By Kelly Jackson Higgins
DarkReading
Oct 15, 2009
Attackers have added a new twist to spreading fake antivirus software: holding a victim's applications for ransom.
Researchers discovered a Trojan attack that basically freezes a user's system unless he purchases the rogueware, which goes for about $79.99.
The Adware/TotalSecurity2009 rogueware attack doesn't just send fake popup security warnings -- it takes over the machine and renders all of its applications useless, except for Internet Explorer, which it uses to receive payment from the victim for the fake antivirus. "The system is completely crippled," says Sean-Paul Correll, threat researcher and security evangelist for PandaLabs, which found the new attack.
Correll says that when the rogueware detects any application on the machine starting to execute, it shuts that application down. "This happens for every file you try to open except IE. The only reason IE works is because that's what's used to allow victims to pay the cybercriminals," he says.
Bad guys have used ransom threats in phishing attacks and distributed denial-of-service (DDoS) attacks, but Correll says this is the first time it has been used to force users to buy rogueware. Rogueware distributors typically prompt the victim with pop-up messages, but the user can bypass the purchasing process by ignoring them or clicking through them.