Preview to a Possible Future of Rogue AV

Druckfreundlich, PDF & E-Mail

Posted by: Barracuda Labs

Yesterday, Purewire’s Malicious Javascript Detection (MJD) engine identified the following malicious URL:


The site uses a now ubiquitous social engineering lure: fake javascript-generated alerts that claim the user’s system is infected with malware.


If the user believes these alerts to be genuine, the following Rogue AV software (called “Privacy Center”) will end up installed on their system.


The above screenshots well-represent what Rogue AV looks like today. But what about the Rogue AV of tomorrow? The investigation of other malicious domains related to yielded the discovery of one such future vision of rogue software.

The story of this vision begins at, which resolves to the same IP address as However, instead of serving the user fake pop-up scanners and alert notifications, the site claims to act as a media distribution portal.


In addition, unlike some rogue software operations, is well put-together and includes a functioning search engine. As an example, the top result of a search for “Troy” is the 2004 movie of the same name; clicking on the result presents the user with accurate release and cast information, a series of movie stills, and a link to download the movie.


Yet, instead of a large movie, a small executable is served when the user clicks on the Download button. This executable has the same icon as the Rogue AV software served off of


In addition, about half of the few VirusTotal detections identify the above Troy executable as Rogue AV:

However, the similarities between these two binaries end at identical icons and similar AV detections. When Troy.exe is run, a larger executable is downloaded from the following location:


This larger binary is automatically executed and installs an interesting type of rogue software (called “IQ Manager”) on the user’s system.


Before IQ Manager even attempts to connect outbound, a child window appears, stating that there are “no empty spots” in the “shared channel”, and that the user must “wait their turn” or “activate the VIP Channel”. Activation, of course, requires a credit card.

However, even if the user decides not to perform activation, the download proceeds.


Upon completion, the resulting file was indeed a playable copy of the 2004 movie Troy. Subsequent investigation into IQ Manager’s operation revealed that it acts as a BitTorrent client, using torrents offered by the popular tracker

While current Rogue AV software offers the user almost nothing, and the IQ Manager software collectively provide a functional (if illicit) download service that will meet many users’ expectations. If this model proves financially successful for the criminals behind it, “pay for free” software could become a standard that forms the face of tomorrow’s rogue software.

Users of the PWSS are protected from this emergent threat.

Nach oben scrollen