Category Archives: Virus Bulletin

Support scammers & repeat business

For Virus Bulletin, Martijn Grooten recounts in Phone support scammers attempt repeat business how – a year after the encounter with ‘Clinton’ that he talked about in our joint presentation (with Craig Johnston and Steve Burn) at the 2012 Virus Bulletin Conference in Dallas (My PC has 32,539 errors: how telephone support scams really work) – the scammers came back for a second bite of the cherry.

He summarizes:

Phone support scammers have found a new way to make easy money: by calling back people whom they have previously tricked into paying for their services, and tricking the same innocent users into paying for a ‘renewal’ of the service.

While I got a certain amount of amusement from the continuing ineptitude of the scammer he talked to this time, it’s not so amusing for victims of the scam, as Martijn points out:

While it is easy to laugh at the scammers’ lack of professionalism, they have taken advantage of many victims in the past: people who have become worried after hearing the many stories about malware infections, or people for whom the call just ‘made sense’.

ESET Senior Research Fellow

More about Dorifel as a scammer ploy, and Ammyy warns of misuse of its service

More about PC support scams.

First, here’s a somewhat free translation of part of an article at that describes the support scam gambit described in Dorifel/Quervar: the support scammer’s secret weapon whereby victims in the Netherlands, where Dorifel is somewhat prevalent, have been rung by scammers offering ‘help’ with removal of the virus. (By the way, interesting though Quervar is to researchers – see Quervar – Induc.C reincarnate? – it isn’t that prevalent, though there has been a spike in reports in that region. Most people are never going to see it.)

Currently, there are reports from people who are approached by phone by Microsoft offering to assist them in removing the Dorifel virus that is currently in the news.

The caller tells the prospective victim in (flawed) English claimed that the he or she has malicious software on his or her computer and that to the scammer can help them solve this over the phone. In almost all cases the scammer requires an extortionate amount of money for a (non-functional) antivirus package, asking for personal information and credit card data.

It also appears that the caller refers victims to a website where software can be downloaded to their PC. They seem to be offering help via remote access but in reality an uninfected PC might finish up infected, and an infected system could pick up an extra infection.

What are your options?

  • You can’t stop the scammers calling. [Actually, it might be possible with some services in some countries, but they don’t take any notice of do-not-call registries (DH)]
  • Ask for a local (Dutch) telephone number that you can call back on.
  • On no account give them remote access to your computer.
  • Be very cautious with the transmission of personal data and credit card numbers over the phone. [Don’t give them to anyone whose credentials you can’t verify (DH)]
  • If you have any suspicions of bad intent, hang up as quickly as possible. [Feel free to put the phone down on ’em, though they may call again. (DH)]

[Translation ends here.]

And now, the good news:, a remote access service very frequently misused by support scammers, has warned users of Ammyy Admin about the scam, and even given some advice for the victims who’ve fallen for it.

  • Turn off their internet connection: that makes sense as a short term measure to reduce the risk from something they’ve left to call home, as they may have tried to do in an incident described in The Tech Support Scammer’s Revenge.
  • Contact their bank to freeze their bank accounts – that may be overkill, but I can’t say it isn’t worth considering the possibility of your financial services having been compromised
  • Reboot and scan for viruses. Again, a sensible precaution, even if we haven’t seen confirmed reports of out-and-out malicious software so far.
  • And to ensure that the scammers don’t (assuming they used Ammyy) manage to get back onto the system:

“…make sure Ammyy Admin Service isn’t installed and doesn’t run in automatic mode. For this go to main window of Ammyy Admin -> Ammyy -> Service -> Remove. Then restart your PC again.”

The company also points out that Ammyy Admin doesn’t have to be uninstalled: you can just delete the .EXE. Hat tip to Martijn Grooten for flagging this. Steve Burn’s post also refers. (Not surprisingly: we tend to share information about this stuff as we see it.)

ESET Senior Research Fellow

‘Tech Support’ Scam Resources Page updated

I haven’t updated the scam resources page on the AVIEN blog site since November 2011. Mea Culpa. However, that doesn’t mean I haven’t been beavering aways at raising awareness of this scam among readers of my blog, the security industry, and (not least) law enforcement. So I’ve finally got around to updating the page.

Firstly, I’ve changed the name to something more unwieldy (less wieldy?), but a bit more explicit as to exactly what it’s about.

Secondly, I’ve added quite a few links to resources. Depressingly, most of them are my own blogs – I can’t believe how hard it is to get people to take notice of this scam! – but I shouldn’t forget to mention my friends and colleagues Steve Burn (MalwareBytes), Craig Johnston (independent researcher) and Martijn Grooten (Virus Bulletin), with whose help I’ve put together a couple of somewhat massive papers to be presented at CFET and Virus Bulletin later this year.

AVIEN & Small Blue-Green World Dogsbody
ESET Senior Research Fellow

Support scams: what can AVIEN do about it?

In the wake of a blog I posted today at ESET, on my perennial warhorse of support scams and cold-calling, I’ve been talking to Martijn Grooten of Virus Bulletin and Steve Burn, both of whom contributed to that article. While we and other people in the industry hack away from time to time at this unpleasant but undramatic variety of fraud, the telephonic equivalent of fake AV, it doesn’t seem to have much impact on the hydra-headed scammer networks of Kolkata and New Delhi. How, we wondered, can we make more headway?

It would be nice to think that people who read those occasional articles from security bloggers get some educational value out of them, that’s a tiny number compared to the potentially exploitable Facebook users, for example, who might be tricked into endorsing a scammer’s FB page. In fact, it’s even worse than that, in that readers of security blogs are generally aware enough not to fall so easily for scams: many people comment on my ESET blogs on the topic, but most of them aren’t themselves victims.

While there’s occasionally a little more movement when the media like the Guardian, or the Register, or SC Magazine picks up the theme (as they all have), they’ll only do that now and again, and only when there’s a particularly dramatic or emotional story to hang it on.

Law enforcement doesn’t seem to be making much of an impact either. And that’s understandable: like the 419 gangs, the scammers are a volatile and scattered target, individual victims tend to lose fairly small sums even compared to some of the big 419 scores, and that lessens the interest from law enforcement in general, even assuming that cooperation betweenthe countries targeted by the scammers (US, UK, Australia, New Zealand, and to a lesser extent parts of Europe and limited regions in the Far East) and the regions of India that seem to be spawning this type of activity. Agencies might, I suspect, be more interested if the security people who work with them directly on other issues such as botnets and phishing were themselves more interested. But while there are quite a few security-oriented individuals who’d like to see more action, I’m not sure how much of a concentrated effort we can get out of the security industry, because the PR value doesn’t really translate directly into product sales.

Again like 419 scams, people are interested in reporting incidents close to home, but as the Met’s own fraudalert page suggests ( there’s no clear single mechanism and precious little feedback. I’m wondering whether it might be worth trying to establish a central information resource and building on that in some or all these directions, with an initial focus on education. If so, perhaps AVIEN would be a suitable venue, since it has a lot of people with security expertise but is essentially vendor neutral, even though many AV companies still participate, or at least subscribe to our mailing lists.

I’d kind of like to put more of a focused effort into fighting this, but it isn’t something I can do all by myself. What do the AVIEN members out there think?

Small Blue-Green World/AVIEN
ESET Senior Research Fellow

VB Seminar 2010

I spoke at the VB 2010 Seminar in London on ways that Social Engineering can affect your business’ users.

During the talk, I used some links for demos (many thanks to my good friend Dave Marcus for originally showing me a few of these). For those that are interested, here are the links:


Andrew Lee

Sick of Stuxnet?

Even if you’re not thoroughly sick of the word Stuxnet, you may well be pretty confused as to what “the truth” about it is. I know I am…

I think it will probably be a while before we get the whole picture, though there are a couple of last minute presentations scheduled for the Virus Bulletin conference in Vancouver next week that should be very interesting indeed: well, for sad Geeks like me, anyway. (I hope to see some of you there, maybe at the pre-drinks reception.)

I’ve spent quite a lot of the past couple of weeks working with some colleagues from ESET on a Stuxnet paper (67 pages long, so you’d think I’d be all Stuxnetted out by now). While we can’t predict all the surprises those papers will unfold, there’s some fairly detailed analysis and some observations that go a little against the “cyberwar on Iran” flow. Stuxnet Under the Microscope, by Alexandr Matrosov, Eugene Rodionov, David Harley and Juraj Malcho, September 2010 is available on the ESET white papers page at

ESET Senior Research Fellow

AVIEN Sponsors VB 2010

Virus Bulletin 2010

In honour of our 10th Anniversary here at AVIEN, we’re sponsoring the pre-dinner drinks reception at the 20th Virus Bulletin Conference in Vancouver next week. In case you didn’t know AVIEN was formed out of conversations held at Virus Bulletin in 2000, and the relationship has been a long and friendly one between the two companies. We’re proud to help bring a part of the conference to the attendees.

Andrew Lee
AVIEN CEO / CTO K7 Computing

Virus Bulletin Seminar Announced

Virus Bulletin have announced the first in a new series of Seminars. Aimed towards the corporate IT Admins and security practitioners, the day long seminar will look at protecting organisations in the modern age of Internet enabled crime.

Speakers include

  • Bryan Littlefair, Vodafone Group
  • Bob Burls, Police Central e-Crime Unit
  • Graham Cluley, Sophos
  • Alex Shipp
  • David Evans, Information Commissioner’s Office
  • Andrew Lee, K7 Computing
  • Martin Overton, IBM
  • Richard Martin, UK Payments Administration

There’s an early bird price available, and seats are likely to fill up fast, so get in early!

Andrew Lee CISSP
AVIEN CEO / CTO K7 Computing

Testing AV: Why VB Tests are still relevant

The latest Virus Bulletin Anti-Malware product test, the largest ever of it’s type (a mammoth 60 product test) demonstrates several things; that testing Anti-Virus products never gets any easier; that discussing (or dissing) the tests never gets any less popular; and that the results of testing are never less than controversial.

Virus Bulletin has been in the testing game a very long time, and their comparative testing and VB Award have been around since early 1998. Before that time, VB was reviewing AV products since its inception in 1989. Their test methodology is well known, and is based on a combination of Wildlist testing, tests for ‘zoo’ viruses (that is, non-wildlist known malware) and False Positive (FP) testing. The full current methodology can be found here.

Despite there being a large number of people decrying this sort of WildList based testing, and indeed some vendors entirely withdrawing from any sort of ‘static’ tests (i.e. based on scanning of predetermined files, rather than live incoming threats), the fact that 60 products participated in a test like this shows that there is still life, and worth, in this type of testing.

The surprising thing is that while many criticize WildList based tests for being limited in scope (the WildList certainly is not a comprehensive list of malware) so many products fail to pass these tests. This perhaps more than anything highlights their usefulness as a baseline. If your product isn’t reasonably consistent in achieving the VB 100 Award, perhaps you should think about a different one. Often the problem is not detection so much as false detection, making the FP part of the test very important. Any product could detect 100% of all viruses very easily, it’s much more difficult to detect ONLY viruses, and nothing else.

The other aspect of the testing, that perhaps is not clear from the results, but is highlighted in the short review written of each product, is that of the experience of the tester in being able to test and use the product.

John Leyden, writing in the register points out that 20 out of the 60 products (1/3 for those of you who still remember how fractions work) failed to achieve the certification. He also quotes John Hawes (VB’s tireless tester) as saying “It was pretty shocking how many crashes, freezes, hangs and errors we encountered in this test” – indeed damning words considering that the test was on Windows XP, a mature platform that has been a standard for many years.

So, while attaining VB 100 Awards is not the be all and end all of testing Anti-Malware products, it’s still a good place to start looking. Congratulations to all those whose products did pass, from someone who knows only too well just how high that particular bar is set.