

| Title | File | Date |
|---|---|---|
| What is the Rogue (Fake Anti-Virus) program? | -- | 10/08/09 |

Written by Hyun Min Park - HAURI Virus Lab.
Today, let's look at what a Rogue program is, how it gets installed, and how we can prevent it from installing itself automatically.
A Rogue program, also called a Fake Anti-Virus, pretends to be a legitimate Anti-Virus product and causes a lot of inconvenience to the user's PC use. Typical Rogue families that have been a big issue include AntivirusXP2008, Antivirus2009, AntiSpyware2009, TotalSecurity, HomeAntivirus2010, SystemSecurity, Antivirus2010 and others.
Their characteristics are as follows.
1) Similar design of UI (User Interface)
: A Rogue (Fake Anti-Virus) must pretend to be a normal Anti-Virus in order to induce users to purchase it, so its UI is usually designed to look like that of a legitimate Anti-Virus product.
2) Shows fake or exaggerated scanning results, or the same result every time, and induces users to purchase it for fake security
: Most users do not check whether the result is the same on every scan, so the Rogue takes advantage of this habit and induces users to purchase it for a fake repair.
3) Sets an option for automatic (auto-settle) payment
: If users click to perform the fake repair, the Rogue induces them to purchase it using the automatic payment option.
[PIC 1] Rogue (Fake Anti-Virus) screens designed to look like a normal Anti-Virus UI.
[PIC 2] Rogue screens.
[PIC 3] A Rogue showing fake scanning results with warning signs.
Then, how does a Rogue spread itself and infect a user's PC?
1) Through certain malicious codes
: A certain malicious code infects the user's PC first, then installs the Rogue by downloading the fake Anti-Virus installer, or shows fake Anti-Virus screens to induce the user to install it.
2) Infection via E-Mail attachment
: Usually these E-Mails carry socially topical content with the fake Anti-Virus installer attached.
If the user downloads and executes the attached installer, the Rogue is installed on the user's PC.
3) Inducing installation as a sponsor program of a Freeware/Bundle program
: Sometimes sponsor programs are selected by default in a freeware/bundle program's installation, and a Rogue takes advantage of this to spread itself.
[PIC 4] Inducing installation of a sponsor program during freeware installation.
4) Installation via ActiveX
: This method violates the Spyware Standards Law, so installation via ActiveX has decreased remarkably recently.
5) Others
: Infecting the user's PC through movie clip files, messenger programs, crack files for P2P programs and illegal copies. A Rogue can also be installed through UCC sharing sites, real-time search keywords, topical blogs, hacked websites and zero-day exploits.
[PIC 5] Inducing installation of a fake Anti-Virus using socially topical news.
[PIC 6] Inducing installation of a fake CodecPack for watching a movie.
Recently, the way malicious codes spread has been changing and their techniques are gradually evolving, as described below.
1) It spreads with worms and file viruses, and is installed together with files that infect certain Windows system files such as NDIS.SYS, NTFS.SYS and AGP440.SYS. By spreading itself with various types of virus files, the chance of infection grows, and it becomes hard for users to repair an infected PC without an Anti-Virus program.
2) The same malicious code distributor (same download link) creates variants of the malicious code continuously. In this way more and more variants are created, so blocking the distributor URL is the most important first step. Also, the component files of the downloaded fake Anti-Virus are packed in password-protected archives, which makes the malicious code harder to detect.
[PIC 7] Variants of malicious code created from the same distributor (same download link).
[PIC 8] Comparison of the variant files from the same distributor.
3) By modifying certain registry values, it blocks execution of every process except the fake Anti-Virus and induces users to purchase it for a fake repair. Because all other processes are blocked, it becomes hard for the user to delete the fake Anti-Virus program. As a solution, the user can delete the fake Anti-Virus after restoring the modified registry value in the system's Safe Mode.
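One way to check a PC for the two symptoms described in points 1) and 3) above, as an added PowerShell example that is not part of HAURI's article. The article does not name the registry value the rogue modifies; the script assumes it is the .exe file-association command (a value commonly targeted by such programs), and it checks the three driver files the article names.

```powershell
# Added example (not HAURI's code). Reports two symptoms described above:
#  - Windows system drivers patched by a file virus (the three files the article names)
#  - a registry value changed so that only the rogue program can run. The article does
#    not name the value; this script ASSUMES the .exe file-association command.
# The script only reports; it changes nothing.

function Test-DriverSignatures {
    param([string[]]$Names = @('ndis.sys', 'ntfs.sys', 'agp440.sys'))
    foreach ($name in $Names) {
        $path = Join-Path $env:SystemRoot "System32\drivers\$name"
        if (-not (Test-Path $path)) {
            # agp440.sys is not present on every Windows version
            Write-Output "MISSING $path"
            continue
        }
        # A driver whose code was overwritten no longer carries a valid Microsoft signature.
        # Note: older PowerShell builds do not consult catalog signatures, so OS drivers may
        # show 'NotSigned' there; 'sfc /verifyfile=<path>' is the fallback check.
        $sig = Get-AuthenticodeSignature -FilePath $path
        $verdict = if ($sig.Status -eq 'Valid') { 'OK     ' } else { 'SUSPECT' }
        Write-Output "$verdict $path ($($sig.Status))"
    }
}

function Test-ExeAssociation {
    # Default command used to launch any .exe; a rogue rewrites it so that every program
    # start runs the rogue's binary instead (the "blocks all other processes" effect).
    $expected = '"%1" %*'
    $key = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    $actual = (Get-ItemProperty -Path $key).'(default)'
    if ($actual -eq $expected) {
        Write-Output "OK      exefile open command is unchanged"
    } else {
        Write-Output "SUSPECT exefile open command is '$actual' (expected '$expected')"
        Write-Output "        restore it in Safe Mode, then remove the rogue program"
    }
}

Test-DriverSignatures
Test-ExeAssociation
```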
Then, what can we do to prevent damage from malicious code?
First, always keep Windows up to date with the latest updates.
Second, use a genuine Anti-Virus program and keep its engine updated for security.
Third, apply security patches for program vulnerabilities as soon as they are released.
Fourth, and most important, is the user's security awareness. Many malicious codes are installed without the user's agreement, but sometimes infection happens through the user's carelessness. When you install a certain program or ActiveX control from the web, read the program's policies carefully and check whether the ActiveX control is actually related to your purpose.
