Rogue AV programs have become increasingly common in last two years. There are couple of things interesting about rogue AV programs. First, the bad guys here do not use (in most cases) any sophisticated attacks on clients. They instead rely on visitors to wittingly install their "AV program". How do they do this? Through social engineering – they create web pages which are very authentic copy of legitimate screens in Windows operating systems. These web pages make visitors believe that their machine is infected with several malicious programs and that the offered "AV program" can help them clean it.
Once the rogue AV program is installed, the victim has to pay money to get it "working" or, in some cases to even uninstall it. So, the money making scheme is simple (some rogue AV versions even steal local data and install keyloggers).
In order to get people to visit their web sites serving rogue AV programs, the attackers use different vectors-
They Spend a huge ammount on Advertisement like Google Adwords, which make them always on a top of google search list. The victims who trust google usually fall in such pranks and download these malwares.
The main reason, however, why rogue AV is so successful is its persistence and amount of details - the web page they use to scare the visitor looks almost exactly like Windows' Security Center. One such page is shown below:
I was, of course, interested to see what else they do so I decided to analyze the code behind. First of all, I must say that the code is very elegant and clean, it's obvious that the bad guys got a real programmer to code the page (and malware?) for them.
Of course, this wasn't generated by Windows – it's actually just an image the attackers created. The "Remove all" and "Cancel" also aren't real buttons, just part of the image which has a handler that will get executed wherever the user clicks. You guess, on a click it will try to download the Rogue AV program. To eliminate any confusion, they also show this nice window where they explain what exactly needs to be done in order to install their rogue AV program.
It is now not strange that rogue AV programs are infecting so many machines. The devil is in the details, and the attackers made damn sure that all details are here to fool the potential victims.