Rogue security software, or rogueware, is a form of malicious software that misleads users into believing there is a virus on their computer.

What is rogueware?

The terms rogueware, rogue software and rogue security software all refer to malicious software that misleads users into believing their computer is infected with a virus, then demands payment for a fake malware removal tool which, once installed, introduces malware of its own.

Rogueware is a form of scareware and is often grouped with ransomware, since both extort money from the victim. It is frequently tied to large cybercrime networks in which affiliates distribute Trojan installer kits and are paid a fee for every successful installation (a pay-per-install model).


Infection vectors

Rogue software relies on social engineering rather than on technical exploits to get past security measures. When the victim visits a specially crafted website, a dialog box warns them of a virus infection and offers a (fake) antivirus product to resolve the problem. The aim is to alarm the victim into a hasty, careless response: buying the "solution".

Some malware distributors use black hat search engine optimization (SEO) techniques to push malicious URLs to the top of search results for recent news events. If the victim clicks one of these URLs, they are redirected through a series of sites before arriving at a landing page that claims their machine is infected and pushes a download of a "trial" version of the rogue program.

Some rogue security software needs no interaction from the user at all: it arrives as a drive-by download that exploits vulnerabilities in web browsers, PDF viewers or email clients.

Cold-calling through services such as Skype has also become a distribution vector for this type of malware, with callers typically claiming to be from "Microsoft Support" or another legitimate organization. Legitimate vendors do not make unsolicited support calls, so any such call should be treated as fraudulent.


How rogueware works

Once installed, rogue security software tries to push the user into purchasing a service or additional software by:

  • Alerting the user to fake or simulated detections of malware (or of pornography) on their hard drive, or to supposed attacks on their IP address.
  • Displaying a message that simulates a system crash and reboot.
  • Selectively disabling parts of the system to stop the user uninstalling it, or to ensure it is reinstalled immediately if removed.
  • Preventing anti-malware programs from running and disabling automatic system software updates.

Modern browsers block most pop-ups and pop-unders by default, and the operating system itself does not raise virus warnings from the desktop. Warning windows that keep appearing while no browser is open, or while the user is not using the computer at all, are a strong indicator of rogueware.
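A host-side check for the tampering just described, added here as an example (this is not code from the original article). It is a read-only triage script for a Windows machine suspected of carrying rogue security software: it looks at the policy keys that disable Microsoft Defender and automatic updates, the Task Manager lock-out, Image File Execution Options "Debugger" hijacks that silently redirect security tools to another program, and the state of the Defender and Windows Update services. The registry paths and service names are the standard Windows ones; the list of services to inspect is the author's choice and can be extended.

```powershell
# Added example, not part of the original article: read-only triage for
# rogueware-style tampering on a Windows host. Run from an elevated
# PowerShell prompt; nothing here modifies the system.

$findings = New-Object System.Collections.Generic.List[string]

function Test-TamperValue {
    # Records a finding when registry value $Name under $Path equals $BadValue.
    # A missing key or value is simply "not tampered", so errors are suppressed.
    param([string]$Path, [string]$Name, $BadValue, [string]$Reason)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$Name -eq $BadValue) {
        $script:findings.Add("$Reason ($Path\$Name = $($item.$Name))")
    }
}

# 1. Policy keys that switch off Defender or its real-time engine.
Test-TamperValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' `
    'DisableAntiSpyware' 1 'Defender disabled by policy'
Test-TamperValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' `
    'DisableRealtimeMonitoring' 1 'Defender real-time protection disabled by policy'

# 2. Automatic updates switched off ("disable automatic system software updates").
Test-TamperValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
    'NoAutoUpdate' 1 'Automatic updates disabled by policy'

# 3. Task Manager locked out, a common way of stopping the user killing the rogue process.
Test-TamperValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    'DisableTaskMgr' 1 'Task Manager disabled for the current user'

# 4. Image File Execution Options: a "Debugger" value under an executable's name
#    makes Windows launch that "debugger" instead of the program. Rogueware has
#    used this to neuter AV and admin tools. Legitimate entries are rare, so
#    every one found is worth a look.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings.Add("IFEO Debugger hijack: $($_.PSChildName) -> $dbg")
    }
}

# 5. Security services set to Disabled, plus Defender not running.
#    wuauserv is legitimately Manual (trigger-started) and often stopped, so
#    only its StartType is checked; a third-party AV may legitimately stop
#    WinDefend, so treat that finding in context.
foreach ($svc in 'WinDefend', 'wuauserv', 'wscsvc') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($null -eq $s) { continue }
    if ($s.StartType -eq 'Disabled') {
        $findings.Add("Service $svc has StartType Disabled")
    } elseif ($svc -eq 'WinDefend' -and $s.Status -ne 'Running') {
        $findings.Add("Service $svc is $($s.Status)")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No rogueware-style tampering found in the checked locations.'
} else {
    Write-Output "Possible rogueware tampering ($($findings.Count) finding(s)):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

The checks are deliberately narrow: an absent key is reported as clean, and a match is reported as a finding with the exact registry path so it can be compared against what group policy is supposed to set on that machine. A domain-joined host may legitimately carry some of these values, so the output is a list of things to verify, not a verdict.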


Rogueware and scareware

Rogue security software overlaps with scareware and, to a degree, with ransomware: it offers to fix "urgent" performance problems or carry out "essential" housekeeping on the computer, and frightens the user with authentic-looking pop-up warnings that mimic genuine system notices. Checking the advertised product name against the vendor's own website and against the list of installed programs is the quickest way to tell a rogue product from a real one.