The "No Network is 100% Secure" series
- Scareware -
A White Paper

All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants

Contact Us


What is Scareware?: Scareware is software that often has limited or no benefit, that is sold to consumers by employing unethical marketing practices. Scareware is designed to cause shock, anxiety, or the perception of a threat directed at an unsuspecting user. A common tactic is to convince users that their computer is infected with a virus, then suggest that they download, and pay for, anti-virus software to remove it. Usually the virus is entirely fictional. The software that the user is duped into purchasing is typically non-functional or malware. Payments by credit card often result in credit card fraud as well.

Cyber-criminals are increasingly hiding viruses in bogus computer security software to trick people into installing treacherous programs on machines. Scareware pretends to check computers for viruses, and then claims to find dangerous infections that the program will fix for a fee. This rogue software lures users into paying for "protection" that is actually malware that offers little or no real protection. In addition, scareware is often designed to steal personal information, credit card numbers and so on. Hackers have been capitalizing on hype and fear surrounding widely reported viruses such as Conficker to trick people into loading scareware onto computers.

Shock-based scareware: Shock scareware is designed to literally scare the user through the use of unanticipated shocking images, sounds or video. The first software of this type is generally credited to be "NightMare", a program distributed on the Fish Disks for the Amiga computer in 1991. When NightMare is executed, it lies dormant for an extended and random period of time, finally changing the entire screen of the computer to an image of a skull while playing a horrifying shriek on the audio channels.

Anxiety-based scareware: Anxiety-based scareware will put a user in situations where there is no positive outcome. For example, a small program that presents a dialog box saying "Erase everything on hard drive?" with two buttons, labeled "OK" and "OK".

Alert-based scareware: Scareware is also used to describe software or web site marketing practices that produce a series of frivolous and alarming warnings or threat notices. Typically, these would involve being bombarded with pop-ups that promote firewall and registry cleaner software. Criminal web sites will display pop-up advertisement windows or banners with text such as: "Your computer may be infected with harmful spyware programs. Immediate removal may be required. To scan, click 'Yes' below." These web sites may also indicate that a user's job, career, or marriage would be at risk.

Some scareware is not affiliated with any other installed programs. A user can be approached with a pop-up from a website indicating that their PC is infected. In some scenarios it is possible to become infected with scareware even if the user attempts to cancel the notification. These pop-ups are especially designed to look like they are from the user's operating system when they are actually a web page. The safest way to abort these attacks is to terminate the web browser from the task manager although very few users will do this. Clicking any portion of the pop-up, including "cancel" or the close "x" is just as likely as not to install the rogue software onto your machine.

Spyware scareware: Some forms of spyware also qualify as scareware because they change the user's desktop background, install icons in the computer's system tray claiming that the user's computer is infected with some kind of spyware that the scareware application will remove.

Ransom-based scareware: Another type of malware renders a User's PC inoperable and then demands a "ransom" to remove the malware. A recently discovered malware called Antivirus2009 claims to have located corrupted files on affected systems. Prospective marks are told they need to download a package called FileFix Professional to recover these files. In reality, Antivirus2009 is responsible for encrypting the supposedly corrupted files, targeting documents in the User's "My Documents" folder. FileFix Professional unscrambles this content but only after users pay $50 for software of dubious utility.

Other forms of ransom scareware will lock up a User's PC and will require entering a code number, which must be purchased, to unlock it.

Why does scareware work?: A recent report from North Carolina State University showed that most internet users are unable to tell the difference between genuine and fake pop-up messages. The study demonstrates how easy it is to fool people on the web. Despite being told some of the messages were fake, people hit the OK button 63% of the time.

Makers of fake anti-virus software exploit search engines to drive people to sites peddling scareware. Using popular and mis-spelled search terms, the criminals divert people to sites that issue fake warnings about virus infections. Some seed web pages with popular keywords such as "Obama" but others use terms associated with recent events. Using popular terms mean the pages appear high up in results when people carry out a keyword search. Anyone clicking on a booby-trapped page is then instantly re-directed to the site hosting the links to the fake security software. Once they arrive, visitors are bombarded with pop-ups warning that their PC is infected. To clear up the infection users are told they must download and pay for anti-virus software which typically costs about $50

Research suggests some criminals are making as much as $10,000 USD a day from fake security software. A report by the Anti-Phishing Working Group, released in March 2009, found 9,287 bogus anti-malware programs in circulation in December 2008 - a rise of 225% since January 2008.

Scareware best practices: Users should be very wary of any pop-up window claiming to find evidence of an infection. It is impossible to scan a user's local disk without installing software. Installing software from an unknown Internet web site is a fundamentally bad idea.

Do not perform "free" security scans offered on any web site. Messages telling you to install and update security software for your computer seem to be everywhere. So you might be tempted by an offer of a "free security scan", especially when faced with a pop-up, an email, or an ad that claims "malicious software" has already been found on your machine. Unfortunately, it's likely that the scary message is a come-on for a rip-off.

Make it a practice not to click on any links within pop-ups.

Make certain that your security software is active and current: at a minimum, your computer should have anti-virus and anti-spyware software, and a firewall.

If you're faced with any of the warning signs of a scareware scam or suspect a problem, shut down your browser. Don't click "No" or "Cancel", or even the "x" at the top right corner of the screen. Some scareware is designed so that any of those buttons can activate the program. If you use Windows, press Ctrl + Alt + Delete to open your Task Manager, and click "End Task". If you use a Mac, press Command + Option + Q + Esc to "Force Quit". If you get an offer, check out the program by entering the name in a search engine. The results can help you determine if the program is on the up-and-up. But bear in mind that most are not!

Scareware purveyors go to great lengths to make their product and service look legitimate. For example, if you buy the software, you may get an email receipt with a customer service phone number. If you call, you're likely to be connected to someone, but that alone does not mean the company is legitimate. Regardless, remember that these are well-organized and profitable schemes designed to rip people off.

Report possible fraud online at or by phone at 1-877-FTC-HELP. Details about the purchase including what website you were visiting when you were redirected are helpful to investigators.

Ransomware update - System Security malware: August 19, 2009. The latest example of ranson-based scareware is a misleading app called "System Security". This malware forces users to purchase it because it can render a system nearly unusable. Once System Security is installed on a machine it terminates most of the active user processes such as Firefox, antivirus programs, Acrobat Reader, and others. Internet Explorer is spared from this list. If the user tries to run Task Manager, antivirus software, or any other executable binary except Internet Explorer, this misleading application reports that the respective binary is infected and blocks access. Victims of this malware are forced to pay for a "subscription" to have it removed. Needless to say, paying this ransom will not remove this malware from your computer. This malware survives Even after system reboot. As always, we encourage users to download applications directly from vendors' websites or legitimate partners. AV signatures detect this misleading application as Trojan.Fakeavalert.

Registry Patrol: I've received a lot of inquiries about Registry Patrol asking if it is scareware. The short answer is that Registry Patrol does not appear to be scareware, however.... you would definitely want to Google reviews on this product and company before buying and/or downloading it to your computer. The CNET forum is packed with dissatisfied customers and contains almost no positive experience reviews. A person claiming to represent the company but providing no name or contact information disputed only one of the posts claiming "I suspect that this customer is likely a competing software seller who has decided to use forums like this to attempt to smear a quality product".

Based on the reviews I've read, Registry Patrol reportedly introduces substantial instability in at least some of the computers that it's been installed on. But I see no evidence that this instability is due to anything more than poor programming and inadequate testing. However, if the above quoted CNET forum response actually came from a company representative, one would probably be wise to seek out other solution providers. Caveat emptor.

About the Author

Frank Saxton is a computer network security engineer and Easyrider LAN Pro principle. Home-based in Portland, Oregon, Frank has been designing remote diagnostic and network enterprise monitoring centers since the late 1970s. Prior to becoming a professional systems engineering consultant in 1990, Frank had a 20 year career in computer systems field engineering and field engineering management. Frank has a BSEE from Northeastern University and holds several certifications including Network General's Certified Network Expert (CNX). As a NOC design engineer and architect, Frank works regularly with enterprise-class monitoring tools such as HP Openview Operations, BMC Patrol and others. In his enterprise security audit work, Frank uses sniffers and other professional grade monitoring tools on a daily basis.

Next in the security white paper series:

How Cyber Criminals will mature over the next ten years
Are you vulnerable to drive-by exploits?
High value sites recent hacks
IT employment challenges of the 21st century
Employment reference checking white paper
Competency Certifications White Paper
Firewall White Paper
Virus White Paper
GhostNet White Paper
Password White Paper
Digital Identification Certificates White Paper
Cryptography White Paper
OpenID White Paper
Intrusion Detection Systems IDS White Paper
Rootkit White Paper
Unnecessary Windows XP Services White Paper
Exaflood Internet Brownout White Paper
Cloud Computing White Paper
Proxy Server White Paper
Personal Computer PC Security White Paper
Phishing White Paper
DNS Poisoning White Paper
Conficker White Paper
SPAM White Paper
Best Practices White Paper
Denial of Service DoS White Paper
Trojan Virus Attacks White Paper
Port Scanning White Paper
Monitoring Basics 101 White Paper
Monitoring Basics 102 White Paper
Monitoring Basics 103 White Paper
Virtual Machine Security White Paper
Aurora vulnerability White Paper
Shelfware White Paper
Outsourced IT White Paper

Easyrider LAN Pro Consulting services:

Network Security Audit and PC Tune-up service

- Proxy server installation and configuration
- Enterprise security consultations
- Disaster recovery planning
- Disaster recovery services
- Capacity, migration and upgrade planning
- Build and deploy central syslog server
- Build trouble ticket systems
- Design and build monitoring environments
- Design and build Network Operations Centers (NOC)
- HP Openview, BMC Patrol consulting

Last modified March 25, 2009
Copyright 1990-2009 Easyrider LAN Pro