Archive for July 13, 2017

Investigating A Tech Support Scam – Part 3: What Did These Scammers Try And Do?

Posted in Commentary with tags on July 13, 2017 by itnerd

In part one of this investigation I dealt with the initial threat. In part two I looked at who the scammers who do business as People Connect Inc. are and showed that they are scammers. Now I will show you what these scammers were up to. Though, that took some effort.

First of all, I grabbed a ZIP file that was encrypted. I needed to break into it. Thus I reached out to a friend of mine who is a white hat hacker (in other words, a hacker who hacks to help people rather than hurt them) to help with this. We used a program called John The Ripper on a custom computer with a series of Nvidia graphics cards to add computing power to the CPU to help crack this ZIP file. It took several hours, but I had it cracked. When I got to look at the files, this is what I saw:

[Screenshot of the extracted files, taken July 13, 2017]

Here’s what these files do. First, there were four batch files:

  • The first one is called execlock.bat and it takes away Internet access to dozens of websites using a supplied application called hosts.exe, a Russian-designed application that modifies a file on your computer called “hosts” which controls how your computer looks up website addresses. By doing this, it can make you think that you have a serious problem, but not enough to outright kill your Internet access (which would of course disconnect the scammers and keep them from “fixing” things).
  • The second one is called execunlock.bat and it restores the Internet access that was removed by the previous batch file.
  • The third one is called lock.bat. It runs a file that was in the collection of files called elevate.exe and then runs the execlock.bat batch file that I mentioned earlier. This elevate.exe application allows one to bypass any security that might be present on the PC.
  • The fourth one is called unlock.bat. It runs a file that was in the collection of files called elevate.exe and then runs the execunlock.bat batch file that I mentioned earlier. This elevate.exe application again allows one to bypass any security that might be present on the PC.
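As an added illustration (not code from the original post, and not the scammers' tooling), here is a small Python checker that flags hosts-file entries which redirect real websites to a loopback or null address, which is the kind of “problem” the lock batch file above creates; the sample hosts content and the domain names in it are constructed for the example.

```python
import ipaddress

# Addresses that, when mapped to an external hostname, effectively block it.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately point at loopback and must not be flagged.
LEGIT_LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # malformed line, skip it
        for name in parts[1:]:
            yield ip, name.lower()

def find_sinkholed(text):
    """Return sorted hostnames mapped to a sinkhole address (i.e. blocked)."""
    flagged = set()
    for ip, name in parse_hosts(text):
        if ip in SINKHOLE_ADDRS and name not in LEGIT_LOCAL_NAMES:
            flagged.add(name)
    return sorted(flagged)

# Constructed sample: a stock Windows hosts header followed by lockout entries
# of the kind a "lock" script would add (domains are made up for the example).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.example.com example.com
0.0.0.0   update.example.net
127.0.0.1 support.example-bank.test   # constructed entry
10.0.0.5  intranet.corp.test          # not a sinkhole, not flagged
"""

if __name__ == "__main__":
    for host in find_sinkholed(SAMPLE_HOSTS):
        print("blocked:", host)
```

On a real machine, feed it the contents of C:\Windows\System32\drivers\etc\hosts; a clean file should produce no output.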

Now I believe that the purpose of these batch files is to create a “problem” for the scammers to fix so that they can take your money. But they didn’t stop there. The real threat is three other files that were present.

  • The first threat is a file that I found called air.exe. It appears to be a remote control application that would allow someone in another location to control a PC. It appears to be based on this application: http://www.aeroadmin.com/en/
  • Next on the list are two pieces of software called Nautilus Blue.exe and Nautilus Green.exe, which appear to be another remote control application called Show My PC, which is based on this: https://showmypc.com

Here’s the catch: these apps run an installer that appears to install other software. That of course isn’t good, as it implies that the problem they create would be persistent.

One note: I figured out what this stuff was doing using a piece of software called Process Monitor so that I could log everything that these pieces of software do at a very low level, be it network access, reading or writing to the hard drive, or whatever else these pieces of software decided to do. On top of that, I used a Windows 10 virtual machine via Parallels Desktop to do my testing so that I could take a snapshot of the environment before running this stuff and go back to that snapshot over and over again during my testing. Plus I would not have to risk a real PC being infected with something at the end of my testing.

I have reason to believe that if they got a chance to run these files (which they didn’t, because I pulled the plug on these guys), the scammers could remote control a PC at will. Plus nothing from a malware or antivirus perspective will detect this stuff, as it is based on commercial applications, which makes this stuff very dangerous. That makes the scammers very dangerous. Thus I will be submitting all of this to antivirus vendors in the hope that they will come up with countermeasures against this stuff so that these scammers cannot use these tools to do their evil deeds.

In the final part of this investigation, I will give you my tips in terms of avoiding a scam like this.

UPDATE: On top of submitting the files that I found to a variety of antivirus vendors, I have reached out to AeroAdmin and ShowMyPC as well to inform them that their software is being used in this scam and might have been modified. I will update you if I hear from them.

UPDATE #2: ShowMyPC has been very helpful in terms of unwrapping the files named Nautilus Blue.exe and Nautilus Green.exe. Here’s what they said:

Of the 2 files you sent, one of them, the green one, seems like a renamed, perhaps re-bundled or modified, file of our free version.

Our free version has an interface that has to be launched, a button that must be explicitly pressed to start, and then a warning dialog to accept settings, before a user can use it. It is very restrictive in time and usage and, unlike many other programs, has no inbuilt functionality to start remotely.

Our exe does not install anything but does extract files while in use.
Just delete the main exe and any temporary files, if any exist. You can read about uninstalling and any temp files at this link:
http://showmypc.com/faq/uninstall-showmypc.html

Although it’s hard to say how the program was modified, if it was used on your customer’s PC we may be able to help you track the remote IP of the users if they made any connection, and we can block those users from using this.

Any session using our program can be easily reported here:
https://showmypc.com/faq/warning.html

Thanks for bringing this to our notice, and we continue to keep a watch on any abuse reports.

I’d like to thank ShowMyPC for their help with this. Now over to Aero Admin. I am working with them as well and I will update you when I have more info.


Kaspersky Punted From Feds List Of Approved Vendors

Posted in Commentary with tags on July 13, 2017 by itnerd

Following up on this story from yesterday which suggested that Russian antivirus company Kaspersky had ties to Russian intelligence, it seems that Kaspersky has a full blown crisis on its hands as it has apparently been removed from the US government’s list of approved vendors:

The delisting represents the most concrete action taken against Kaspersky following months of mounting suspicion among intelligence officials and lawmakers that the company may be too closely connected to hostile Russian intelligence agencies accused of cyber attacks on the United States.

Kaspersky products have been removed from the U.S. General Services Administration’s list of vendors for contracts that cover information technology services and digital photographic equipment, an agency spokeswoman said in a statement.

Here’s why this happened:

The action was taken “after review and careful consideration,” the spokeswoman said, adding that GSA’s priorities “are to ensure the integrity and security of U.S. government systems and networks.”

Translation: We don’t trust Kaspersky.

You have to wonder how much of this comes from actual proof against the company and how much comes from politics. Either way, it’s not a good situation.

#Fail: Verizon Suffers Data Breach…. Data From 14 Million Customers Exposed

Posted in Commentary with tags , on July 13, 2017 by itnerd

US cellphone carrier Verizon has one hell of a data breach on its hands. A security firm by the name of UpGuard found out about this security blunder, which involved technology supplier Nice Systems, which left Verizon customer data unprotected on an Amazon Web Services S3 storage instance. This data was publicly accessible to anyone who had the “easy-to-guess” URL, the security firm said. The data in question included names, phone numbers and PINs that could be used to access customers’ Verizon accounts. The number of customers potentially affected totaled 14 million.

#fail

Verizon has admitted to the breach, but has downplayed the potential damage that could have been caused. Still, this highlights what can happen when a company loses control of your personal information.

UPDATE: Clearly Verizon is touchy about this because I got this via Twitter no less than 5 minutes after posting this story:

#Fail: US Health Insurer Mails Coverage Information On USB Keys Which Could Lead To Pwnage

Posted in Commentary with tags on July 13, 2017 by itnerd

From the “this seemed like a good idea at the time” department comes BlueCross and BlueShield of Alabama and their decision to mail out policy details on a USB key, along with instructions to insert the key into a PC. Here’s the problem according to the fellow who brought this to light via a LinkedIn post:

You should never insert an unknown USB device into your computer or run an unknown program. If you do, it is possible for that device to install software on your computer that may not have the best of intentions.

I am not accusing BCBS of creating software that is less than aboveboard. However, now someone wanting to exploit your computer can copy this concept and just start randomly mailing these out to companies hoping that they will insert it into their computer and run their nefarious software. The fact that BCBS appears to have officially sent these out increases the likelihood that someone will trust the next wave of them whether they are official or forged.

This, to me, should be something that even the most junior cyber security consultant would understand is a bad idea. A corporation the size of BlueCross should have the resources to make sure ideas like this never see the light of day.

Clearly someone at this organization didn’t think this through. Thus I suspect heads will roll over this, as in the age of epic pwnage this would be an easy-to-exploit attack vector.