Security Response

We will, we will – mislead you.

Created: 10 Oct 2007 07:00:00 GMT • Updated: 23 Jan 2014 18:45:42 GMT
Kevin Savage

In the ever-expanding world of misleading applications, you might wonder how each new application can stand out from the crowd and get itself noticed. Browsing the Web sites of some of these applications shows that most employ some form of social engineering to persuade potential customers to purchase their products. This social engineering ranges from the subtle language of persuasion to bold warnings concerning your personal and online safety.

The most common social engineering used on these Web sites tells us that just about every online activity is certain to bring spyware and other unwanted pests to your door. Downloading music from the web seems to be the biggest culprit in this area:


IM chatting, online banking, and email activity are also frequently cited as being certain sources of spyware:


Applications that claim to protect your online privacy often target frequenters of adult-oriented Web sites. One such application promises to hide your “personal preferences and addictions” to protect your reputation and avoid any potential blackmail scenarios:


Some of the less subtle Web sites we’ve seen use old-fashioned scaremongering to get their messages across:


It also helps to dismiss the competition, especially because users may already have other security applications installed. Claims that antivirus programs are incapable of dealing with spyware are common for misleading applications that claim to be "antispyware":


Some misleading application Web sites also use “on-line scanners” to perform a scan of your computer. Of course these scanners are fake, but their shocking results might encourage the unsuspecting user to consider purchasing the full application:


Another tool we’ve seen used is pop-up windows that appear when you visit certain Web sites. Clicking "OK" on these pop-ups usually redirects the user to the purchase page of some rogue product. The following example displays some convincing information on the “W32.Myzor.FK@yf” virus. The pop-up doesn’t claim you are infected with this virus, but the impressive technical details are probably enough to get some users to bite:


Another neat trick we’ve seen is a “keyboard check-up” that appears in a pop-up window while browsing the site of a system-repair misleading application. This prompts you to type into a text box to check that your keyboard still works. A “fix” button is provided in case your system is faulty:


A closer examination reveals that the input box is an image and the cursor is an animation, so of course nothing appears in the box as you type. Clicking the fix button directs you to the vendor’s Web page, where you can use your newly repaired keyboard to enter your credit card details and purchase the rogue application in question.

To add a touch of authenticity, the Web sites selling misleading applications often show lists of threat names that are detected by their products or threats that have recently been detected by them in the wild. These names may appear legitimate at a quick glance, but they are usually malformed versions of real threat names or just totally fake. Some names you might see on these lists are:

• w32.expdwnldr
• trojanspm/lx
• trojan.dloader/lx
• spyworm.win32
• win32.trojan.rx
• wollf.16
• ipmonitor.win32.xtrojan
• trojan.w32.looksky
• trojan adware.w32.expdwnldr

In a later blog we will look at some of the social engineering techniques used by these applications after they have been installed on your system.