Symantec Connect
Security Response

Rogue Apps – Catch Me if You Can

Gaurav Dixit
October 22nd, 2009
Tags: Evolution of Security, Internet Security Threat Report, Security, Security Risks, Security Response

Misleading applications, also known as rogue applications, have always tried to lure users into their traps by using various techniques such as fake security scans, misleading task bar notifications, popup windows, etc. To take this to a new level, developers of these applications are now frequently changing the product name and its associated website name in order to mislead users and antivirus vendors. Clones of the same product—with different names—continue to appear almost every day. Earlier this week Symantec published its Report on Rogue Security Software, which discusses misleading apps in greater detail. A couple of examples of rogue security software are given below. We identify one such family of rogue or misleading applications as WiniGuard:

[Image: wini1.png]

Those who are spreading this particular rogue app hold onto some of the associated domains for no more than 24 to 48 hours. Once one of these domains goes down, a new domain becomes active that looks almost the same as the original but carries a new name. The functionality of all of these clones is essentially the same. Digging further into this scam, we found that the owner of the domains related to WiniGuard has registered some 60,000+ domains in his name.

At the time of writing this blog, some of them were still active:

[Image: wini2.png]

[Image: wini3.png]

Of course, these sites do not provide the software for free. Users are misled into paying for a “subscription” to these fake products in order to remove purported spyware from their machines. The “detections” alleged to be found by these products are bogus and are displayed in an alarmist fashion in an attempt to scare users into divulging personal information, providing credit card details, and often downloading further malicious software.

[Image: wini4.png]

The following list is only a selection of the latest names of rogue apps from the WiniGuard family—there are many more out there and new variations are constantly being created:

•    WiniGuard
•    WiniBlueSoft
•    WinBlueSoft
•    Winishield
•    WiniFighter
•    SafeFighter
•    SaveKeep
•    Savedefense
•    SaveArmor
•    BlockDefense
•    SystemCop
•    QuickHealCleaner
•    SecurityFighter
•    SecurityVeteran
•    SecuritySoldier
•    SafetyKeeper
•    SaveSoldier
•    Softsafeness
•    SecureWarrior
•    TrustCop
•    TrustNinja
•    TrustWarrior
•    TrustSoldier
•    TrustFighter
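
The names above recombine a small stock of words, so an exact-name list misses the next clone. The following added example (not from the original post or from Symantec; the token lists, function names and sample hostnames are assumptions constructed here) flags hostnames that match a listed name or pair one listed prefix with one listed suffix.

```python
# Added example: constructed data, not Symantec detection logic.
LISTED = {n.lower() for n in """WiniGuard WiniBlueSoft WinBlueSoft Winishield
WiniFighter SafeFighter SaveKeep Savedefense SaveArmor BlockDefense SystemCop
QuickHealCleaner SecurityFighter SecurityVeteran SecuritySoldier SafetyKeeper
SaveSoldier Softsafeness SecureWarrior TrustCop TrustNinja TrustWarrior
TrustSoldier TrustFighter""".split()}

# Assumption: tokens hand-derived from the listed names. "quickheal" is left
# out on purpose, so that name is only ever matched exactly.
PREFIXES = {"wini", "win", "safe", "safety", "save", "secure", "security",
            "trust", "block", "system", "soft"}
SUFFIXES = {"guard", "bluesoft", "shield", "fighter", "keep", "keeper",
            "defense", "armor", "cop", "veteran", "soldier", "warrior",
            "ninja", "safeness"}

def split_name(label):
    """Return (prefix, suffix) if label is exactly one prefix plus one suffix."""
    for prefix in sorted(PREFIXES):
        rest = label[len(prefix):]
        if label.startswith(prefix) and rest in SUFFIXES:
            return prefix, rest
    return None

def brand_label(hostname):
    """Second-level label, lowercased, hyphens dropped.
    Simplification: no public-suffix handling (e.g. co.uk)."""
    labels = hostname.lower().rstrip(".").split(".")
    return (labels[-2] if len(labels) >= 2 else labels[0]).replace("-", "")

def classify(hostname):
    """'listed' = name from the post, 'variant' = unseen recombination."""
    label = brand_label(hostname)
    if label in LISTED:
        return "listed"
    return "variant" if split_name(label) else None

def triage(hostnames):
    """Map each hostname that needs analyst review to its verdict."""
    return {h: v for h in hostnames if (v := classify(h))}

# Constructed proxy-log hostnames (.example is a reserved TLD).
SAMPLE = ["www.trustninja.example", "download.secure-armor.example",
          "www.safeguard.example", "mail.corp.example"]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(f"{verdict:8} {host}")
```

A "variant" verdict is a candidate for review, not a block decision: ordinary words such as "safeguard" split the same way, as the third sample hostname shows.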

At Symantec we come across many such campaigns for distributing fake antivirus software, such as this recent example. We recommend that users make themselves aware of these scams, which typically show exaggerated warnings and fake scan reports, and redirect users to fraudulent antivirus or Internet security websites.

We also advise users to be cognizant of these scams and always purchase software from legitimate vendors’ websites. Symantec detects this particular misleading application as WiniGuard, and advises customers to ensure that their antivirus software and definitions are kept up to date. Please download the Symantec Report on Rogue Security Software for further information on misleading applications.
