Can rogue AV ever be legitimate?
Over the past year, the prevalence of search results laced with rogue AV seemed to never end. Whether the search was about a celebrity, politics, a calamity, or anything else that was hot and trending, blackhat SEO was sure to follow. Now that search engines are being more proactive in producing safer search results for users, malware authors are forced to rethink how they distribute rogueware. Lately, email appears to be, at least for the time being, the favorite vehicle for distributing rogue AV. In the past few months we've blogged and tweeted about malicious Twitter and Facebook password resets and about big brand names being used in emails containing malicious links or attachments.
Today, we are blogging about an interesting email our Websense® ThreatSeeker Network recently identified. With Websense® Advanced Classification Engine (ACE), Websense customers are proactively protected against this threat.
The email appears to be a transaction receipt for someone who was enticed to buy rogue AV software called Security Suite Platinum. Since Security Suite Platinum is a pretty popular rogue AV, it came as a surprise that none of the AV engines in Virus Total actually detected it. This led us to look deeper into the binary.
What does Security Suite Platinum actually do?
Security Suite Platinum is a well-known rogue antivirus which uses scare tactics to extract fees from unsuspecting users. It acts like a legitimate virus scanner, searching the computer for viruses, trojans and other malicious files. At the end of its "scan" it claims to have detected malware, which scares the user into paying a small fee to remove the threats.
This part has been discussed many times before in a variety of security forums and blogs. However, what happens when a person actually pays the required fee is not so clear.
After paying a registration fee the user will receive an email with a confirmation and download instructions, as you can see in the email sample above. After clicking the link provided and typing the transaction ID, the Web site leads us to download the registered Security Suite Platinum straight away.
The registered Security Suite Platinum contains real open-source antivirus, called ClamAV. Think of it this way: it’s like ClamAV, but illegally used to operate as Security Suite Platinum. Security Suite Platinum actually turns out to be somewhat "real" antivirus in that it actually does detect some malicious files and behaves almost like real antivirus software. This also explains why none of the AV engines in Virus Total detected this binary.
By a simple string search we can clearly prove the existence of the well-known open-source antivirus inside the rogue AV.
So far so good, so what is wrong with this? First, it scared people into paying a fee using fake detection (not to mention the bad guys getting hold of a user’s financial information). Second, although the code running the rogue AV is legitimate AV, it is still not a legal and truly legitimate antivirus. There’s no trustworthy company behind it run by antivirus experts. The detection rate cannot be guaranteed. Finally, it is just an illegal use of free and open-source antivirus software acting like it is proprietary, asking for money when anyone can get it free.
To test its detection capability we simply copied several random malicious files into the %SYSTEM32% directory to see whether the registered Security Suite would really detect them. Its detection worked on at least one of the samples, and it then asked us to reboot the computer to remove the threat. However, instead of deleting the malicious file or moving it to quarantine, it only renamed the file by adding an extra ".virus" extension.
** Analysis by Tamas Rudnai