Academic journal article Journal of Information Ethics

On Reviewing the Implications of Rogue Antivirus

Article excerpt


Rogue Antivirus (RA) software is the most common form of scam software, also called scareware, which uses social engineering to exploit a computer user's fear of disclosing sensitive information, losing important data, or suffering irreversible hardware damage. A fake or rogue antivirus program displays misleading or fraudulent alerts in an attempt to dupe the victim into purchasing a license for a "commercial" version that supposedly removes the non-existent security threats. In doing so, users compromise their own machines and receive viruses, worms, trojan horses, etc. through the installed "antivirus" software, which opens new attack opportunities for cyber criminals.

RA software has grown into one of the most widespread criminal operations on the Internet. Some programs also lock down system functionality to prevent victims from accessing files or websites, or from launching tools such as Windows Explorer, Task Manager, or the Command Prompt. This cuts victims off from the very tools they would otherwise use to diagnose and remove the infection.
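The lock-down described above leaves traces in the registry: the policy values that disable Task Manager, the Registry Editor and the command prompt, and the Image File Execution Options "Debugger" entry that silently redirects a launch of those tools to the rogue binary. The following triage script is an added example and is not code from the article; it parses a constructed .reg export (the file path av_guard.exe and the binary list are illustrative assumptions) and reports those indicators.

```python
"""Triage a Windows registry export for scareware lock-down indicators.

Added example, not code from the article: parse a .reg export and flag the
policy values rogue antivirus programs set to block Task Manager, Registry
Editor and the command prompt, plus the Image File Execution Options
"Debugger" hijack that redirects launches of those tools to the rogue binary.
"""

# Policy keys (lower-cased) and the values under them that disable the
# victim's own tools. A non-zero DWORD means the restriction is active.
LOCKDOWN_POLICIES = {
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\system":
        {"disabletaskmgr", "disableregistrytools"},
    r"hkey_current_user\software\policies\microsoft\windows\system":
        {"disablecmd"},
}
IFEO_PREFIX = (r"hkey_local_machine\software\microsoft\windows nt\currentversion"
               r"\image file execution options" + "\\")
# Tools whose IFEO Debugger entry is a strong hijack indicator (assumption:
# extend the list for your environment).
WATCHED_BINARIES = {"taskmgr.exe", "regedit.exe", "cmd.exe", "explorer.exe", "msconfig.exe"}

# Constructed sample export (not a real capture). The av_guard.exe path is a
# hypothetical rogue binary; the notepad.exe entry is a benign control case.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Users\\victim\\AppData\\Local\\Temp\\av_guard.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="vsjitdebugger.exe"
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_value}} for a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line and not line.startswith(";"):
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = raw.strip()
    return keys


def reg_string(raw):
    """Decode a quoted REG_SZ literal from .reg escaping (\\\\ and \\")."""
    return raw.strip('"').replace('\\"', '"').replace("\\\\", "\\")


def reg_dword(raw):
    """Decode a dword:XXXXXXXX literal; None if the value is not a DWORD."""
    return int(raw[len("dword:"):], 16) if raw.lower().startswith("dword:") else None


def flag_lockdown(keys):
    """Return (kind, where, detail) tuples for each lock-down indicator found."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        for name, raw in values.items():
            if name.lower() in LOCKDOWN_POLICIES.get(low, ()) and reg_dword(raw):
                findings.append(("policy", path, name))
        if low.startswith(IFEO_PREFIX):
            exe = path[len(IFEO_PREFIX):].lower()
            debugger = next((v for k, v in values.items() if k.lower() == "debugger"), None)
            if exe in WATCHED_BINARIES and debugger is not None:
                findings.append(("ifeo_hijack", exe, reg_string(debugger)))
    return findings


if __name__ == "__main__":
    for kind, where, detail in flag_lockdown(parse_reg_export(SAMPLE_REG)):
        print(f"{kind:12} {where} -> {detail}")
```

Real exports written by reg.exe are UTF-16LE with a byte-order mark, so read them with `open(path, encoding="utf-16")` before passing the text in. The same values can be set legitimately by Group Policy, so a hit is a lead to confirm against the policy source, not proof of infection on its own; the IFEO Debugger pointing into a user's Temp directory is the stronger signal.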

2. Survey Works

Rogue Antivirus attackers disseminate their malware through three main infection schemes: social engineering, drive-by-download attacks, and botnets. The most frequently employed is social engineering, which persuades the victim to install the Rogue Antivirus voluntarily. To initiate the attack, a malicious web page displays a window in the browser that makes the user believe the machine has been infected with malware. An example is shown in Figure 2.1. To "fix" the security problem, the window also contains a link to a program that purports to clean up the infection. Of course, this program is the Rogue Antivirus software that the attackers aim to install [3].

Rogue Antivirus often arrives via social networking sites, spam e-mail, poisoned search-engine results, and similar channels. It is closely tied to the blended threats of the Web 2.0 environment, in which a layered attack takes several forms, such as exploiting vulnerabilities in web browsers and the operating system. With scripting, infection can occur automatically as soon as the page is loaded. On social networking sites, the malware downloads along with the video or document the user chose to open. In 2009, Microsoft estimated that 30 percent of home computers and 4 percent of corporate computers were infected with malware distributed via blended threats [1]. Search Engine Optimization (SEO) poisoning steers searchers to fake antivirus download sites that display a bogus scan and thereby infect the computer.

The second infection method used by most attackers is the drive-by download. These attacks exploit the numerous unpatched vulnerabilities in web browsers and their plugins. Attackers either lure users to their own malicious sites or compromise legitimate websites to host their malware, and then spread it to every unsuspecting visitor who arrives with a vulnerable browser. A well-known recent drive-by exploit kit is called Blackhole [13]. Blackhole mainly spreads malware through compromised or malicious websites that deliver the following typical payload:

* Bot-type malware such as Zbot (aka Zeus)

* Rootkit droppers (for example TDL and ZeroAccess)

* Fake antivirus

Worse, Blackhole is continually updated as new vulnerabilities are discovered.
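Both delivery paths above, the SEO-poisoned fake-scan page and the drive-by exploit kit, leave a recognisable shape in a web proxy log: a referer chain that ends in an executable download the user never typed in. The following detector is an added example and is not code from the article or from any product; the log format, the domains, the content types and the two-minute window are constructed assumptions, and the sample lines are not a real capture.

```python
"""Flag proxy-log referer chains that end in an executable download.

Added example, not from the article. Two chains are looked for: a search
engine result that leads to a third-party executable (SEO poisoning into a
fake-scan page) and a page that pulls in an off-site resource which serves
an exploit-bearing document and then an executable (a drive-by download).
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

SEARCH_DOMAINS = {"google.com", "bing.com", "yahoo.com"}          # assumption: extend per environment
EXE_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/octet-stream"}
EXPLOIT_DOC_TYPES = {"application/java-archive", "application/pdf", "application/x-shockwave-flash"}
WINDOW_SECONDS = 120                                               # assumption: chain completes within 2 min

# Constructed sample log (not a real capture); whitespace-separated fields:
# timestamp client method url status content-type referer ("-" if none)
SAMPLE_LOG = """
2012-03-05T10:00:01Z 10.0.0.5 GET http://www.google.com/search?q=free+antivirus 200 text/html -
2012-03-05T10:00:04Z 10.0.0.5 GET http://best-pc-scan.example/scan.php 200 text/html http://www.google.com/search?q=free+antivirus
2012-03-05T10:00:09Z 10.0.0.5 GET http://files-cdn.example/AntivirusPro2012.exe 200 application/x-msdownload http://best-pc-scan.example/scan.php
2012-03-05T10:05:00Z 10.0.0.7 GET http://news.example.org/story.html 200 text/html -
2012-03-05T10:05:01Z 10.0.0.7 GET http://kit.example.net/landing.php?id=7f3a 200 text/html http://news.example.org/story.html
2012-03-05T10:05:02Z 10.0.0.7 GET http://kit.example.net/w.php?f=4 200 application/java-archive http://kit.example.net/landing.php?id=7f3a
2012-03-05T10:05:05Z 10.0.0.7 GET http://kit.example.net/w.php?e=2 200 application/x-msdownload http://kit.example.net/landing.php?id=7f3a
2012-03-05T10:10:00Z 10.0.0.9 GET http://www.google.com/search?q=archiver 200 text/html -
2012-03-05T10:10:03Z 10.0.0.9 GET http://www.archiver-tool.example/ 200 text/html http://www.google.com/search?q=archiver
2012-03-05T10:10:08Z 10.0.0.9 GET http://www.archiver-tool.example/dl/setup.exe 200 application/x-msdownload http://www.archiver-tool.example/
"""


def domain(url):
    """Crude registrable domain: last two labels of the host (assumption)."""
    host = urlsplit(url).hostname or ""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def parse(lines):
    """Parse log lines into dicts; blank lines are ignored."""
    rows = []
    for line in lines:
        if not line.strip():
            continue
        ts, client, method, url, status, ctype, referer = line.split()
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "method": method, "url": url,
            "status": int(status), "ctype": ctype,
            "referer": None if referer == "-" else referer,
        })
    return rows


def is_exe(row):
    return row["ctype"] in EXE_TYPES or urlsplit(row["url"]).path.lower().endswith(".exe")


def find_chains(rows):
    """Return (kind, client, landing_url, exe_url) for each suspicious chain."""
    by_client = defaultdict(list)
    for r in rows:
        by_client[r["client"]].append(r)
    findings = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r["ts"])
        for i, exe in enumerate(reqs):
            if not is_exe(exe):
                continue
            window = [r for r in reqs[:i]
                      if (exe["ts"] - r["ts"]).total_seconds() <= WINDOW_SECONDS]
            # Landing pages: HTML reached from a *different* domain.
            for land in window:
                if land["ctype"] != "text/html" or not land["referer"]:
                    continue
                ref_dom, land_dom = domain(land["referer"]), domain(land["url"])
                if ref_dom == land_dom:
                    continue
                if ref_dom in SEARCH_DOMAINS and domain(exe["url"]) != land_dom:
                    # Search result -> fake-scan page -> executable from a third host.
                    findings.append(("seo_fake_scan", client, land["url"], exe["url"]))
                elif (ref_dom not in SEARCH_DOMAINS and domain(exe["url"]) == land_dom
                      and any(r["ctype"] in EXPLOIT_DOC_TYPES and domain(r["url"]) == land_dom
                              for r in window)):
                    # Legitimate page -> off-site landing -> exploit document -> executable.
                    findings.append(("drive_by", client, land["url"], exe["url"]))
    return findings


if __name__ == "__main__":
    for kind, client, landing, exe_url in find_chains(parse(SAMPLE_LOG.splitlines())):
        print(f"{kind:14} {client} landed {landing} then fetched {exe_url}")
```

The third client in the sample is the control case: a search result leading to an installer served by the same site it landed on is not flagged, which is what keeps the SEO rule from firing on every software download. In production the registrable-domain heuristic should be replaced by a public-suffix lookup, and a hit should be followed by pulling the landing page and the download for analysis rather than treated as a verdict.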


A botnet plays a major role in the distribution of rogue antivirus. Once one computer within a network is infected, the cycle of blended threats helps infect the others. Attackers have learned to evade e-mail antivirus scanners, so spam can deliver the malware directly, or a link in the message can redirect the recipient to an illegitimate website. Rogue antivirus allows its controller to re-task the malware, download other malware such as a spambot or keylogger, or initiate functions such as moving to a new control server. Attackers expand the rogue antivirus install base through infected URLs to the point where filtering the blended threats no longer keeps up. …
