If you ever browse the Malware Labs blog, you’ve most likely seen mention of a rogue security program called WiniGuard. WiniGuard is one of largest families of cloned rogue threats, and appears regularly on the blog, as new clone variants are constantly found and added to Ad-Aware’s detection database. Keep reading to get to know more about the devious behavior of this rogue program.
Understanding the Threat
WiniGuard is rogue security software – a program peddling itself as legitimate security software in an attempt to exploit computer users – which was originally added to Ad-Aware’s threat database in October 2008. But, the story of this rogue didn’t end there. The WiniGuard family of rogues has managed to survive much longer than the average rogue by producing clones – new versions of existing rogues that are released with a new name and only minor changes in its functionality or appearance, designed to evade anti-malware programs and catch more victims off-guard. You may also know WiniGuard by the names of its many clones, which include: Blockprotector, Softstronghold, Shieldsafeness, Trustfighter, and Blockdefense.
The Bad Behavior
A favorite tactic of malware authors is to update their creations, making clones and variations of the original program, rather than a whole new program, to try to get past your defenses. And, that’s just what the bad guys have proven to do with this rogue. In fact, our malware analysts have been adding a steady stream of new variations of WiniGuard into detection the past year, as rogue authors continue to make minor variations and push out cloned malicious programs. In December 2009 alone, 10 new WiniGuard clones were found and added to Ad-Aware’s threat database.
“The distinguishing characteristic of WiniGuard is that it never disappears; the authors of this malware constantly push out new clones,” says Albin Bodahl, an analyst at the Malware Labs at Lavasoft.
The user interface of clones in the WiniGuard family is often identical to the original application. However, Lavasoft analysts have identified four different user interface variants in the clones seen over the past years. Below are examples of four of the different variants.
Why would rogue authors go to such lengths to produce these cloned applications? The answer is simple: the cyber criminals have learned a successful business model, and continue to make profits from users by employing this bad online behavior.
“They just change the name of the application to cause confusion and make it hard for security vendors and end users to classify it as a rogue program. The lifespan of a rogue application is often just a short time interval. WiniGuard has managed to survive a long time period compared to others,” Bodahl says.
“Cyber criminals can only make money if their server isn’t closed down and the security businesses haven’t managed to detect their rogue. WiniGuard moves from server to server around the world and changes names to be able to release new cloned applications and lure more users.”
Ad-Aware detects WiniGuard, and Lavasoft Malware Labs analysts continue to work to add any new clones of this family into detection in order to keep you protected against them. Regular updates about the WiniGuard family of rogues are posted to the Malware Labs blog – stay tuned there for additional news.
And remember - for six quick tips you can use to help keep yourself, your friends, and your family safe from rogue security software, like WiniGuard, read our article, “How to Avoid Rogue Security Software.”