I originally published this blog at http://community.ca.com/blogs/securityadvisor
January 09 2009, 11:34 AM by Benjamin Googins On a daily basis I see or hear about people (a lot of people) who are duped into buying fake security software that was installed on their PC. The distributors of this ‘rogue’ software are operating seemingly unimpeded by law enforcement and reaping large dividends at the expense of innocent, unsuspecting Internet users for amounts of 40, 50, even $90 a pop. Using ever refined techniques, these fraudsters have duped many people.
In this blog, I want to do a few things. First, I want to show you what the installation and operation of fraudulent security software looks like. Second, I want to show you why this software is fraudulent. This type of fraud has been going, seemingly unabated by any law enforcement body, for well over 10 years. Why is nothing being done?
The Installation and Operation of Spyware Guard 2008
For my example today, I am going to run through the installation and operation of Spyware Guard 2008.
The other day I searched Google for the word “raccoon”. Here is an image of the results returned:
I clicked the image highlighted red. Then was momentarily redirected to: 1f14fd009.blogspot (DOT) com (which has since been taken down). And then was automatically redirected to: http://sgonlinescan (DOT) com/sg1/1/10189. Which started a whole flurry of commotion on my desktop that looked like this:
As you can see, it opened an Explorer window and told me my drives were a Security Threat and my computer was infected with viruses. If I were someone other than a malware researcher, I might have believed this. How would someone know differently? Then a popup opened, and a new balloon window opened warning of the threats on my computer, and that looked like this:
Clicking anywhere on the “Warning” window, even the X in the upper right corner, opened the file download box. If I hit ‘cancel’ or exit on the file download box, my screen remained grayed out. Clicking anywhere on the screen reopened the file download box. It was a nasty perpetual cycle. Without some advanced computer skills, at this point, the only way to get my screen back was to download the file. I recorded the file downloaded come from a variety of different IPs: 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, and many others. The download source was constantly changing.
After the software installed on my system, it looked like this:
The GUI reported that 23 threats were found. I investigated the reported threats, none of them were true. Then I got this “Critical Warning” message. With a balloon window that opened from the system tray.
Then I was told my system was being infiltrated and “attecked”(sic) from the Internet.
I looked in Windows Add/Remove programs and there was an entry, highlighted red:
I clicked ‘remove.’ The screen flickered and the Add/Remove entry disappeared. On reboot it returned. The fake security software never uninstalled. Next, this software hijacked my Windows Security Center. All links in the Center, outlined in red, linked to a page looking for money. Under the Virus Protection section, Spyware Guard 2008 inserted itself as legitimate and needing to be registered. Here:
Clicking the links in the Windows Security Center and within Spyware Guard 2008 all redirected me to, this window, outlined in red:
Clicking anywhere in this window led to the purchasing page for Spyware Guard 2008, which looked like this:
These fraudsters are not shy about keeping the price very high – I suppose to make the entire scheme more believable. Choose between 49.95, 69.95 and $89.95. Clicking any of these ‘buy now’ options, leads to this page:
Fill in the forms with a ton of your personal information and credit card details and you just bought some fake security software.
Some of Specific Fraudulent Aspects of Spyware Guard 2008 Here are some of the fraudulent techniques; though many obvious, I want to point them out. 1) In Image 1, the Google search results were poisoned and redirected the user to Image 2. 2) In Image 2, the front popup as well as the small balloon window told me my system was infected with viruses. This is not true; I was working with a pristine machine. 3) In Image 3, my computer screen was grayed out and I could do nothing, but download Spyware Guard 2008. This required some manual installation, but for the average user, there were few options. 4) In image 4, the primary interface for Spyware Guard 2008 reported that I had 23 viruses on my system and gave the location of those viruses. I looked at each of those files and not one of them was a virus, as you would expect. They were actually critical system files. I suppose by putting the location to actual files, some people may actually go have a look for themselves and see that the files exist, but would not be able to tell if they were truly virus infected or not. 5) In Image 6, a Spyware Guard warning said that my system was being ‘infiltrated’ and ‘attecked’. To confirm this wasn’t true, I ran some system tools and found no infiltration. 6) In Image 7, Spyware Guard put an entry in Windows Add/Remove programs, the typical uninstall location. Unfortunately, it did not remove anything. Again, another piece of the puzzle to try and make the entire scheme more believable. Someone might check that and see that an entry exists, increasing the believability of the scheme. 7) In Image 8, all the links in Windows Security Center, were hijacked to point to Spyware Guard. These are some of the patently false and fraudulent elements of the Spyware Guard 2008 scheme.
What You Should and Should Not Do Well, obviously you shouldn’t waste money on fraudulent software, like what I just showed you (there are plenty of other examples out there).
If you are surfing the web and have a page like that in Image 2 open, close everything immediately — with this particular threat, that solution actually would have worked.
If you wait too long to close all the windows, you will automatically have your screen taken over, like in Image 3. Under this scenario, simply closing windows does not work. You can do one of two things. The first option is to do what is commonly referred to as the three finger salute, which is techny-speak for: pressing the buttons Ctrl, Alt and Delete all at the same time. Click on the Task Manager button. Once that opens, click on the Applications tab, select the browser window(s) and click “End Task”. This will ‘forcefully’ close the window. The second option is to do a ‘hard reboot’. This simply involves holding in the power button on your computer until the system shuts down. This is generally not a good practice, but can be effective and worth the risk in situations like this.
If you already have the fraudulent software fully installed on your system, you could manually remove it, but that requires a level of expertise I won’t cover here. You should use an anti-malware (anti-spyware, anti-virus or combination of) product to remove the threat. In general, be cautious about any software you install on your system.
Conclusion As you can see from the scenario above, Spyware Guard 2008 uses highly refined fraudulent techniques, both technical and social engineering, to convince a user they need to buy Spyware Guard 2008 or face certain doom. They didn’t outright steal credit card information, for example, or hold the computer hostage until the user paid money. They used a series of events to lead the user down that road – through convincing graphics, trusted sources (Windows Security Center), and fear tactics – to convince the user to make that choice on their own, based on fraudulent information. Don’t give these crooks any business.
By: Benjamin Googins
Benjamin Googins is a senior engineer working on CA’s Anti-Spyware product. His primary functions include analyzing spyware and privacy breaches, fielding press inquiries, blogging and drafting documents. He has been a significant contributor to the User Permission document , Spyware Scorecard , Threat… Read More..
I had the same problem for TWO days, but win I saw the scam page come up the frist time, I killed my POWER to modem right away, then tryed to reset Cold Boot then Warm boot, then after two days I find in my NORTON ways to REMOVE Spyware Guard 2008 Scam Program, but it did other things to my hard drive, like remove drivers, contraling me from to much print screen pages, it always restart any time
I use my NORTON to try to KILL IT!,
Now My system is NOT the same, programs that are to start up at Boot Up don’t, I have to start them by mouse NOW, I knew better then to use my main system on the internet, now well have to burn off data on CD’s then fdisk the drive then wipe-iT-OUT, then reinstall my OS, I just getting tired of MicroSoft BAD OS’s, Time to start relearning LINUX, and making a spear drive for Internet ONLY.
Posted by: Niko Tesla, January 9, 2009 5:14 PM
This is on my father’s computer. CA finds it but cannot delete it. It is also effecting internet access for his computer. Can you advise when CA will have a removal system for this program? Redcardfirstname.lastname@example.org Thanks. Posted by: Mark Randall, January 10, 2009 7:22 PM
I think it could be comming under another name, or maybe this is another example of fraudulent spyware Antispyware 2009. Posted by: Nick White, January 15, 2009 12:37 PM
I had this problem (spywareguard 2009, not 2008). it seemed that the spyware has since been updated for the new year.. we had the problem on our home computer for around 10/11 days before CA Anti-Virus picked it up. it seems to have disappeared for now.. 17/01/2009 17:18:31 PM File infection: C:\Program Files\Spyware Guard 2009\spywareguard.exe is Win32/FakeAV.YK trojan. Deleted
17/01/2009 17:18:31 PM File infection: C:\Program Files\Spyware Guard 2009\spywareguard.exe is Win32/FakeAV.YK trojan.
17/01/2009 17:18:31 PM File infection: C:\Program Files\Spyware Guard 2009\spywareguard.exe is Win32/FakeAV.YK trojan.
after seeing this i quickly removed all traces of the spyware which i saw before. no processes from spywareguard were open which was a good thing. when i proceeded to ‘uninstall’ it one last time windows said it had already been uninstalled (probably for real that time). i went on and deleted the remaining files from the WINDOWS/ folder in the C drive which went without a hitch and the program files.
problem solved it seems!
good work CA. (for now!). Posted by: Adam, January 17, 2009 1:40 AM
you must download new microsoft updates….it was only through microsoft and their agents that i was able to get rid of this virus…..it did not only wish to extract money from me….it was set to destroy my entire pc hard drive….i don’t know what i would have done if i did not contact microsoft chat. Posted by: jill p, January 22, 2009 2:28 AM
Had a similar experience this morning…I clicked on a what I would deem to be a rather obscure picture from a Yahoo search, and was redirected. My browser history shows I was redirected first to: wificafe-search (DOT) com. Then a screen similar to Image 2 above with what appeared to be a scanning progress bar appeared; browser history shows the address was: findwife.asia/unique/index (DOT) php. My computer was overloaded and I wasn’t able to get the browser or the Task Manager to respond. First thin I did was shut off the wireless connection switch in my laptop, and after a few more tries with the browser & Task Manager, I resorted to the power button option. I didn’t hold the power button down long enough to complete the entire shutdown procedure, but the system started closing down the various running processes, including the browser windows. Glad to see that I prevented any harm, but I’ve been scanning and checking my computer for over an hour now. Seems to be fine now after a shutdown, then power back on. Can’t this type of attack be prevented or some warning provided sooner? Posted by: Paul Algee, January 24, 2009 7:58 AM
This is great information Mr. Googins, unfortunately for me the only reason I am reading your blog is because my computer was infected by Spyware Guard 2008 recently. The fact that this fraud isn’t being publisized on a larger scale is jepordizing honest people everyday. I knew right away it was bad when I kept getting redirected while surfing the net for ways to combat it. They didnt get my money but I did have to pay to have my system wiped and work backed up. Posted by: Shawn, January 26, 2009 12:39 PM
My grandfather is having the same problem, but with Malware Defender 2009. I installed Trend Micro Internet Security Pro and it did not help. I then downloaded Spybot Search & Destroy and now the computer is in a login/logout loop. I since found out that the malware had embedded in the userinit registry and it was deleted with Spybot. That was what has the computer in a loop. I have tried everything, F8 to restart in safe mode, F8 to configure last know good boot, nothing works to get it out of this loop. Anyone else have any other ideas? Posted by: Olivia, April 26, 2009 8:06 PM