Beware of Rogue Programs: Fake Malware Scanners and Registry Cleaners

It’s been five years since we first heard about the research on Rogue and Suspect Antispyware by Microsoft MVP and Director of Malware Research for Sunbelt, Eric L. Howes. Today, most rogue malware scanners are using false detection to rip-off and exploit the name of legitimate malware scanner programs. No trial version (forcing users to pay for the program) are usually offered and these programs are difficult to remove and will hijack the computer settings by changing the home and search pages.

Today’s rogue malware scanners are worse than those of the past because the online scammers will now attempt to infect computers in order to to push their fake programs. If a PC is infected with a Trojan or downloader, it will download the installer of the rogue malware scanners (and most will download fake files with fake malware scanners silently without the users' knowledge!). The user is tricked into paying for a fake anti-malware program to remove the fake security threats. Users will not only lose money but they are putting their financial and personal information at risk.

How many rogue malware scanners are there?

Unfortunately we lost count because the numbers of rogue anti-malware programs have increased so dramatically. The recent report by Anti-Phishing Working Group stated “rogue anti‐malware programs rose some 225 percent from 2,850 in July to 9,287 in December”.

It’s quite obvious that online scammers and malware creators are exploiting the name of trustworthy anti-malware programs and using the popular keywords in search engines. That’s one of the many tricks they are doing to put a user’s machine into halt and try to get their hard-earned money.

Some other tricks by scammers to spread rogue malware scanners:

• Spam on discussion forums to trick users in visiting a site that has fake malware scanners. CalendarofUpdates.com Forums received such rogue program spam a few days ago and it’s happening in many other discussion forums, newsgroups and blogs.
• Rogue malware scanners can be seen in TV commercials too! Example: FinallyFast.com and FinallyFast.com.au are currently running TV commercials. See the article at MalwareTreks for an explanation as to why FinallyFast is a program to be avoided.
• The bad guys are also running an affiliate program to spread the fake scanners as fast as they can. Brian Krebs of SecurityFix reported an example, TrafficConverter.biz. So be sure to be careful when searching information online and to avoid the rogueware affiliate networks that earn money by redirecting people to rogue sites (see the report at Finjan).
• Malicious banner advertisement is another method use by the scammers to redirect the browser to site that is serving the fake malware scanners. No need to click to be redirected because the malicious ad is coded to automatically redirect people to a rogue site.

Rogue malware scanners are not the only misleading applications to avoid. We’ve seen rogue registry cleaners and fake PC tune-up applications which will trick users in paying for the program to fix the non-existing issues on a computer.

Example of rogues PC Tune-Up and Registry Cleaners are Registry Great, FileFix Professional, Deus Cleaner, Registry Clean Fix, PCRaiser, The Registry Sentinel, Error Cleaner, Registry Doctor 2008, PC Turbo Pro, Registry Defender Platinum, WinPerformance, RegSort, Smart Fixer, and many more!

Tip: Windows include several system utilities that you can use to clean-up for temporary files or browsing history, to defrag the hard-drive and to fix any corrupted system files. If you need additional features you can use Revo Uninstaller, CCleaner or ATF Cleaner, Karen Cookie Viewer and Diskeeper. Whenever you are in doubt or you are planning to download or buy software, it's a good idea to go to a security forum and ask for advice. See too Brett Callow's article Should you Use a Registry Cleaner? These cleaners can and so cause problems - even the reputable ones - so think carefully before deciding to use one.

How to protect your computer and your wallet from rogue applications?

• Update all software (Windows, Office and 3rd party applications)
• Use an anti-virus program that will guard not only your computer files against infection, but will also protect you while you surf. There are a number of good free antivirus program available - Avast!, for example.
• Use a non-admin user account in Windows or enable User Account Control (UAC) in Vista
• Enable the security features in the browser. Example: Internet Explorer has SmartScreen Filter that will check a website or downloads for unsafe contents
• Delete spam and never install a spamvertized product. You can use ePrompter or Mailwasher.
• Use a two-way firewall protection
• Add extra layer of protection if your antivirus program or firewall do not block rogue and bad websites – HOSTS file, restricted sites, Web of Trust, SiteHound, and SiteAdvisor et al.
• Monitor the activity in your computer using WinPatrol
• If you are advanced user consider using Windows SteadyState, ShadowMode or Try&Decide.
• Backup regularly (consider storing your backup in external drive or by using online backup service)
• Always check if System Restore is running and working by creating a restore point before installing any application.
• Not all anti-virus programs will catch everything. Consider installing an on-demand anti-trojan or anti-malware scanner that is compatible to your existing protection (a-squared, for example)
• Do not download crack or pirated software or music. Most of these have Trojans that will infect your computer.
• Avoid visiting unwanted websites. Use a website rating product such as WOT, SiteAdvisor, LinkScanner etc so users in your home PCs will be warned before they click a link.

Removing rogue applications

Some months ago I decided to put some anti-malware programs into test by checking their detections to new and old rogue programs. The result was disappointing because not every malware scanner will try to detect all known fake scanners especially the old rogue products. I’m glad though that most of them have added the detections and understood that even old rogue malware scanners can still be pushed or easily to found on the internet (especially if a user misspells a keyword or visits some blogs or sites that are compromised).

The images on this page are examples of rogue website showing a fake message. The test system is using up-to-date antivirus by Avast with Web Shield, TeaTimer by Spybot-S&D and SmartScreen Filter in Internet Explorer 8.

If you will see a fake message on webpage or on your computer, do not pay for the program to remove the fake security threats. You should attend to it by running a scan using trustworthy scanners. If your antivirus failed to protect you against fake malware scanners, you should consider installing antivirus that has advanced protection or add extra layer of protection.

If you need help in removing any type of infection (worm, virus, spyware, adware, rootkit, Trojan, rogue applications), you can easily get help by going to security forums that offer HijackThis analysis. Do not simply trust any calls from tech support that you do not know - those are scammers. Example: supportonclick.com, Support on Click or supportonclick, are all offering remote computer support services and pretending that they are working from Malwarebytes Anti-Malware (a reputable security company).