


Rogue antivirus makes users an ‘offer they can’t refuse’

Aug 26, 2013
Cybercrime | Identity Management Solutions | Social Engineering

Rogue antivirus can make your life difficult, but whatever you do don't pay money to remove the threat. Follow these tips to recognize, avoid, and remove fake antivirus threats.

Rogue or fake antivirus is the digital equivalent of paying the neighborhood mafia “protection money” to make sure nothing bad happens to your business. The irony is that the only real threat to your business is the neighborhood mafia, and the only thing you have to worry about is what they will do to your business if you don’t pay the “protection money”.

Let’s look more closely at the parallels.

1. Perceived threat

It all starts with seemingly random malicious attacks. For a local business, it might be a rock through the window, or a small fire. For rogue antivirus, the initial infection causes bizarre PC behavior to start hinting that maybe something isn’t quite right.

2. Guardian angel

Then, the hero shows up. For local businesses, it’s representatives of the local mafia stopping by to express their concern and outrage, and offer to guard your business against malicious activity…for a fee. With rogue antivirus, an alert message will appear letting you know that a malicious threat was detected, and offering to eradicate it…for a fee.

3. An offer you can’t refuse

Many will ignore the initial threat as a minor one, and turn down the offer to help. Suddenly, instead of a rock through the window, or a small fire in a trash can out back, the business is robbed or ransacked, and people start getting hurt. With rogue antivirus, the infection escalates and the malicious software gets increasingly aggressive, with greater impact to your ability to use the PC. In either case, the “guardian angel” is sending a message that the offer to “help” was not an offer that was meant to be refused.

4. The payoff

Eventually, you pay for protection that you only need because of the “hero” offering it, and everyone is “happy”. With a neighborhood mafia, as long as you keep paying the “protection money”, your business remains protected, but the “hero” will keep increasing the fees for the “protection” service. With rogue antivirus, once you submit and pay for the “help”, the bad guys win: the software taking your payment is the same software that caused the problem, so the payment buys you nothing. Your personal identification details like your name, address, phone number, and birth date will likely be captured, along with your bank or credit card details. If you register using the same username and password you use for other sites, the attacker may also have the keys to the kingdom to compromise your email and social networks, or possibly other credit card and financial accounts.

How to avoid a rogue antivirus attack

Thankfully, it’s really not that difficult to recognize and avoid a rogue antivirus threat.

The first step is to have legitimate security software installed and up to date. If you’re using Microsoft Security Essentials, or a third-party security solution like McAfee, Symantec, or Webroot, odds are fair that the initial attempt to infect your PC with the rogue antivirus malware will be detected and blocked.

Unfortunately, many threats manage to avoid detection, or may be so new that your security software isn’t yet updated to identify them. That is why the second step is actually the most important. You must either A) be aware that you don’t have security software installed, or B) be aware of how your security software behaves and what a legitimate error message looks like.

If you don’t have security software installed, then any alert message warning you of a potential malware infection should be a major red flag. You should have security software installed, but if you don’t, how is it possible that a threat was detected, and what software is presenting this mysterious alert message?

If you do have security software installed, you should know how it acts when a threat is detected, and you should be aware of what a legitimate alert message should look like. Threats that mimic Microsoft Security Essentials alert messages—especially ones that do it well—are particularly effective. The free security software is used on millions of Windows PCs, so a well-executed spoof can catch many users off-guard.
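Knowing what security software is actually registered on the PC is the first half of the second step. The following PowerShell script is an added example and is not part of the original article or of any Microsoft tooling: it lists the antivirus products registered with Windows Security Center and checks whether each product’s executable carries a valid Authenticode signature from a publisher you recognize. It assumes Windows 7 or later with PowerShell 3 or newer; the root/SecurityCenter2 namespace is a client-Windows feature and is assumed absent on Windows Server.

```powershell
# Added example (not from the original article or from Microsoft).
# Lists antivirus products registered with Windows Security Center and
# verifies the Authenticode signature on each product's executable.
# An on-screen "threat detected" alert from a product that does not appear
# here, or whose binary is unsigned, is the red flag the article describes.
# Assumes: Windows 7+ client, PowerShell 3+, root/SecurityCenter2 present.
function Get-RegisteredAntivirus {
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct

    if (-not $products) {
        Write-Warning 'No antivirus product is registered with Security Center.'
        Write-Warning 'Any "threat detected" alert on this PC is not coming from a registered AV product.'
        return
    }

    foreach ($p in $products) {
        $exe = $p.pathToSignedProductExe
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) {
            # Registered product whose binary is gone: treat as suspicious.
            $status = 'BinaryMissing'
            $signer = ''
        } else {
            $sig    = Get-AuthenticodeSignature -FilePath $exe
            $status = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }

        [pscustomobject]@{
            Product   = $p.displayName
            Path      = $exe
            Signature = $status
            Signer    = $signer
            # productState is an undocumented bit field; shown raw so it can be
            # compared with what the vendor's own console reports.
            State     = ('0x{0:X6}' -f $p.productState)
        }
    }
}

Get-RegisteredAntivirus | Format-Table -AutoSize
```

If the table is empty, there is nothing on the machine that could legitimately have raised an antivirus alert. If a product is listed but its Signature column is anything other than Valid, or the Signer is not the vendor you installed, treat its alerts with the same suspicion as a pop-up from nowhere.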

Regardless, the point where the rogue antivirus software asks for money is the point that you should run in the other direction. Whether you don’t have security software, or you’re using free security software, or you’ve installed commercial security software you’ve paid for, it should be an immediate and urgent warning sign if an alert message—no matter how authentic it may seem—requests additional payment to remove the threat.

A Microsoft Security Intelligence Report blog post contains a video animation that walks through how one of the more common rogue antivirus attacks works. Microsoft also provides steps for how to use the Malicious Software Removal Tool (MSRT) to remove such a threat. MSRT is delivered monthly through Windows Update and can also be started by hand by running mrt.exe; keep in mind that it targets specific prevalent malware families and is not a substitute for real-time antivirus software.