back to article Your antivirus doesn't like Ammyy. And fraudsters will use that to RAT you out (again)

Crooks have once again targeted users downloading Ammyy's remote access software as a conduit for spreading malware. The tactic – which has been witnessed before, specifically in the infamous Lurk banking trojan – has been in play since early February, 2016. Ammyy Admin is a legitimate software package (used by top …

  1. Swarthy Silver badge
    Facepalm

    I dunno if this would work...

    But might it be a good idea to have a "known good" or "gold" copy of the download held in a secure non-web-facing store (in a BLOB in a back-end database, or a heavily fire-walled FTP server) and have the web site check that its cached version is the same as the "gold" version on a daily, or hourly basis?

    Or, you know, secure their web server so that bad actors can't arbitrarily change the software available on it.

    1. Pascal Monett Silver badge

      Re: secure their web server

      It seems to me that, however strong you think your webserver security is, there will always be a chink in the armor for the bad guys to slip through.

      Especially when you discover that some dormant, unused component you happen to have stored but not activated can actually be used to hack your site even if you've never so much as referenced it.

      But I like the idea of a gold reference.

    2. FlamingDeath Bronze badge

      Re: Gold copy

      Something like this?

      find /var/www/website.com/public_html/. -type f -print0 | xargs -0 md5sum > ~/checksum.md5

      Then Cronjob this command to run periodically

      md5sum -c ~/checksum.md5

      No need to store duplicate copies of files, just md5 hash them at point of creation

      1. Adam 1 Silver badge

        Re: Gold copy

        > Then Cronjob this command to run periodically

        md5sum -c ~/checksum.md5

        I'll just leave this here.

        Your idea is correct in principle, just don't use an insecure hash if you are using it for security purposes.

    3. JLV Silver badge

      Re: I dunno if this would work...

      That's a good idea. But I think it's what the hash signatures you see on some downloads are used for. Of course that supposes you can ensure that your good hashes are stored elsewhere and secured against manipulation.

      Sobering incident. Both for someone wanting to distribute software and someone installing it.

      I always think that the less sites you trust as download sources, the better. App Stores are OK by me, so are the open source repos for Linux and Port/Homebrew (Mac). Past that... I need to really need that software.

      PyPi, the Python script repo is another worrying example. Not sure how much vetting, if any, is taking place on uploads. Yes, you can read what you download, but install scripts have already, as sudo, run by then. And it doesn't take many lines of Python to make a mess.

      1. asdf Silver badge

        Re: I dunno if this would work...

        > so are the open source repos for Linux and Port/Homebrew (Mac)

        As long as they are signed but the real danger is getting the Linux iso (even original maybe compromised and so md5sums match) in the first place which Mint learned painfully earlier this year.

        1. a_yank_lurker Silver badge

          Re: I dunno if this would work...

          No system is completely foolproof but repos/app stores allow for some degree of policing and verification beyond what users can do.

    4. Adam 1 Silver badge

      Re: I dunno if this would work...

      > But might it be a good idea to have a "known good" or "gold" copy of the download held in a secure non-web-facing store

      Except if your site got pwned then they would just return true inside the isequal method it uses compromising the entire model.

      You don't really need the whole file btw. You just need to store its hash and compare that. Where your idea does have merit would be to deploy to a web job to aws/azure that downloads the files and does the comparison once an hour, broadcasting to predetermined mailboxes when there is a mismatch. Just don't use the same credentials or server for that web job and remember to update your build system to push the new hash to the guardian web job.

      Next, figure out some way to protect your build server/repository/compiler/meatbags involved in pushing out a release.

    5. Charles 9 Silver badge

      Re: I dunno if this would work...

      I've thought about it, but then you get the "Turtles All the Way Down" problem. How can you be sure the "known good" copy really IS "known good" if the intruders are savvy enough to not only replace the copy but also its hash as well (or worse, if it's a well-resourced enemy like a State, successfully pull off a Preimage Attack and submit a bad copy with the same hash)?

  2. Shadow Systems Silver badge

    I have fun with the scammers...

    When they direct me to download either TeamView or the Ammyy client, I pretend to visit the site but then tell them I'm getting a 404 error. They then try & walk me through the steps to make sure my internet is connected, & Google or (nearly) anywhere else has no problem. But those two sites aren't available no matter what they want me to do. The scammer then gets frustrated & tries to berate me, but I gleefully point out that THEY called ME to report a problem with my computer so it should come as NO surprise that there's a *Gasp!* problem with my computer. I string them along as long as possible, pretending to be completely technicly inept one moment or unable to get the computer to do what they ask, or the browser refuses to load a site or download a file or resolves to Youtube instead (it's fun to play cat videos to them), & generally waste as much of their time as possible.

    The calls usually end in the scammer screaming the air blue with profanities even a pirate would find disturbing, ranting & raving & foaming at the brain in fury at me having wasted their time, & me laughing my arse off.

    I wonder if I should let on that I've got sites like TV & Ammyy listed in my HOSTS file & therefore can't access them from this computer at all?

    *Maniacal cackle*

    1. Charles 9 Silver badge

      Re: I have fun with the scammers...

      "I wonder if I should let on that I've got sites like TV & Ammyy listed in my HOSTS file & therefore can't access them from this computer at all?"

      NO! Don't! Then they'll know what's up and go to Plan B: a relay that WOULDN'T be on your blacklist because you never heard of it until now.

    2. VinceLortho
      Devil

      Re: I have fun with the scammers...

      Done the same - great fun. I use a blank virtual machine for them to take over and reset it to an initial snapshot after I've wasted the idiot's 45 minutes of effort. Bwahahahahahah!

      1. Charles 9 Silver badge

        Re: I have fun with the scammers...

        But what if the malcontents have a Red Pill that can jailbreak them out of the guest OS into the host?

  3. Walter Bishop Silver badge
    Facepalm

    Ammyy Admin is transparent for Firewalls

    "Ammyy Admin is transparent for Firewalls, so you don't have to make any additional adjustments to ports or NAT settings." ref

  4. Anonymous Coward
    Anonymous Coward

    shame

    it's a shame because it is quite good and easy to use

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019