Top 5 Fake Security Rogues of 2013


By Tyler Moffitt

We see users on the internet getting infected with Rogue Security Malware all the time. In fact, it’s one of the most common and obvious types of infection we see. The Rogues lock down your computer and prevent you from opening any applications, so you’re forced to read their scam. Although they use various tactics and convincing GUIs to get onto your computer, they all share a common goal: to get your money.

Here are the top 5 rogues reported this year:

  • System Care Antivirus
  • Internet Security
  • Disk Antivirus Professional
  • System Doctor 2014
  • AVASoft professional antivirus

How do I get these Rogues?

The most common installs come from fake Adobe update installers and from malicious URLs linked from pictures that look like this:

Once you click on an image like this in the wild and receive the payload from the malicious URL, you’ll have effectively given permission and installed the Rogue onto your computer.

How do they work?

  • They drop their randomly named executables in hidden folders. This example references System Care, but ProgramData or AppData are typically where they are dropped:
    C:\ProgramData\106F63937B0D2FCB0000106F532F3ADE\106F63937B0D2FCB0000106F532F3ADE.exe
    C:\Users\All Users\106F63937B0D2FCB0000106F532F3ADE\106F63937B0D2FCB0000106F532F3ADE.exe
    C:\Users\YourUserFolder\AppData\Roaming\106F63937B0D2FCB0000106F532F3ADE.exe
  • They add registry entries so the executable starts as soon as your computer starts up:
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "106F63937B0D2FCB0000106F532F3ADE"="C:\\ProgramData\\106F63937B0D2FCB0000106F532F3ADE\\106F63937B0D2FCB0000106F532F3ADE.exe"
  • They replace the handler for .exe files, so their own program starts instead of any executable you launch, and then report that executable as an infection:
    [HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
    @="C:\\ProgramData\\106F63937B0D2FCB0000106F532F3ADE\\106F63937B0D2FCB0000106F532F3ADE.exe"
  • The end goal is to get you to click “fix” and bring you to this page:

Don't give them your credit card information.

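As an added example (not code from the post or from Webroot), the two registry artefacts above can be checked from a .reg export: a parser for the `[key]` / `"name"="value"` format the post quotes, a test that the `exefile\shell\open\command` default still reads `"%1" %*` (run the program the user asked for, pass its arguments through), and a test for Run/RunOnce values that launch a 32-hex-character executable from ProgramData or AppData. The sample export, the benign OneDrive entry and the heuristics are constructed for this example.

```python
import ntpath
import re

# Constructed sample .reg export (not a real capture) in the format the post
# quotes: the RunOnce entry and the exefile handler hijack of a System Care-style
# rogue, plus a benign Run value for contrast.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"106F63937B0D2FCB0000106F532F3ADE"="C:\\ProgramData\\106F63937B0D2FCB0000106F532F3ADE\\106F63937B0D2FCB0000106F532F3ADE.exe"
"OneDriveSetup"="C:\\Windows\\SysWOW64\\OneDriveSetup.exe /thfirstsetup"

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="C:\\ProgramData\\106F63937B0D2FCB0000106F532F3ADE\\106F63937B0D2FCB0000106F532F3ADE.exe"
'''

CLEAN_EXEFILE = re.compile(r'^"%1"\s*%\*$')        # the normal .exe handler
HEX_NAME = re.compile(r'^[0-9A-F]{32}$', re.I)      # 32-hex-char names like the sample
USER_WRITABLE = ('\\programdata\\', '\\appdata\\', '\\users\\all users\\')

def parse_reg(text):
    """Yield (key, value_name, value) from .reg-style text; '@' is the default value."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key and '=' in line:
            name, _, value = line.partition('=')
            # undo the .reg escaping: \\ -> \ and \" -> "
            value = value.strip('"').replace('\\\\', '\\').replace('\\"', '"')
            yield key, name.strip('"'), value

def exe_path(command):
    """Return the executable at the front of a command line (simple heuristic)."""
    m = re.match(r'^\s*"?([^"]+?\.exe)', command, re.I)
    return m.group(1) if m else command

def find_rogue_persistence(text):
    """Return (finding, key, value) tuples for the two persistence tricks in the post."""
    findings = []
    for key, name, value in parse_reg(text):
        low_key = key.lower()
        if low_key.endswith('exefile\\shell\\open\\command') and name == '@':
            if not CLEAN_EXEFILE.match(value):
                findings.append(('exefile-hijack', key, value))
        elif low_key.endswith(('\\run', '\\runonce')):
            path = exe_path(value)
            stem = ntpath.splitext(ntpath.basename(path))[0]
            if HEX_NAME.match(stem) and any(d in path.lower() for d in USER_WRITABLE):
                findings.append(('hex-named-autorun', key, path))
    return findings
```

A hit on the exefile handler is the one to fix first, since every .exe launched afterwards (including a cleanup tool) goes through the rogue.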
How do I remove these Rogues?

If you have Webroot already installed, then you shouldn’t need to do anything, as the real-time protection will block the known threat as soon as it is dropped onto your computer. If you don’t have Webroot installed yet (but wish to install it so you can remove these Rogues), then all you have to do is boot into Safe Mode with Networking and install Webroot SecureAnywhere; it will detect them immediately.

New variants of these rogues come out constantly, so there are millions of unique signatures being dropped on computers every day. If you happen to come across a new zero-day variant that doesn’t yet have a determination, then you should know about Webroot’s ability to remediate infections without a database determination. All you have to do is open your console, click the “System Tools” tab and then click “Start” under Control Active Processes. You’ll then be presented with the screen below, which shows all the active processes that are running:

Anything running under the “Monitor” column should be scrutinized. If you find anything with a randomly generated name, like the new System Care variant below, set it to “Block” and then run a scan. Upon finishing the scan, Webroot will remove the file and roll back any changes made by the malware:
Example: C:\ProgramData\106F63937B0D2FCB0000106F532F3ADE\106F63937B0D2FCB0000106F532F3ADE.exe

Webroot support is always more than happy to help with removal and questions regarding infections.

2 thoughts on “Top 5 Fake Security Rogues of 2013”

  1. Tyler Moffitt missed the most obvious rogue #security product of 2013… Webroot’s own SecureAnywhere was installed on tens of thousands of machines without the owners’ explicit permission or opportunity to read the T&Cs. The goal? To get your money!
