PCs

– selling an “anti-spyware” product that fails to remove a substantial amount of “spyware” from users’ PCs

– displaying an ActiveX “security warning” installation box, with a hyperlink describing the product as “Personal Computer Security and Protection Software”.

An interesting example of the last spreading method listed above is SpyTrooper, a rogue antispyware program that appeared in the second half of 2005. It is the same application as Brave Sentry, DIARemover, MalwareAlarm, Mr.AntiSpy, PestCapture, PestTrap, PestWiper, SpyDemolisher, SpyMarshal, SpySheriff, SpywareNo and Spyware-Stop. It looks like the illustration in Img 2.0, and the warnings users get from the browser look like Img 2.1. It also uses fake Microsoft Windows Security Center websites and warns users of a W32.Sinnaka.a infection (see Img 2.2).





Img2.0: SpyTrooper Control Panel


















Img2.1: SpyTrooper ActiveX fake alert. The scam is all the more ridiculous when you browse the website with a browser other than Internet Explorer.


 




Img2.2: Fake Microsoft Security Center warning of infection