back to article Hacker publishes tech support phone scammer slammer

Security pro Matthew Weeks has released a Metasploit module that can take over computers running the Ammyy Admin remote control software popular among "Hi this is Microsoft, there's a problem with your computer" tech support scammers. Weeks' day job is director at Root9b, but he's taken time to detail a zero-day flaw in Ammyy …

  1. Anonymous Coward
    Anonymous Coward

    I'm getting stabbed...

    I can "use reasonable force" and (likely) stab the person stabbing me without further charges...

    I'm getting hacked and I have to bend over and take it, despite knowing that the person doing the hacking is about to go and attack someone else as well...

    1. Allan George Dyer

      Re: I'm getting stabbed...

      It's wonderfully ironic to use a flaw in your attacker's weapon to get them, but this isn't "reasonable force". It is more like you see someone with a knife trying to sneak up on you and, instead of stepping behind your knife-proof door, locking it and calling the police, you pull out your own weapon, saying, "come on, if you think you're hard enough". You have a safe choice: not "following" their instructions, but you take a risky choice with increased chance of damage on both sides.

      If you try this, you'd better be damn sure you're better than the attacker, or you'll find they've planted some evidence to make it look like you infected their machine with the tool before trashing it.

      1. dotdavid

        Re: I'm getting stabbed...

        I'm guessing these companies aren't likely to run to the police if you hack their machines, as face it they're likely to have evidence lying around that they've hacked thousands of people.

      2. Anonymous Coward
        Anonymous Coward

        Re: I'm getting stabbed...

        That's not true. This exploit would be like beating your attacker to death with the knife handle while the blade is stuck in your chest.

      3. I ain't Spartacus Gold badge

        Re: I'm getting stabbed...

        It's very tempting though. We still get at least one call a week from these guys. I've got an old laptop handy, that I'm willing to risk. I could have it set up and ready to go. But in the end, it's probably too much hassle, when I can just tell them to bugger off. And you'll only get to hack some minion in a call centre.

        1. dotdavid

          Re: I'm getting stabbed...

          What you really want is some kind of device that recognises the caller's words and phrases and replies with a realistic "old person" response. Then you could just leave the hacker tied up trying to explain what a window is to a virtual old person. With VOIP you could seed the internet with honeytrap potential victims.

    2. NightFox

      Re: I'm getting stabbed...

      Brave Sir Knight to Squire: "See how yonder French archer will fire his arrows on me only for my new shiny armour to deflect them back through his eye and into his sku...."

      TWANG................... THUNK!!!

      "Oh bugger"

      (Drops down dead with several arrows protruding from chest)

      1. Trigonoceps occipitalis

        Re: I'm getting stabbed...

        "They couldn't hit an elephant at this distance."

        Major General John Sedgwick

    3. AlbertH
      Mushroom

      Re: I'm getting stabbed...

      I'm uploading a particularly nasty version of the old CIH virus to these scammers. It spreads via local ethernet as well, and after thirteen reboots, it re-writes the BIOS rendering the target machine un-bootable. I don't know how many of these clowns have received this yet, but the USB sticks I sent to a few people have been used (and duplicated) very widely. Let's hope a lot of their machines are now paperweights.....

      1. Anonymous Coward
        Anonymous Coward

        Re: I'm getting stabbed...

        "I'm uploading a particularly nasty version of the old CIH virus to these scammers."

        I suspect the scammers probably aren't running Windows 9x.

        CIH (aka Chernobyl) doesn't work against the NT kernel. It writes to the first 1KB of a disk and/or the BIOS, both of which are prevented by NT security*. That's assuming the code is even compatible with modern Windows.

        * Not allowing applications direct access to hardware is one of the things that made the NT kernel so stable (in comparison to DOS/Win9x) while also increasing security.

        1. Anonymous Coward
          Anonymous Coward

          NT kernel security...

          re: '* Not allowing applications direct access to hardware is one of the things that made the NT kernel so stable (in comparison to DOS/Win9x) while also increasing security.'

          Moving the GDI into ring 0, reintroduced instability and insecurity.

    4. Richard Jones 1
      WTF?

      Re: I'm getting stabbed...

      I fell into your line of thinking about the offence of retaliation for a while but then I realised.

      They call up saying you have a nasty thing on your computer and yes you have so you say

      "Yes I have."

      They log into your computer and the nasty thing turns round and bites them. You have been totally honest, they called you, they got the problem, where is the issue?

      To take another example, you call a repair person saying that some electrical device is faulty. They come round and either collect it to test at their workshop or plug it in with you.

      It goes bang and they get a shock.

      You are dealing with 'experts who know about these things' they should fully understand the risks of faulty electrical devices or bug ridden PCs - that is their job, not yours.

      [Word to the wise, just in case, do not let a gas fitter test for leaks with a lighted match.]

  2. heyrick Silver badge

    would breach some form of broad computer crime laws.

    And, yet, trying to bugger up your computer is okay?

    1. This post has been deleted by its author

    2. Steven Raith

      Re: would breach some form of broad computer crime laws.

      Two wrongs don't make a right.

      That said, it is - on occasion - hilarious.

      Steven R

  3. Dr. Mouse

    Well done that man! I'd happily buy him a pint in thanks!

    I wish more of this was done. A true white vs black cyber war would be awesome!

  4. WonkoTheSane

    Hmmm,

    Will this run on a VM I wonder?

    +1 to buying this guy a pint!

    1. sjaddy

      Re: Hmmm,

      If you read his web page all the testing was done on VM

  5. ukgnome
    Pint

    Well done that man

    -------------->

  6. Parax

    Air Force reverse engineer?

    Did the author mean "Air Force reserve engineer"?

    Anyway this needs the webcam trick that the Zeus guy used. would be good to post more screenies of scammers..

    1. Terry 6 Silver badge

      Re: Air Force reverse engineer?

      Someone has to get the planes back into the hanger.

      1. Uncle Slacky Silver badge
        Alien

        Re: Air Force reverse engineer?

        Also, someone has to work out how the captured UFOs work...

    2. bob, mon!

      Re: Air Force reverse engineer?

      A couple of years ago the Air Force hosted a "Reverse Engineering Workshop". I suspect the author meant "reverse engineer".

    3. Col_Panek

      Re: Air Force reverse engineer?

      I worked for the Air Force, and I've been called similar things. Ass-backwards, mostly.

  7. Steve Graham

    Yes, but...

    Ammyy Admin is supported software. The next release will surely fix this vulnerability now that it's published.

    1. Destroy All Monsters Silver badge

      Re: Yes, but...

      > supported software

      Honor among thieves?

  8. Anonymous Dutch Coward

    Tens of millions of users

    Used by tens of millions of users? Really? Or do you mean tens of millions of victims - which sounds also quite large but who knows!?!?

  9. Stretch

    If you tell the scammer you are going to exploit him when he tries to connect then it would not be a crime. I doubt many of them have any idea what they are doing or how, and would answer "yes, ok" to anything you say

  10. alain williams Silver badge

    Please do something useful with it

    like recording details of the scammer's machine:

    * machine registration details, OS, timezone, ...

    * traceroute to google - will give some real IP address on the way out

    It is the second that is useful - it should not be hard to work out who is using that IP address and send in the fuzz to grab all machines and use the first to identify the individual machine. They can then start throwing these people in jail.

    Assuming that local law enforcement or politicians are not bought off with bribes - these scammers could be a non trivial foreigh earner in some parts of the world.

    1. tony2heads

      @alain williams

      I am willing to place a small wager on nigerians being involved

  11. Anonymous Coward
    Anonymous Coward

    Your Mother Must Be Very Proud of The Work You Do

    I can hardly wait for one of these a-holes to call me so I can try this. But I wanted to post what I've been doing in the past.

    I go along with the caller without really putting in or out any real information and after we've been talking for a while and I can tell he's relaxed a little I change my tone completely to my best Darth Vader voice and say, "I know your Mother must be very proud of the work you do; I want you to know I've put a curse on you and all your family. A horrible curse that will follow you for the REST OF YOUR LIFE"

    Usually I get stunned silence on the other end followed by some weak come back and a hang up.

    Hilarious.

  12. Robin Bradshaw

    http://www.itslenny.com/

    Theres more than one way to skin a cat

  13. Truth4u

    Using this would breach the law

    That's the perfect reason to use it. There's already crimes taking place against us that the police don't care about (cos someone in another country did it using the internet, so why should the police care? Just cos it's their job? No, they're not paid to give a shit about crimes in other countries)

    well it cuts both ways, if you use this against an attacker in another country, what will their police force do about it?

    uh, exactly, nothing.

    so hack away.

  14. Anonymous Coward
    Anonymous Coward

    Had one of those call me once. Was really funny to give them the run around on my linux desktop. Took them over an hour to figure out I wasn't using windows.

    1. Col_Panek

      The best (legal) offense is to waste their time, so they avoid calling other victims. Tell them to wait while your machine boots up (10 minutes)....go to the loo to take a dump, bringing the phone with you, so they can hear you grunt. ...give the phone to your 3 year old to continue the conversation, walk off "to get your credit card" ...when you tire of the game, explain you run Linux, which will get them to immediately hang up.

      Above all, remember these people are crooks who hate you and your country.

      What the hacker who wrote the scammer slammer should have done: installed Linux on grandma's PC. End of problem.

  15. lizbradley

    Since I'm not very good with computers and stuff, I'll just hang up and report the scammer phone number to Callercenter.com to warn others.

    1. hayzoos

      Hanging up is good. Reporting the scammer's phone number is a waste of your time. They use caller ID spoofing and can display any phone number they choose.

      You do not have to be good with computers to waste their time and delay them from scamming another victim. Do not download any software they tell you to. Do not give them any identifying information including addresses your street address or computer's IP address. Do not give them any financial account numbers.

      I had a group calling a few months ago, once or twice a day for a week. Each time they called they used a different number. I asked my number to be removed from their list since they wouldn't be successful in scamming me. That did not work, they still called. They did stop calling after I identified myself as an experienced computer professional and was challenged to a "quiz". Some nonsense about what character cannot be used in a filename. I know how to use any character in a filename, including the colon. It may break the filesystem or thoroughly confuse the OS but it can be done. The scammer became irate and hung up. No calls from them after that.

      1. Truth4u

        Walk up to the toaster and be like... "ok I turned it on now what?"

        And proceed on that basis. It will be literally half an hour before they even figure you're not at a computer.

        "I don't see a start button, there's a button to make it pop up"

        is it a laptop?

        "no"

        etc

        In the unlikely event of them figuring it out just say "oh you mean the COMPUTER!" and move to the next kitchen appliance.

  16. PeterM42
    Trollface

    2 helpful responses...

    1) Pretend to be an old dodderer and lead them on (thus wasting their time and running up their phone bill) and just before they get to the bit where they have your information, tell them to bugger off.

    (My last ones were on for 20 mins and 15 mins respectively). Great fun!

    2) Have a VERY LOUD whistle handy near the phone.

    BOTH methods can be used consecutively for maximum enjoyment.

    1. Anonymous Coward
      Anonymous Coward

      Re: 2 helpful responses...

      I did the latter by mistake once.

      Went to go get Audacity recording and forgot I had software playthrough enabled, and so they copped a loud feedback howl.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like