The rogueware business has evolved to incorporate ransomware techniques, based on the hijacking of users’ information

Infected computers are extremely difficult to clean manually, forcing victims to pay the ransom or reformat the computer


PandaLabs, the anti-malware laboratory at Panda Security, The Cloud Security Company, has identified a new, more aggressive trend for selling fake antivirus programs or rogueware. Until now, when a computer was infected by this type of malware, users would typically see a series of warnings prompting them to buy a pay version of the program. Now, these technologies are being combined with ransomware, hijacking the computer and rendering it useless until victims complete the purchase.

Once a computer is infected, any attempt made by the user to run a program or open a document, etc., will be frustrated. The only response from the computer will be to display a message falsely informing the victim that all files are infected with the only solution being to buy the fake antivirus.

This fake program, called Total Security 2009, is offered for €79.95. Victims are also offered ‘premium’ tech support services for an additional €19.95. Users that pay the ransom will receive a serial number, which, when entered in the application, will release all files and executables, allowing them to work normally and recover their information. The fake antivirus however, will remain on the system.

“The way this rogueware operates presents a dual risk: Firstly, users are tricked into paying money simply in order to use their computers; and secondly, these same users may believe that they have a genuine antivirus installed on the computer, thereby leaving the system unprotected”, explains Luis Corrons, Technical Director of PandaLabs.

“Users are often infected unknowingly, in most cases, through visiting hacked websites, and once a computer is infected it is extremely difficult to eliminate the threat, even for those with a certain degree of technical knowledge,” underlines Corrons. “Users are also prevented from using any type of detection or disinfection tool, as all programs are blocked. The only application that can be used is the Internet browser, conveniently allowing the victim to pay for the fake antivirus. For this reason, on the PandaLabs blog, we have published the serial numbers required to unblock the computer if it has been hijacked. Users can then install genuine security software to scan the computer in-depth and eliminate all traces of this fake antivirus”.

PandaLabs recently published a report about the lucrative business of rogueware. “This shift towards hijacking computers indicates either that users are becoming more adept at recognizing these threats or that security companies are beginning to close the net. This would explain why hackers are becoming more aggressive in the methods used to force the victims into paying.” The PandaLabs report is available from:

The serial numbers and a video demonstrating how this scam operates is available at: