The Changing Faces of Rogue Security Programs

One of the most common forms of malware today is the Rogue Security Program, or simply "Rogue." These programs pop up on the user's computer, usually at the time of Windows startup, and claim to have found problems on that computer.

Early rogues represented themselves as anti-virus programs and typically displayed a list of threats allegedly found on the computer. In many cases they would appear to be running a scan, complete with a moving progress bar and a count of malware items detected.

With those scan results staring the user in the face, the rogue then demanded payment for the "full version" of the program to remove those threats. The price varied, but was typically in the range of $39.95 to $79.95.

More recent rogues have taken a different approach. Instead of claiming to find malware on the infected system, they indicate that the hard drive is on the verge of failing. They frequently make that possibility seem more likely by removing the icons from the user's desktop and hiding all of their programs.

As you might suspect, the "full version" of their software will cure these ills and magically heal the user's failing hard drive. The price has remained in the same range as earlier rogues.

Regardless of the type of rogue and its symptoms, the outcome is the same. In most cases, paying this "ransom" appears to clean the imaginary threats from the system. In fact, the computer remains infected and could display the same or similar symptoms again at any time.

Worse, a fairly high percentage of the companies engaged in this behavior then proceed to "max out" the credit card offered in payment for this software and/or sell the card details to other criminals. If a debit card was used, the problems caused by this action may be especially severe.

Unfortunately, the problem of rogues is growing with every passing day. The main reason for this growth is the business model used by the organizations that produce these programs.

In addition to distributing their malware through their own channels, many authors of these programs also sell the original source code to other individuals who want easy entry into the rogue business.

The result is multiple variants of the same basic program, with different names, icons, and colors, but the same underlying code. As a common example, the rogue named Smart Fortress also shows up with only minor cosmetic differences as Live Security Platinum. One of the later variants is named System Progressive Protection.

The good news for you, as an IT support professional, is that you don't have to deal with nearly as many different threats as first appearances would indicate. Once you have developed a procedure for dealing with one specific strain of rogue, you will recognize its variants and know that the same procedure should work to remove them as well.