Tag Archives: Virus Bulletin

Never Pay the Ransom – Good Advice?

Virus Bulletin doesn’t think so, according to the article Paying a malware ransom is bad, but telling people to never do it is unhelpful advice.

While the article certainly isn’t encouraging victims to pay up in general, and acknowledges that if (almost) all victims declined to pay up the criminals would be discouraged, it points out that:

sometimes, none of this helps and the only sensible business decision left is to pay the criminals, much as it is bad and much as there is never a 100% guarantee that this will work.

And I have to agree with that. As previously observed on this site:

Security bloggers almost invariably advise you not to pay the ransom. Easy to say, when it’s not your own data that’s at stake…

On the other hand:

…an ounce of prevention (and backup) is worth a ton of Bitcoins, and doesn’t encourage the criminals to keep working on their unpleasant technologies and approaches to social engineering.

Still, I agree that it doesn’t help to censure people or organizations who choose to pay up when there is no other option for (hopefully) retrieving their data.

David Harley

The Lure of the Support Scam

We’re all too familiar with tech support scammers claiming to represent Microsoft or other impressive names like Cisco or Apple. And sometimes we find them claiming to represent security companies in some way.

To cite some instances mentioned in a paper presented at Virus Bulletin in 2012 by myself, Martijn Grooten (Virus Bulletin), Steve Burn (Malwarebyes) and Craig Johnston (an independent researcher and former colleague at ESET):

  • We know of a number of instances where fake or cracked security software has been sold to victims by scammers claiming to represent legitimate security vendors in some way.
  • A scammer who talked to Craig claimed that his company was installing legitimate copies of a commercial product called Registry Mechanic. We were unable to verify that claim, but we do know for sure that it’s common for scammers to install free (or free versions of) various utilities as part of their service. (Which is, of course, not free.)
  • Microsoft terminated its relationship with Gold partner Comantra because of all the complaints about Comantra’s practices.

We also cited the case of iYogi – recently accused by the state of Washington of engaging in support scam practices – which to which Avast! was actually outsourcing the provision of legitimate support to users of Avast!’s free products, until similar allegations were made about iYogi.

A common current ploy is to lure victims into calling a helpline passing itself off as being hosted by a legitimate security-oriented company, by using some kind of popup fake alert. For obvious reasons, companies like Symantec and McAfee are frequently targeted for this kind of attack. However, Jérôme Segura for Malwarebytes reports a case where the scammer is claimed to be ‘an official member of the Symantec Partner Program’.  Segura explains:

We immediately reported all of our evidence to Symantec who took this case very seriously and confirmed that this company was indeed a member of the program. Symantec also let us know that they were going to take immediate action to resolve this issue.

Reassuringly, he also reports that the alleged scam site was subsequently taken down.

The article also indicates that the Malwarebytes brand has also been misused by scammers charging ridiculous prices for its product.

There are clear advantages to a support scammer in cosying up to a legitimate, ethical company, and scammers are apparently not averse to ‘inflicting brand and reputation damage’ on their partners.

However, I suspect that there are still plenty of scammers claiming to support products with which they have no genuine connection. Or interest, come to that, except as a means of promoting their own dubious products and services. It’s amazing how eager many ‘support lines’ are to point out the (usually mythical) limitations of the product they claim to support, in order to promote their own service or product.

If you follow this blog, you are almost certainly aware of the sort of popup alert I’m referring to above. But that’s not the only lure used by support scammers. A little time spent with your favourite search engine using terms like ‘[your chosen security product] + tech support’ is likely to turn up lots of links to sites that have no connection to the product or vendor, but claim to offer tech support for it.

I can only recommend that if you think you have a problem with your security product of choice, that you make your first port of call a web site that you know is maintained by the company that makes the software. After all, if it’s a product that you actually paid for, the chances are that you can get (at least some) support from the vendor without extra cost. This is unlikely to be the case with a free product – one of the reasons I’m lukewarm about recommending free security software, though a genuine free security product is better than no security at all. Nevertheless, a responsible vendor will always offer some indication of somewhere where you can get support, even if it means upgrading to a for-fee version. And while there are instances of a vendor being unaware of the unethical behaviour of one of its partners, these are very much the exception rather than the rule. It’s much more common for a scammer to claim a non-existent relationship with the vendor.

However, if you trust your support to a helpline you found via a search engine, there’s a good chance that you’ll stumble upon a company that knows more about SEO (search engine optimization) than it does about reliable support. Or ethics, or honesty.

It’s not that there aren’t honest support sites out there: the difficulty is in identifying which are honest, and which are scammers. A security vendor might not always know when it’s partnered with a scammer, but it does know which companies are genuine partners.

David Harley

Support Scams: multi-language, fake BSODs, and the Nuclear exploit kit

Here’s another blog by Jérôme Segura well worth a read: The Multi-language Tech Support Scam is Here.

And a couple of articles I added to the tech support scam page at the end of July, but didn’t note in the blog.

A blog by me, Double Dipping: Nuclear exploit, fake BSOD, support scams, refers to two very interesting blogs by Martijn Grooten – Compromised site serves Nuclear exploit kit together with fake BSOD – and Jérôme Segura  – TechSupportScams And The Blue Screen of Death.

David Harley

Support Scams update from Jérôme Segura

Jérôme Segura talks about his paper Tech Support Scams 2.0: an inside look into the evolution of the classic Microsoft tech support scam, which he just presented at Virus Bulletin 2014, on the Malwarebytes blog: Tech Support Scams exposed at VB2014. The blog includes a link to a PDF version of the slide deck.

Added to the AVIEN resources page, of course.

David Harley
ESET Senior Research Fellow

Support scam paper at Virus Bulletin 2014

If you keep an eye on the support scam resources page on this site, you’ll have noticed that Malwarebytes’ Jérôme Segura has written quite a few pieces on the topic (more than I have recently), demonstrating that the game is still afoot, even if the rules have changed.

At Virus Bulletin, later this week, Jérôme presents his paper ‘Tech Support Scams 2.0: an inside look into the evolution of the classic Microsoft tech support scam‘: it’s scheduled for 16.00 on Thursday 26th. I’m sure it will be well worth hearing, and I’m only sorry I can’t be there to hear it. (Though I do have a paper being presented there by my co-authors Aleksandr Matrosov and Eugene Rodionov:

You may also recall that back in 2012 I wrote a paper with Martijn Grooten of Virus Bulletin, Steve Burn of Malwarebytes, and independent researcher Craig Johnston (a former colleague at ESET): My PC has 32,539 errors: how telephone support scams really work. (The same team also wrote a related paper for CFET: FUD and Blunder: Tracking PC Support Scams. As part of the run-up to Virus Bulletin 2014, Martijn gives a preview on the Virus Bulletin blog of what to expect from the presentation: VB2014 preview: Tech Support Scams 2.0: an inside look into the evolution of the classic Microsoft tech support scam.

David Harley
ESET Senior Research Fellow

VB Seminar 2010

I spoke at the VB 2010 Seminar in London on ways that Social Engineering can affect your business’ users.

During the talk, I used some links for demos (many thanks to my good friend Dave Marcus for originally showing me a few of these). For those that are interested, here are the links:


Andrew Lee

Sick of Stuxnet?

Even if you’re not thoroughly sick of the word Stuxnet, you may well be pretty confused as to what “the truth” about it is. I know I am…

I think it will probably be a while before we get the whole picture, though there are a couple of last minute presentations scheduled for the Virus Bulletin conference in Vancouver next week that should be very interesting indeed: well, for sad Geeks like me, anyway. (I hope to see some of you there, maybe at the pre-drinks reception.)

I’ve spent quite a lot of the past couple of weeks working with some colleagues from ESET on a Stuxnet paper (67 pages long, so you’d think I’d be all Stuxnetted out by now). While we can’t predict all the surprises those papers will unfold, there’s some fairly detailed analysis and some observations that go a little against the “cyberwar on Iran” flow. Stuxnet Under the Microscope, by Alexandr Matrosov, Eugene Rodionov, David Harley and Juraj Malcho, September 2010 is available on the ESET white papers page at http://www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf.

ESET Senior Research Fellow

AVIEN Sponsors VB 2010

Virus Bulletin 2010

In honour of our 10th Anniversary here at AVIEN, we’re sponsoring the pre-dinner drinks reception at the 20th Virus Bulletin Conference in Vancouver next week. In case you didn’t know AVIEN was formed out of conversations held at Virus Bulletin in 2000, and the relationship has been a long and friendly one between the two companies. We’re proud to help bring a part of the conference to the attendees.

Andrew Lee
AVIEN CEO / CTO K7 Computing

Virus Bulletin Seminar Announced

Virus Bulletin have announced the first in a new series of Seminars. Aimed towards the corporate IT Admins and security practitioners, the day long seminar will look at protecting organisations in the modern age of Internet enabled crime.

Speakers include

  • Bryan Littlefair, Vodafone Group
  • Bob Burls, Police Central e-Crime Unit
  • Graham Cluley, Sophos
  • Alex Shipp
  • David Evans, Information Commissioner’s Office
  • Andrew Lee, K7 Computing
  • Martin Overton, IBM
  • Richard Martin, UK Payments Administration


There’s an early bird price available, and seats are likely to fill up fast, so get in early!

Andrew Lee CISSP
AVIEN CEO / CTO K7 Computing

Virus Researchers are community outcasts

Lately I’ve been reading a lot of blogs and articles attacking and defending AMTSO and their attempt at establishing standards for the testing of counter-malware products. Unfortunately I think BOTH sides are missing the larger picture here. AMTSO was formed to address some critical shortcomings in the testing of counter-malware products: some tests were arguably unethical, most unscientific and some just poor from the word go. So where does the dissent come from? It comes from the very people who done or supported those poor non-science based tests. Yet it goes beyond that. The people who are condemning AMTSO and their efforts are in some cases well respected in the general security arena, and are very knowledgeable, and this is the rub. These people, most people in academia, and in management as well do not recognize Malware research and prevention as a specialty niche. They attempt to apply the same rule-set to fighting a malware outbreak as they do a simple intrusion, and see nothing wrong with that solution.

A majority of people not engaged in the Malware field as a profession still feel that the average Security Professional has the same knowledge and skill sets as used by the Counter Malware Professionals. Unfortunately nothing can be further from the truth. It goes beyond the abilities and skills for reverse engineering, programming, and identifying abnormal network traffic. This argument goes back to at least the early 1990’s when in a panel discussion a firewalls specialist attempted to answer a question about a virus. On that panel was Wolfgang Stiller, creator of Integrity Master Anti-Virus, Wolfgang interrupted him saying along the lines of “look I’m here for the virus questions, I would never presume to speak with authority or experience on firewalls issues, but you presume to have the same experience and expertise with viruses that I do, and that is mistaken”. Similar exchanges have happened on other panels with people such as Robert Vibert and Rob Rosenberger, among others. These are also the same people who demand that anti-malware products protect against threats that are not viruses, nor are they specifically malware, but “Potentially unwanted programs”. So this is not a new phenomenon. The question in my mind is why does it still exist?

Anti-Virus ‘Experts’ helped establish the disaster recovery field, and were among the very first to teach classes in th at subject. It was the Anti-Virus Researchers who developed the field of Computer Forensics, in both cases it was the Anti-Virus field that had the necessary expertise and skill set needed to fill the holes and expand the career field. So now that Disaster Recovery, and Computer Forensics are recognized as specialty fields and given a high degree of respect from schools and management, what happened to the Anti-Virus researcher? Their mindset is not of an operational nature, they bore easily, some may even say they have attention deficit disorder (ADD), yet they are anal about doing things the same way every-time. They dwell on minutiae, arguing to the point of splitting hairs. I sometimes think some of my colleagues can SEE the traffic on the wire in their minds eye. Yet with all this contribution to the Computer Security Community they are still (almost purposely) maligned and misunderstood. At a Virus Bulletin Conference, I stated that we as a community must take action or go from the ranks of professional, to the ranks of the tradesmen. I still don’t know what action that is, or how to go about it, but AMTSO is a good step in that direction, and the naysayers need to start looking outside their comfort zone and realize they know enough to be dangerous and not enough to be helpful at this point.

Ken Bechtel
Team Anti-Virus
Virus Researcher and Security pontificator