Last-minute presentation: Recent rogueware

Kurt Baumgartner PC Tools

   download slides (PDF)

Fraud can distract the marketplace from effective products. Snake oil is a part of traditional Chinese medicine and turns out to have some merit as a concentrated source of EPA, an arthritis and joint inflammation pain reliever, due to Chinese watersnake oil content. When Clark Stanley and other Western characters started selling various rattlesnake oil knockoffs and ineffective versions of oil liniments, an era of hucksterism boomed. The stain of the 'snake oil seller' unfortunately remains on the American vernacular.

We are reliving a peak in the security marketplace's appearance of snake oil peddlers. Booming demand for effective software security products provides opportunity for all, so peddlers are back in strength, repackaging faux security software with pretty images, false claims and alarming advertising. What is new about rogue anti-spyware this year?

This group has effectively evaded AV/anti-adware technologies over the past year and is working to stay ahead of defences. The software hucksters actively developing and peddling fake AV solutions have reworked their distribution schemes, which, in turn, are reflected in the implementation details of the distributed software. These software components fill a user's system with intimidating 'fakealert' pop-ups, co-opted Sysinternals humour, and other messages engineered to convince the user to hand over a credit card number to pay for help with inaccurately reported problems.

As the accelerating volumes of morphing malware and advances in AV scanner evasion over the past few years helped drive the need on a global scale for behaviour-based technology, this rogueware poses new problems for programmatic behavioural analysis. Some of the groups have recently added arguably beneficial components to their changing software, and some no longer perform blatantly malicious behaviours. The situation is no longer black and white. The prevalence of drive-by exploits delivering unwanted Vundo installs of yesterday is waning and being replaced with subtler methods of delivery and behaviour.

We will survey multiple fakealerts, including the much-publicized MonaRonaDona scam, and dive into the low-level details of binders and downloaders that have risen in popularity. We will examine some effective obfuscation methods and ridiculously non-beneficial behaviours that the Vundo authors implemented to keep ahead of well-known AV scanner detection, and then move on to the schemes of today. Following the trends of the rest of the adware market, many rogueware software components exhibit much less malicious behaviour, implemented in software hacks, and no longer dramatically affect system stability and security with immutable system changes. The implementations change; the snake oil remains.
