A few days ago, I received a panicked call from my parents who had somehow managed to land on a (now defunct) page (snapshot here) claiming they had been infected by Zeus. This horrible HTML aggregate had it all: an audio message with autoplay, endless JavaScript alerts, a blue background with cryptic file names throwing us back to Windows' BSoD days, and yet somehow it displayed a random IP address instead of the visitor's own.
First call:
After everyone had a good laugh on Twitter, I decided I would give them a call to know more about what they hoped to accomplish. So I fire up an old Windows XP VM and get in touch with the "tech support". I am greeted with a pre-recorded message, then Patricia is kind enough to answer my call. I immediately try to get her hopes up by telling her that I'm a businessman working on an important, high-figure contract, and that time is of the essence. Sadly, it turns out that her French is quite poor, so going off-script is a no-no. She guides me through the steps needed to download some kind of remote-assistance client: Windows+R, type in iexplore remote.join360.net, jump through a few more hoops and run whatever executable is offered to you. From what I gather, this is actually a legitimate tech-support program, it being digitally signed and all.

The fun starts now. Patricia fires off cmd.exe after failing to recognize OllyDbg and IDA's icons on the desktop. In what I can only assume is a ploy to establish her technical expertise, she runs dir /s and tells me that the dates match my logins on this system and the files are all the documents I accessed. I feign amazement. Meanwhile, I stealthily send a CTRL+C into the terminal so we can go on with our lives. Patricia then types "1452 virus found", then "ip hacked", and asks me which antivirus software I use. None, I reply: they're too expensive and @taviso keeps breaking them anyway. The reference is lost on her, but she chastises me nonetheless.

Then something weird happens. She tells me that I'm at the end of my 15 minutes of free support and that she's calling me back so I don't have to pay. A few minutes later, I do indeed receive a call from a phone number in Pennsylvania (+1-267-460-7257). She goes back to berating me about my apparent disregard for basic computer hygiene. In the end, she reaches the following conclusion: my computer has been infected, and now it needs to be cleaned up.
I'm encouraged to buy either ANTI SPY or ANTI TROJAN, for the measly sum of $189.90. Before I have the opportunity to get my credit card, she goes back to the terminal, runs netstat and tells me that there's someone connected to my machine at this very moment.
Daniel