Rogue software: How do you know?

It's no secret that many anti-malware scanners are actually malware in disguise. Is it possible to tell the difference? Let's give it a try.

Lately, I've been particularly focused on malware and how to get rid of it. The frustration in your comments and e-mail messages regarding malware is more than obvious, hence my quest.

I hope my previous articles about malware removal and the ensuing comments from members (who've been there and done that) have made a difference. For what it's worth, I'm not done yet, especially because of one particular question.

Know your enemy

I've been asked countless times how I can know that the endless parade of new viruses isn't being created by the antivirus companies that claim to protect us. Truth be told, it's a great business plan: create the problem and then market the solution. If I remember correctly, they even made a movie based on this premise.

In their defense, I'm acquainted with many dedicated people who work for Symantec, McAfee, and other AV companies, and they truly want to squash malware. Besides, if it came to light that an AV developer was less than forthright, public outcry would totally destroy the company's credibility.

That's not nice

Ironically, malware developers are using the "street cred" earned by legitimate malware-fighting companies to develop a malware delivery vehicle for their malicious code. Grudgingly I have to admit, it's a good plan. See if the circumstances from the following scenario resonate with you.

The computer I'm working with is acting really strange. All of a sudden, advertisements (you know the kind) start popping up all over my monitor. This is not good. Why didn't my AV application or the malware scanners prevent this from happening? What am I going to do? I really need to finish my work, but I need to use Adobe Acrobat and that's installed only on the infected computer.

Luckily, I have another computer, so I scour the Internet trying to find a different scanner that will remove the malware. Wait a minute, I find what I need. Yes, the Web site is describing exactly how my sick computer is acting. I sure hope it works, but is the software what I really think it is?

I'll stop right there. Sound familiar? That's just one scenario. Brian Satterfield describes several more in his IT Security article "Welcome to Scam City: Rogue Anti-Spyware Apps." It seems that rogue software is a thriving underground enterprise, with most of the malware code pretending to be antimalware software.

How do I know?

Now to the question many of you have been asking me. How do I know that the software I'm about to download and install is safe? It appears that Satterfield and I were thinking along the same lines as we both found several Web sites that publish lists of rogue software and applications. Checking whether an application is listed on these Web sites will help determine whether the software in question is malware or not.

Rogue malware listings
  • Sunbelt Software, the developer of CounterSpy, has a Web site that lists over 397 rogue security programs (their name for rogue software). I personally have used Sunbelt Software for many years and have no reservations about the company.
  • Spyware Signatures has an extensive list of rogue software signatures. In fact, it has so many that it's almost easier to use the search function. The main focus of Spyware Signatures is to provide relevant data to security companies that offer antimalware applications. That's good, because it means there's incentive to keep the list relevant and up to date.
  • My favorite malware scanner, MBAM, has a list called newest rogue threats. It's a little different from the others because the rogue software list is published in a forum venue and is member driven. Truth be told, it's the first place I check.

These are the three lists that I refer to, but I'll bet there are other good ones. In fact, I'd appreciate hearing which lists you prefer.

Side note

You may be wondering why I included the above image (courtesy of MessageLabs). While doing research for this article, I stumbled upon a MessageLabs Web site that was displaying work created by Alex Dragulescu. I found it strangely fascinating, as it lets me put an image to a specific piece of malware. Dragulescu describes his work as:

"The visualization of worms, viruses, trojans and spyware code. For each piece of disassembled code, API calls, memory addresses and subroutines are tracked and analyzed. Their frequency, density and grouping are mapped to the inputs of an algorithm that grows a virtual 3D entity. Therefore the patterns and rhythms found in the data drive the configuration of the artificial organism."

Final thoughts

I hope that the rogue software listings will be of help. I realize that it's not a perfect solution or even near perfect. I'm hoping it's a conversation starter and that you, the members, will share your alternative approaches and rogue software lists with the rest of us.

Another side note

Being an anal paranoid, I wanted to make sure that I didn't lose you as readers or have you wondering where my security rantings have gone. The editorial staff at TechRepublic feels I should post my security articles in Chad Perrin's section IT Security. It makes sense to me, and I hope it does to you as well. So to cure my paranoia, please sign up for the IT security newsletter and look for me there.
