Bad Behavior

If you ever browse the Malware Labs blog, you’ve most likely seen mention of a rogue security program called WiniGuard. WiniGuard is one of the largest families of cloned rogue threats and appears regularly on the blog, as new clone variants are constantly found and added to Ad-Aware’s detection database. Keep reading to learn more about the devious behavior of this rogue program.

Understanding the Threat

WiniGuard is rogue security software – a program peddling itself as legitimate security software in an attempt to exploit computer users – which was originally added to Ad-Aware’s threat database in October 2008. But the story of this rogue didn’t end there. The WiniGuard family of rogues has managed to survive much longer than the average rogue by producing clones – new versions of existing rogues that are released with a new name and only minor changes in functionality or appearance, designed to evade anti-malware programs and catch more victims off guard. You may also know WiniGuard by the names of its many clones, which include: Blockprotector, Softstronghold, Shieldsafeness, Trustfighter, and Blockdefense.

The Bad Behavior

A favorite tactic of malware authors is to update their creations, making clones and variations of the original program rather than a whole new program, to try to get past your defenses. And that’s just what the bad guys have done with this rogue. In fact, our malware analysts have been adding a steady stream of new WiniGuard variations to detection over the past year, as rogue authors continue to make minor variations and push out cloned malicious programs. In December 2009 alone, 10 new WiniGuard clones were found and added to Ad-Aware’s threat database.

“The distinguishing characteristic of WiniGuard is that it never disappears; the authors of this malware constantly push out new clones,” says Albin Bodahl, an analyst at the Malware Labs at Lavasoft.

The user interface of clones in the WiniGuard family is often identical to the original application. However, Lavasoft analysts have identified four different user interface variants in the clones seen over the past years. Below are examples of four of the different variants.


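[Screenshot: user interface variant found 4/23/2009]

[Screenshot: user interface variant found 8/28/2009]

[Screenshot: user interface variant found 10/19/2009]

[Screenshot: user interface variant found 12/8/2009]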

Why would rogue authors go to such lengths to produce these cloned applications? The answer is simple: the cyber criminals have learned a successful business model, and continue to make profits from users by employing this bad online behavior.

“They just change the name of the application to cause confusion and make it hard for security vendors and end users to classify it as a rogue program. The lifespan of a rogue application is often just a short time interval. WiniGuard has managed to survive a long time period compared to others,” Bodahl says.

“Cyber criminals can only make money if their server isn’t closed down and the security businesses haven’t managed to detect their rogue. WiniGuard moves from server to server around the world and changes names to be able to release new cloned applications and lure more users.”

Winning Strategies

Ad-Aware detects WiniGuard, and Lavasoft Malware Labs analysts continue to work to add any new clones of this family into detection in order to keep you protected against them. Regular updates about the WiniGuard family of rogues are posted to the Malware Labs blog – stay tuned there for additional news.

And remember - for six quick tips you can use to help keep yourself, your friends, and your family safe from rogue security software like WiniGuard, read our article, “How to Avoid Rogue Security Software.”

Lavasoft Malware Labs discovered almost one new rogue per day in December 2009. The rise of rogues is taking a toll on unwitting computer users, costing victims over US $150 million.
Source: Malware Labs, U.S. FBI
Lavasoft Newsletter


Copyright © 2009 Lavasoft AB. All rights reserved.