Monthly Archives: January 2016

‘Educational’ ransomware

An article by David Bisson – Ransomware author tries to blackmail security researcher into taking down ‘educational’ malware project – looks at the complicated relationship between unequivocal ransomware (Magic, Ransom_Cryptear.B) and open-source ‘educational’ malware (Hidden Tear, EDA2). Not to mention the unfortunate affair of the free-hosting service that suspended the author’s account and deleted the data, so that even the criminal is now unable to decrypt affected files.

David Harley

Android.Lockdroid.E

Martin Zhang blogs for Symantec about the Android ransomware the company calls Android.Lockdroid.E here: Android ransomware variant uses clickjacking to become device administrator

The malware passes itself off as a porn app. It encrypts files, but if it succeeds in gaining access rights, it also has the ability to lock the device, change the PIN, and delete data via a factory reset.

The clickjacking technique it uses apparently works with versions of Android prior to version 5.0. Unfortunately, that may include up to 67% of Android devices.

Commentary by Pierluigi Paganini here.

Commentary by The Register here: Two-thirds of Android users vulnerable to web history sniff ransomware – Crooks want you to pay up on pain of severe embarrassment – and more

David Harley

TalkTalk and Wipro still TalkTalking?

A slightly opaque story about TalkTalk and arrests at the Indian call centre it’s been using to lighten its support load.

Adding to the Support Scam Resource Page, though it’s not clear exactly what the scam was from TalkTalk’s statements.

David Harley

Support Scams and the Security Industry

For Graham Cluley’s blog, David Bisson summarizes the story of how Symantec ended its agreement with one of its partners after Jérôme Segura reported for Malwarebytes on how the partner was using tech support scam techniques to trick customers into buying Norton Antivirus and a year’s support at prices well in excess of the price point set by Symantec.

You may recall that I also commented here on the story last week, though I focused on slightly different issues.

Among the classic scam ploys used by the scammer Jérôme talked to were the notorious CLSID misrepresentation and the misrepresentation of the legitimate Windows utility csrss.exe (Client/Server Runtime SubSystem). While this is an essential component of modern Windows versions, malware does sometimes use the same filename in the hope of making it harder to detect, and purveyors of support scams sometimes use the Task Manager (as in this case) or another utility such as Tasklist.

In fact, if you run one of these utilities, you’ll find that you have lots of legitimate processes running with names that are sometimes associated with malicious software (for example, lsass.exe and svchost.exe) but the processes are legitimate and often essential. The scammer doesn’t care about this, of course: he just wants to ‘prove’ to you that there are ‘malicious’ processes on your system, so that you’ll let him have remote access to it and charge you accordingly. The value to the scammer of using a filename that is also used by malware is that they can direct you to Google searches that will lead you to alarming references to the ‘csrss.exe virus’ or Trojan. Some of these links are malicious, some are well-meant but misleading, and some are genuinely informative. However, the scammer is not going to encourage you to read anything that is really informative.
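The scammer’s ‘proof’ relies on the name of a process alone. What distinguishes the genuine csrss.exe, lsass.exe or svchost.exe from a malicious file of the same name is where it runs from and who signed it. The script below is an added example, not code from the blog post or from any of the vendors mentioned: it lists the processes carrying those well-known names and reports, for each one, whether its image sits in %SystemRoot%\System32 and carries a valid Microsoft signature. The watch list and the function name Test-SystemProcessImage are my own choices, and the script assumes an elevated PowerShell prompt so that the image path of protected processes is readable.

```powershell
# Added example, not from the blog post: check that processes carrying
# well-known Windows system names are the genuine Windows binaries.
# Assumptions: Windows 7 or later, PowerShell 5.1 or later, run from an
# elevated prompt so the image path of protected processes (csrss.exe,
# lsass.exe) is readable. The watch list below is constructed for this example.

$SystemDir = Join-Path $env:SystemRoot 'System32'
$WatchList = @('csrss.exe', 'lsass.exe', 'svchost.exe')

function Test-SystemProcessImage {
    param([string[]]$Names = $WatchList)

    # Win32_Process exposes the on-disk image path of each process.
    $procs = Get-CimInstance -ClassName Win32_Process |
        Where-Object { $Names -contains $_.Name.ToLower() }

    foreach ($p in $procs) {
        $path = $p.ExecutablePath
        $result = [pscustomobject]@{
            Name       = $p.Name
            ProcessId  = $p.ProcessId
            Path       = $path
            InSystem32 = $false
            SigStatus  = $null
            Verdict    = 'UNKNOWN'
        }

        if (-not $path) {
            # No readable path usually means a protected process seen from a
            # non-elevated shell; say so rather than guess.
            $result.Verdict = 'UNKNOWN: image path not readable, rerun elevated'
            $result
            continue
        }

        # A genuine copy lives in %SystemRoot%\System32. A file of the same name
        # in a profile or temp directory is the masquerade the post describes.
        $result.InSystem32 = ((Split-Path -Path $path -Parent).TrimEnd('\') -ieq $SystemDir)

        # Signature check. Many Windows binaries are catalog-signed; on Windows 8
        # and later Get-AuthenticodeSignature resolves catalogs, on Windows 7 it
        # may report NotSigned for a genuine file, so the path check comes first.
        $sig = Get-AuthenticodeSignature -FilePath $path
        $result.SigStatus = $sig.Status
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        if ($result.InSystem32 -and $sig.Status -eq 'Valid' -and $signer -like '*Microsoft*') {
            $result.Verdict = 'OK: expected location, valid Microsoft signature'
        } elseif ($result.InSystem32) {
            $result.Verdict = 'REVIEW: expected location but signature not verified'
        } else {
            $result.Verdict = 'REVIEW: unexpected location for a system binary'
        }
        $result
    }
}

Test-SystemProcessImage | Format-Table -AutoSize
```

On a healthy machine every row comes back with the System32 path and an OK verdict (or, on Windows 7, a REVIEW on signature only, because of catalog signing). Several svchost.exe rows are normal; what would merit a closer look is a row whose path lies outside System32, which is exactly the case a screenshot of Task Manager cannot distinguish.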

I particularly like David’s suggestion that:

If you come across a fake anti-virus alert, collect screenshots, audio, and whatever other data you can document about the messages, and then post those files on the affected anti-virus firm’s forum. Those companies will take no greater pleasure than in shutting down someone exploiting their potential customers.

While no-one in this business likes to see scammers getting away with anything, it’s particularly satisfying when we’re able to take direct action against those whose actions are responsible for blackening the reputations of an industry which, by and large, tries harder than most to behave honourably and ethically. Of course, I wouldn’t want to discourage you from reporting scammers to law enforcement, either. No doubt they make good use of the information even if they tend not to talk about it.

It’s worth mentioning that forums aren’t the only way to contact a security company. If you have a support agreement with a vendor, you can certainly talk to its support desk. Most companies have an address to which you can send malicious samples and links. And some of us who write about this stuff get lots of comments to our blogs. That CLSID blog I mentioned above has attracted many hundreds of comments. I can’t reply to them all, but I do read them, and sometimes they provide material for further research and writing. One I really liked recently observed:

“This scammer called today and I played along. When he read my CLSID I googled “CLSID” and found this page. I told him that I had googled it and found that everyone has that CLSID. He told me that my google was broken. Best laugh of the day!”

Fortunately, people aren’t generally as dumb as scammers believe they are. There’s a difference between not knowing much about technology and being stupid. Though in these days of elaborate online scams, it really is smart to go out of your way to learn more about the technology you use than the bare bones of logging in and typing in text.

David Harley

The Lure of the Support Scam

We’re all too familiar with tech support scammers claiming to represent Microsoft or other impressive names like Cisco or Apple. And sometimes we find them claiming to represent security companies in some way.

To cite some instances mentioned in a paper presented at Virus Bulletin in 2012 by myself, Martijn Grooten (Virus Bulletin), Steve Burn (Malwarebytes) and Craig Johnston (an independent researcher and former colleague at ESET):

  • We know of a number of instances where fake or cracked security software has been sold to victims by scammers claiming to represent legitimate security vendors in some way.
  • A scammer who talked to Craig claimed that his company was installing legitimate copies of a commercial product called Registry Mechanic. We were unable to verify that claim, but we do know for sure that it’s common for scammers to install free (or free versions of) various utilities as part of their service. (Which is, of course, not free.)
  • Microsoft terminated its relationship with Gold partner Comantra because of all the complaints about Comantra’s practices.

We also cited the case of iYogi – recently accused by the state of Washington of engaging in support scam practices – to which Avast! was actually outsourcing the provision of legitimate support to users of Avast!’s free products, until similar allegations were made about iYogi.

A common current ploy is to lure victims into calling a helpline passing itself off as being hosted by a legitimate security-oriented company, by using some kind of popup fake alert. For obvious reasons, companies like Symantec and McAfee are frequently targeted for this kind of attack. However, Jérôme Segura for Malwarebytes reports a case where the scammer is claimed to be ‘an official member of the Symantec Partner Program’. Segura explains:

We immediately reported all of our evidence to Symantec who took this case very seriously and confirmed that this company was indeed a member of the program. Symantec also let us know that they were going to take immediate action to resolve this issue.

Reassuringly, he also reports that the alleged scam site was subsequently taken down.

The article also indicates that the Malwarebytes brand has also been misused by scammers charging ridiculous prices for its product.

There are clear advantages to a support scammer in cosying up to a legitimate, ethical company, and scammers are apparently not averse to ‘inflicting brand and reputation damage’ on their partners.

However, I suspect that there are still plenty of scammers claiming to support products with which they have no genuine connection. Or interest, come to that, except as a means of promoting their own dubious products and services. It’s amazing how eager many ‘support lines’ are to point out the (usually mythical) limitations of the product they claim to support, in order to promote their own service or product.

If you follow this blog, you are almost certainly aware of the sort of popup alert I’m referring to above. But that’s not the only lure used by support scammers. A little time spent with your favourite search engine using terms like ‘[your chosen security product] + tech support’ is likely to turn up lots of links to sites that have no connection to the product or vendor, but claim to offer tech support for it.

I can only recommend that if you think you have a problem with your security product of choice, you make your first port of call a web site that you know is maintained by the company that makes the software. After all, if it’s a product that you actually paid for, the chances are that you can get (at least some) support from the vendor without extra cost. This is unlikely to be the case with a free product – one of the reasons I’m lukewarm about recommending free security software, though a genuine free security product is better than no security at all. Nevertheless, a responsible vendor will always offer some indication of somewhere where you can get support, even if it means upgrading to a for-fee version. And while there are instances of a vendor being unaware of the unethical behaviour of one of its partners, these are very much the exception rather than the rule. It’s much more common for a scammer to claim a non-existent relationship with the vendor.

However, if you trust your support to a helpline you found via a search engine, there’s a good chance that you’ll stumble upon a company that knows more about SEO (search engine optimization) than it does about reliable support. Or ethics, or honesty.

It’s not that there aren’t honest support sites out there: the difficulty is in identifying which are honest, and which are scammers. A security vendor might not always know when it’s partnered with a scammer, but it does know which companies are genuine partners.

David Harley

ESET on Ransomware

While this blog is essentially vendor-independent, the new report from ESET’s team in Latin America (with some contributions from my colleagues in North America) – Trends 2016: (In)Security Everywhere – includes a section on ransomware by Camilo Gutierrez that you may well find of interest. (Indeed, I’ve already quoted it on the Ransomware Resource page.)

It’s a pretty lengthy report, so you may well find other topics of interest in there: here’s the introductory blog article: ESET Trends for 2016: Threats keep evolving as security becomes part of our lives

David Harley

Ransomware, the Cloud, and DDoS

Ransoming the Cloud

On the ransomware resources page, I recommended:

Back up your data to an external device. And to cloud services as well, if you like. Bear in mind, though, that if your data is backed up somewhere that’s ‘always on’ while you’re using your computer, there’s a risk that ransomware (or other malicious software) might be able to encrypt, delete or corrupt your backed-up data too. For the same reason, don’t try to reinstall backed-up files from an off-line resource (at any rate, a write-enabled offline resource) until you’re sure the malware is no longer present and active on your system.

In Ransomware a Threat to Cloud Services, Too Brian Krebs notes an instance where, when one of Children in Film’s employees opened an attachment passed off as an invoice: within 30 minutes, over 4,000 files on a cloud server, mounted as a local drive, had been encrypted by Teslacrypt. Fortunately, according to Krebs, the cloud hosting company kept daily backups and the company was able to use BleepingComputer’s TeslaDecoder to decrypt the files without paying the extortionists, but the inconvenience was still significant.
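The Children in Film incident illustrates the caveat above: a backup that is mounted as a drive while you work is just another set of files the malware can reach. One practical defence is to know what the backup looked like while it was clean, so that you can tell before restoring whether it was touched. The script below is an added example, not code from the blog post, from Krebs, or from BleepingComputer: it records a SHA-256 manifest of a backup set and later compares the set against it, reporting files that have changed, gone missing, or appeared, with a byte-entropy figure as a hint of encryption. The function names (New-BackupManifest, Test-BackupManifest, Get-ByteEntropy) and the paths in the usage lines are my own, constructed for the example; it assumes the manifest is kept somewhere the backup volume cannot overwrite.

```powershell
# Added example, not from the blog post: record a hash manifest of a backup
# set while it is known to be clean, then verify the set before restoring.
# Backups reachable as a mounted drive during an infection show up as a burst
# of CHANGED files with near-random content, plus NEW files (ransom notes,
# renamed copies). Assumptions: PowerShell 5.1 or later; $BackupRoot is the
# backup location (a constructed path in the usage lines); the manifest is
# stored somewhere the backup volume cannot overwrite.

function Get-ByteEntropy {
    # Shannon entropy in bits per byte over the first 64 KiB. Encrypted data
    # sits near 8.0; so do compressed formats (zip, jpeg), so treat it as
    # corroboration of a hash mismatch, not proof on its own.
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -eq 0) { return 0.0 }
    if ($bytes.Length -gt 65536) { $bytes = $bytes[0..65535] }
    $counts = New-Object 'int[]' 256
    foreach ($b in $bytes) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $bytes.Length
            $entropy -= $p * [Math]::Log($p, 2)
        }
    }
    return [Math]::Round($entropy, 2)
}

function Get-RelativePath {
    param([string]$Root, [string]$FullName)
    $FullName.Substring($Root.Length).TrimStart('\')
}

function New-BackupManifest {
    # Hash every file under $BackupRoot and save the list as JSON.
    param([string]$BackupRoot, [string]$ManifestPath)
    $root = (Resolve-Path -Path $BackupRoot).ProviderPath.TrimEnd('\')
    $entries = @(Get-ChildItem -Path $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = Get-RelativePath -Root $root -FullName $_.FullName
            Length       = $_.Length
            Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    })
    ConvertTo-Json -InputObject $entries | Set-Content -Path $ManifestPath -Encoding UTF8
    return $entries.Count
}

function Test-BackupManifest {
    # Compare the backup set against the manifest; emit one record per anomaly.
    param([string]$BackupRoot, [string]$ManifestPath)
    $root = (Resolve-Path -Path $BackupRoot).ProviderPath.TrimEnd('\')
    $manifest = @(Get-Content -Path $ManifestPath -Raw | ConvertFrom-Json)
    $known = @{}
    $findings = New-Object System.Collections.ArrayList

    foreach ($entry in $manifest) {
        $known[$entry.RelativePath] = $true
        $full = Join-Path -Path $root -ChildPath $entry.RelativePath
        if (-not (Test-Path -LiteralPath $full)) {
            [void]$findings.Add([pscustomobject]@{ File = $entry.RelativePath; Status = 'MISSING'; Entropy = $null })
            continue
        }
        $hash = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        if ($hash -ne $entry.Sha256) {
            [void]$findings.Add([pscustomobject]@{ File = $entry.RelativePath; Status = 'CHANGED'; Entropy = (Get-ByteEntropy -Path $full) })
        }
    }

    # Files absent from the manifest: ransom notes and renamed copies land here.
    Get-ChildItem -Path $root -Recurse -File | ForEach-Object {
        $rel = Get-RelativePath -Root $root -FullName $_.FullName
        if (-not $known.ContainsKey($rel)) {
            [void]$findings.Add([pscustomobject]@{ File = $rel; Status = 'NEW'; Entropy = (Get-ByteEntropy -Path $_.FullName) })
        }
    }
    return $findings
}

# Usage (constructed paths): build the manifest while the backup is known-good,
# keep it off the backup volume, and run the check before restoring anything.
# New-BackupManifest  -BackupRoot 'Z:\backup' -ManifestPath 'C:\manifests\backup.json'
# Test-BackupManifest -BackupRoot 'Z:\backup' -ManifestPath 'C:\manifests\backup.json' | Format-Table -AutoSize
```

A clean backup produces no findings. A large number of CHANGED entries with entropy close to 8, accompanied by NEW files, is the pattern of an always-on backup that the ransomware could write to, and is the signal to fall back to an older, offline or provider-side copy (as Children in Film did with the hosting company’s daily backups) rather than restore from the mounted set.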

DDoS Statistics

For Tripwire, David Bisson summarizes some of the detail from a report from cloud provider Akamai on trends in DDoS (Distributed Denial of Service) attacks, often associated with attempted extortion.

Cloud Security Alliance Survey

The Register reports that a CSA poll found that:

  • Some respondents would pay very large sums to extortionists to avoid data dumps
  • That gambling sites continue to be targeted with threats of DDoS attacks, often coinciding with major sporting events
  • That “… even police and law enforcement agencies [are] recommending organisations hit by the most water-tight ransomware encryption attacks to pay up to get their decryption keys.”

The article also suggests a link between the Hidden Tear open source code and the not-very-successful Linux.Encoder.

DD4BC

And here are a couple of items about the DD4BC (DDoS for BitCoin) gang:

  • ESET reports on Operation Pleiades in which several countries cooperated with Europol against the threat.
  • A related story from the BBC.

All items added to the ransomware resources page.

David Harley

Paul Ducklin on Cryptowall

Added to the ransomware resources page: a link to an article for Sophos by Paul Ducklin, Ransomware evolution: Another brick in the CryptoWall. As you’d expect, it has good information on Cryptowall specifically, but it also links to information on other ransomware, and to a paper, well worth your consideration, on how ransomware evolved from 2014 to 2015.

David Harley