Trojan on the Loose: An In-Depth Analysis of Police Trojan
In recent months, European internet users have been plagued by so-called Police Trojans that lock their computers completely until they pay a fine of 100 euros. Yes, a fine: the Trojan makes its threats by posing as the police force of the victim’s particular country, in the victim’s language. This bullying strategy seems to be paying off, because there’s no shortage of infections in the European countries affected by this Trojan.

We’ve taken a deeper look into the inner workings of this Trojan as well as the network infrastructure that its owners are using to control and receive the payments. We found ties with different malware campaigns dating back to 2010, from Zeus and CARBERP to a fairly recent newcomer to the malware scene called the Gamarue worm.
The same people peddling this Trojan are also heavily involved in other malware and are very invested in this business. For instance, we have found that they were affiliates of the DNSChanger Trojan program called Nelicash that Rove Digital was sponsoring for a few years. The main persons behind Rove Digital were arrested on November 8, 2011, after a two-year investigation by the FBI, the NASA Office of the Inspector General and Estonian police in collaboration with Trend Micro and other industry partners. So we might have found an important clue as to who is behind the Police Trojan.
These criminals are in it professionally and will continue to be because of how much money they are able to make. This is a perfect example of one such group that has found a way of extorting money out of unsuspecting Internet users. We have written an extensive report on the Trojan and the people behind it, which you can download to get the full picture of this criminal organization.
Post from: TrendLabs | Malware Blog – by Trend Micro