Tag Archives: Symantec

Lockdroid’s text-to-speech unlocking

Catalin Cimpanu, for Bleeping Computer, details Lockdroid’s novel use of TTS functions as part of the post-payment unlocking process: Android Ransomware Asks Victims to Speak Unlock Code. Based on a report from Symantec that I haven’t seen yet.

Lockdroid’s current campaigns appear to be focused on China, but that doesn’t mean its innovations won’t be seen elsewhere. Symantec’s Dinesh Venkatesan noted implementation bugs and that it might be possible for a victim to recover the unlock code from the phone.

David Harley

Support Scam Threatens to Delete Hard Drive

Siddhesh Chandrayan, for Symantec, reports on a particularly vicious example of social engineering designed to scare a victim into ringing a fake support line:

Tech support scams increasing in complexity – Tech support scammers have begun using code obfuscation to avoid detection.

The pop-up fake alert claims that the victim’s system is infected with ‘Exploit.SWF.bd’ and that the hard drive will be deleted if he or she tries to ‘close this page’. It displays a fake ‘hard drive delete timer’ complete with audio effect.

Don’t panic! JavaScript running in a web page isn’t able to do any such thing: page scripts run inside the browser’s sandbox and have no direct access to the local filesystem. (There are, of course, other ways of accessing and changing the contents of a client-side disk, but there’s no suggestion that any of those mechanisms are at play here.)

The obfuscated script also includes code to ascertain whether the system is running Windows, ‘MacOS’, UNIX or Linux, so that the alert can be tailored accordingly.
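Neither this post nor the Symantec write-up reproduces the scam page’s script, so the following is an added example (not code from the post, from Symantec, or from the scam itself) of the triage a defender can run over a deobfuscated copy of such a page. It looks for the indicators described above, an AV-style detection name, the ‘close this page’ threat, a countdown timer, an audio element, a support phone number and user-agent based OS tailoring, and reports which OS branches the page carries. The sample page, its phone number and file name are constructed for the example and do not come from the real scam.

```python
import re

# Constructed sample of a scare page, modelled only on the behaviour described in
# the post (fake detection name, "close this page" threat, timer with audio,
# OS tailoring, phone number). It is NOT the real scam's code.
SAMPLE_PAGE = """
<audio autoplay loop src="siren.mp3"></audio>
<script>
var os = "Windows";
if (navigator.userAgent.indexOf("Mac") != -1) os = "MacOS";
else if (navigator.userAgent.indexOf("Linux") != -1) os = "Linux";
else if (navigator.userAgent.indexOf("X11") != -1) os = "UNIX";
document.getElementById("msg").innerHTML =
  "Your " + os + " system is infected with Exploit.SWF.bd. " +
  "Do not close this page or your hard drive will be deleted. " +
  "Call support now: 1-800-555-0199";
var t = 300; setInterval(function(){ t--; timer.innerHTML = t; }, 1000);
</script>
"""

# A constructed benign page that happens to carry a toll-free number.
BENIGN_PAGE = "<p>Thanks for visiting. Sales: 1-800-555-0199</p>"

# Each indicator is one thing the post says the scare page does. Dict order is
# the order the names are reported in.
INDICATORS = {
    # AV-style detection name (Family.Platform.variant), e.g. 'Exploit.SWF.bd'
    "fake_detection_name": re.compile(
        r"\b(?:Exploit|Trojan|Virus|Worm)\.[A-Za-z0-9]+\.[A-Za-z0-9]+\b"),
    # "close this page" used as a threat
    "close_page_threat": re.compile(
        r"(?:do not|don'?t) close this page|close this page", re.I),
    # "hard drive ... delete" within a short distance
    "disk_destruction_threat": re.compile(r"hard\s*drive.{0,40}\bdelet", re.I | re.S),
    # a ticking timer
    "countdown_timer": re.compile(r"setInterval\s*\("),
    # audio effect, either an <audio> element or a script calling .play()
    "audio_effect": re.compile(r"<audio\b|\.play\(\)", re.I),
    # North American toll-free number in 1-8xx-xxx-xxxx form
    "phone_number": re.compile(r"\b1-8(?:00|88|77|66|55|44|33)-\d{3}-\d{4}\b"),
    # the OS fingerprinting used to tailor the alert
    "os_tailoring": re.compile(r"navigator\.(?:userAgent|platform)"),
}

# Quoted OS names the tailored message is built from.
PLATFORM_LITERAL = re.compile(r'"(Windows|MacOS|Mac OS|Linux|UNIX)"')


def scan_scare_page(page_text):
    """Return the names of the scare-page indicators present, in INDICATORS order."""
    return [name for name, rx in INDICATORS.items() if rx.search(page_text)]


def is_scare_page(page_text, threshold=3):
    """Crude verdict: a page matching at least `threshold` indicators is a scare page."""
    return len(scan_scare_page(page_text)) >= threshold


def tailored_platforms(page_text):
    """Return the set of OS names the page has branches for."""
    return set(PLATFORM_LITERAL.findall(page_text))


if __name__ == "__main__":
    for label, page in (("sample", SAMPLE_PAGE), ("benign", BENIGN_PAGE)):
        print(label, is_scare_page(page), scan_scare_page(page), tailored_platforms(page))
```

The threshold matters: a phone number on its own is not evidence of anything, which is why the benign page scores one indicator and no verdict. Run this over the deobfuscated text, not the obfuscated original; the post’s point about obfuscation is precisely that string matching on the raw page will miss it.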

Commentary by David Bisson, writing for Graham Cluley’s blog: Scare tactics! Tech support scam claims your hard drive will be deleted – Scammers try to frighten you into phoning them up.

David Harley

Ransomlock.AT: ransomware meets support scams

It’s been a while since I’ve had occasion to talk about the issues that sometimes link tech support scams and ransomware, but now a couple of relevant items have come along more or less simultaneously. First, let’s look at the malware Symantec calls Trojan.Ransomlock.AT.

Symantec describes ‘a new ransomware variant that pretends to originate from Microsoft and uses social engineering techniques to trick the victim into calling a toll-free number to “reactivate” Windows.’ (That is, to unlock the computer.) The article is here: New ransomware mimics Microsoft activation window. The Symantec researchers tried to contact the ‘helpline’ number 1-888-303-5121 but gave up after 90 minutes of on-hold music and messages. Interestingly, a web search for that number turns up dozens of links to sites claiming to help ‘remove’ the number, which Symantec believes to have been promoted by the ransomware operators or their affiliates.

Fortunately, they spent less time on concealing the unlock code, for the moment at any rate. Symantec tells us that ‘Victims of this threat can unlock their computer using the code: 8716098676542789’.

UK threat prevalence – Symantec

John Leyden for The Register has summarized Symantec’s latest Internet Security Threat Report, and focuses on UK-specific figures for threat prevalence: Spear phishers target gullible Brits more than anyone else – survey; Ransomware, 0days, malware, scams… all are up, says Symantec.

Of particular relevance to this site are the statistics for crypto ransomware attacks (up by 35% in the UK) and for tech support scams (7m attacks in 2015). Since this is described as a survey, I guess the figures are extrapolated from the surveyed population’s responses rather than from a more neutral source, but I can’t say for sure.

Ordinarily, I’d check out the report directly, but it requires registration, and I don’t really want to be bombarded with ‘commercial information’ from a competitor, so I have to be really interested before I go that far. If that doesn’t bother you, though, you can get the report via this page.

The Register also cites the report’s finding that 430 million new malware variants were discovered in 2015. I agree with Leyden that the figure is pretty meaningless, though for a slightly different reason: not because of the sheer volume of variants, but because you can’t tell from this summary what Symantec is defining as a ‘variant’.

David Harley

Android.Lockdroid.E

Martin Zhang blogs for Symantec about the Android ransomware the company calls Android.Lockdroid.E here: Android ransomware variant uses clickjacking to become device administrator

The malware passes itself off as a porn app. It encrypts files, but if it succeeds in gaining access rights, it also has the ability to lock the device, change the PIN, and delete data via a factory reset.

The clickjacking technique it uses apparently works with versions of Android prior to version 5.0. Unfortunately, that may include up to 67% of Android devices.
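An analyst who gets hold of a sample like this will usually start with its manifest. As an added example, not code from Symantec’s analysis or from the malware, here is a Python triage of an APK’s AndroidManifest.xml for the capability combination the post describes: a device-administration receiver (what the clickjacking is trying to get enabled) alongside the SYSTEM_ALERT_WINDOW overlay permission that overlay-based clickjacking on Android normally depends on (general background, not a detail from the post). The manifest, package name and receiver name are constructed. A manifest cannot tell you the Android version of the device, so the pre-5.0 condition has to be checked separately.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest in the shape a device-admin-abusing lock-screen app
# needs; not taken from the sample Symantec analysed. Names are invented.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.lockapp">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Video Player">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
      <meta-data android:name="android.app.device_admin"
                 android:resource="@xml/device_admin"/>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest for an ordinary app, for comparison.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def android_attr(name):
    """Clark-notation key for an attribute in the android: namespace."""
    return "{%s}%s" % (ANDROID_NS, name)


def triage_manifest(xml_text):
    """Summarise the device-admin / overlay capabilities declared in a manifest."""
    root = ET.fromstring(xml_text)
    perms = {p.get(android_attr("name")) for p in root.iter("uses-permission")}

    # A device-admin receiver is either guarded by BIND_DEVICE_ADMIN or listens
    # for DEVICE_ADMIN_ENABLED; check both, since malware may omit the guard.
    admin_receivers = [
        r.get(android_attr("name")) for r in root.iter("receiver")
        if r.get(android_attr("permission")) == "android.permission.BIND_DEVICE_ADMIN"
        or any(act.get(android_attr("name")) == "android.app.action.DEVICE_ADMIN_ENABLED"
               for act in r.iter("action"))
    ]

    findings = {
        "package": root.get("package"),
        "device_admin_receivers": admin_receivers,
        "overlay_permission": "android.permission.SYSTEM_ALERT_WINDOW" in perms,
    }
    # Both capabilities together are what an overlay-based attack on the
    # device-admin activation dialog needs; either alone is common in clean apps.
    findings["clickjack_admin_risk"] = bool(admin_receivers) and findings["overlay_permission"]
    return findings


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
    print(triage_manifest(BENIGN_MANIFEST))
```

Plenty of legitimate apps (MDM clients, some anti-theft tools) declare a device-admin receiver, and plenty of others use overlays, so the combination is a lead for further analysis rather than a verdict. On a real APK the binary manifest has to be decoded first (for instance with apktool or aapt) before it can be parsed as XML.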

Commentary by Pierluigi Paganini here. 

Commentary by The Register here: Two-thirds of Android users vulnerable to web history sniff ransomware – Crooks want you to pay up on pain of severe embarrassment – and more

David Harley

Support Scams and the Security Industry

For Graham Cluley’s blog, David Bisson summarizes the story of how Symantec ended its agreement with one of its partners after Jérôme Segura reported for Malwarebytes on how the partner was using tech support scam techniques to trick customers into buying Norton Antivirus and a year’s support at prices well in excess of the price point set by Symantec.

You may recall that I also commented here on the story last week, though I focused on slightly different issues.

Among the classic scam ploys used by the scammer Jérôme talked to were the notorious CLSID misrepresentation and the misrepresentation of the legitimate Windows utility csrss.exe (Client/Server Runtime Subsystem). While this is an essential component of modern Windows versions, malware does sometimes use the same filename in the hope of making it harder to detect, and purveyors of support scams sometimes use Task Manager (as in this case) or another utility such as Tasklist to point the victim at it as ‘proof’ of infection.

In fact, if you run one of these utilities, you’ll find that you have lots of legitimate processes running with names that are sometimes associated with malicious software (for example, lsass.exe and svchost.exe) but the processes are legitimate and often essential. The scammer doesn’t care about this, of course: he just wants to ‘prove’ to you that there are ‘malicious’ processes on your system, so that you’ll let him have remote access to it and charge you accordingly. The value to the scammer of using a filename that is also used by malware is that they can direct you to Google searches that will lead you to alarming references to the ‘csrss.exe virus’ or Trojan. Some of these links are malicious, some are well-meant but misleading, and some are genuinely informative. However, the scammer is not going to encourage you to read anything that is really informative.
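Task Manager shows names, not provenance, which is exactly what the scammer relies on. As an added example (not from the post or from Malwarebytes’ write-up), here is the check a technician would actually make for the processes the scammer waves around: a well-known system image name only becomes suspicious when it runs from somewhere other than its expected directory. The process list is constructed for the example, with the expected entries from System32 plus one deliberately misplaced csrss.exe.

```python
import ntpath

# Canonical locations of the Windows system processes whose names scammers
# (and, occasionally, real malware) like to trade on. Compared case-insensitively.
SYSTEM32 = r"C:\Windows\System32"
EXPECTED_DIRS = {
    "csrss.exe":    [SYSTEM32],
    "lsass.exe":    [SYSTEM32],
    "smss.exe":     [SYSTEM32],
    "winlogon.exe": [SYSTEM32],
    "svchost.exe":  [SYSTEM32, r"C:\Windows\SysWOW64"],
}

# Constructed process listing as (pid, image name, full path), the shape you
# would get from Task Manager's "Open file location", tasklist or Get-Process.
SAMPLE_PROCESSES = [
    (576,  "csrss.exe",   r"C:\Windows\System32\csrss.exe"),
    (644,  "lsass.exe",   r"C:\Windows\System32\lsass.exe"),
    (912,  "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    (2210, "svchost.exe", r"C:\Windows\SysWOW64\svchost.exe"),
    (4312, "csrss.exe",   r"C:\Users\Public\Downloads\csrss.exe"),  # the impostor
    (5020, "notepad.exe", r"C:\Windows\System32\notepad.exe"),
]


def flag_masquerading(processes):
    """Return the (pid, name, path) entries whose image name is a tracked system
    process but whose directory is not one of that name's expected locations.
    Legitimate csrss.exe, lsass.exe and svchost.exe entries are NOT flagged."""
    hits = []
    for pid, name, path in processes:
        expected = EXPECTED_DIRS.get(name.lower())
        if expected is None:
            continue  # not a name we track; scary-sounding or not, it is irrelevant here
        directory = ntpath.dirname(path).lower()
        if directory not in {d.lower() for d in expected}:
            hits.append((pid, name, path))
    return hits


if __name__ == "__main__":
    for pid, name, path in flag_masquerading(SAMPLE_PROCESSES):
        print("suspicious: pid %d %s running from %s" % (pid, name, path))
```

The path test is the first filter, not the last word: a file in the right directory can still be tampered with, so the next questions are whether the image is signed by Microsoft and whether its parent process is the expected one (csrss.exe, for instance, is started by smss.exe). None of that is what the scammer wants you to look at.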

I particularly like David’s suggestion that:

If you come across a fake anti-virus alert, collect screenshots, audio, and whatever other data you can document about the messages, and then post those files on the affected anti-virus firm’s forum. Those companies will take no greater pleasure than in shutting down someone exploiting their potential customers.

While no-one in this business likes to see scammers getting away with anything, it’s particularly satisfying when we’re able to take direct action against those whose actions are responsible for blackening the reputations of an industry which, by and large, tries harder than most to behave honourably and ethically. Of course, I wouldn’t want to discourage you from reporting scammers to law enforcement, either. No doubt they make good use of the information even if they tend not to talk about it.

It’s worth mentioning that forums aren’t the only way to contact a security company. If you have a support agreement with a vendor, you can certainly talk to its support desk. Most companies have an address to which you can send malicious samples and links. And some of us who write about this stuff get lots of comments to our blogs. That CLSID blog I mentioned above has attracted many hundreds of comments. I can’t reply to them all, but I do read them, and sometimes they provide material for further research and writing. One I really liked recently observed:

“This scammer called today and I played along. When he read my CLSID I googled “CLSID” and found this page. I told him that I had googled it and found that everyone has that CLSID. He told me that my google was broken. Best laugh of the day!”

Fortunately, people aren’t generally as dumb as scammers believe they are. There’s a difference between not knowing much about technology and being stupid. Though in these days of elaborate online scams, it really is smart to go out of your way to learn more about the technology you use than the bare bones of logging in and typing in text.

David Harley

The Lure of the Support Scam

We’re all too familiar with tech support scammers claiming to represent Microsoft or other impressive names like Cisco or Apple. And sometimes we find them claiming to represent security companies in some way.

To cite some instances mentioned in a paper presented at Virus Bulletin in 2012 by myself, Martijn Grooten (Virus Bulletin), Steve Burn (Malwarebytes) and Craig Johnston (an independent researcher and former colleague at ESET):

  • We know of a number of instances where fake or cracked security software has been sold to victims by scammers claiming to represent legitimate security vendors in some way.
  • A scammer who talked to Craig claimed that his company was installing legitimate copies of a commercial product called Registry Mechanic. We were unable to verify that claim, but we do know for sure that it’s common for scammers to install free (or free versions of) various utilities as part of their service. (Which is, of course, not free.)
  • Microsoft terminated its relationship with Gold partner Comantra because of all the complaints about Comantra’s practices.

We also cited the case of iYogi – recently accused by the state of Washington of engaging in support scam practices – to which Avast! was actually outsourcing the provision of legitimate support to users of Avast!’s free products, until similar allegations were made about iYogi.

A common current ploy is to lure victims into calling a helpline passing itself off as being hosted by a legitimate security-oriented company, by using some kind of popup fake alert. For obvious reasons, companies like Symantec and McAfee are frequently targeted for this kind of attack. However, Jérôme Segura for Malwarebytes reports a case where the scammer is claimed to be ‘an official member of the Symantec Partner Program’.  Segura explains:

We immediately reported all of our evidence to Symantec who took this case very seriously and confirmed that this company was indeed a member of the program. Symantec also let us know that they were going to take immediate action to resolve this issue.

Reassuringly, he also reports that the alleged scam site was subsequently taken down.

The article also indicates that the Malwarebytes brand has been misused by scammers charging ridiculous prices for its product.

There are clear advantages to a support scammer in cosying up to a legitimate, ethical company, and scammers are apparently not averse to ‘inflicting brand and reputation damage’ on their partners.

However, I suspect that there are still plenty of scammers claiming to support products with which they have no genuine connection. Or interest, come to that, except as a means of promoting their own dubious products and services. It’s amazing how eager many ‘support lines’ are to point out the (usually mythical) limitations of the product they claim to support, in order to promote their own service or product.

If you follow this blog, you are almost certainly aware of the sort of popup alert I’m referring to above. But that’s not the only lure used by support scammers. A little time spent with your favourite search engine using terms like ‘[your chosen security product] + tech support’ is likely to turn up lots of links to sites that have no connection to the product or vendor, but claim to offer tech support for it.

I can only recommend that if you think you have a problem with your security product of choice, that you make your first port of call a web site that you know is maintained by the company that makes the software. After all, if it’s a product that you actually paid for, the chances are that you can get (at least some) support from the vendor without extra cost. This is unlikely to be the case with a free product – one of the reasons I’m lukewarm about recommending free security software, though a genuine free security product is better than no security at all. Nevertheless, a responsible vendor will always offer some indication of somewhere where you can get support, even if it means upgrading to a for-fee version. And while there are instances of a vendor being unaware of the unethical behaviour of one of its partners, these are very much the exception rather than the rule. It’s much more common for a scammer to claim a non-existent relationship with the vendor.

However, if you trust your support to a helpline you found via a search engine, there’s a good chance that you’ll stumble upon a company that knows more about SEO (search engine optimization) than it does about reliable support. Or ethics, or honesty.

It’s not that there aren’t honest support sites out there: the difficulty is in identifying which are honest, and which are scammers. A security vendor might not always know when it’s partnered with a scammer, but it does know which companies are genuine partners.

David Harley

About those alligators….

I don’t know what Peter Norton is up to these days. In the anti-virus industry, he’s probably best remembered for the security products marketed by Symantec that still bear his name (though not the famous pink shirt photograph), though he sold his company to Big Yellow about 20 years ago. In researcher circles, he’s also remembered for telling Insight magazine in 1988 or thereabouts that “We’re dealing with an urban myth. It’s like the story of alligators in the sewers of New York. Everyone knows about them, but no one’s ever seen them. Typically, these stories come up every three to five years.” Well, quite a few people put computer viruses in the same category as flying saucers around that time. Commodore, for instance, reacted to questions about Amiga malware by saying that it sounded like a hoax, and moved on (1) to ignoring it altogether.

Not long after that, he lent his name to Symantec’s antivirus product, which I suppose makes it the world’s first anti-hoax software.

I’ve no idea whether there really are or ever were alligators in the sewers of New York, but according to the BBC, Scotland’s sewage system has quite a few equally bizarre inhabitants. Notably:

  • A Mexican Kingsnake
  • A goldfish called Pooh
  • An anonymous frog
  • An equally anonymous badger (no, it wasn’t in the company of the frog: what a story that could be…)

The above were all alive and well, if not as sanitary as one might hope. However, a sheep found in a manhole chamber and a cow found in a storm tank did not survive the experience. Inanimate objects found included credit cards, a working iron, false teeth, jewelry, and some of the hundreds of thousands of mobile phones that Brits are alleged to flush down the loo.

It’s not known whether the very smelly aggregation of money mules that is apparently operating out of Scotland and associated with the “London scam” described here is using the same network.

(1) Yes, I’m paraphrasing myself. “Viruses Revealed”, Chapter 2, published by Osborne in 2001.

David Harley FBCS CITP CISSP
Security Author/Consultant at Small Blue-Green World
Chief Operations Officer, AVIEN
ESET Research Fellow & Director of Malware Intelligence

Also blogging at:
http://avien.net/blog
http://www.eset.com/blog
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com
http://macvirus.com

Y2.01K, The Register, and Symantec

The Register’s Dan Goodin has had a go at Symantec over their Y2.01K update problem. Anyone would think that Symantec users had been unprotected since January 1st, which is nonsense. The kludge of misdating updates so as to circumvent the bug may not be elegant, but it gets the updates onto the machine, which is what matters, and it has given the company the opportunity to do what any responsible security company would do: take the time needed to produce an effective, permanent fix rather than flying into a panic.

Effective security software is complex code often produced under time pressures, and even security programmers are human: it would be miraculous if they never made mistakes. I have heard it suggested that even journalists get it wrong occasionally, but that’s probably just a malicious rumour. 😉

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com