Rogue anti-spyware programs

First seen in December 2010, Security Shield has continued to have strong distribution through 2011 and into 2012. Recently rebranded as Security Shield 2012, the Security Shield computer infection is one of the longest-running rogue campaigns to keep the same name and stay within the same family. The only other rogue that has had a longer distribution was Security Tool, which lasted for about 18 months.

Security Shield 2012 Screen Shot

It is important to note that when we call a program a rogue, we are referring to one that is an actual computer infection and not one that is merely misleading or does a bad job of cleaning. These infections display the typical fake alerts and scan results, but they also take your computer hostage, change system settings, terminate processes, create fake files, or are installed by other malware. Security Shield is one of these types of infections: it is bundled with other malware, displays false alerts and false scan results, terminates processes, and hijacks Internet Explorer.

Rogue anti-spyware programs are normally broken up into families, with each rogue in a family essentially being the same program with a different user interface and name. Security Shield is part of the Rogue.WinWebSec family of rogues, which includes other heavy hitters such as Security Tool, System Tool, and MS Removal Tool. With over 760 rogues cataloged in our virus removal section, we have learned that you can gauge how strongly a particular rogue is being distributed by the number of views its removal guide receives. In terms of total views, the Rogue.WinWebSec family is by far the most prolific, with a total of 5,795,128 views for the family. The second largest is the Rogue.FakeXPA family, which includes XP Antivirus, with 4,429,320 combined guide views.

Though Security Shield is not the largest campaign from this family by any means, it still has had strong distribution, with over 600 thousand views of its removal guide. As you can see from the list below, this rogue family typically releases one heavy hitter every 6 months to a year, which gets large distribution. The family then releases a couple more variants throughout the same year, which do not get nearly the same amount of play.

Security Shield’s largest distribution was when it was first released in December 2010. Then, from March 2011 through December 2011, there was a lull in distribution. In January of this year, though, we are seeing a large increase in search queries related to this rogue, which has now been rebranded as Security Shield 2012. The number of page views for the Security Shield removal guide has also increased dramatically here at BleepingComputer, which corroborates what we are seeing in the Google Trends chart for the search phrase “Security Shield”.

Google Trends Chart for the Security Shield Search Phrase

Even though Smart Fortress 2012, the latest Rogue.WinWebSec variant, is still being promoted, it appears that the developers behind this family are continuing to strongly push Security Shield. Whether they will continue to distribute Security Shield is unknown at this point. What we do know is that rogue anti-spyware programs are making a comeback and are unfortunately here to stay. They are just much too profitable for the criminals to abandon this type of cybercrime.

To protect yourself, never click on pop-ups stating that you are infected, install all your Windows updates, and keep all your computer programs up to date by using a program like Secunia PSI. Just these three steps will dramatically reduce your exposure to these types of infections.
