The modern rogue - malware with a face
Hamish O'Dea Microsoft
Over the past year we have seen a significant increase in reports of the type of malware commonly known as rogue security
products, or simply 'rogues'. These programs, which display false alerts of system infection and ask for payment to 'clean'
the system, have been around for years; however they have recently become more cunning, more sophisticated and more
This paper examines what has changed in the rogue landscape in recent times and compares their evolution to that of other
types of malware. We look at the ways that rogues are similar to other malware, from their distribution to the methods
they use to evade detection, and how they react to large-scale elimination by Windows Defender and the Malicious
Software Removal Tool (MSRT). We also examine what makes rogues unique and how they extend social engineering
techniques beyond the point of getting the malware onto the system through to the user's interaction with the malware
itself and beyond. We look at how rogues deal with the distinct challenges of having a recognisable brand and the ways
they take advantage of a user's trust in their computing platform, from the operating system to the browser and even the
search engine they use.
By analysing rogues in the same way as we look at other types of malware, we get a better idea of how they fit into the
overall threat landscape. The rogue is usually the end product of a malware infection scenario - the final payload. As
opposed to spam bots, backdoors or password stealers, rogues try to obtain money directly from the user. A rogue differs
from most malware only in that it has a face.