New Fake Antivirus Attack Holds Victim's System Hostage

Attack forces user to purchase phony antivirus package to free computer

Dark Reading Staff, Dark Reading

October 16, 2009

2 Min Read
Dark Reading logo in a gray background | Dark Reading

Attackers have added a new twist to spreading fake antivirus software: holding a victim's applications for ransom.

Researchers discovered a Trojan attack that basically freezes a user's system unless he purchases the rogueware, which goes for about $79.99. The Adware/TotalSecurity2009 rogueware attack doesn't just send fake popup security warnings -- it takes over the machine and renders all of its applications useless, except for Internet Explorer, which it uses to receive payment from the victim for the fake antivirus. "The system is completely crippled," says Sean-Paul Correll, threat researcher and security evangelist for PandaLabs, which found the new attack.

Correll says when the rogueware detects any application on the machine starting to execute, it then shuts down the application. "This happens for every file you try to open except IE. The only reason IE works is because that's what's used to allow victims to pay the cybercriminals," he says.

Bad guys have used ransom threats in phishing attacks and distributed denial-of-service (DDoS) attacks, but Correll says this is the first time it has been used to force users to buy rogueware. Rogueware distributors typically prompt the victim with pop-up messages, but the user can bypass the purchasing process by ignoring them or clicking through them.

Adware/TotalSecurity 2009 isn't new rogueware, but the difference is its distributors are using a more aggressive tack to ensure they make money from it. "Users are put into a Catch-22," Correll says. To free their systems, they are pressured into purchasing the package and sending their financial details to the bad guys, he says. Once the transaction is complete, they receive a serial number that releases their apps and files and can recover their information.

The good news is that, so far, this type of attack is relatively rare. And PandaLabs has posted the serial numbers for the malware application so that users can temporarily "unlock" their systems.

Rogueware has been on the rise this year, and its creators are pumping out new versions of the malware in rapid-fire. PandaLabs found 374,000 new versions of rogueware samples released in the second quarter of this year, a number the company expects to nearly double to 637,000 in the third quarter.

Correll says it's only a matter of time before other rogueware developers emulate the ransom attack. "By forcing the user to pay so quickly, they are able to maximize their profitability before getting caught and removed," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights