Panda Security has warned of a new type of rogueware currently in circulation, which it is calling ‘ransomware’ and which tries to force users of infected PCs into paying for a version of a fake anti-virus programme.

Infected computers are effectively hijacked and prove extremely difficult to clean manually, forcing victims to pay the ransom or reformat the computer, PandaLabs has said.

“Once a computer is infected, any attempt made by the user to run a program or open a document will be frustrated.”

Victims of the attack find themselves offered a fake anti-virus programme called Total Security 2009, which has a price tag of £74.50.

Seemingly, once they have paid, users receive a serial number, which is entered to release all files and executables, allowing them to work normally and recover their information.

There are hundreds of rogueware programmes in circulation and most have a Trojan component, which users are misled into installing. The Trojan may be disguised as a browser plug-in, an image, screensaver or archive file attached to an e-mail message, or a free online malware scanning service.

The Anti-Phishing Working Group recently estimated that 485,000 samples had been detected in the first six months of the year, which is more than five times the total detected for the whole of 2008, so this is an escalating problem. 

Microsoft reacted to the issue this week, updating the Malicious Software Removal Tool in its latest Patch Tuesday release so that it can detect a generic type of fake anti-virus program known as Win32/InternetAntivirus.

Luis Corrons, Technical Director of PandaLabs, said of the problems triggered by Total Security 2009: “Once a computer is infected it is extremely difficult to eliminate the threat, even for those with a certain degree of technical knowledge. Users are also prevented from using any type of detection or disinfection tool, as all programs are blocked. The only application that can be used is the Internet browser, conveniently allowing the victim to pay for the fake antivirus. For this reason, on the PandaLabs blog, we have published the serial numbers required to unblock the computer if it has been hijacked. Users can then install genuine security software to scan the computer in-depth and eliminate all traces of this fake antivirus.”