By Tyler Moffitt
We see users on the internet getting infected with Rogue Security Malware all the time. In fact, it's one of the most common and obvious types of infection we see. The Rogues lock down your computer and prevent you from opening any applications, so you're forced to read their scam. Although they use various tactics and convincing GUIs to get onto your computer, they all share a common goal: to get your money.
Here are the top 5 rogues reported this year:
- System Care Antivirus
- Internet Security
- Disk Antivirus Professional
- System Doctor 2014
- AVASoft professional antivirus
How do I get these Rogues?
The most common installs come from fake Adobe update installers and from malicious URLs linked from pictures that look like this:
Once you click an image like this in the wild and run the payload served from the malicious URL, you have effectively given permission and installed the Rogue onto your computer yourself.
How do they work?
- They drop their randomly named executables in hidden folders. This example references System Care, but ProgramData or AppData are the usual locations:
C:\ProgramData\106F63937B0D2FCB0000106F532F3ADE\106F63937B0D2FCB0000106F532F3ADE.exe
C:\Users\All Users\106F63937B0D2FCB0000106F532F3ADE\106F63937B0D2FCB0000106F532F3ADE.exe (the same folder, reached through the All Users junction)
C:\Users\YourUserFolder\AppData\Roaming\106F63937B0D2FCB0000106F532F3ADE.exe
- They add registry entries that start the rogue as soon as your computer starts up:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"106F63937B0D2FCB0000106F532F3ADE"="C:\ProgramData\106F63937B0D2FCB0000106F532F3ADE\106F63937B0D2FCB0000106F532F3ADE.exe"
- They hijack the registry association for .exe files, so the rogue runs instead of whatever program you try to open, and then report that program as an infection:
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="C:\ProgramData\106F63937B0D2FCB0000106F532F3ADE\106F63937B0D2FCB0000106F532F3ADE.exe"
- The end goal is to get you to click "fix" and bring you to this page:
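The three indicators above (hex-named executables under ProgramData or AppData, Run/RunOnce entries pointing at them, and a hijacked exefile open command) can be checked by hand. The following PowerShell triage script is an added example, not code from the original post or from Webroot. It is read-only. The 32-hex-character name pattern is an assumption generalised from the System Care sample (other variants may name their files differently), and the HKCU exefile check and the Run keys beyond HKCU\RunOnce are additions not mentioned in the post.

```powershell
# Added example (not from the original post): read-only triage for the rogue
# indicators described above. Run from an elevated prompt. If the exefile
# hijack is in place, launching PowerShell normally may itself be redirected,
# so run it from Safe Mode as the post suggests.

# Assumption: rogue folder/file names are 32 hex characters, as in the sample.
$HexName = '[0-9A-Fa-f]{32}'

function Get-SuspiciousRogueFiles {
    # Hidden folders or executables named with a 32-char hex string under the
    # two locations listed in the post. -Force includes hidden items.
    $roots = @($env:ProgramData, $env:APPDATA)
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match "^$HexName(\.exe)?$" } |
            ForEach-Object {
                if ($_.PSIsContainer) {
                    # Folder named <hex>: report any .exe inside it (<hex>\<hex>.exe case).
                    Get-ChildItem -Path $_.FullName -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
                        ForEach-Object { [pscustomobject]@{ Indicator = 'HexNamedExe'; Detail = $_.FullName } }
                } else {
                    # Bare <hex>.exe dropped directly in the folder (AppData\Roaming case).
                    [pscustomobject]@{ Indicator = 'HexNamedExe'; Detail = $_.FullName }
                }
            }
    }
}

function Get-SuspiciousRunEntries {
    # Autostart values whose name or data contains a 32-char hex string.
    # The post shows HKCU\RunOnce; the other three keys are checked as well (assumption).
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata properties (PSPath, PSParentPath, ...).
            if ($p.Name -like 'PS*') { continue }
            if ($p.Name -match "^$HexName$" -or "$($p.Value)" -match $HexName) {
                [pscustomobject]@{ Indicator = 'RunKey'; Detail = "$key\$($p.Name) = $($p.Value)" }
            }
        }
    }
}

function Test-ExefileHijack {
    # On a clean system the default value is  "%1" %*  (the program you
    # launched plus its arguments). A hard-coded .exe path means every .exe
    # launch is redirected to that file instead.
    $paths = 'HKLM:\Software\Classes\exefile\shell\open\command',
             'HKCU:\Software\Classes\exefile\shell\open\command'   # per-user override (assumption)
    foreach ($path in $paths) {
        if (-not (Test-Path $path)) { continue }
        $cmd = (Get-ItemProperty -Path $path).'(default)'
        if ($null -ne $cmd -and $cmd.Trim() -ne '"%1" %*') {
            [pscustomobject]@{ Indicator = 'ExefileHijack'; Detail = "$path = $cmd" }
        }
    }
}

$findings = @(Get-SuspiciousRogueFiles) + @(Get-SuspiciousRunEntries) + @(Test-ExefileHijack)
if ($findings.Count -eq 0) {
    'No rogue indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

The script only reports; it does not delete files or rewrite the registry. The ExefileHijack check is the most reliable of the three, since a legitimate system has no reason to point the exefile open command at a single fixed executable, whereas a hex-named folder on its own can be a false positive.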
How do I remove these Rogues?
If you have Webroot already installed, then you shouldn’t need to do anything as the real time protection will block the known threat as soon as it is dropped onto your computer. If you don’t have Webroot installed yet (but wish to get it installed so you can remove these Rogues), then all you have to do is boot into Safe Mode with Networking and then install Webroot SecureAnywhere and it will detect them immediately.
New variants of these rogues come out constantly, so millions of unique samples are being dropped on computers every day. If you happen to come across a brand-new sample that doesn't yet have a determination, you should know about Webroot's ability to remediate infections without a database determination. All you have to do is open your console, click the "System Tools" tab and then click "Start" under Control Active Processes. You'll then be presented with the screen below, which shows all the active processes that are running:
Anything running under the "Monitor" column should be scrutinized. If you find anything with a randomly generated name, like a new System Care variant (see below), set it to "Block" and then run a scan. Upon finishing the scan, Webroot will remove the file and roll back any changes made by the malware:
EXAMPLE C:\ProgramData\106F63937B0D2FCB0000106F532F3ADE\106F63937B0D2FCB0000106F532F3ADE.exe
Webroot support is always more than happy to help with removal and questions regarding infections.
Tyler Moffitt missed the most obvious rogue #security product of 2013... Webroot's own SecureAnywhere was installed on tens of thousands of machines without the owners' explicit permission or opportunity to read the T&Cs. The goal? To get your money!
@Nettechnews – I believe you are talking about the migration from Prevx to Webroot that occurred recently. I think this linked thread sums up that supposed issue very well. Webroot provided a long-overdue update to Prevx, which was well-received by the vast majority of our customers. http://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/Stealth-install-of-Webroot-software/m-p/41898