
Retired

Member
One of my friends called today to say her computer has been attacked by a rogueware threat called Security Shield. At this point I don't know very much about it, but from the little research I've done, it may have come as a link or attachment in an email from her friend, which launched a warning to scan for viruses. The scan actually installs the rogueware that hijacks your computer, launching frequent popups and ads, tracks your activities and reports back to some online source.

It seems the rogueware cannot be uninstalled using conventional means, and requires manual removal including editing registry entries.

I am continuing to research Security Shield, but am concerned about search engine links that might be associated with the rogueware itself.

Any feedback or insights would be appreciated.
 

Retired

Member
My research on the topic has led me to these conclusions:

The internet appears to be swamped by these "fake" security/antivirus programs which exist for the sole purpose of selling themselves to you. There are even people who make money creating and selling the parts of these fake programs, selling ways to get around/disable existing legitimate system protection programs, and selling knowledge of exploits that are unknown or not yet patched. Most of it is over the Internet and based outside of the USA so this type of fraud doesn't even seem to be a blip on the radar of government agencies having to do with cybercrimes. If you go to a site like cybercrime.gov or read some of the IC3 reports you will find that the government agencies seem more concerned with other kinds of cybercrimes which involve much greater sums of money and/or are USA based so they can be more easily arrested and prosecuted.

The most common vector to get misleading applications/rogueware on your system seems to be from compromised websites, sometimes legitimate but probably more often created specifically to distribute the rogueware. The thing to do is avoid clicking on links in Email messages even when supposedly sent from a friend. It seems even some Facebook or Twitter users have been hit by rogueware-- perhaps from being tricked into clicking on a link to a compromised web-site.

Can mainstream security programs protect against these threats?

It's very difficult for a security system to defend the system against the user inviting an intruder, which is how most of these invasions occur. The user may even do something as "safe" as click on "No Thanks" or on the [X] to close a window and that actually tells the invader to come on in.

The actual program that invades may not of itself be malign but it's set up to do something annoying and to blackmail you into paying up. They seem to disable existing security programs along with utilities such as "Notepad", but allow your browser to continue operating.

If you remember what VISTA was like at first with its "Do you really want to do that?" when you told it to do something ..... None of us wanted that kind of protection.

All one can hope for is to be informed and on the alert for danger signs.

What to do if a pop up occurs with a title such as "My Security Shield" or "Virus Doctor"?

Most important, do not click on any buttons associated with the pop up, not even the [X] in an attempt to close the window. Instead try [ CTRL + F4 ] which can close an open window so the malware does not take it as a click. Alternatively, press Ctrl+Alt+Delete on your keyboard to bring up the Windows Task Manager. Find the browser's process and end it.

If that doesn't work, use the computer power button to turn off the computer and do not resume doing what triggered the popup after the system restarts.

Addendum from Norton Forum:

One of the reasons that rogue antivirus programs are able to evade detection is that they continually morph into new variants. They stay one step ahead of a security program's ability to recognize them, and this has posed a real challenge to all legitimate antivirus programs. Norton consistently ranks at or near the top in detection rates, but no program detects 100% of everything that's out there.

A security program like Norton 360 should be just one layer in your protection planning. Since most of these threats rely on JavaScript to launch their fake AV scans, one thing you can do is use Firefox as your primary browser and install the NoScript add-on, which lets you block all scripting except for those sites which you specifically allow. Since many threats launch via malicious ads, NoScript would let you allow the primary site to use scripting while still blocking the advertisements on the page from doing so. There is a learning curve and you do sacrifice some web surfing convenience at first until it becomes second nature, but this will protect you from almost all rogue antivirus programs. Using a Limited User account, rather than an account with Administrator privileges, when online will also help protect you.
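
The default-deny, per-site script allowlisting described in the addendum above, as an added example that is not part of the original post and not NoScript's own code. It is a simplified model: the page, host names and function names are constructed for illustration, and treating subdomains of an allowed site as allowed is an assumption of this model.

```javascript
// Simplified model of per-site script allowlisting (default deny).
// Constructed sample page: two first-party scripts, one ad-network
// script and one inline script. All names here are hypothetical.
const SAMPLE_PAGE_URL = "https://news.example/article";
const SAMPLE_HTML = `
<script src="/js/site.js"></script>
<script src="https://cdn.news.example/player.js"></script>
<script src="https://ads.adnetwork.example/banner.js"></script>
<script>/* inline code */</script>
`;

// Exact host or a true subdomain. "evilnews.example" must NOT match
// "news.example", so a plain suffix comparison is not enough.
function hostMatches(host, allowed) {
  return host === allowed || host.endsWith("." + allowed);
}

// Resolve every <script> tag to the URL its code is loaded from.
// Inline scripts are attributed to the page itself.
function scriptSources(html, pageUrl) {
  const sources = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    sources.push(new URL(src ? src[1] : pageUrl, pageUrl));
  }
  return sources;
}

// Default deny: a script runs only if its host is on the allowlist.
function evaluatePage(html, pageUrl, allowlist) {
  return scriptSources(html, pageUrl).map((u) => ({
    host: u.hostname,
    allowed: allowlist.some((a) => hostMatches(u.hostname, a)),
  }));
}

// With an empty allowlist nothing runs; allowing only the primary site
// keeps its own scripts working while the ad network stays blocked.
for (const d of evaluatePage(SAMPLE_HTML, SAMPLE_PAGE_URL, ["news.example"])) {
  console.log(d.allowed ? "ALLOW" : "BLOCK", d.host);
}
```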
 