The TeslaCrypt puzzle

For eWeek, Robert Lemos observes Security Researchers Puzzled by Demise of TeslaCrypt Ransomware.

To be honest, I think the media are more preoccupied with the reasons behind the TeslaCrypt group’s actions than security researchers are in general, but I was happy to give him the benefit of my prejudices (sorry, opinions), and flattered that he gave them so much space.

David Harley

Tech support scammers impersonating ISPs

A Malwarebytes blog article adds to our knowledge of current support scam tricks by describing how Scammers Impersonate ISPs in New Tech Support Campaign. Scammers have, in fact, impersonated ISPs before, though not as often as they’ve pretended to be Microsoft (or to be working on behalf of Microsoft), and not as often as I expected when I wrote about this possibility back in 2010.

The difference here is that they’re not simply ringing up and saying ‘I’m from your ISP’ or even ‘I’m from Verizon’ (which rings a slight alarm bell if you know your service provider is a completely different company). They’re using a nifty little wrinkle to determine the victim’s ISP from his or her IP address (not a difficult lookup: the address block a visitor connects from is publicly registered to the provider that owns it). I remember with some regret the days when a support scammer couldn’t even lie convincingly about knowing your IP address, but the scams have come to rely on increasingly sophisticated tricks, and on a barrage of pop-ups aimed at getting you to ring them rather than vice versa. Clearly, such a pop-up message is more effective if it’s actually customized to correspond to a potential victim’s real ISP, and it may even take the form of a customized audio message.

Once they do get you on the phone, though, it seems they still lean heavily on old favourite ploys, for example the INF ploy noted in the Malwarebytes article. Here’s a description of how it works from another of my articles.

INF and PREFETCH look like system commands but are really just the names of legitimate system folders: typing “prefetch” into the Run box opens C:\Windows\Prefetch, which holds the files Windows uses to speed up the loading of programs you’ve run before. Typing “inf” opens the folder normally named C:\Windows\Inf, which contains setup information files used in installing the system and its drivers. So how are they misused by scammers? By asking a victim to press Windows-R to get the Run dialogue box, then asking them to type in something like “prefetch hidden virus” or “inf trojan malware”. When a folder listing appears, the victim believes that the system is listing malicious files. In fact, the Run box only uses the first word to decide what to open, and a folder accepts no parameters, so the rest of the line is simply discarded. You could type “inf elvish fantasy” or “prefetch me a gin and tonic” and you’d get exactly the same directory listing, showing legitimate files.

And, of course, I still see innumerable reports of scammers using the tired old CLSID gambit. Evidently these things still work. Perhaps they’re more convincing when they come from a ‘support desk’ that you’ve been misdirected into ringing, rather than from a random cold-caller, but they’re still the same old drivel.
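To make the mechanism behind the INF/prefetch ploy (and the closely related CLSID gambit) concrete, here is an added PowerShell example. It is not part of the original post or of the Malwarebytes article; it assumes a standard Windows installation with the usual %SystemRoot% layout, and the function name Resolve-RunBoxTarget is my own. It mimics what the Run box does with the first word of what you type, and shows that two quite different ‘malware’ phrases open exactly the same folder.

```powershell
# Added example, not from the original post.
# The Run dialogue treats the first whitespace-delimited token as the thing to open
# and hands the remainder over as arguments. Run looks for that token in the current
# directory, in %SystemRoot% and on the PATH. "inf" and "prefetch" both resolve to
# folders under %SystemRoot%, so Explorer opens the folder and the "arguments"
# ("trojan malware", "hidden virus") are simply thrown away.

function Resolve-RunBoxTarget {
    param([Parameter(Mandatory)][string]$CommandLine)

    $first, $discarded = $CommandLine.Trim() -split '\s+', 2
    $candidate = Join-Path $env:SystemRoot $first          # assumption: %SystemRoot% lookup

    if (Test-Path -LiteralPath $candidate -PathType Container) {
        return [pscustomobject]@{
            Typed     = $CommandLine
            Opens     = (Get-Item -LiteralPath $candidate).FullName
            Discarded = $discarded
            IsFolder  = $true
        }
    }
    # Anything else would be handed to ShellExecute as a program plus its arguments.
    [pscustomobject]@{ Typed = $CommandLine; Opens = $first; Discarded = $discarded; IsFolder = $false }
}

# The scammer's phrase and a nonsense phrase resolve to the very same folder.
$scam   = Resolve-RunBoxTarget 'inf trojan malware'
$silly  = Resolve-RunBoxTarget 'inf elvish fantasy'
$scam, $silly | Format-Table Typed, Opens, Discarded, IsFolder -AutoSize
"Same listing either way: {0}" -f ($scam.Opens -eq $silly.Opens)

# What the "scary" listings actually contain: prefetch traces (*.pf) for programs
# that have run on this machine, and setup information files (*.inf) for drivers.
Get-ChildItem (Join-Path $env:SystemRoot 'Prefetch') -ErrorAction SilentlyContinue |
    Group-Object Extension | Select-Object Name, Count
Get-ChildItem (Join-Path $env:SystemRoot 'Inf') -File -ErrorAction SilentlyContinue |
    Group-Object Extension | Sort-Object Count -Descending | Select-Object -First 5 Name, Count

# The CLSID gambit relies on the same confusion. "assoc" in cmd.exe lists file-type
# associations; the CLSIDs it prints are class identifiers baked into Windows and are
# identical on every installation, not a licence key or machine ID unique to the victim.
cmd.exe /c assoc | Select-String 'CLSID' | Select-Object -First 5
```

Running it on two different PCs is the cleanest demonstration for a worried relative: the ‘virus listing’ is the same sort of listing on both machines, and the CLSID lines from assoc match exactly. Note that reading C:\Windows\Prefetch may require an elevated prompt on some systems, which is why the listing uses -ErrorAction SilentlyContinue.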

David Harley

Beating the ‘Microsoft scam’

On the SC Magazine web site, Biocatch’s VP of Product Management Oren Kedem asks ‘After a decade, why can’t we finally be rid of the Microsoft scam?’ Which is slightly odd, in that he reckons the support scam (no, he wasn’t talking about the way Microsoft is pushing Windows 10!) has been around since ‘at least 2009 in one form or another’. Well, I first heard about it in 2010, but Steve Burn, something of an authority on the sites that push these ‘solutions’, has indeed been following them since 2009. Still, that’s rather less than a decade.

That doesn’t invalidate Kedem’s central point, though. In spite of all the publicity we’ve given to these scams, they’re still clearly operational. While much of the action has shifted away from cold-calling to decoy popups and fake alerts, seeding undesirable URLs via SEO and social media, and even real malware, I still see reports on the ESET blog from people who’ve fallen for tricks like the old CLSID gag. Of course, they haven’t necessarily been cold-called, but the scammers are clearly still using tried and tested gambits to ‘prove’ that the victims need their help.

Kedem suggests that education fails because people fly into a panic and forget what they’ve been told when a scammer actually captures their attention. There’s probably something in that, but in my experience people tend to be fairly good at spotting a scam that’s close to something they’ve previously been warned about. However, they’re not so good at extrapolating from one scam to another when the underlying mechanism is the same, but the gambit used appears quite different. Which is why I try to demonstrate attack principles as well as just describing an attack. (That often goes for technical attacks as well as social engineering.)

Unfortunately, support scam attacks have proved fairly adaptable over the years. While the scammers themselves are often far from bright, the scripts they work from are sometimes pretty clever. (Fortunately, a not-so-bright scammer will very quickly sound much less convincing if you nudge them away from the comfort of an anticipated response. They’ll tend to desperately try to get you back on script, often by ignoring awkward questions and repeating scripted material until it’s clear they’re not going to get anywhere.) Still, the social engineering gambits they use in those scripts (and even the more technical approaches we’ve seen recently) are often far brighter than the call-centre drones that deliver them.

Kedem does make an interesting suggestion about making bank employees identify themselves with a ‘code of the month’ which might have possibilities for reducing phishing. Unfortunately, I can’t see how it would help with the ‘Microsoft scam’. And while there are ways of implementing educational programmes that might have more impact, getting the home users who are the main targets of support scamming to undergo suitable training may not be so easy.

David Harley

FLocker: Android Ransomware meets IoT

An article for Trend Micro by Echo Duan illustrates one of the complications of having an operating system that works on and connects all kinds of otherwise disparate objects: FLocker Mobile Ransomware Crosses to Smart TV.

Of course, embedded versions of operating systems such as other versions of Linux, Windows and so on, are not in themselves novel. FLocker, however, seems to lock smart TVs as well as Android phones, as long as they’re not located in one of a number of Eastern European countries. It claims to be levying a fine on behalf of a law enforcement agency: apparently another of those agencies that prefers its fines paid in iTunes gift cards. As Zeljka Zorz points out for Help Net Security, this doesn’t say much for the credibility of the criminals, but if your device and data have become unavailable to you, knowing that they’re criminals and not the police doesn’t help much.

While the malware locks the screen, Trend tells us that the C&C server collects ‘data such as device information, phone number, contacts, real time location, and other information. These data are encrypted with a hardcoded AES key and encoded in base64.’

Unsurprisingly, Trend’s advice is to contact the device vendor for help with a locked TV, but the article also advises that victims might also be able to remove the malware if they can enable ADB debugging. How practical this would be for the average TV user, I don’t know.

Back in November 2015 Candid Wueest wrote for Symantec on How my TV got infected with ransomware and what you can learn from it, subtitled “A look at some of the possible ways your new smart TV could be the subject of cyberattacks.” Clearly, this particular aspect of the IoT issue has moved beyond proof of concept.

I’ve cited this before, but it’s worth doing again. Camilo Gutierrez, one of my colleagues at ESET (security researcher at the Latin America office) notes that:

… if the necessary precautions are not taken by manufacturers and users, there is nothing to prevent an attacker from seizing control of a device’s functionality and demanding money to return control. Perhaps this is not a threat we expect to see much of in the near future, but we shouldn’t lose sight of it if we are to avoid serious problems later.

Just as I was about to post this, I noticed additional commentary by David Bisson for Graham Cluley’s blog. He notes that there’s an interesting resemblance between FLocker’s interface and the earlier ‘police’ ransomware he calls Cyber.Police.

David Harley

Crysis? What Crysis?

Ondrej Kubovič for ESET: Beyond TeslaCrypt: Crysis family lays claim to parts of its territory. The ransomware that ESET calls Win32/Filecoder.Crysis encrypts files on fixed, removable and network drives.

It uses strong encryption algorithms and a scheme that makes it difficult to crack in reasonable time.

It encrypts everything except system files and its own bits and pieces, and charges between 400 and 900 euros. However, ESET users may be able to recover files encrypted by older versions with the help of ESET technical support.

David Harley

Support scam alert from the FBI

Another FBI alert, this time summarizing an increase in reports of tech support scams. While law-enforcement alerts are often behind the curve, there are several points well worth noting here:

  • The addition of two approaches to initial contact that have been particularly noticeable recently:
    • Via BSOD/locked screen
    • Addition of an audio message urging the victim to report the issue to a fake support line
  • An uptick in the variation where the scammer offers a ‘refund’ on ‘services’ previously paid for. This isn’t the technique much favoured by 419 scammers where the scammer takes advantage of the time it can take for a cheque to clear. Instead, the scammer persuades the victim to give the scammer remote access to the victim’s account as well as to his or her PC.

Data breaches used as basis for extortion

Not ransomware, but related in that it clearly involves extortion/blackmail: the FBI has issued an alert about Extortion E-Mail Schemes Tied To Recent High-Profile Data Breaches. The threatening messages arrive in the wake of a flood of revelations of high-profile data thefts. The ready availability of stolen credentials is used by crooks to convince victims that they have information that will be released to friends ‘and family members (and perhaps even your employers too)’ unless a payment of 2-5 bitcoins is received.

The generic nature of some of the messages quoted by the FBI doesn’t suggest that the scammer has any real knowledge of the targets or of information that relates to them.

‘If you think this amount is too high, consider how expensive a divorce lawyer is. If you are already divorced then…’

This sounds more like mass mailouts in the hope that some will reach a target sufficiently guilt-ridden to pay up just in case. Other messages may well frighten some people, fearful of being ‘doxed’, into paying up in case their personally-identifiable information falls into the wrong hands.

David Harley

DNS Unlocker

James Rodewald has put up an interesting article for ESET on a DNS hijacker. It’s actually the way it conceals its activity that’s of most interest: however, this will also interest followers of this blog:

Typically a computer user affected by DNS Unlocker will see advertisements with a note at the bottom saying, “Ads by DNSUnlocker” … or something similar and multiple different variations of “support scam” pop-ups …

Crouching Tiger, Hidden DNS
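Since the interesting part of DNS Unlocker is how it hides its changes to the resolver settings, here is an added PowerShell check (not from the ESET article, and not a detection for DNS Unlocker specifically) that shows, for each active adapter, where the DNS servers in use actually come from. It reads the raw NameServer value under each interface’s Tcpip registry key rather than trusting the network connection GUI, and compares it with what DHCP handed out. The function name Get-DnsServerOrigin is my own; the registry path and the DnsClient/NetAdapter cmdlets are standard on Windows 8/Server 2012 and later.

```powershell
# Added example, not from the original post or the ESET article.
# A DNS hijacker that survives a glance at the adapter properties has usually written
# a static NameServer value for the interface. Compare that raw value with the
# DHCP-supplied one and with what the resolver is really using right now.

function Get-DnsServerOrigin {
    $ifaceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

    foreach ($adapter in Get-NetAdapter | Where-Object Status -eq 'Up') {
        # Interface keys are named by the adapter's GUID, braces included.
        $reg  = Get-ItemProperty -Path (Join-Path $ifaceKey $adapter.InterfaceGuid) -ErrorAction SilentlyContinue
        $live = (Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4).ServerAddresses

        $static = [string]$reg.NameServer        # empty when the adapter uses DHCP for DNS
        $dhcp   = [string]$reg.DhcpNameServer    # what the DHCP server offered

        [pscustomobject]@{
            Adapter          = $adapter.Name
            InUse            = ($live -join ',')
            StaticNameServer = $static
            DhcpNameServer   = $dhcp
            # A static override that differs from the DHCP offer deserves a second look;
            # on a home PC nobody should have set one.
            Suspicious       = (-not [string]::IsNullOrWhiteSpace($static)) -and ($static -ne $dhcp)
        }
    }
}

Get-DnsServerOrigin | Format-Table -AutoSize
```

On a corporate machine a static entry is often legitimate, so treat Suspicious as a prompt to check the addresses against the ones your IT department or ISP actually runs, not as a verdict. Run it from an elevated prompt if the registry read returns nothing.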

David Harley

Flash Player exploit -> Angler -> CryptXXX

John Leyden heralds a post apparently due to appear on the Malwarebytes site later today (25th May 2016) about a wave of malvertising exploiting the Flash Player vulnerability (CVE-2016-4117) recently addressed by Adobe, in order to direct victims to the Angler exploit kit and launch infection with the CryptXXX ransomware.

I’m guessing that we’re talking about CryptXXX 3.0, which I wrote about earlier today: CryptXXX 3.0: gang breaks own decryptor.

Worth looking out for (the article and the malware).

[Added: Malwarebytes article now published as New Wave of Malvertising Leverages Latest Flash Exploit. Jerome Segura observes:

The ads are typically clean of any malware for anyone trying to manually verify them. The JavaScript code looks benign no matter how many times you refresh the page or rotate IP address. This is because the rogue version of the JavaScript is served conditionally, with the proper referer, user-agent, sometimes even your screen resolution, and several other parameters.

Very interesting.]

David Harley


CryptXXX 3.0: gang breaks own decryptor

On May 24th 2016, the CryptXXX situation took a turn for the worse. Lawrence Abrams reported for Bleeping Computer that CryptXXX version 3.0 not only prevented Kaspersky’s RannohDecryptor from enabling victims to decrypt their files for free, but also had the (presumably unintended) effect of breaking the criminals’ own decryption tool. In other words, even paying the ransom doesn’t, at the time of writing, guarantee that you’ll get a working decryptor. When a ransomware gang screws up, it doesn’t always work to the benefit of the victim.

Bleeping Computer has some resources specific to CryptXXX: CryptXXX Support & Help Topic; the CryptXXX Ransomware Help, Information Guide, and FAQ.

David Harley