

Security Shield rogue campaign shows a strong presence in 2012


#1 Grinler


    Lawrence Abrams

  • Admin
  • 43,717 posts
  • Gender:Male
  • Location:USA
  • Local time:02:44 AM

Posted 21 March 2012 - 09:10 AM

First seen in December 2010, Security Shield has since continued to have strong distribution through 2011 and into 2012. Recently rebranded as Security Shield 2012, the Security Shield computer infection is one of the longest running rogue campaigns that uses the same name and belongs to the same family. The only other rogue that has had a longer distribution was Security Tool, which lasted for about 18 months.

Security Shield 2012 Screen Shot

It is important to note that when we call a program a rogue, we are referring to one that is an actual computer infection and not one that is just misleading or does a bad job cleaning. These infections display the typical fake alert and scan results, but also take your computer hostage, change system settings, terminate processes, create fake files, or are installed by malware. Security Shield is one of these types of infections as it is bundled with other malware, displays false alerts, false scan results, terminates processes, and hijacks Internet Explorer.

Rogue anti-spyware programs are normally broken up into families, with each rogue in the family essentially being the same program but with a different user interface and name. Security Shield is part of the Rogue.WinWebSec family of rogues that includes other heavy hitters such as Security Tool, System Tool, and MS Removal Tool. With over 760 rogues cataloged in our virus removal section, we have learned that you can determine how strongly a particular rogue is being distributed by the amount of views that the particular rogue's removal guide receives. In terms of total views, the Rogue.WinWebSec family is by far the most prolific with a total of 5,795,128 views for this family. The second largest are the rogues that are part of the Rogue.FakeXPA, which includes XP Antivirus, that have 4,429,320 combined guide views.

Though Security Shield is not the largest campaign from this family by any means, it still has had a strong distribution with over 600 thousand views of its removal guide. As you can see from the list below, this rogue family typically releases one heavy hitter every 6 months to a year, which gets large distribution. The family then releases a couple more variants throughout the same year, which do not get nearly the same amount of play.

Rogue Name                   Date Released   Views
Winweb Security              11/27/2008      81,533
System Security              12/24/2008      285,798
Security Tool                09/25/2009      2,976,959
Windows Smart Security       10/09/2009      7,389
System Adware Scanner 2010   12/15/2009      6,244
System Tool                  10/22/2010      955,539
Security Shield 2012         12/07/2010      617,599
MS Removal Tool              03/27/2011      897,129
Essential Cleaner            05/17/2011      10,284
Personal Shield Pro          06/09/2011      69,944
Security Sphere 2012         09/29/2011      12,2171
Smart Protection 2012        02/22/2012      17,623
Security Scanner             02/12/2012      7,265
Smart Fortress 2012          02/27/2012      40,469

Rogue.WinWebSec Family of Rogue Anti-Spyware Programs

Security Shield's largest distribution was when it was first released in December 2010. Then from March 2011 through December 2011 there was a lull in distribution. In January of this year, though, we are seeing a large increase in search queries related to this rogue, which has now been rebranded as Security Shield 2012. The amount of page views for the Security Shield removal guide has also increased dramatically here at BleepingComputer, which corroborates what we are seeing in the Google Trends chart for the search phrase "Security Shield".

Google Trends Chart for the Security Shield Search Phrase

Even though Smart Fortress 2012, the latest Rogue.WinWebSec variant, is still being promoted, it appears that the developers behind this family are continuing to strongly push Security Shield. Whether they will continue to distribute Security Shield is unknown at this point. What we do know is that rogue anti-spyware programs are making a comeback and are unfortunately here to stay. They are just much too profitable for the criminals to abandon this type of cybercrime.

To protect yourself, make sure you never click on pop-ups stating that you are infected, have all your Windows updates installed, and make sure all your computer programs are up-to-date by using a program like Secunia PSI. Just these three steps will dramatically reduce your exposure to these types of infections. If you have unfortunately already been infected with the Security Shield 2012 malware, then please use the removal guide below.



#2 keyboardNinja


    Bleepin' Ninja

  • Members
  • 4,815 posts
  • Gender:Male
  • Location:teh interwebz
  • Local time:01:44 AM

Posted 21 March 2012 - 09:40 AM

Thanks for all your hard work, Grinler! Keep fighting the good fight! :clapping:
PICNIC - Problem In Chair, Not In Computer


20 Things I Learned About Browsers and the Web

#3 johnlsenchak


  • Members
  • 2 posts
  • Local time:02:44 AM

Posted 21 March 2012 - 07:09 PM

I just removed this rogue scareware program off a computer. It wasn't easy at first since the rogue program prevented me from accessing certain Windows settings. Eventually, I was able to gain full control of the machine and after a deep virus scan, it was removed without a problem.

#4 starberrysparks


  • Members
  • 3 posts
  • Local time:03:44 AM

Posted 22 March 2012 - 01:21 PM

I was helping someone with the new 2012 variant and Malwarebytes' scan results also had the ZeroAccess rootkit. We ended up backing up their files with a Linux live CD and reformatting, but I thought you guys would like to know it's also at least sometimes including ZeroAccess!

Edited by starberrysparks, 22 March 2012 - 01:22 PM.
