Computer Security Wiki

Antivirus XP 2008 is an example of rogue software.


Vista AntiVirus 2008 running a fake scan with false positives and exaggerated claims.

Rogue security software are software that appears to be beneficial from a security perspective but provides limited or no security, generates erroneous or misleading alerts, or attempts to lure users into participating in fraudulent transactions.[1]

Most rogue programs state that they are legitimate applications, but are typically clones of other lackluster products repackaged under new names and graphics. Most rogue programs also use highly aggressive sales tactics which include adware, Trojans that display fake security alerts, or claims that they have won awards from major publications and companies. What it all boils down to, though, is that these types of programs are either deliberately deceptive or displaying numerous false positives in order to convince you to purchase their software. This is because the single most important thing to the creators of rogue software, is to sell as many copies as they can. That means that the people, or affiliates, who are selling this software can do so by any means. This ultimately leads to deceptive advertising and the use of malware to sell the software.[2]


Rogue security software designers create legitimate looking pop-up windows that advertise security update software. These windows might appear on a web page while users surf the Web. The “updates” or “alerts” in the pop-up windows call for users to take some sort of action, such as clicking to install the software, accept recommended updates, or remove unwanted viruses or spyware. When users click, the rogue security software downloads to your computer. Rogue security software might also appear in the list of search results when you are searching for trustworthy antispyware software.


Rogue security software might report a virus, even though the computer is actually clean. The software might also fail to report viruses when a computer is infected. Inversely, sometimes, when users download rogue security software, it will install a virus or other malicious software on a computer so that the software has something to detect. Most rogue security software might also lure users into a fraudulent transaction (for example, upgrading to a non-existent paid version of a program), use social engineering to steal personal information, install malware that can go undetected as it steals your data, launch pop-up windows with false or misleading alerts, slow down a computer or corrupt files, disable Windows updates or disable updates to legitimate antivirus software or prevent users from visiting antivirus vendor Web sites. Rogue security software might also attempt to spoof the Microsoft security update process.


False positives[]

A common method used by rogue security software makers use is that of intentional false positives. A false positive is a fake or false malware detection in a computer scan. This attempts to convince even advanced users (who may not be deceived by previous methods) that their computer is infected. There are two variants of this method. Some rogue software creates a list of non-existent files and infections. Others select files from the computer at random, including valid clean system files. In a few rare instances, the "full" version of the rogue program actually attempts to remove these files, damaging the system.

These intentional false positives should be differentiated from an accidental false positive, which can occur in a scan by real legitimate security software.

Invited real discoveries[]

A variant on the false positive method is that some programs first download real trojans to a computer and then "detect" them. This method is rarer as many of these trojans are detected by other legitimate anti-malware programs, limiting the effectiveness of the sell.

False security alerts[]

Many rogue applications now couple false positives with realistic or dramatic looking system security alerts. They may change the desktop background to a dramatic warning, continuously or sporadically redirect web browsers to a page that informs the user that they are infected and need to purchase a program, change the homepage to a security warning, or bombard the user with continuous security alerts from the task bar, often using the yellow triangle with an exclamation point used by Windows to denote a system error.

Locking various aspects of the system[]

To prevent removal by the user and entice the user to buy the program, rogue software will often lock various aspects of the system, including the control panel, the Add/Remove Programs feature, the ability to change the desktop, the ability to change the home page, and the ability to go to certain malware removal sites. These are all intended to prevent the user from removing the program and instead try to force them to buy the "full" version.


External Links[]