FakeAlert Trojan Holds Systems For Ransom
Tuesday May 12, 2009 at 9:14 pm CST
Posted by Avelino Rico Jr and Geok Meng Ong
In March 2009, we notified our customers of a new variant of the infamous Vundo trojan family, which we detect as Ransom-F, and raised its risk assessment to a Low-Profiled threat. It was possibly the first indicator of a shift in the FakeAlert criminal model from instilling fear to holding information technology resources for ransom, but certainly not the last.
Last week, we came across a new variant of a rogue security program branded by its creators as “System Security 2009” and detected it as FakeAlert-CO; some of its past, similarly branded cousins are detected as FakeAlert-SystemSecurity.
The updated variants were discovered on a web page hosted on trustedw{blocked}security.com. Like most other rogue security programs to date, FakeAlert-CO displays spurious alerts and makes fraudulent claims of infections that require the user to pay a fee to “repair” them. Following the trend of Ransom-F, we noticed “new features” in FakeAlert-CO that resemble common characteristics of ransomware trojans.
Once installed, FakeAlert-CO either terminates all running user processes or prompts the user to reboot.
In either case, it then pretends to perform a system scan and reports detections of false and exaggerated threats.
What sets it apart from older variants is that the user is no longer allowed to open or execute any application, including Task Manager, Command Prompt and other system and office applications, all of which are terminated by FakeAlert-CO. A message is displayed to the user indicating that the files are infected and that, to resolve the issue, the user must activate FakeAlert-CO at a cost.
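The behaviour described above, a single process killing every user application and administrative tool within seconds of starting, is a pattern a defender can look for in process telemetry. The following is an added example, not code from the original post or from McAfee: it scans a constructed, simplified process-termination log (the field layout is an assumption, loosely modelled on endpoint telemetry that records the terminating process and its target) and flags any process that terminates an unusual number of distinct programs within a short window, calling out administrative tools such as Task Manager and Command Prompt separately.

```python
"""Flag a process that mass-terminates other user processes.

The log lines in SAMPLE_LOG are constructed for this example, not real
telemetry. The field layout (actor pid/image, action, target pid/image)
is an assumption; adapt LINE_RE to whatever your sensor actually emits.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) "
    r"action=(?P<action>\w+)"
    r"(?: target_pid=(?P<tpid>\d+) target_image=(?P<timage>\S+))?$"
)

# Administrative tools a rogue security program blocks so the user cannot
# inspect or remove it (the post names Task Manager and Command Prompt).
ADMIN_TOOLS = {"taskmgr.exe", "cmd.exe", "regedit.exe", "msconfig.exe", "control.exe"}

# Constructed sample: one rogue process kills six programs in nine seconds,
# while Explorer closing a single Notepad window is normal user activity.
SAMPLE_LOG = """\
2009-05-11T09:14:00Z pid=1337 image=rogue_av.exe action=create
2009-05-11T09:14:01Z pid=1337 image=rogue_av.exe action=terminate target_pid=2210 target_image=winword.exe
2009-05-11T09:14:01Z pid=1337 image=rogue_av.exe action=terminate target_pid=2215 target_image=outlook.exe
2009-05-11T09:14:02Z pid=1337 image=rogue_av.exe action=terminate target_pid=2300 target_image=iexplore.exe
2009-05-11T09:14:05Z pid=1337 image=rogue_av.exe action=terminate target_pid=2410 target_image=taskmgr.exe
2009-05-11T09:14:06Z pid=1337 image=rogue_av.exe action=terminate target_pid=2412 target_image=cmd.exe
2009-05-11T09:14:09Z pid=1337 image=rogue_av.exe action=terminate target_pid=2420 target_image=regedit.exe
2009-05-11T09:20:00Z pid=900 image=explorer.exe action=terminate target_pid=2500 target_image=notepad.exe
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None for unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    event["pid"] = int(event["pid"])
    return event


def find_mass_terminators(lines, window=timedelta(seconds=30), min_targets=5):
    """Return actors that terminated >= min_targets distinct images inside `window`."""
    events = [e for e in (parse_line(l) for l in lines)
              if e and e["action"] == "terminate"]
    by_actor = defaultdict(list)
    for e in events:
        by_actor[(e["pid"], e["image"])].append(e)

    findings = []
    for (pid, image), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window: widest set of distinct targets seen within `window`.
        start, best = 0, set()
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            targets = {e["timage"].lower() for e in evs[start:end + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) >= min_targets:
            findings.append({
                "pid": pid,
                "image": image,
                "distinct_targets": len(best),
                "admin_tools_killed": sorted(best & ADMIN_TOOLS),
            })
    return findings


if __name__ == "__main__":
    for f in find_mass_terminators(SAMPLE_LOG):
        print(f"{f['image']} (pid {f['pid']}) terminated {f['distinct_targets']} "
              f"distinct programs; admin tools killed: {f['admin_tools_killed']}")
```

The threshold values (five distinct targets in thirty seconds) are starting points, not tuned figures; a logoff or a legitimate cleanup tool can also close many programs, so the `admin_tools_killed` list is the more useful discriminator when triaging a hit.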
The “product” website is made to look fairly professional, offering an option to purchase a 2-year license or a lifetime support license at a “discount”, and it even comes with a 30-day money-back guarantee!
You may be paying for the “best” possible support option, but you can’t trust a “product” that holds your system for ransom.
Uninstalling the System Security “product” will not be an option for the typical user, as there is neither an uninstaller function nor can “Add or Remove Programs” in the Control Panel be opened via the usual means.
However, the reportedly infected files are intact and are not modified in any way. If the user boots into Safe Mode, FakeAlert-CO is not started automatically, and system tools and applications can be executed and accessed normally.
Affected VirusScan users may remove this threat using the latest DATs and engine.

May 21st, 2009 at 03:49
[...] having in mind the rise in the number of rogue security products recently (like the now infamous “Anti-virus XP 2009”) it becomes clear that transparent and fair testing is needed more than [...]
June 20th, 2009 at 16:39
So far FakeAlert is holding 2 of my PCs for ransom, and I've downloaded Spy Doctor offline and it helped the other spyware take effect, but the other PC won't clean up and I can't go online because it has stopped me, and I can't get into Safe Mode, it skips that page completely. It's an older PC and won't download Service Pack 2 for me to get McAfee.
July 24th, 2009 at 22:43
Use Windows Preinstallation Environment :) that's how I got rid of it.
August 2nd, 2009 at 23:21
Had this SS 2009 and b/c it quickly closes ANY program you open, without being able to open programs like Task Manager or msconfig.exe to try and remove one or two of its operating files, one cannot go about stopping SS 2009's processes.
I restarted in Windows SAFE MODE and ran [regedit] and deleted one or two of its registry entries (HKLM/Software/Microsoft/Current Version/Run) and also its 2009 support link, which was in my Documents and Settings/All Users/App Data/user profile/Start Menu/Programs/System Security 2009 link.
Then I used System Restore and restored to a day earlier.
November 22nd, 2009 at 14:47
As long as the laws dealing with this kind of fraud are weak, scammers will continue to reap millions from unsophisticated users. Recently the FTC settled with James Reno of WinFixer infamy for only $160,000. It has been estimated that the people behind this malware made in excess of $36 million!! As can be seen, the law is no deterrent. Kind of like Kevin Trudeau of infomercial scam fame. He regularly settles with the FTC and still makes millions. Prison time for these kinds of crimes should be mandatory–very serious prison time!! There is a very effective way to avoid being infected with rogue security programs–use a browser like Firefox that is less susceptible to malware—and—when the original rogue popup appears, disconnect from the internet and restart. When I see one of these pop-ups I shut my PC off manually and restart. When the rogue pop-up appears, DO NOT CLICK ANYWHERE ON THE DIALOG BOX!! If you do, most of these rogues will do a drive-by install regardless of your wishes. Even clicking the ‘x’ at the top of the dialog box can trigger an unwanted download.