Fake antivirus attacks PCs with ransom demand

The Fake antivirus phenomenon has taken an unpleasant turn with the discovery of a Windows program that not only cons users into buying an unnecessary license but appears to lock files and applications on the victim's PC.

According to security company Panda Security, rogueware program Total Security 2009 starts out in conventional fashion with the ‘discovery' of a non-existent malware infection for which it demands an unusually ambitious $79.95 (£50), and even has the cheek to ask a further $19.95 for 'premium' technical support.

Users deciding against purchasing the license find that all files and applications on their PC have been designated as ‘infected' and made inaccessible until the user follows on-screen instructions to buy a license using the only working application, Internet Explorer.

According to Panda Security, the technique used to block access involves simple interception of Windows calls to open files and applications, closing them before they can open. Sophisticated techniques such as file encryption are not needed.

"This intercepting technique has been used before in other malware, for instance any rootkit malware, which is specifically designed to hide and kill processes silently in the background. However, this is the first time in history it has been spotted in conjunction with rogueware," said Panda Security's technical director, Luis Corrons..

Panda Security's demonstration video shows the con working on an XP system.

The program itself is remarkably developed, as has become a new trend for bogus antivirus in recent months, and mimics the design and configuration options found on many legitimate programs, including setting up ‘updates', privacy settings and scanning schedules. It is even possible to change the default language from English to German or Spanish.

"The way this rogueware operates presents a dual risk: first, users are tricked into paying money simply in order to use their computers; and second, these same users may believe that they have a genuine anti-virus installed on the computer, thereby leaving the system unprotected," said Corrons.

The bogus program would get on to a user's PC in the first place after they had either clicked on a link in a spam email, or by visiting an infected distribution website, or even by visiting the program's convincing-looking product homepage. Once registered, Total security 2009 remains on the system.

"This technique allows the criminals to make money before the AV companies catch up to them with signatures to finally detect the threat. Specifically, criminals will generate a new undetected sample on the fly and then distribute it to users. Knowing that the AV companies will detect it shortly, the criminals force users into purchasing the rogueware before the signature detection can kick in to remove it," said Corrons.

The program has been circulating for some weeks and infection rates are believed to be small. But the technique of combining fake antivirus prompts with a form of ransom-cum-hijacking will probably become a new front in the fake antivirus industry's campaign to make people buy more completely useless programs.

In the last year, fake antivirus programs have become possibly the biggest money-making scam on the Internet after spam marketing, even managing to find distribution on false pretences through premium Internet sites such as The New York Times.

There is growing evidence that many genuine antivirus programs don't detect some of these scam programs, which might also be a reason behind their success.