Rogue Security Software-Computing Services ISO - Carnegie Mellon University

THREAT: Rogue Security Software


Summary

Rogue security software, also commonly referred to as rogue antivirus or fake antivirus, targets users browsing Internet websites. Users are typically prompted by a pop-up window that has been carefully crafted to resemble a legitimate security warning. These pop-up windows typically alert a user to an erroneous or misleading security risk (e.g. virus infection) and then prompt the user to download and install security software that can be used to resolve the apparent issue. In reality, this is an attempt to infect your computer with malware and/or collect payment for the use of fraudulent or non-existent software.

Figure 1 illustrates an example of a fraudulent warning message designed to resemble a Firefox browser update window. It recommends that the user download the latest version of Firefox and also suggests an update to Adobe Flash Player. 


Figure 1: Fraudulent Firefox Update Window

Had a user clicked on one of the links in Figure 1, rogue security software would have been installed on that user's computer. Figure 2 illustrates rogue security software called AntiVirus System 2011. Note that this rogue security software alerts the victim to multiple virus infections and also prompts the user to upgrade to a full version of the product so that the virus infections can be cleaned. Clicking on the Activate button would have directed the victim to a licensing screen where he/she would have been prompted to purchase a license for the rogue software.


Figure 2: Antivirus System 2011 Rogue Security Software


What You Should Do To Protect Yourself

One of the best methods of protecting yourself from rogue security software is to be able to differentiate between legitimate and fraudulent security warnings. The following are screenshots of what actual virus detection alerts would look like if you are running Symantec Endpoint Protection (SEP), which Carnegie Mellon makes available to all students, faculty and staff.


Figure 3: Legitimate Virus Detection Warning Using SEP v11 on Windows 7

Figure 4: Legitimate Virus Detection Warning Using SEP v11 on OSX

If you receive a fraudulent security warning, close the browser window immediately. Be on the lookout for misleading methods of closing the browser window. For example, a fraudulent security warning may present a hyperlink or button labeled “Close” that, if clicked, takes some action other than closing the browser window. If you are unsure of how to safely close a browser window, use CTRL-W on a Windows computer or Cmd-W on a Mac computer. This is a relatively fail-safe way to close a browser window using your keyboard, and it works for most browsers.

The following are some additional steps you should take to protect yourself against rogue security software.

  • If you have not already done so, install Symantec Endpoint Protection (SEP). As mentioned previously, Carnegie Mellon makes SEP available to students, faculty and staff at no charge. It is available for both Windows and OSX operating systems. Be sure to keep the software up to date using the Live Update feature. In the event that you are lured into downloading rogue security software that Symantec is aware of, SEP will detect it and clean your computer before it has an opportunity to do damage. Software and installation instructions are available on the Computing Services website.
  • Ensure that your computer’s software is kept up to date. Some rogue security software may not present a fraudulent security warning and, instead, attempt to exploit a vulnerability in a common piece of software. Adobe Reader, Adobe Flash and Java are common targets in these scenarios. The Information Security Office has developed a tool that will allow you to check the version of your browser, Adobe Reader, Adobe Flash and Java to ensure that they are all kept up to date. This web-based tool can be found on the Information Security Office website.
  • Be aware of phishing scams. In some instances, a phishing email or phishing site may be used to lure you into installing rogue security software. To learn more about how to detect phishing emails and phishing websites, take a moment to play Anti-Phishing Phyllis and Anti-Phishing Phil respectively.
  • Be cautious of unexpected prompts to download software when visiting websites, even if it claims to be an update to software you already have installed. Most software providers that are targeted by these attacks (e.g. Adobe, Apple, Microsoft, Mozilla, Google, Symantec, etc.) include update functionality within their products. When in doubt, close the unexpected prompt and check for updates through the built-in functionality for that software.
  • Reduce the potential impact of an infection by running Identity Finder. Identity Finder is a tool that Carnegie Mellon makes available to all students, faculty and staff at no cost. It will search your computer for sensitive information and give you an opportunity to safeguard or remove the data from your computer. Specific types of data that Identity Finder can search for include passwords, social security numbers, credit card numbers, passport numbers, address information, etc. Information on how to download, install and run Identity Finder can be found on the Computing Services website.

What You Should Do If You Are Infected

Faculty and staff who suspect that their computer has been compromised by rogue security software should immediately stop what they're doing, disconnect their computer from the network and contact the Information Security Office by phone at 412-268-2044 or by email at iso-ir@andrew.cmu.edu. Additional instructions can be found by reading the Procedure for Responding to a Compromised Computer.

Students who suspect that they have rogue security software running on their computer can contact the Help Center for further assistance at 412-268-HELP (4357). Basic steps for cleaning a virus infected Windows computer can also be found on the Computing Services website.


