"My company
has determined that your computer is infected with a virus."
His opening line makes me VERY glad I answered this phone call - I
can already tell this is going to be good. This person has no idea who
he is talking to. Instantly I put my "Dumb Guy" persona on. My wife has
one too, she calls hers "Dumb Dora". To the best of my recollection,
here is the conversation, screen shots, and other interesting tidbits.
ET: "Evil Tech" <-- Person trying to do something bad with my computer
DG: "Dumb Guy" <-- My borrowed persona
ET: "We have detected your computer is infected with some kind of
malware or virus. If you want, I can show you how to see how it is
infected."
DG: "Wow, really? Sure!"
ET: "Can you go over to your computer?"
DG: "Yes, I'm there now."
ET: "What is the key on the bottom right of your keyboard?"
DG: "It says 'C T R L'"
ET: "What key is to the right of that key?"
DG: "It is a key that looks like the windows logo. I don't really use
that key."
ET: "Yes, you have an older computer, right?"
DG: "Why yes, it is older." <-- I lied - the keyboard is older, but
the computer isn't.
ET: "I can show you how to see the infection and remove it. Press the
key that looks like the windows logo, and then press the R key."
DG: "Ok. I pressed it."
ET: "What came up on your screen?"
DG: "A window that says 'Run'"
ET: "Good. Is there anything in the Open box?"
DG: "No."
ET: "Ok. Click the mouse into that box and type 'eventvwr'."
DG: "Ok, I did that. Now what?"
ET: "Now press OK"
DG: "Ok."
ET: "Did a new window open up?"
DG: "Yes, it says Event Viewer."
ET: "Good. Now read me the items in the first column."
DG: "Event Viewer (local), Custom Views, Windows Logs, Application
and Services, and Subscriptions."
ET: "Good! Now double click Custom Views and tell me what you see."
DG: "I see Cisco, ServerRoles, and Administrative Events."
ET: "Very good. Now click on Administrative Events."
<pause>
ET: "Did you click it?"
DG: "Yes. I'm reading some of these errors. There sure are a lot of
them!"
ET: "Let me check if these are your virus or not. Can you click on
one of them and read me what it says?"
DG: "Ok, I have one - it says Log Name: System, Source: Schannel,
eventID 36887, level Error, User SYSTEM, and there are a lot of them."
ET: "Let me look that up ... yes, that is the error. Let's try and
clean it for you. Can you right click on one of these errors and tell me
what the menu says?"
DG: "It says Event Properties, Attach task to this event, copy, save
selected events, refresh, and help."
ET: "Is there a delete option?"
DG: "<sad inflection in my voice> No..."
ET: "How about a 'Clean' option?"
DG: "<sadder inflection> No, I don't see a clean option either."
For the less technical: you are looking at the "Event Viewer", and it has
no delete or clean option for an individual event no matter what you do
(you can clear an entire log, but not remove one entry). Where they sent
me, the "Administrative Events" custom view, is simply a roll-up of every
Critical, Error and Warning event Windows writes to any of its logs, and
most of them are totally harmless. Really. The Schannel 36887 entries he
settled on, for example, are logged whenever a remote TLS endpoint sends a
fatal alert during a handshake; they record something a remote server
said, not something running on your machine. But a less technical user can
easily be scared into thinking something is wrong.
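To see for yourself what that view is made of, here is an added example in PowerShell (it is not part of the original post): it tallies recent Critical, Error and Warning events by provider, then pulls the text of the Schannel 36887 entries the caller seized on. It assumes an elevated Windows PowerShell prompt on Windows 7 or later; the 500-event sample size is an arbitrary choice to keep it quick.

```powershell
# Added example, not code from the original post.
# Administrative Events = Critical (1), Error (2) and Warning (3) events from
# every log. Sample the System and Application logs; -MaxEvents is arbitrary.
$admin = Get-WinEvent -FilterHashtable @{ LogName = 'System', 'Application'; Level = 1, 2, 3 } `
                      -MaxEvents 500 -ErrorAction SilentlyContinue

# Count by provider and severity so you can see what really generates the noise.
$admin |
    Group-Object ProviderName, LevelDisplayName |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10 |
    Format-Table -AutoSize

# The entries the scammer called "the virus". Schannel 36887 is written when a
# remote TLS peer sends a fatal alert during a handshake; the message carries the
# alert code. It describes what the other end said, not a process on this box.
$schannel = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36887 } `
                         -MaxEvents 5 -ErrorAction SilentlyContinue
$schannel | Select-Object TimeCreated, Id, Message | Format-List
```

If the second query returns nothing, the machine simply has not hit a server that sent a TLS alert recently; the first table will still show a handful of providers (disk, DNS client, service control manager) accounting for most of the "errors".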
ET: "Hmmm.... this is a bad virus. I'm going to have to connect you
with one of our techs online and they'll be able to further help in
cleaning this virus."
At this point, I had to stall him - I needed to spin up a virtual
machine so I could let him 'fix' a computer that I didn't care about and
one that also wouldn't have access to the rest of my network should he
load something really bad on it. I'll spare you the lame excuses
dialogue I threw at him to stall ...
DG: "Ok, sorry about that - I'm back now. Can you help me?"
ET: "Yes, hit the window button and R again. Then type
'www.computerprotection.webs.com' and press Enter."
I did and got this screen:
It is a website created on a free website hosting company that puts
its ads on the bottom. On it were 4 tools for remote control.
DG: "Yes, I did that."
ET: "Do you see the Ammyy Admin 3? Please click on it."
I did so and got a security warning as I'm downloading a program:
DG: "I have a file download - security warning. It is warning me that
files from the internet can potentially harm my computer."
ET: "This is not a file. It is software. Go ahead and click Run."
DG: "I'm not sure about this - it looks like it could harm my
computer. I've had people tell me not to download things - Are you sure
it is safe?"
I needed some time to get the network sniffer running in case this
was some bot client that I was about to infect my system with, so I
looked for excuses not to press Run and go with the flow. Eventually,
all I heard was:
<silence>
DG: "Hello?"
He was gone. Apparently I wasn't cooperating quickly enough.
Some quick research reveals more details about the scam:
https://www.allclearid.com/blog/from-the-allclear-investigators-watch-out-for-the-ammyy-com-scam
Read from others that were victims - read the comments and stuff
here:
http://download.cnet.com/Ammyy-Admin/3000-7240_4-75599137.html
So there you have it.
Maybe they will call me back soon ? Hmm.... I would love to have them
hork up a virtual machine of mine, get nothing, and have the whole scam
documented for the world to see. Maybe I should answer more of those
junk phone calls.
UPDATE 11/11/2014: They (or another set
of scammers) called me back! And I was ready for them!
It wasn't 100% the same, but I was able to run things to a conclusion
- so here are the highlights of the differences.
The caller ID did read a number: 21-277-7888 (yes, the area code
wasn't complete). This is confirmed as they called me the next day to
try to follow up and the guy identified himself as the same name as the
night before.
First up was "Kevin" - when I asked him for some details, he
described himself as "I work for the windows help and support department
- we are a service provider of Microsoft. We provide services associated
by them." <-- Kevin's exact words.
He wanted to read me a serial number to confirm that his number
matched mine to confirm the computer that was sending them these virus
reports. He had me open up a CMD prompt and type "assoc" and hit enter,
then look for the line that started with ".ZFSendToTarget", claiming
that he would read the serial number that was on his screen and if it
matched mine then he was looking at the report for my computer.
He read me:
.ZFSendToTarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}
"That serial number is your Target ID and your system sends it to us
to identify you. Did that match your number?"
I just smiled and said "Yes, it does!"
The truth of the matter is that this line is present on practically every
Windows PC. ASSOC simply lists file extensions and the file types they map
to, straight out of HKEY_CLASSES_ROOT; .ZFSendToTarget is the entry that
Windows' own Compressed (zipped) Folders shell extension registers, and the
{888DCA60-...} value is that component's class ID, identical on every
installation. It is not a serial number, and nothing on the machine sends
it anywhere. Here are some screen prints of the output from the ASSOC
command from my main work system, 3rd line down - Windows 7 64 bit desktop:
Windows 7 32 bit notebook:
Windows 7 32 bit virtual machine I had him playing in:
Windows Server 2003:
Windows XP:
Suffice to say, this was his method of trying to convince a
non-technical user that indeed he is getting reports from my system,
which is a total and complete lie.
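As an added example (not from the original post), the PowerShell below reads the same registry data ASSOC reports, follows the .ZFSendToTarget entry to the component Windows registers under that CLSID, and then prints a value that genuinely is generated per installation (the CryptoAPI MachineGuid) for contrast. It assumes Windows XP or later with read access to HKEY_CLASSES_ROOT and HKEY_LOCAL_MACHINE; every key and value name used is a standard Windows one.

```powershell
# Added example, not code from the original post.
# ASSOC reads the extension keys under HKEY_CLASSES_ROOT; this is the same data.
$ext    = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.ZFSendToTarget' -ErrorAction Stop
$target = $ext.'(default)'            # e.g. CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}
"assoc equivalent: .ZFSendToTarget=$target"

# The "serial number" is a class ID. Resolve it to the component Windows
# registers for it; InProcServer32 names the DLL that implements the class.
$clsid  = $target -replace '^CLSID\\', ''
$clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
$name   = (Get-ItemProperty -Path $clsKey).'(default)'
$dll    = (Get-ItemProperty -Path "$clsKey\InProcServer32").'(default)'
"CLSID $clsid is '$name', implemented by $dll"

# For contrast, something that does differ per installation: MachineGuid is
# generated when Windows is installed, so two PCs will not share it. The CLSID
# above ships with Windows itself, so every PC shares it.
$guid = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Cryptography').MachineGuid
"Per-install identifier for comparison: $guid"
```

Run it on two different machines: the first two lines come out identical, the last one does not. That is the whole of Kevin's "Target ID" trick.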
So now he wanted me to use the service showmypc.com to let him see my
screen.
Since I was on a virtual machine set up in a sandbox that he could trash
with whatever he wanted, and I wouldn't care because I could discard all
these changes and restore it to a snapshot taken before he started
molesting my machine: go right ahead! Control it all you want!
Meanwhile, I was capturing all the data just to see if he was going to
try and infect me with something or not.
Once connected, he ran task manager and showed me the evil process
that was running on my computer:
"Do you see the last line? csrss.exe? That isn't describing itself
and it isn't running as you, this is malware that is waiting for you to
do your online banking [which of course I had already said I do] and
access any sensitive information."
To prove this, he searched for csrss.exe on Google and look what came
up as the number 1 hit:
Now in reality, while other systems could have had this infection, I
know this system is clean.
For those of you following along at home - a bit more technical stuff
for a second - if you check the box that says 'Show processes from all
users" you'll see it is a SYSTEM process and does have a description:
You can also run Process Explorer, pick that process, and verify the
digital signature matches the digital signature that Microsoft
publishes:
When I hit the Verify button, it greyed out while the image's digital
signature was calculated and compared, and it verifies.
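The two checks above, who the process runs as and whether its image carries a valid Microsoft signature, can be scripted. This is an added example, not code from the original post: it assumes an elevated Windows PowerShell prompt and uses Get-Process, WMI's Win32_Process.GetOwner and Get-AuthenticodeSignature. One caveat: csrss.exe, like most Windows system binaries, is signed through a security catalog rather than an embedded signature, and older Windows PowerShell versions report such files as NotSigned. Process Explorer and Sysinternals sigcheck do check the catalogs, so a NotSigned result on a file in System32 means "verify with one of those", not "unsigned".

```powershell
# Added example, not code from the original post. Run elevated: without
# elevation Windows will not let you open csrss.exe, which is exactly why
# Task Manager shows it with a blank user and description.
$procs = Get-Process -Name csrss -ErrorAction Stop

foreach ($p in $procs) {
    # Owner via WMI (Get-Process -IncludeUserName needs PowerShell 4 or later).
    $owner = (Get-WmiObject Win32_Process -Filter "ProcessId = $($p.Id)").GetOwner()
    $user  = "$($owner.Domain)\$($owner.User)"

    # The image path is only readable when elevated; a real csrss.exe lives in System32.
    $path       = $p.Path
    $inSystem32 = [bool]$path -and ($path -ieq (Join-Path $env:SystemRoot 'System32\csrss.exe'))

    # Authenticode check: the equivalent of Process Explorer's "Verify" button.
    if ($path) {
        $sig        = Get-AuthenticodeSignature -FilePath $path
        $status     = $sig.Status          # Valid, NotSigned (see caveat), HashMismatch, ...
        $signedByMs = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*Microsoft*')
    } else {
        $status     = 'path not readable (run elevated)'
        $signedByMs = $false
    }

    [pscustomobject]@{
        PID             = $p.Id
        User            = $user            # expect NT AUTHORITY\SYSTEM
        Description     = $p.Description   # expect "Client Server Runtime Process"
        Path            = $path
        InSystem32      = $inSystem32
        Signature       = $status
        MicrosoftSigned = $signedByMs
    }
}
```

A csrss.exe running from any directory other than System32, or owned by an ordinary user account, would be worth worrying about; one that is SYSTEM, in System32 and verifies is the normal Windows subsystem process the scammer pretended was malware.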
Ok, exiting geeky mode - sorry for the slight divergence.
Now he passed me over to "Andrew" who is one of their "senior
technicians" who will assist me further.
In reality, he is one of their senior scam artists... SORRY FOR THE
SPOILER - I'm getting ahead of myself.
Andrew runs a "netstat -a" command to show me all the connections my
system was making to outside services and help identify the "bot" that
had taken over my computer.
Netstat does indeed show every connection your computer has open to
anything else, as well as every port it is listening on. Run as "netstat
-ano" it also prints the PID that owns each connection (and "netstat -b",
elevated, prints the executable), which is all it takes to tie a line to
the program behind it.
He pointed out a couple of lines and IP addresses that my computer was
connected to. At this point we were probably 45 minutes into the call
and I was actually getting hungry, so I decided to stop playing Dumb
David and pose a challenge to him.
"That line you say is the malware / bot that is making a connection
out to the internet - isn't that the program you are using to see my
screen? Isn't that using my internet connection?"
"Oh, no sir! We are connecting to your computer via our Windows
Server and not using the Internet. That line shows your system is
infected with malware and when you next log into your bank account it
will send that information into the botnet where people can then access
your account."
There is no nice way to say this - but his line was total bullshit.
There is no way he could see my screen if my system wasn't making a
connection to someplace else, with the exception of if he was standing
over my shoulder.
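Here is the check a practitioner would put against Andrew's claim, as an added example that is not part of the original post: it parses "netstat -ano" and joins each TCP connection to the process that owns it, so the line he called a bot can be tied to a process name and path. If that process is the remote-control client he had you install, the connection is his. It assumes Windows PowerShell on Windows 7 or later; netstat -ano itself needs no elevation, but resolving the path of another user's process does.

```powershell
# Added example, not code from the original post.
# netstat -ano prints protocol, local address, remote address, state and owning PID.
$rows = netstat -ano | Where-Object { $_ -match '^\s*TCP\s' }

$rows | ForEach-Object {
    $f = $_ -split '\s+' | Where-Object { $_ }      # drop the empty leading field
    $proto, $local, $remote, $state, $procId = $f[0], $f[1], $f[2], $f[3], [int]$f[4]
    $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Proto   = $proto
        Local   = $local
        Remote  = $remote
        State   = $state
        PID     = $procId
        Process = if ($proc) { $proc.ProcessName } else { '<unknown>' }
        Path    = if ($proc) { $proc.Path } else { $null }   # $null unless elevated
    }
} |
    # Keep live connections to other hosts; loopback traffic is not "the Internet".
    Where-Object { $_.State -eq 'ESTABLISHED' -and $_.Remote -notmatch '^(127\.|\[::1\])' } |
    Sort-Object Process |
    Format-Table -AutoSize
```

With the screen-sharing session still up, the remote-control tool shows up in this table holding exactly the connection the "senior technician" points to. On Windows 8 / Server 2012 and later, Get-NetTCPConnection -State Established returns the same data with an OwningProcess field and no text parsing.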
So they finally got to the close of the sale - they offered to
install software on my system that would protect me from malware,
viruses, spyware, botnets, speed up my PC, and bring peace to all the
countries of the world - all that could be mine for $199 for 1 year,
$249 for 5 years, or $299 for a lifetime of protection and security.
I said "Well, considering this is a virtual machine that I regularly
trash and don't care about - which is why I was willing to let you look
at it - I don't think I want to buy the product right now" and
terminated the call.
To their credit, I was guessing they were going to infect me with
something. I guess it is more lucrative to collect $200-300 from people
that don't know any better than to use this method to spread infections.
I can't say if the product they would install is good or not, but I can
say they lied about everything up to that point -
- My system wasn't sending them any data at all
- My system wasn't infected with anything
- What they identified as malware / bot connection was really their connection to me
- Their connection to me was using the Internet
With all those lies, why should I believe anything coming out of
their mouths?
There is a joke in poker:
Q: "How do you know when a poker player is lying?"
A: "His lips are moving."
Q: "How do you know when a poker player is telling the truth?"
A: "When he is calling the poker player next to them a liar."
CONCLUSION:
Don't fall for scams like this one!
If you found this helpful, please send me a brief email -- one line
will more than do. If I see people need, want, and / or use this kind of
information that will encourage me to keep creating this kind of content.
Whereas if I never hear from anyone, then why bother?
If you have experienced the same thing, please share your story!
I can be reached at:
das (at-sign) dascomputerconsultants (dot) com
Enjoy!
David Soussan
(C) 2014 DAS Computer Consultants,
LTD. All Rights Reserved.