Support Scam Using (MS-)DOS* Attack

Fraud

3

We still have comments and reports coming in from our blog readers concerning the ongoing problem with scammers, almost invariably based in call centres in India, trying to persuade them that their PCs are infected with viruses or compromised by hackers. Here are some thoughts in response to a recent comment to one of my earlier blogs on the timeworn topic of the support scam.

The intended victim was influenced by recent reports relating to the recent Internet Explorer bug into believing that it was possible that his machine had been infected as a consequence of that bug, and the scammer used the old ASSOC trick to convince him that one of the lines displayed by ASSOC showed his computer’s ‘unique ID’:

.ZFSendToTarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}

ASSOC is a command that displays the program and/or functionality ASSOCiated with a specific file type. This particular CLSID is frequently misrepresented by scammers as being a unique identifier of the victim’s system and/or a license ID for the Windows operating system. In fact, a CLSID is an identifier that is unique not to a particular PC, but to a COM class object, which means that it will be the same on any Windows system where that object can be found. In other words, there are many millions of Windows computers where running the ASSOC command will show exactly the same text somewhere in its display. It does not represent a unique ID string for either the PC or for a specific installation of Windows. (Indeed, our reader subsequently found the same string on his other PC, as you’d expect.)

assoc 3

Typical ASSOC output: the string the scammers like to use is flagged in red

Next, the scammer persuaded him that there were problems on his PC by asking him to run EVENTVWR to prove that there were ‘problems’ on the system. Event Viewer is a tool that keeps a system log. It will take you to a screen that shows you various system events, some of which will indeed be problems, though they’re usually transient errors and glitches that have already come and gone.

eventvwr

Typical Event Viewer Output

As is usually the case, the scammer was misrepresenting log entries as something more serious in order to persuade the intended victim to install remote access software such as AMMYY or TeamViewer to allow the scammer – or one of his ‘technician’ friends – to access the victim’s machine. When the scammer showed him the Windows ‘process tree’ – I guess using Task Manager – it was claimed that the running process csrss.exe was a Trojan being exploited by Mexicans to gain access to the PC and to the victim’s internet. (What the residents of Mexico have done to deserve such a slur, I can’t imagine, but at least I finally have an excuse to use the expression ‘Mexican Standoff’ in a blog title, even if the analogy is a bit strained.) In fact, while Trojans masquerading as csrss.exe are not unusual, the (real) file is the user mode part of the Client/Server Runtime Subsystem, an essential Windows system service. In other words, you need it to be running.

The scammer used the netstat utility to ‘prove’ his assertion, presumably with output something like this:

C:\>netstat -n

Active Connections

  Proto  Local Address          Foreign Address        State
TCP    192.168.1.76:64617     173.194.66.125:5222    ESTABLISHED

  TCP    192.168.1.76:64694     23.62.2.51:443         ESTABLISHED
  TCP    192.168.1.76:64996     31.13.72.65:443        ESTABLISHED
  TCP    192.168.1.76:64997     70.167.14.17:443       ESTABLISHED
  TCP    192.168.1.76:65041     173.252.102.241:443    ESTABLISHED

 This type of output has been used before by scammers to suggest that entries under ‘Foreign Address’ represent some sort of external attack. In fact, they simply represent legitimate connections between the local machine (in this case 192.168.1.76) and various remote systems.

In this case, fortunately, the intended victim realized that he was being scammed and denied the scammer further access.

On a related note…

For anyone who remembers an article I put up here – Facebook Likes and Cold-Call Scams – with Martijn Grooten of Virus Bulletin and Steve Burn of Malwarebytes and concerning dubious advertising on Facebook and elsewhere by tech support sites, you may be interested in articles here and here. They’re concerned with an initiative involving Facebook and others to reduce the impact of false advertising by tech support scammers who’ve gone beyond cold-calling to trying to attract people who are actively looking for help.

And an Ars Technica article – Inside the US government’s war on tech support scammers – describes how an FTC (Federal Trade Commission) investigator gathered evidence that helped towards getting a temporary restraining order against a company called PCCare247. An interesting variation on the netstat gambit described above was used by the scammer in the conversation recorded here. Having gained access to the supposed victim’s PC, he flagged a connection with a system outside the US with netstat that, according to him, showed that the PC was being hacked remotely. You won’t be surprised that the FTC concluded that:

This was a brazen lie; forensic examination would later conclude that the single connection displayed by netstat was in fact the remote access tool that Yakeen was using at that moment to control Novick’s machine.

TREE with low-hanging fruit

The article also cites an instance of the tree command being misused as evidence of the presence of malware. According to a comprehensive list of misused utilities published by our friends at Malwarebytes, the DOS commands dir and tree are frequently misrepresented as performing a full virus scan. As most readers of this blog will know, all they actually do is give listings of files and directories. Clearly, there are lots of computer users nowadays who have never seen an MS-DOS command prompt and don’t know about what we computing dinosaurs regard as basic DOS commands. It seems that support scammers are finding – or at least hoping to find – victims who can be conned using the most primitive of gambits because they don’t have decades of experience of command-line utilities.

DIR output

Typical Output from DIR

Conclusion: Avoiding the Gobbledygook

We can’t expect the average user to learn all about legacy utilities left over from obsolescent operating systems. But they can usually bypass these attempts to blind them with pseudo-science and technical-sounding gobbledygook by remembering a handful of basic rules.

  1. Don’t allow anyone who rings you out of the blue to connect to your PC for any reason. It’s like meeting someone in the street and having them tell you that you have mice under your floorboards, but if you give them your house keys and credit card they’ll go and sort it out for you.
  2. Don’t believe them when they say they know about the health of your PC. Tech support scammers don’t really know anything about your system, any more than someone you pass in the street knows about the state of your house. They may know your name and address – they can get that info from directories and marketing lists – but they don’t know anything else. All the CLSID and DIR nonsense is to con you into trusting the untrustworthy, by convincing you that they know more than they really do.
  3. Don’t take it for granted that any stranger who calls you out of the blue is the person they claim to be. If they claim to be representing your provider, or Microsoft, or your bank, it’s their responsibility to provide proof of their identity. Even if they give you information that you believe only your provider would know, consider calling the organization concerned back on a phone number you know to be genuine.

*That’s DOS as in Disk Operating System and, specifically, MS-DOS (Microsoft’s pre-Windows operating system for PCs), not Denial of Service. Though that could apply too.

David Harley
ESET Senior Research Fellow

 

Author David Harley, ESET

  • phantomsteve

    I have once had one of these “Hi, we’ve found your computer sending viruses” type of phone calls. I just asked three simple questions, which they were unable to give an answer to (I didn’t have the answers to hand, as I wasn’t on my computer at the time, but that was irrelevant as they didn’t even try to answer):
    “OK, if you know it’s from my computer, you should be able to tell me the three following bits of information:
    1. My IP address
    2. The computer name that I have given my computer
    3. My MAC address”….

    Strangely enough, they countered #3 with “oh, you don’t have a mac, you have a PC”..!

    Needless to say, they hung up!

    I have had a non-techy friend ask the same questions when they got a similar call (especially the MAC address – I told him that he doesn’t need to know what it is, just that it’s nothing to do with Apple computers) – he had no idea of the answer to 1 & 3 (he knew 2, as he’d actually changed his computer name with my help!)… but he didn’t need to. I also told him that if they tried to say “well, we can see you are using Windows 7″ (this is a couple of years ago), then to say “can you please tell me what service pack I’m using then?”…. he didn’t need to ask that though!

    We’ve only been bothered the once by the scammers like this…

    • http://dharley.wordpress.com/ David Harley

      :) I have actually asked them what they think my IP address is, and got a great deal of amusement from the answers.

  • Jammer

    What i have seen in Australia is, a)they rent a house in a large city, b) use the phone system (They use the local phone exchange to call from so the # looks local), 3) Repeat after a & b have been exploited to the full amount.

Follow Us

Automatically receive new posts via email:

Delivered by FeedBurner

26 articles related to:
Hot Topic
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.