Previous month:
November 2010
Next month:
January 2011

December 2010

Fake AV and Rogue Security Software: The Scareware Class of 2010

You're surfing the web. You land on a page that offers a free security scan.  Everyone's always talking about new viruses every day, how important it is to protect yourself against identity theft. The banner says the scan checks for the latest, most dangerous viruses and spyware, too.

Looks legit. The page you're on has lots of links to emerchants you're familiar with, too. Sounds good.



You click and wait as the software does its thing. 

Screenshots by InfoSpyware

What's this? Your  browser or Windows operating system begins to display popups or alerts claiming your PC is infected. Wow, good thing you happened upon this security software. Funny, though, everything seemed to be working just fine until...

Warning, Will Robinson!


You've just been snatched by a fake AV or rogue security software.

Fake AV and rogue security software are designed to convince you to download executable software onto your PC. Once installed,  they may install malicious files. Some of the common malware these criminals install -  Win32/FakeSpypro, Win32/FakeXPA, Win32/FakeVimes, Win32:FakeRean, or Win32/Winwebsec - are branded under multiple names and re-skinned to present a different look and feel to users.  Microsoft's Security Intelligence Report Volume 9 reports that "Some versions emulate the appearance of the Windows Security Center or unlawfully use trademarks and icons to misrepresent themselves." These packages may modify the Windows Registry, alter system files, or disable Windows services to affect the performance of your PC so that it appears to be analyzing your system. Some rogue security software stops services or software that your PC needs to operate properly to enhance this deception. The software then bombards you with false alarms (false positive reports of viruses, spyware, keyloggers, adware) or displays an intimidating list of detected issues to scare you.

You've been hooked. The only question left is...

How much is the ransom?

Ransom? That's right, ransom. Microsoft's Security Intelligence Report calls rogue security software "one of the most common methods that attackers use to swindle money from victims". Criminals get you to voluntarily infect your PC and then scare  you into purchasing the full version to remove the numerous problems the scan has discovered. In many cases, these scamware fix little or nothing even after you purchase the fully functional version.

Introducing... the Class of 2010

2010 may have been a breakout year for scareware and ransomware. I only had to visit a handful of reputable resource pages  (,, and antivirus vendors to identify sixty security software that have been reported as being fake, rogue, or malicious.  This is not an exhaustive list, of course, as criminals continue to introduce new variants in 2010 and are likely to do so in 2011.

What can you do if you suspect you're infected?

Removal instructions  for rogue security software are available from many reputable sites. has an extensive list of rogue and scamware. The site promotes its own free scanners but has positive reputations with Mcafee Site Advisor and Web of Trust.  WOT reports and remove as reputable resources as well (1, 2). These sites provide articles that explain in detail how to remove these threats.

Many of the articles at make a point to indicate whether the free version of MalwareBytes’s Anti-Malware detects and removes the fake antispyware. I use and trust this antimalware software and recommend it.

I've provided a resource page that links directly to removal instructions for my Class of 2010 from these sites.

What can you do to prevent being infected again?

Microsoft's Malware Detection Center offers common advice on nearly every page that reports rogue security software. If you are a frequent reader of my blog, much of the advice will be familiar:

  • Keep all your installed software patch current
  • Use up-to-date antivirus software and keep your definitions current.
  • Be suspicious of email attachments
  • Do not accept file transfers when instant messaging
  • Use caution when clicking on links to Web pages
  • Don't download or try software from Web pages without checking the site's reputation
  • Don't use unlicensed (pirated) software
  • Be skeptical! Don't fall prey to social engineering attacks

Adopt these good practices. Help reduce the roll call for the Class of 2011.

Phishers use subliminal messaging to make you open that email

The cleverest of phishers are good social engineers. Often, they borrow a page from broadcast media and publishers, who are very good social engineers. Phishers recognize that controversial or scintillating headlines convince a passerby to purchase a newspaper from a newstand, a couch potato to pause mid channel-surf, or  an Internet user to visit a web page . They use these same strategems when composing email message subject lines.

Whether in our home, office, automobile, airport lounge or elevator, we hear, read, watch or are passively exposed to some controversial or scintillating media broadcast every day. Even when we pay only part attention to this input, we often retain some element of the message. Phishers exploit this human behavior. Consider some  of subject lines from my cache of recent phish emails, below.

The first batch prey on concerns over health and healthcare:

Subject: Learn all about Medicare/Medigap coverage
Subject: FDA Alert. Do you use Paxil
Subject: Avandia Heart Attack Cases are Now Settling
Subject: Ease the worry with health insurance
Subject: Health warning for all Accutane users
Subject: Student health insurance. Find affordable plans
Subject: Do you suffer from Diabetes?
Subject: Big settlements for Avandia users

Subject: Get contact lenses online

Photo: George Eastman House


I've omitted another dozen subject lines that promote weight loss, virility, beauty/Botox, and Acai Berry for better health. I can recall a mainstream media commercial, print ad, or news piece covering each of these issues or fads, can you? Many of these subject lines target seniors or individuals whose healthcare needs may be worrisome enough to convince them they should read on. 

A second batch targets individuals who have economic worries:

Photo: onohoku

Subject: The bailout is working for homeowners in need
Subject: Our Loan services are low interest rate (2%) 
Subject: Quickly and easily qualify for an unsecured loan
Subject: A unique way out of debt
Subject: 2010 Credit Report - Credit Score Included
Subject: Compare term life carrier rates from top providers

Subject: Veteran Loans
Subject: CBS interview helps you get out of debt
Subject: Switch To A 15 Year Fixed Rate At 3.75%
Subject: Earn Cash in the New Year

Everyone who is reading this blog has some inkling of the world economic situation. No one of us is entirely unaffected and many of us have friends and family who are struggling financially. Phishers are betting that our good will trumps our common sense and that we'll click to learn more or pass the message along to someone who might.

Phishers love holiday seasons and celebrate by exploiting our giving spirit:

Subject: Letter From Santa For Your Child
Subject: More Values, Your Values - This Holiday Season
Subject: Christmas Greeting Cards! No registration! No fees!
Subject: 12 days, 12 great small biz gifts!
Subject: A better way to travel
Subject: Custom Santa Letters
Subject: Your WalMart Holiday Card
Subject: One-Day Deal: 50% Off Sweaters! Plus, Holiday Sale up to 50% Off

Photo: George Eastman House

If you shop online, you are probably receiving bulk solicited or direct mail from merchants. Phishers copy email sent by legitimate merchants and brands. They know money is tight and that in weak economies, bargain shopping is even more appealing so they try to convince you the deal is legit and too good to pass by.  

This is a small sample of what you should expect, and all of these were delivered in the past five days. Here are some suggestions to help you avoid falling prey to the subliminal messaging phishers employ in subject lines:

  1. Be suspicious of any unsolicited healthcare and health plan information delivered to your mailbox. Check the sending email address carefully. If you are a US resident, it's very unlikely that a legitimate health care professional is sending you mail from a foreign country email server such as or
  2. Avoid loan, credit card, insurance or other finance offer delivered to your mailbox, especially when rates quoted are sub-prime or terms are generous. 
  3. Ignore bargains or offers from merchants you have not used or granted permission to send you email. In the best case, these merchants are sending unsolicited bulk email; in the worst case, the mail is from phishers, not merchants. Again, check the sending mail address carefully. Read the entire email address. Phishers may embed the name of a merchant or brand in an email to convince you the message is legitimate.

These good practices are complements to, not substitutes for, the every day measures you should take to avoid being phished. You'll find some common sense guidelines at Stop Think Connect and other antiphishing measures here.