Thursday, November 13, 2014

Is it ethical to sell zero day exploits?

Zero day flaws are vulnerabilities that nobody outside a small circle knows about until it’s too late: on the day they surface, there is no patch. They’re the things like Heartbleed, Shellshock, or most recently POODLE, which let attackers leak secrets from, run commands on, or decrypt traffic to machines that aren’t theirs. They’re also the things like Sandworm and Operation Snowman: previously unknown entry points into a PC through end user software that allow malware writers to infect their victims in new and often unprotected ways.


Zero days are dangerous because, when they surface, the vendor has had literally “zero days” to prepare a patch, and users have no fix to apply. Once a zero day is made public, you should assume it is already being exploited by cybercriminals in the wild. For this reason, the biggest concern in the world of zero day research is never a question of when, as bugs will always be discovered. Much more pertinent is the uneasy question of how.


How Zero Days are Disclosed


Zero day research is a very big deal, and it involves a lot of money.


On one end of the spectrum, you have internal researchers, employed by software companies, who actively look for security flaws in the company’s product so that they can stay ahead of attackers. If such a flaw is found, the software receives “just another round of updates” and the problem is more or less quietly fixed, without a scary security announcement to users.


This is, for example, what happens with your Windows-based PC on Patch Tuesday, the second Tuesday of every month. Patches like these are by no means perfect: attackers routinely compare a patched binary against the old one to rediscover the flaw, and there is always a window between release and automated update that they can exploit, but ‘good guy’ zero days more or less make the best of what’s already a bad situation.


On the other end of the spectrum, things get much worse. Here, you have financially motivated hackers who uncover new vulnerabilities all on their own.


They have no ties to the company or the users their discovery will affect, and they simply want to make as much money as they can, regardless of others (or the law). In this ‘bad guy’ scenario, the profitable course of action is keeping one’s mouth shut and quietly using the zero day in a new malware distribution campaign. In this way, a bot master can infect thousands of new victims in a matter of days. The in-the-wild zero day will of course eventually be discovered by one systems administrator or another, then announced, then patched, but all of that takes time.


Move between these two endpoints, and things start to get interesting. Sometimes the good guys aren’t official employees; sometimes they’re independent researchers claiming bug bounties, which at big companies like Facebook and Microsoft can be as large as $150,000.


Sometimes these researchers get their bounties, along with 15 minutes of fame, and other times they do not. When this latter scenario occurs, things begin to turn a bit greyer, as jilted researchers sometimes opt to disclose to the public without the affected company’s consent.


In situations like this, the company is usually spurred to action, but whether users are safer than they would have been if no one ever knew is a hot topic of debate. You can’t know what you don’t know, and with zero days this means there is always the chance that someone malicious has discovered the flaw too. For the surveillance wary, this ‘malicious someone’ even extends to the government; in fact, in recent months some have even suggested that the NSA knew about Heartbleed before it was disclosed.


Zero days, get your zero days!


So, who else finds zero days? Well, a better question might be: what happens when zero days become a commodity? What happens when a few entrepreneurial actors come along and recognize that the spectrum outlined above represents much more than just a collection of ways in which software flaws are discovered and disclosed? When they realize, with glee, that this spectrum is a real-life environment, overflowing with unmet economic demand?




Enter the world of for-profit zero day research. Here, vulnerabilities are bought and sold to the highest paying bidder.


Here, vulnerabilities aren’t just casually researched by security enthusiasts hoping to make the world of software a better place, and maybe make a few bucks while they’re at it. Here, zero day flaws are aggressively sought after – and when they’re found the danger of public disclosure is used as a very effective sales mechanism.


It works like this:


Someone comes to your place of business and tells you they have discovered a secret way to exploit your product that will allow whoever uses it to leech money and personal information off of you and your customers.


They tell you that you can have access to this secret information, but only at a price. You freak out, but then you think: should I take this person seriously? Then you consider slamming the door on them. Then you realize: if what they’re saying is true, what’s stopping them from selling this supposedly secret knowledge to someone else?


From a legal standpoint, very little is stopping them. For-profit zero day research, and even brokering, is legal in most jurisdictions. This is because knowledge of a zero day is not the same thing as exploitation of a zero day: it is not illegal to know that a flaw exists, and for the companies that have such flaws this knowledge can help prevent security disasters. The problem, though, is that this knowledge isn’t always sold to the companies it affects. It’s sold to whoever is willing to pay, at the seller’s discretion.


Sometimes it’s sold to competitors. Other times it’s sold to governments. Pricing can range from five to seven figures, and many of the larger customers actually pay for catalog-style subscriptions that give them access to 100 or so vulnerabilities per year.


Smaller software companies, on the other hand, usually cannot afford to play this zero day game. This often means that independent researchers don’t bother to find flaws in smaller companies’ products, even if the products are good and lots of people use them. It can also mean that when zero days affecting smaller companies are found, for-profit researchers stand to earn much more by selling the knowledge to a larger, better funded competitor and never telling the affected company or its users.


The firms that find and sell these vulnerabilities can be found through a simple Google search. There are many, and anyone who runs this search will also find that scattered throughout the results there are also more than a few articles on ethics.


Zero day knowledge may be fundamentally different from zero day exploitation, but the question of whether people should sell the former to prevent the latter remains unresolved. In a free market vulnerability economy, the only thing stopping a research firm or broker from selling a zero day to a cybercriminal or a repressive government is that firm’s or broker’s moral compass. Many feel that this barrier is much too subjective and much too easily swayed by the amount of money involved. Many are also troubled by the fact that most zero day sellers have sworn to keep their client lists absolutely secret.


For users affected by security bugs in the products they buy to manage their work and their lives, the question that needs to be answered is whether for-profit zero day research has a net positive or net negative effect.


Fundamentally: Is software safer in a world where zero day research is privatized? Or is vulnerability salesmanship simply Malware Lite?


As always, we’d love to hear your thoughts.


Have a great (zero-free) day!




Internet Zombie Defense Training, or: How Not to Become a Bot

Going on the Internet can be like walking through a post-apocalyptic city, where half the people you pass want to eat your brain.


In the post-apocalyptic city, these “people” are called zombies.


On the Internet, these zombies are infected computers, and we call them bots.


Bots and botnets are one of the most fundamental (and frightening) concepts of modern day malware. They are, very literally, networks of infection that allow their masters to hijack thousands of victims’ computing resources, to carry out any number of nefarious deeds or attacks over the Internet, for financial gain.


Don’t want to get bit? Then read below (and aim for the skull).


Fact 1: A group of zombies is much scarier than just one


Imagine going one-on-one with some undead ghoul. Do you hit it in the head, or just run away? Either way, you’re probably going to live to see another day. That’s how it works in the movies, at least. Individual zombies are pretty weak, but, in hordes, they are terrifying.


Strength in numbers applies to botnets as well. With botnet malware, the aim is to infect as many devices as possible. Once infected, devices become linked to a “Command and Control” server, which can issue remote commands.



 


Fact 2: Zombies like brains


Botnet masters connect their victims to Command and Control servers because botnet masters like brains. The more brain, i.e. computing, power a botnet master has at their disposal, the better. This is because botnets are used to carry out coordinated attacks, which combine the computing resources of thousands of machines. Such attacks have one primary motive: to make money for the botnet master, or for a paying customer who has requested the botnet master’s criminal services.



 


Fact 3: Zombies are evil


Like zombies, malicious botnets are pure evil. They exist solely to make money by wreaking havoc and destruction on everyone else.


Spambots hijack infected computers’ ability to email, as well as stored contact lists, to send out massive amounts of spam. Spam can be anything from annoying advertisements for sex products and diet pills, to malicious links and attachments that act as the “bite of the bot.” The increasing popularity of social media websites has now also attracted computing’s undead to places like Facebook and Twitter, where compromised profiles can be abused to spread comment spam.


Clickfraud botnets tell infected computers to go to a website and click on ads owned by the botnet master – or a client of the botnet master – making money for criminals AND slowing down your device by eating CPU time, memory and bandwidth.


DDoS attacks tell thousands of infected bots to hit the same website at the exact same time, overloading the targeted site to the point of collapse. These “zombie swarms” are carried out to extort successful websites or to (illegally) take down the competition.


Bitcoin mining botnets such as Linkup can turn your PC into a mindless slave that dedicates its resources to creating various forms of cryptocurrency and making someone else rich.


Illegal material download or propagation can be carried out by bot computers without their owner’s knowledge or consent. In this scenario, the infected bot acts as a proxy, so that criminals can be criminals without having to leave evidence on their own device. Instead, the illegal activity – and potentially the blame – is shifted to you.


The ability to steal your financial information or identity usually comes included. “Command and control” means command and control, and, in addition to being used as a weapon, a bot computer can be told to share its stored information or its user’s activity with the botnet master, in numerous ways.



 


Fact 4: Zombies don’t know that they’re zombies


And if you’re implicated in a botnet, you probably won’t know that your computer has become a bot. Your device will very literally be hijacked and told to perform malicious actions without your consent, behind the scenes.



 


Fact 5: Zombies like to limp around and drool


Nevertheless, one of the best ways to spot a zombie is its characteristic limp. If your computer becomes a bot, the situation will be much the same. An infected computer is very often a slow computer, because a botnet master’s primary objective is to steal the infected machines’ computing power. Accordingly, if your computer is acting slower than usual, you may be surfing with the undead. To find out, a simple Ctrl+Alt+Delete and a perusal of the Task Manager can be revealing; however, bot detection is not always so simple. Most modern botnet masters make explicit efforts to evade detection by the user, for instance by hiding the malicious code inside a legitimate process or by throttling its activity so that it never stands out. It is also important to note that even uninfected PCs carry out a number of important background tasks without explicit user consent, and that disabling these tasks in a fit of botnet paranoia can be just as disabling as an actual infection!
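One way to turn the “slow computer” hunch into something measurable is to look for beaconing: a bot checks in with its Command and Control server on a fixed schedule, while a person’s browsing is irregular. The script below is an added example, not part of the original post and not an Emsisoft tool; it parses a small constructed log of outbound connections (timestamp, destination, port) and flags destinations contacted at suspiciously regular intervals. The log format, the 203.0.113.7 address and the thresholds are assumptions for the demonstration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic): "timestamp destination port".
# The bot beacons to 203.0.113.7 roughly once a minute; the visits to
# example.org are a person browsing at irregular intervals.
SAMPLE_LOG = """\
2014-11-13T09:00:00 203.0.113.7 443
2014-11-13T09:00:14 example.org 443
2014-11-13T09:01:01 203.0.113.7 443
2014-11-13T09:01:45 example.org 443
2014-11-13T09:02:00 203.0.113.7 443
2014-11-13T09:02:03 example.org 443
2014-11-13T09:03:02 203.0.113.7 443
2014-11-13T09:03:59 203.0.113.7 443
2014-11-13T09:04:10 example.org 443
2014-11-13T09:05:00 203.0.113.7 443
2014-11-13T09:06:01 203.0.113.7 443
2014-11-13T09:07:30 example.org 443
"""


def parse_log(text):
    """Group connection timestamps by (destination, port)."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, host, port = line.split()
        conns[(host, int(port))].append(datetime.fromisoformat(stamp))
    return conns


def beacon_score(timestamps):
    """Coefficient of variation (stdev / mean) of the gaps between
    consecutive connections. Close to 0 means clockwork regularity;
    None if there are too few samples to judge."""
    times = sorted(timestamps)
    if len(times) < 4:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return statistics.pstdev(gaps) / mean


def find_beacons(text, max_cv=0.2, min_conns=4):
    """Return the destinations whose check-in rhythm is regular enough
    to look automated. The thresholds are assumptions for this demo."""
    hits = []
    for (host, port), stamps in parse_log(text).items():
        if len(stamps) < min_conns:
            continue
        cv = beacon_score(stamps)
        if cv is None or cv > max_cv:
            continue
        times = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        hits.append({
            "host": host,
            "port": port,
            "connections": len(stamps),
            "mean_interval_s": round(statistics.mean(gaps), 1),
            "cv": round(cv, 3),
        })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("possible beacon:", hit)
```

A low coefficient of variation on a handful of connections is a lead, not a verdict: software updaters, mail clients and monitoring agents also poll on timers, so the next step is to check which process owns the connection and whether the destination is one you recognize. Real bots often add deliberate jitter to their sleep interval, which raises the score; longer observation windows and a look at payload sizes help against that.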



 


Fact 6: Zombies lurk in the shadows


In most zombie-ridden after-worlds, you can spot members of the undead rotting and groaning from a mile away. This is not the case with botnets. Unlike zombies, botnets rely on deception, and they are typically propagated as Trojans or through social engineering. Botnet malware may deliver its payload through a malicious attachment disguised as something it’s not, or via a link to a fake website that surreptitiously initiates a “drive-by” download. Botnet masters may also disguise their creations as what appear to be useful apps – even security apps! – to get users to download and become part of their scheme.



 


Fact 7: Once you get bitten by a zombie, you are not the same


In many a zombie-flick, it often happens that one of the main characters gets bitten and infected. At this point, there is usually some (very brief) debate over whether or not the once-trusted comrade should be nixed. Typically, a cool headed hero will rise to action and do what needs to be done, much to the hysteria of his or her less rational team mates. “It needed to be done,” the hero will then explain. “He just wasn’t the same.”


With botnets, the situation is quite similar. You may know (and love) your PC or your mobile device with every beat of your digital heart, but once it becomes a bot it is no longer the same. The infected device will have a mind of its own, and it will no longer be that “trusted friend.” Any information you share with it will become accessible to the botnet master, and all that extra computing power you invested in will be consumed, as your device becomes a slave.


If you suspect your computer has become a bot- don’t wait. Contact our experts immediately, before the infection spreads. Zombie assassination is always free to anyone who requests it. Why? Because we like doing it.



 


Fact 8: Zombies have one big weakness


You’ve got to smash their brains.


With botnets, this doesn’t mean taking a hammer, a bat, a shotgun, or your post-apocalyptic weapon of choice to an infected device – but, it does mean getting inside the head of a botmaster. One need not understand the technical specifics of botnets proper to achieve a solid defense – just like no one really knows how zombies work, technically. For the average user, just knowing that botnets exist is almost enough on its own to avoid infection. From there, it is simply a matter of identifying the most common infection mediums…and not walking around the graveyard after dark.


Always use your brain – Whether it’s a website, an “urgent email,” or a personal message sent through social media, always think before you click – otherwise your machine may be turned into a thoughtless, clicking machine! If you plan to download pirated software or media, you should also know that you will regularly be brushing shoulders with the undead.


Always take care of your weapons – Just like in the movies, it’s you against the somnambulant horde. The leaner, the faster, and the more efficient your weapons (i.e., software and applications) can be, the lower the odds you’ll get turned into a walker. Botnet masters specifically design their creations to exploit known weaknesses in popular software, so as to infect as many devices at once as possible. Avoiding infection is often as simple as enabling auto-updates on all of your main applications, and flat out discarding those programs you do not use so that you don’t have to worry about their vulnerabilities. As an added benefit, this practice will increase the overall performance of your machine.


Always travel in a group – Fact #1 applies to the good guys too. Zombie slayers and botnet bruisers are strongest in groups. If you notice a strange background task operating on your PC, you should Google it and see what other people have to say. For specific files, you can also use Emsisoft’s isthisfilesafe.com. In addition, Emsisoft customers always have the option to become part of the Emsisoft Anti-Malware Network, a statistical service that allows Emsisoft to collect anonymous information from your machine, in order to identify botnet breeding grounds and sites where users are getting bitten.


To opt in, simply open Emsisoft, then click Settings > Updates > Join the Emsisoft Anti-Malware Network at any time.




Collected information always remains anonymous (see: Privacy Policy). Opting in can help thin the herd of Internet zombies and lead to more accurate detections by providing the Emsisoft Lab with actionable information.



 


Fact 9: Emsisoft Anti-Malware is like zombie body armor


Body armor: now there’s a concept too few zombie movies have used.


Imagine what that would be like – impenetrable suits of armor, completely immune to any zombie bite, worn by the entire human cast. Things wouldn’t be so scary anymore. In fact, they’d be downright fun. Running from the zombies and just trying to survive would be more like ignoring the zombies or dreaming up new ways to make their heads go splat. Or, maybe even capturing zombies and training them to do all of humanity’s most mundane tasks, thereby rebuilding the post-apocalyptic world, better than it ever was before.


And botnets?


Well, we can’t condone actively hunting them (unless, of course, you know what you’re doing), but if you’re running Emsisoft consider yourself well armored.


Have a great (zombie-free) day!




The Internet Is A Dangerous Place


Have a great (scare-free) day!




U.S. sends scary message to hackers, but the truth is even scarier



In the United States, it is now officially National Cyber Security Awareness Month. Fittingly enough, the U.S. Department of Justice has kicked off October with an indictment against four North American hackers, which alleges the group stole digital intellectual property worth an estimated $100-200 million from some very big-name software developers and the U.S. Army.


More specifically, the indictment lists theft of:


  • Source code and technical specifications for Microsoft’s Xbox One at a time when the console was still unreleased

  • Intellectual/proprietary data related to Microsoft’s Xbox Live online gaming network

  • Apache helicopter training simulator software developed by Zombie Studios for the U.S. Army

  • A pre-release version of Epic Games’ Gears of War 3

  • A pre-release version of Activision’s Call of Duty: Modern Warfare 3

Video games and more video games. At a glance, this looks like the work of teenage hackers. Not surprisingly, the four young men (two of whom have already pleaded guilty) are aged between 18 and 28. Trivial cybertheft? Maybe. But the DoJ doesn’t seem to think so.


 


“Electronic breaking and entering of computer networks and the digital looting of identities and intellectual property have become much too common,” said U.S. Attorney Oberly.  “These are not harmless crimes, and those who commit them should not believe they are safely beyond our reach.”   -Department of Justice press release



 


“These were extremely sophisticated hackers … Don’t be fooled by their ages,” assistant US attorney Ed McAndrew said after a court hearing on Tuesday. -The Guardian article



 


The DoJ press release goes on to state that crimes like these are crimes against innovation. In a world where intellectual property is now almost always digital property as well, it’s hard to disagree with that. It may be that this was simply a group of kids who stole some video game code, but it is still cybercrime. And, what the DoJ and The Guardian don’t write is that while these four young hackers behaved very badly – using SQL injection, a bug class that has been understood and preventable for over a decade, to steal employee login credentials – there are much, much worse cybercrimes being committed every single day, and far, far more dangerous cybercriminals currently roaming the Internet at large.
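To show what “SQL injection to steal login credentials” means in practice, here is an added example that is not code from the case or from this blog. It builds a small in-memory SQLite table with a single constructed employee account and writes the login check two ways: the vulnerable version splices user input into the query string, the safe version binds it as a parameter. The table layout, the account name, the password and the two attacker inputs are all invented for the demonstration.

```python
import hashlib
import sqlite3

# Constructed demo credential; the hash is what the table stores.
DEMO_PASSWORD_HASH = hashlib.sha256(b"correct horse").hexdigest()


def build_db():
    """In-memory demo database with one constructed employee account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (username TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO employees VALUES (?, ?)",
                 ("admin", DEMO_PASSWORD_HASH))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting, so whatever the user types
    is parsed as SQL. Returns the matched username or None."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = ("SELECT username FROM employees "
             "WHERE username = '%s' AND pw_hash = '%s'" % (username, pw_hash))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: the driver passes the input as data, so a quote
    or comment marker in it can never change the statement's structure."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM employees WHERE username = ? AND pw_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] if row else None


# Two constructed attacker inputs. The first closes the string and comments
# out the password check; the second uses UNION to read a stored credential
# hash back through the "username" column, which is the kind of credential
# theft the indictment describes.
BYPASS_INPUT = "admin' --"
DUMP_INPUT = "' UNION SELECT pw_hash FROM employees --"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, bypass:", login_vulnerable(db, BYPASS_INPUT, "wrong"))
    print("vulnerable, dump:  ", login_vulnerable(db, DUMP_INPUT, "wrong"))
    print("safe, bypass:      ", login_safe(db, BYPASS_INPUT, "wrong"))
    print("safe, real creds:  ", login_safe(db, "admin", "correct horse"))
```

With the vulnerable function the first input logs in as admin without a password and the second returns the admin’s password hash; with the parameterized function both inputs are simply usernames that do not exist. The fix is the same in every language and database driver: never build SQL from strings that the other side controls.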


What is most frightening is what remains unwritten: the smartest cybercriminals around know better than to target Microsoft and the U.S. Army. Instead, they target those who can’t fight back. Instead, they target you.


This October, don’t just be aware of cybercrime. Protect yourself against it…


And have a great (cyber-crime-free) month ahead!


 




Get Rich Quick or Reboot Trying: The State of CyberCrime in 2014

In a world where even money has gone digital, it’s no surprise that criminals have gone there too. Online alley muggings that turn netizens’ computers into spam- or click bots happen every single day.


Digital conmen who craft intricate phishing sites designed to steal credentials lurk around every corner. Malware like Zeus, Zberp or Dyre can now automate credential theft with man-in-the-browser attacks that tamper with the banking session from inside the victim’s own browser, so no fake banking page is required. And even the big names, names like eBay and Microsoft, are not invulnerable to breaches or bugs that enable identity theft and zero day attacks.




All of these are the street crimes of our virtual world, which happen on a daily basis, whether we personally experience them or not. Just like in the real world, though, there’s more to cybercrime than petty theft and thugs. In fact, there’s a lot more to it than that.


Call it intelligent, call it high level, call it “organized (cyber)crime,” if you will – but whichever name you give it, digital money theft has reached new levels of effectiveness in 2014. As commerce has now become almost ubiquitously virtual, large scale attacks from organized cyber gangs that used to only affect governments and corporations are now entering the consumer realm. And in all cases the connection is cash.



Ransom where? Yeah, on your Computer.


An information economy relies on information. Likewise, a criminal who can take that information and hold it for ransom stands much to gain. 2013 may have been the year when criminals first figured this one out, but 2014 has been the year of ransomware’s optimization. Ransomware is malware that locks your computer or encrypts your files so that you cannot access them. It then demands payment for recovery, usually around $600!




What has been so alarming about ransomware in 2014 is its enhanced distribution and resiliency. Some of the top 2014 ransomware headlines may indeed have been the international takedown of the CryptoLocker botnet and the decryption of CryptoDefense; however, even after such roadblocks the criminals behind these creations re-emerged within a matter of months with a new variant, CryptoWall, that has so far proved uncrackable.


Since then, CryptoWall has become the largest and most destructive ransomware threat on the Internet, encrypting 5.25 billion files and earning over 1.1 million U.S. dollars. The targets? Everyday people and employees who simply open the wrong email attachment at the wrong time.


 


Don’t know what Bitcoin is? Doesn’t matter.


This brave new world of digital currency is more than just PayPal. Cryptocurrencies like Bitcoin involve thousands of people and millions of dollars. Since it can be used anonymously, Bitcoin allows criminals to purchase illicit goods on black markets, and it’s also the currency of choice for ransomwarers. On top of this, cryptocurrency’s entirely virtual nature has in some ways made it much easier to steal than cash.


(Image source: Fabian Figueredo)


In February 2014, Bitcoin cybercrime kicked off with “transaction malleability” and the closure of Mt. Gox, then the largest Bitcoin exchange in the world. Malleability is a long-known quirk of the protocol: a third party can re-encode a transaction’s signature so that the transaction ID changes while the signature remains valid. Due to a flaw in how its software handled this, Mt. Gox said it was tricked into re-issuing withdrawals, and cybercriminals were able to get away with what it put at about 350 million U.S. dollars of other people’s money. Subsequently, the market price of 1 Bitcoin dropped to about $400 in April 2014, less than half of what it was at its peak in December of the previous year.


You don’t even have to be involved in Bitcoin trading to become a target of cryptocurrency cybercrime, though. By design, new cryptocurrency is created by computers that run “mining” programs: software that hashes candidate blocks over and over until it finds one whose hash falls below the network’s difficulty target, which requires enormous computing resources.


At present, no ordinary PC can realistically win that race on its own; however, that hasn’t stopped cybercriminals. With mining botnets, even today’s low level thugs can infect thousands of remote PCs at once and command them to run mining programs for profit.
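To make “mining” and its economics concrete, here is an added example that is not part of the original post: a toy proof-of-work miner in the style of Bitcoin’s, which repeatedly double-SHA-256 hashes a candidate block header with a changing nonce until the result falls below a target. The header bytes and the 16-bit toy difficulty are assumptions for the demo, and the late-2014 Bitcoin difficulty figure is a rough approximation used only to show the order of magnitude.

```python
import hashlib
import struct
import time


def sha256d(data):
    """Double SHA-256, the hash Bitcoin applies to block headers."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def meets_target(digest, target_bits):
    """True if the hash, read as a 256-bit integer, has at least
    `target_bits` leading zero bits."""
    return int.from_bytes(digest, "big") < (1 << (256 - target_bits))


def mine(header, target_bits, max_nonce=1 << 32):
    """Try nonces until sha256d(header || nonce) meets the target.
    Returns (nonce, hash_hex, attempts) or None if the range is exhausted."""
    for nonce in range(max_nonce):
        digest = sha256d(header + struct.pack("<I", nonce))
        if meets_target(digest, target_bits):
            return nonce, digest.hex(), nonce + 1
    return None


def verify(header, nonce, target_bits):
    """Checking a claimed solution costs one hash, which is the point:
    finding one is expensive, confirming one is trivial."""
    return meets_target(sha256d(header + struct.pack("<I", nonce)), target_bits)


def measure_hashrate(seconds=0.25):
    """Hashes per second this machine manages in plain Python."""
    header = b"benchmark"
    count = 0
    deadline = time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        sha256d(header + struct.pack("<I", count))
        count += 1
    return count / seconds


def expected_hashes(target_bits):
    """Mean number of attempts for a `target_bits` leading-zero target."""
    return 2 ** target_bits


def bitcoin_expected_hashes(difficulty):
    """Bitcoin's difficulty is expressed relative to a base target that
    leaves 32 bits of work, so a block takes about difficulty * 2^32 hashes."""
    return difficulty * 2 ** 32


def expected_seconds(hashes, hashes_per_second):
    """Mean time to find a solution at a given hash rate."""
    return hashes / hashes_per_second


if __name__ == "__main__":
    header = b"constructed-block-header"  # assumption: toy header bytes
    nonce, digest_hex, attempts = mine(header, 16)
    print("toy block found: nonce=%d after %d hashes" % (nonce, attempts))
    print("hash:", digest_hex, "verified:", verify(header, nonce, 16))

    rate = measure_hashrate()
    print("this machine, pure Python: about %.0f hashes/s" % rate)

    # Rough late-2014 figure (assumption): network difficulty around 4e10.
    per_block = bitcoin_expected_hashes(4e10)
    years = expected_seconds(per_block, rate) / (365 * 24 * 3600)
    print("one PC at that rate: ~%.1e years per Bitcoin block" % years)
    # A botnet only multiplies the rate by the bot count. 10,000 infected
    # PCs cut the figure 10,000-fold, which is still hopeless against
    # dedicated mining hardware, so mining botnets tend to go after coins
    # with a far lower difficulty instead.
    print("10,000 such PCs: ~%.1e years per block" % (years / 10_000))
```

Raising the toy difficulty by one bit doubles the expected number of hashes; that exponential scaling is why the botnet master wants as many “brains” as possible, and why the stolen electricity and CPU time of thousands of victims can still be a losing proposition against purpose-built hardware.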




Emsisoft Lab actually discovered and analyzed one of these beasts back in February, which combined ransomware and cryptocurrency mining botnet techniques. Named Linkup, the malware would deny Internet access, accuse the victim of viewing child pornography, and then demand payment for reconnection. Meanwhile, it would download and run a cryptocurrency miner called jhProtominer that used the victim’s computer’s resources to make someone else rich. Notably, 2014 also saw the emergence of BadLepricon, a bot that brought Bitcoin mining to the mobile environment.


 


Emptying your bank account? There’s an app for that.


Though it might have been creative, BadLepricon was actually kind of a financial flop. Cryptocurrency mining requires a lot of computing power, and even thousands of infected smartphones don’t have the brainpower to pay off. This year has shown that mobile malware is far from profit-less though. In early April, the Oldboot bootkit emerged with the ability to gain remote control of your Android device and command it to use premium rate SMS services owned by criminals – the payoff being that victims had to pay the bill.


That same month also saw the emergence of iBanking, an Android Trojan that propagated through Facebook and could intercept the SMS codes banks send for two-factor authentication, allowing cybercriminals to log into victims’ online financial accounts. Less technically impressive, but unfortunately no less profitable, 2014 also saw the mobile security embarrassment that was Virus Shield. Featuring nothing more than a graphic that changed from an unprotected X to a now-you’re-protected check mark, Virus Shield achieved over 10,000 downloads on Google Play at $4 a pop. This silly little app, which never actually scanned for malware at all, made over $40,000 in less than a week!




Virus Shield was so ridiculous that some people thought it was funny, and compared to what happened next it kind of was. Shortly after Virus Shield, the Android environment met file encrypting ransomware for the very first time. It happened in June, and its name was Simplocker. Like its PC-based brethren, Simplocker for Android was (and still is) fully capable of encrypting all of your important files and demanding payment for recovery. Fortunately, a decryptor for early variants of Simplocker has since been developed; however, as an estimated 22% of the world’s population owns a smartphone (2% more than own a PC), the opportunity to cash in on mobile ransomware is now greater than ever.


 


What do Target, Michaels, Goodwill, and The Home Depot all have in common?


Hint: The answer isn’t that they’re all big box retailers based in the U.S. If you live in the United States, odds are very good that 2014 has left you feeling quite cold about retail shopping with your credit card. Point of sale malware and payment card theft have downright dominated the info sec headlines this year, with each new breach topping the last.


The recent Home Depot breach alone affected 56 million payment cards, involving a malware infection that spread to almost every single store in the United States and Canada. By the numbers, that’s almost one fifth of the entire U.S. population, although many people carry more than one card. And at this very moment, untold thousands of these card credentials are being bought and sold by cybercriminals in underground carding networks, whereafter they’ll probably be used to buy big screen televisions and designer clothes in other people’s names.


What’s most disheartening about point-of-sale data breaches, though – and what you rarely read about in the headlines – is that they are never victimless crimes. Even if not a single account is used to make fraudulent purchases, it still costs money to cancel and reissue cards, and it still costs money to investigate the crime.


From a societal perspective, this is ultimately money wasted – money that could be used to achieve more positive ends. Follow the headlines, monitor your accounts, even study up on the technical specifics of the malware used if you’d like, but probably more than anything 2014 has shown us that the current U.S. payment card system is broken, and that the people who’ve broken it are cashing in big.





This is why we can’t have nice things


The world we live in is now a world where malware is an enterprise, literally interwoven with all others existing in our digital economy. Each new day brings us some new technology that makes life better, but also some new hack that exploits what is good for criminal gain. Is this unique to the Internet environment?


Hardly. Miscreants have been abusing other people’s innovations since the dawn of humankind. They do it because they cannot innovate on their own, and they have no regard for anyone but themselves. Does this mean that we should stop innovating and using our favorite new technologies? Hardly that, either. What is needed is a full acceptance of the reality of our digital landscape.




CyberCrime is everywhere, and we need to stop it. It may not be as scary as getting mugged in the streets, but in terms of dollars and cents it is actually way more frightening. How does paying $1000 to recover ransomed business files that are rightfully yours, just because you opened the wrong .PDF attachment sound to you?


Or how about letting a drug trafficker use your PC to make himself a few extra Bitcoin, while you’re away at work? What about an innocent looking mobile app that actually intercepts your security credentials and wipes your bank account clean? And let’s not forget about that credit card, either.


Who wants to make a wager on which American retailer will be breached next? If you’re alive and well in 2014, the unfortunate truth is that these are all relevant questions that need to be asked. But perhaps the most important one of all is the following:


What are you doing to ensure that you’re protected?


Have a great (cyber-crime-free) day.




WikiLeaks exposed how much governments spend on FinFisher malware to spy on their citizens



Surveillance technology provides “digital weapons” that governments use to combat cyber-crime. On the flip side, this kind of control is used by repressive regimes against human rights defenders and other “selected” enemies such as critical journalists, members of opposition parties or religious groups.


We wrote about this in July and asked “Is malware still malware if it’s used by legal authorities to track down criminals?” In 2011, we also made a brief statement about how and why our software detects “federal trojans”.


“FinFisher surveillance software for government agencies is spyware that allows complete access to a target’s computer. This software is designed to be covertly installed on a Windows computer and silently intercept files and communications, such as Skype calls, emails, video and audio through the webcam and microphone.” – WikiLeaks


A license contract for FinFisher’s software worth €287,000 was first found in the offices of Egypt’s secret police after the overthrow of its president in 2011, and further research by organizations such as Citizen Lab has revealed that it was also sold to repressive regimes that spy on their citizens and that are known for their human rights violations.


Reporters Without Borders called FinFisher’s parent company, Gamma International, a digital era mercenary and one of the “Top 5 Enemies of the Internet” in its report on the organization, along with Trovicor, Amesys, Hacking Team and Blue Coat.


“They all sell products that are liable to be used by governments to violate human rights and freedom of information. […] Their products have been or are being used to commit violations of human rights and freedom of information. If these companies decided to sell to authoritarian regimes, they must have known that their products could be used to spy on journalists, dissidents and netizens. If their digital surveillance products were sold to an authoritarian regime by an intermediary without their knowledge, their failure to keep track of the exports of their own software means they did not care if their technology was misused and did not care about the vulnerability of those who defend human rights.” – Reporters Without Borders


Map of global FinFisher proliferation. Source: Citizen Lab


In its latest release of information on FinFisher, WikiLeaks exposed a more detailed “customer list” of the countries that bought licenses and how much they spent on them.



RELEASE: WikiLeaks Spyfiles4: surveillance weaponized German malware https://t.co/Jup9X5VSxY


— WikiLeaks (@wikileaks) September 15, 2014


How much each country paid for #FinFisher spyware. Click on the country and customer ID to see full billing data https://t.co/o1yWCx081n


— WikiLeaks (@wikileaks) September 15, 2014


“Some customers were identified through the analysis of support requests and attached documents they provided to FinFisher support. This included Slovakia, Mongolia, Qatar State Security, South Africa, Bahrain, Pakistan, Estonia, Vietnam, Australia NSW Police, Belgium, Nigeria, Netherlands KLPD, PCS Security in Singapore, Bangladesh, Secret Services of Hungary, Italy and Bosnia & Herzegovina Intelligence.


Provided with the price list, we calculated an estimation of the profit FinFisher generated through the sale of surveillance products licenses. Applying the retail price to all the licenses available in the database, they amount to a total of €47,550,196, or €98,362,554 if we consider all the licenses marked as “deleted” too. Consider that the FinFly ISP licenses were not taken into account as no price was provided, and that support and training costs were not included in this estimation. Therefore we could realistically expect a higher number.” – WikiLeaks


Screenshots of WikiLeaks documents revealing FinFisher’s license agreements (FinFisher Customer Countries 1 and 2).


Shouldn’t there be some sort of control to ensure that developers like FinFisher don’t sell their surveillance products to questionable governments? And why do companies like FinFisher still receive support and protection from countries like Germany and Australia that are so clearly against human rights violations in other, non-digital realms?


As an anti-malware company, we at Emsisoft believe these are important questions to ask.


Note: If you attempt to navigate to wikileaks.org to read the official statement, Emsisoft Surf Protection will prevent access by default. This is a safety measure, to prevent accidental download of the malware hosted there. To gain access, simply create a new Surf Protection rule granting access to the website – but please, only do so with caution.


Follow-up article: “A Statement from Emsisoft on WikiLeaks and the FinFisher malware”.




What’s the point of having a firewall?

Everyone knows the term firewall, but few people know why they would ever need one. Go on the Internet and read around, and you’ll find that there are not only many different ideas of what a firewall is supposed to do, but there are also many different technical concepts that fall under the term.


The basic idea of a firewall is a “wall-layer” that protects against attacks from the “other” side. This may seem simple enough, but then many people go on to wonder: Where should that wall be placed? And what, actually, are “attacks”?


To begin, let’s start out with an overview of the places where a firewall can reside.


Hardware firewalls


For high-end users, large networks or servers, a hardware firewall is usually a standalone device. For home users or small businesses, it is typically a component built into a router/modem. When a hardware firewall is used, all network traffic is routed through it before the data reaches individual computers.




As traffic passes through, the hardware firewall takes a deep look into its content to decide what should be let through and what should not. Some firewalls just follow plain rules that the user has defined.


For example: Don’t let anyone from the Internet initiate a connection to any local computer that sits behind the firewall – only allow outgoing connections.


Other firewalls adopt more advanced rules, using protocol-based filters. For example: Let users connect to the Internet, but only through port 80 (the HTTP web server port), and route the incoming traffic to a web server behind the firewall before it reaches individual computers. Still other firewalls are even more sophisticated and inspect every data package deeply at the application layer. Here a rule might be: Allow incoming traffic on port 80, unless it contains any code sequence that may be used to hack the web server residing behind the firewall, such as a cross-site scripting attack or an exploit against a database the web server works with.


The advantage of hardware firewalls is that they are very literally separate from the computers they protect. All traffic must go through the dedicated hardware firewall or it will not reach the local target computer at all. Furthermore, there is no extra “surface area” within a hardware firewall for a malicious data package to sneak through by using manipulative code, such as there might be with a software-based firewall. The data either gets through or it doesn’t. A square peg cannot fit through a round hole.


The disadvantage of hardware firewalls, however, is that because of their separation and limited surface area (i.e., brain power) the firewall doesn’t really know what’s happening on the computers behind it. The hardware firewall only sees the data traffic generated by these computers, but it doesn’t know which applications are generating this data.


Therefore, if a user tells a legitimate application to connect to the Internet and that application tries to connect in a way that the hardware firewall is configured to block, the hardware firewall will prevent the application from connecting. Wrong decisions stemming from too strictly configured rule sets that block legitimate services are an inherent problem of hardware firewalls – and they typically result in unhappy users.


Network Address Translation (NAT) Routers


A special form of a hardware firewall is a Network Address Translation, or NAT, router. Most DSL routers in use today use NAT, and in technical terms they are actually not firewalls, but they have a similar effect.


The idea behind NAT is simple. Many households have more than one Internet-connected computer, but the Internet account has only one public IP address. That IP address is like your Internet phone number, and it can be reached from anywhere in the world. With NAT, your public IP address is assigned to the router. Incoming data packages must then pass through the router before they reach their destination computer.



A NAT router enables this passage by converting each incoming data package sent to the public IP address to a special IP address that is exclusively used on local networks. These exclusive-use IPs usually start with 10.* or 192.168.* and they can’t be reached from the outside directly. These IPs are actually used multiple times by millions of local networks around the world.


As an example, consider the case of a local computer requesting a website from a public web server. First, a NAT router will replace the computer’s original, local IP with the account’s public IP. At the same time, the NAT router will “wrap” information about the original, local source IP within the data package request, so that it can keep track of which computer the reply belongs to when it returns. When the web server responds, it will send the data back to the public IP – at which point the NAT router will “unwrap” the information it appended about the local source IP and forward the data package to the computer with that local IP.


NAT routers give us a huge advantage: Computers that are in a NAT can reach everything on the outside, but nothing on the outside can directly connect to a computer in a NAT, unless the NAT router is specifically configured to forward individual protocols to single machines. In this way, NAT can enable a very powerful “firewalling” effect, despite the fact that NAT is not usually called a “firewall.”
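To make the NAT behaviour concrete, here is an added Python simulation (not code from this article or from any Emsisoft product) of the “only allow outgoing connections” rule from the hardware-firewall section and of the address translation described in this section. Real routers implement the “wrap/unwrap” picture above as a translation table keyed on the public source port they assign to each outgoing connection; all addresses, ports and the port-forward rule for a LAN web server are constructed sample values.

```python
"""Toy NAT router: one public IP, a translation table, an optional port forward.

Added illustration, not the article's or Emsisoft's code. Hosts, ports and
addresses are constructed sample values (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.7"   # constructed public address assigned to the router


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class NatRouter:
    def __init__(self, public_ip, port_forwards=None, first_port=40000):
        self.public_ip = public_ip
        # explicitly forwarded services: public port -> (lan_ip, lan_port)
        self.port_forwards = dict(port_forwards or {})
        # translation table: public port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.table = {}
        # reverse lookup so a LAN connection keeps the same public port
        self.reverse = {}
        self.next_port = first_port

    def outbound(self, pkt):
        """LAN -> Internet: rewrite the source to the public IP and an allocated
        port, and remember which LAN host/peer pair that port belongs to."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.reverse:
            port = self.next_port
            self.next_port += 1
            self.table[port] = key
            self.reverse[key] = port
        return replace(pkt, src_ip=self.public_ip, src_port=self.reverse[key])

    def inbound(self, pkt):
        """Internet -> LAN: deliver only replies to connections the LAN opened,
        or traffic to an explicitly forwarded port. Returns None when dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.table.get(pkt.dst_port)
        if entry is not None:
            lan_ip, lan_port, remote_ip, remote_port = entry
            # a reply must come from the peer the LAN host actually contacted
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return replace(pkt, dst_ip=lan_ip, dst_port=lan_port)
            return None
        fwd = self.port_forwards.get(pkt.dst_port)
        if fwd is not None:
            return replace(pkt, dst_ip=fwd[0], dst_port=fwd[1])
        return None  # unsolicited: nothing behind the router is reachable


def demo():
    """Walk through the cases from the text and return the outcomes."""
    router = NatRouter(PUBLIC_IP, port_forwards={80: ("192.168.1.10", 80)})

    # 1. A LAN computer requests a web page; the reply finds its way back.
    request = Packet("192.168.1.23", 51515, "198.51.100.5", 80, "GET / HTTP/1.1")
    on_the_wire = router.outbound(request)
    reply = Packet("198.51.100.5", 80, on_the_wire.src_ip, on_the_wire.src_port,
                   "HTTP/1.1 200 OK")
    delivered = router.inbound(reply)

    # 2. A stranger tries to open a connection to an arbitrary port: dropped.
    probe = Packet("192.0.2.99", 44444, PUBLIC_IP, 3389)

    # 3. A different host sends to the mapped port, pretending to be the reply.
    spoofed = Packet("192.0.2.99", 80, PUBLIC_IP, on_the_wire.src_port)

    # 4. Port 80 is configured to forward to the LAN web server: allowed.
    web = router.inbound(Packet("192.0.2.99", 44445, PUBLIC_IP, 80,
                                "GET /index.html HTTP/1.1"))

    return {
        "wire_src": (on_the_wire.src_ip, on_the_wire.src_port),
        "reply_dst": (delivered.dst_ip, delivered.dst_port),
        "probe": router.inbound(probe),
        "spoofed": router.inbound(spoofed),
        "forwarded_dst": (web.dst_ip, web.dst_port),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```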


Software firewalls


A software firewall runs on a local computer, but basically does the same job as a hardware firewall. Software firewalls inspect network data packages and decide which data to block or allow, based on rules.




One of the biggest things software firewalls have going for them is that they are usually not as expensive as standalone hardware firewalls. Another major advantage of a software-based firewall is that in addition to analyzing network traffic, it can also link each data package with the program that generates it – which is exactly what hardware firewalls can’t do. A software firewall can analyze traffic and program behavior as a whole, which means it can make decisions with much more precision than a hardware firewall ever could.


For example: If a data package genuinely originates from a program that was made by a trusted software vendor, there is no need to ask each time whether to allow it, even if it violates some pre-configured rule. A software firewall will recognize this benign origin and grant an exception.


A good software firewall is one that shows almost no warning messages, unless it is certain that there is a real attack and that some malicious program is attempting to gain access to your computer. An overabundance of warnings is not a good thing because it desensitizes the user to alerts.


Too many warnings can be like the boy who cried wolf, or in firewall terms “the security software that shows multiple alerts every single day.” Who has not dealt with a product like that? You see so many warning messages that you eventually just click “Allow,” no matter what the warning says. These types of software firewalls are in reality just a waste of computing resources because even when they detect real threats, their users unknowingly (and understandably) allow those threats to get through.


A good software firewall is also one that doesn’t block needed applications. This is after all what most users get so annoyed about with hardware firewalls (maybe you’ve experienced this at work ;). Granting permission to a certain legitimate application on a hardware firewall can be quite laborious. First, you have to open the admin interface; then, you have to find the right configuration tab and set up a complicated rule – provided of course you can understand the rule set.


Software firewalls are better here as well because they are always locally at hand, and they are actually even smart enough to discern harmless actions, eliminating the need to configure new rules all by yourself.


When do you need a software firewall, then?


The truth is, if you exclusively connect to the Internet via a local home DSL or cable account that works with NAT, you should save the money you’d spend on a software firewall and get your best mates a cup of coffee instead. A reliable antivirus software with a great detection rate and a powerful behavior blocker is all you will need. If however you are using a computer that frequently connects to the Internet via third party networks, a software firewall is worth the investment.


Think of public WLANs, like at the coffee shop you took your friends to, or plugging in a network cable at some foreign hotel. Once you are connected, every other computer user on such a network can try to connect to your machine. And why would they want to do that? To try to find a leaky component that can be exploited to take control of your computer for financial gain, or to steal private data (also for financial gain). A software firewall that hides all the open ports on your computer effectively reduces the surface area and success rate of such attacks.


Frequent misconceptions about software firewalls


Misconception 1: Firewalls detect malware


The main purpose of a software firewall is to eliminate potential entry points attackers could use to get onto your computer from the outside. Software firewalls are not made to detect active malware that is already on your PC and communicating with some stranger half way across the world.


Why not? In short: Once there is active malware on your PC, it is too late. There is simply no point in blocking outgoing connections sourced by malware, because if the malware managed to run it probably also managed to disable your entire firewall and manipulate all sorts of system settings. This is not because firewalls are incompetent – it is simply because they are not designed to block malware. Blocking malware is the work of anti-malware. A firewall instead “hides you” from the outside, by denying communication with other programs through certain “channels” or ports.


Misconception 2: Firewalls are always HIPS (host-based intrusion prevention systems)


Not so long ago, all software firewall products available did exactly what users expected them to do: Filter network data. Today, that’s still the classic definition of the term “firewall”; however, since firewall technology was soon developed to its limits (no more room for innovation, with all vendors offering a similar level of quality), vendors started to add new and somewhat overkill features to their firewall products, such as monitoring of all sorts of operating system changes, detection of all sorts of non-standard-compliant code executions by programs, and thousands of other ‘suspect’ things that tend to fall under the term HIPS today.


The major problem with these technologies is that for all their monitoring and detection capability they are relatively dumb. They tend to raise an alert for each and every action that could possibly lead to an attack, but the truth is that about 99.9% of all such alerted actions are not malicious. As mentioned before, such alerts are annoying and even dangerous because they can train users to click “Allow,” day in, day out.


HIPS are therefore recommended for experts only, who can fully understand the large amount of alerts they produce and take advantage of the extra protection layer this can provide. This doesn’t make HIPS irrelevant to everyday users, though. In fact, the technology behind HIPS is what eventually evolved into behavior blocking, an essential component of modern anti-malware.


Thanks to what behavior blocking borrows from HIPS, false alarms from antivirus software using the technology are now extremely rare. Behavior blocking isn’t HIPS though, and neither term is freely interchangeable with “firewall.”


Firewalls and Emsisoft


Emsisoft has gathered knowledge on firewall, HIPS and behavior-blocking technology for almost a decade now. The Emsisoft Online Armor product is a HIPS combined with a solid software firewall component, but it is mostly a product made for geeks. The brand new Emsisoft Internet Security, on the other hand, is made for everyone.


Emsisoft Internet Security adds a software firewall component to the proven technology of Emsisoft Anti-Malware, which means it can protect you from malware AND keep you invisible to network intruders. This makes it a perfect fit for home users and small businesses, who frequently travel beyond their home network and who want something simple-yet-intelligent that will keep their information secure, no matter where they go.


Have a great (firewalled) day!

What Happens When a Tech Support Scammer Cold Calls Emsisoft?

It’s called the Microsoft Tech Support scam, and it’s been around for years. Last week, Emsisoft and Bleeping Computer intercepted one of these scammers, and in addition to messing with him for a good three hours, we took detailed notes on how the Microsoft Tech Support scam works.


Someone calls you up, claiming to be from Microsoft, and scares you into thinking that your otherwise normally functioning PC is infected. If they scare you well enough, they’ll then connect you to a remote administration software that lets “their experts take a look at your PC.” From there, a number of bad things can happen, including malware installation, data theft, or simply more scare tactics, all in an attempt to sell you some expensive program that doesn’t work – or doesn’t even exist.


People all across the world get contacted by Microsoft scammers every single day, and all too often they become victims.


The Set Up


Step 1: Cold call victim, then lie, using fancy tech buzzwords


Like many a con job, the Microsoft Tech Support scam starts out with a cold call. In this case, it was to one of our friends over at Bleeping Computer – probably one of the worst people in the world a tech support scammer could connect to.


The scammer, who we’ll call Mr. Z., started his ruse by introducing himself as a Microsoft support tech. Mr. Z told our friend that he was calling about an urgent issue. The issue was that our friend’s computer was sending errors to the “Windows server,” and that this was a critical problem that needed to be fixed. Being a volunteer support tech himself, our friend immediately knew what he was dealing with. There is no “Windows server” to which all Microsoft computers magically connect, and Microsoft technicians do not cold call their users about critical errors that need to be fixed.


This was a straight up scam.


Step 2: Use the Windows Event Viewer to scare them with things they’ve never seen


Nevertheless, our friend decided to play along. Feigning naivety, he took the bait. He told Mr. Z that his computer had been acting funny, and he asked Mr. Z how he knew there was a problem. All too ready to supply the evidence, Mr. Z began to give instructions.


You will need to open your command prompt. You will then need to type eventvwr and hit Enter.




In scammer-textbook fashion, Mr. Z was making use of one of the oldest tricks in the book. The Windows Event Viewer is simply an administrative tool that displays information about significant events that occur on your computer. Scammers make use of it because “significant events” are often just little glitches, such as a program failing to launch or update. Over the lifetime of a typical computer, many of these glitches will be logged as an event, and displayed as a warning or an error, even though they are not necessarily critical – or even noticed by the typical user.




As someone who works with computers on a daily basis, our friend knew the Event Viewer trick all too well, but, still, he played along. Feigning concern, he asked Mr. Z if all those warnings and errors in his Event Viewer were a problem.


With the utmost seriousness, Mr. Z confirmed that they were.


Step 3: Have them download TeamViewer and Establish Remote Control


It was about at this point that our friend decided to share the fun. Having read about this type of thing before, he knew that the next part of the scam would be to connect to his computer with a remote administration software. This type of connection can be dangerous if given to a stranger because it allows them to control your computer.


Fortunately, malware researchers have useful tools called virtual machines. A virtual machine is essentially an operating system emulator, which allows the researcher to study malware in its natural environment, without having to infect their own computer. Our friend knew that Emsisoft’s researchers used virtual machines on a daily basis, and since he didn’t have one of his own he decided to pass the scammer on to us.


As expected, Mr. Z told our friend that the only way to fix the warnings and errors that appeared on his Event Viewer would be to download TeamViewer and grant Mr. Z remote control. Here, our friend once again complied; however, instead of supplying the access code to connect Mr. Z to his computer, he gave Mr. Z the access code to connect to ours.


The Scare Tactics


Here is where things get really interesting.


Mr. Z is connected to one of our virtual machines in Europe. He’s been told by our friend, who lives in North America, that he’s going to let his daughter take over the computer because this whole TeamViewer thing is way too complicated for him. Mr. Z is no longer on the phone with our friend from Bleeping Computer. He’s in a TeamViewer session. With us.


In a typical Microsoft Tech Support scam, this is usually the point where all hell breaks loose. Malware infection, sensitive file rifling, installation of a covert backdoor for future access – you name it. Mr. Z could do anything, and we were ready for it. To test Mr. Z’s legitimacy, we even infected our virtual machine with malware, to see if he would notice – but notice he did not.


Through it all, Mr. Z had one primary objective: scare us into thinking something was wrong, and then sell us his “support program,” which would magically fix it all.


Step 4: Reiterate the Event Viewer Problem


The first scare tactic Mr. Z employed was a rehash of his Event Viewer shtick. We were, after all, the original contact’s “daughter,” and we needed to know what the problem was.


The Lies:


MRZ-PC (8:04 PM):


i m showng u tis again becoz befor line ws dissconnctd


EMSISOFT-WIN764 (8:05 PM):


ok


MRZ-PC (8:06 PM):


these r the error n warning which z harming ur computer


ok?


EMSISOFT-WIN764 (8:06 PM):


where?


I don’t see errors


can you show it with the mouse pointer?


MRZ-PC (8:06 PM):


u knw wat , ur computr z very slow


these r the errors ok




EMSISOFT-WIN764 (8:07 PM):


yes, I see it now


that looks quite bad


can you fix that?



The Truth:


Event Viewer is a normal part of your Windows PC, and logged warnings and errors are just minor glitches. To access Event Viewer on your own, open the Control Panel, then click System and Security > Administrative Tools > Event Viewer.


Step 5: Tell them about “good files” and “bad files”


Before he would “fix anything,” though, Mr. Z had an educational agenda. Showing us a few little event errors was not enough to achieve his ultimate goal. Like all scammers, Mr. Z needed to misinform us and instill fear. Mr. Z, in a nutshell, needed to show us which computer files were good, and which computer files were bad.


According to Mr. Z, good files could be deleted and bad files could not.


The Lies:


MRZ-PC (8:07 PM):


ok , jst go ahead n try to delet them ok


yes m here to help u , first f ol u hav to try to delet hthem if u nt able to delet them, i will help u ok /


EMSISOFT-WIN764 (8:08 PM):


erm, okay




MRZ-PC (8:09 PM):


do u see ther z no delet option


it means u can not delet them by your own


ok


MRZ-PC (8:10 PM):


yes u can not delet them by your own , becoz some f the errors n warnings truns in to virus tats the reason u can nt able to delet them by your own


EMSISOFT-WIN764 (8:11 PM):


ah, I see


MRZ-PC (8:12 PM):


can u see i click on team veiwer and they giving nme the delet option becoz teamveiwer z a good file and good file always gives u the delet option n bad file never giv u the delet option , remember tat in future like u will know which z th good file n which z bad file




EMSISOFT-WIN764 (8:13 PM):


oooh, so for good files you have a delete option and for bad files not gotcha!


MRZ-PC (8:14 PM):


these errors and warnings they harm your computer services , services means which runs your computer , which z very impotant to your computer


now let me go ahead n show u th services



The Truth:


The “files” Mr. Z was trying to have us delete were really just logged events in the Event Viewer. Furthermore, whether or not a file can be deleted has nothing to do with its maliciousness.


Step 6: Tell them about the “dangers” of stopped services


Now that we were good and concerned about our evil files which we could not delete, Mr. Z needed to make it clear why these files were such a problem. According to Mr. Z, the bad, undeletable files were disabling our services – and if it got to the point where all of our services were disabled, our computer would die.


The Lies:


MRZ-PC (8:16 PM):


so these r the services which z very important to your computer , n now u can see ther xz so mny services hav stopped working ?


EMSISOFT-WIN764 (8:17 PM):


I see


MRZ-PC (8:17 PM):


ok


EMSISOFT-WIN764 (8:17 PM):


I guess in the middle pane it says stopped, not stopp


MRZ-PC (8:18 PM):


its a same thing


ok


EMSISOFT-WIN764 (8:19 PM):


yes


MRZ-PC (8:21 PM):


ok


can u see , 70% services has stopped runing inside your compuyter , n only 30% serivices z running inside your computer , which z not good


EMSISOFT-WIN764 (8:24 PM):


can’t I just start them or so?


MRZ-PC (8:24 PM):


onec these all sevices will stopped running , your computr will completely stopped and u can be able to use your computer any more


yaa u hav to reinstall the services


ok


EMSISOFT-WIN764 (8:25 PM):


omg, would that mean we’d need a new computer?


MRZ-PC (8:25 PM):


no , i mm here to help u out , we will repair the services


ok


now let me go ahead and check youir antivirus


EMSISOFT-WIN764 (8:26 PM):


phew, okay, I was scared there for a sec



The Truth:


Services are simply background processes that perform many tasks on your computer. They do not appear in your point-and-click graphical user interface, and instead operate behind the scenes. To take a look at which services are running on your PC, simply press Ctrl+Alt+Delete, open the Task Manager, and then click on the Services tab. Here you will see that some services are running and some are not. This is not a problem. Services are designed to start and stop automatically when they are needed and when they are not; and, as Elise points out at 8:24, a stopped service can be started manually. Just right click.


Step 7: Tell them about their “useless” antivirus


After showing us what was wrong with our computer, Mr. Z needed a scapegoat. Computers don’t just stop working on their own, mind you. To explain why we had undeletable files that were disabling our services, Mr. Z pointed the blame at our “incompatible” and “useless antivirus”… Emsisoft Anti-Malware!


The Lies:


MRZ-PC (8:29 PM):


ok let me go ahead and sjow u , your antivirus status


ok


ok i click on compatability


MRZ-PC (8:29 PM):


now can u see thr z a written \


MRZ-PC (8:30 PM):


run tis program and compatabilty mode for windows XP service pack 3




EMSISOFT-WIN764 (8:30 PM):


but isn’t that unchecked?


MRZ-PC (8:30 PM):


so it means , your anti virus z nt working ion your computer


ok



The Truth:


Right click on your Emsisoft Anti-Malware shortcut, choose Properties, and then click on the Compatibility tab. You’ll see a drop down Compatibility mode menu which allows you to manually set the operating system for Emsisoft to run on. This menu was Mr. Z’s proof that Emsisoft Anti-Malware was incompatible with our computer!!!


Now, we were willing to play dumb…but not that dumb, so we pressed this whole incompatibility issue by running a scan.


More Lies:


EMSISOFT-WIN764 (8:31 PM):


but it runs, I mean, I can’t trust what it says?


I have another antivirus I think


MRZ-PC (8:31 PM):


if u hav a very good antivirus in your compter , those errors & warnings will never enter in to your computer


EMSISOFT-WIN764 (8:32 PM):


okay, I’m running that too now


look, it found stuff!!!!


MRZ-PC (8:33 PM):


its just showing u yay z running , but actually it z nt running , tats why there r somany error n wrnings in your computer


EMSISOFT-WIN764 (8:33 PM):


damn


MRZ-PC (8:33 PM):


u paid for tis antivirus or its free ?


EMSISOFT-WIN764 (8:33 PM):


okay, I won’t click on that message then


my father did, yes


or he got a free year license or so


MRZ-PC (8:34 PM):


how much un paid ? or u paid yearly or monthly or something like tat ?


EMSISOFT-WIN764 (8:34 PM):


let me ask him


MRZ-PC (8:34 PM):


ok


EMSISOFT-WIN764 (8:34 PM):


he says he paid 30 dollar yearly


but he got a free license from a friend


MRZ-PC (8:35 PM):


ohhhh really , u r payng t30 dollr yearly for tis useless anti virus


omg


EMSISOFT-WIN764 (8:36 PM):


well, idk, but it is detecting stuff right now, although it doesn’t seem to help much


MRZ-PC (8:37 PM):


see , these r use less , if it really works then u will not get these errors in your computer


ok


EMSISOFT-WIN764 (8:37 PM):


thats true


do you know what I could use best?



More Truth:


Emsisoft Anti-Malware was indeed working. It was detecting the malware we had pre-loaded onto the virtual machine before the TeamViewer session even began!


Step 8: Scan the computer’s brain


Now that Mr. Z had shown us the error of our ways, it was time to start problem solving. As he had so clearly shown us, we were running a useless antivirus that was allowing undeletable files to disable our services! To provide a more accurate diagnosis of the situation, Mr. Z began by scanning our computer’s brain.


The Lies:


MRZ-PC (8:38 PM):


now let me go ahead n scan the brain f brain f your computer n let seee wat it says , if u hav any iother any problm tis scan will tell us


ok


i will tell u


EMSISOFT-WIN764 (8:38 PM):


ok


MRZ-PC (8:38 PM):


about th best antivirus fr ypur computer


MRZ-PC (8:45 PM):


jst wait it will tak same time


ok


EMSISOFT-WIN764 (8:45 PM):


yes


MRZ-PC (8:46 PM):


just look at the first window


what z wrtten over there ?


[Screenshot: brain_scan]


EMSISOFT-WIN764 (8:47 PM):


hmm


it says something about a trozen


whats that?


the second says warning


and the other something about the license


MRZ-PC (8:47 PM):


yes, do you knw wat z trojen virus ?


EMSISOFT-WIN764 (8:48 PM):


I know its bad yes



The Truth:


Mr. Z did not scan our computer’s brain. Instead, he just typed tree c:\ /f into the command prompt. This is a harmless command that simply prints the folder structure of the specified drive as a text “tree” (the /f switch also lists the files in each folder). In this case, that listing was quite large, and as it scrolled past it simply looked like a scan. To see this in action yourself, open your command prompt (find it using Windows Search), type tree c:\ /f, hit Enter, and voila – you too have “scanned your computer’s brain.”


If you take a closer look at Mr. Z’s brain scan, you’ll also see 3 messages at the end:


warning!!!


trozen virus found -250


computer liscebse will expire will expire in two week


First of all, these messages have nothing to do with running tree c:\ /f. If you type the command yourself, you can see that none of them appear after the command has run. So how did Mr. Z make it look like his brain scan had produced these results?


He typed them into the command prompt. And by the looks of it he used a broken keyboard.


Just as you can tell your computer’s command prompt to run tree c:\ /f (or any other command for that matter), you can also tell it to run warning!!! This isn’t a command the command prompt recognizes, though, and the prompt says so: if you take a closer look at the screenshot, the line following each of Mr. Z’s “findings” is cmd.exe’s standard response that the text he typed “is not recognized as an internal or external command.” Nothing was found; something was typed.
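As an added illustration (not part of Emsisoft’s original post), here is a small Python helper that takes a cmd.exe session transcript and separates what a program actually printed from what was merely typed at the prompt and rejected. The transcript, the helper names and the prompt path are constructed to mirror the session described above.

```python
import re

# Constructed cmd.exe transcript (not a real capture) modelled on the session
# described above: genuine `tree c:\ /f` output, then three "findings" that were
# simply typed at the prompt and rejected by cmd.exe.
SAMPLE_TRANSCRIPT = """\
C:\\Users\\victim>tree c:\\ /f
Folder PATH listing
C:\\
+---Program Files
\\---Users
    \\---victim
            notes.txt

C:\\Users\\victim>warning!!!
'warning!!!' is not recognized as an internal or external command,
operable program or batch file.

C:\\Users\\victim>trozen virus found -250
'trozen' is not recognized as an internal or external command,
operable program or batch file.

C:\\Users\\victim>computer liscebse will expire will expire in two week
'computer' is not recognized as an internal or external command,
operable program or batch file.
"""

# A prompt line: drive letter, path, '>' and whatever the operator typed.
PROMPT_RE = re.compile(r"^[A-Za-z]:\\[^>]*>(.*)$")
# cmd.exe's standard rejection; it names only the first word of the typed text.
REJECT_RE = re.compile(r"^'([^']*)' is not recognized as an internal or external command,$")

def _typed_lines(transcript):
    """Yield (typed_text, rejection_match_or_None) for every prompt line."""
    lines = transcript.splitlines()
    for i, line in enumerate(lines):
        m = PROMPT_RE.match(line)
        if m and m.group(1).strip():
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            yield m.group(1).strip(), REJECT_RE.match(nxt)

def typed_fake_findings(transcript):
    """Text that no program produced: typed at the prompt and rejected by cmd.exe.
    Returns (typed_text, token_cmd_rejected) pairs."""
    return [(typed, r.group(1)) for typed, r in _typed_lines(transcript) if r]

def real_commands(transcript):
    """Prompt entries cmd.exe actually ran (here only the harmless tree listing)."""
    return [typed for typed, r in _typed_lines(transcript) if not r]
```

Run against a real session log, the same two functions tell you whether a “scan result” came from a program or from someone’s keyboard.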


Step 9: Reference the Almighty Google and Wikipedia


Mr. Z was now moving in for the kill. Having used his extensive technical knowledge and highly effective brain scan, he had shown us that our computer was infected with “trozens.” Mr. Z wanted to be absolutely sure that we were aware of the danger, though. Mr. Z needed us to understand what these “trozens” were… and to Mr. Z, there was no finer way to do so than through Wikipedia and Google.


MRZ-PC (8:48 PM):


ok let me show u wat z exactly trojen


ok


EMSISOFT-WIN764 (8:49 PM):


yes


MRZ-PC (8:51 PM):


yes m showing u , wat trojen vius


ok m gonna type trojen in the google n let see wat it says …..


ok


EMSISOFT-WIN764 (8:53 PM):


yes


MRZ-PC (8:53 PM):


wait


EMSISOFT-WIN764 (8:53 PM):


sorry, some text appeared


MRZ-PC (8:53 PM):


just wait … m doing somthng so do not touch your computer


opk , now go ahead n read the highlightd line


tis z about trojan viruses


[Screenshot: wikipedia_trojan_highlight]


EMSISOFT-WIN764 (8:55 PM):


ok


I understand


that sounds quite bad


MRZ-PC (8:55 PM):


hmmmm


below tat u can see ther z a written purpose and uses


EMSISOFT-WIN764 (8:56 PM):


yes


MRZ-PC (8:57 PM):


thr z writtn , TROJAN MAY GIVE HACKER TO GIVE REMOTE ACCESSES


TO TARGET COMPUTER SYSTEM


and below that


EMSISOFT-WIN764 (8:57 PM):


yes


MRZ-PC (8:58 PM):


thr z a written crashing the computer wit blue scree up death


let me show u


the blue screen


[Screenshot: bsod]


EMSISOFT-WIN764 (8:58 PM):


oh, I’ve never seen that


but it looks baad really :(


MRZ-PC (8:58 PM):


can u see the blue screen ?


yes


EMSISOFT-WIN764 (8:59 PM):


yes, I see it


MRZ-PC (8:59 PM):


if trojen will crtash your computer then u can see the blue screen


EMSISOFT-WIN764 (8:59 PM):


oh, and I definitely don’t want that


MRZ-PC (8:59 PM):


and when ever u turn on your computer


u can see the same screen


n they will ask u to restart your PC again


and no matter


haow many time u go ansd open your computer , u will get the same screen


EMSISOFT-WIN764 (9:00 PM):


I see


MRZ-PC (9:00 PM):


and just below that can u see ther z written , ELECTRIC MONEY THEFT


it mean they can steal your money from your BANK ACCOUNT


EMSISOFT-WIN764 (9:02 PM):


wow


MRZ-PC (9:02 PM):


jst below tat thr z a writtn , DATA THEFT


EMSISOFT-WIN764 (9:02 PM):


yes, I see


MRZ-PC (9:02 PM):


DATA THEFT means they can steal your personal infirmation from ur computer


like YOUR USER ACCIOUNT , PASSWRD


PHOTOS , YOOUR PERSONAL INFORMATION


EMSISOFT-WIN764 (9:03 PM):


omg


MRZ-PC (9:03 PM):


they can steal YOUR CREDIT CARD DETAILS


EMSISOFT-WIN764 (9:03 PM):


shoot


MRZ-PC (9:03 PM):


can u see , ther z writtn PAYMNT CARD INFORMATION


now i will like to see u


EMSISOFT-WIN764 (9:04 PM):


yes


MRZ-PC (9:04 PM):


do u do INTERNET BANKING ?


ONLINE SHOPPNG


?




PAYNING BILLS?


OR SOMETHING LIKE TAT ?


R U THR ?


??


EMSISOFT-WIN764 (9:05 PM):


sorry


yes


I sometimes shop online


and I think my father does banking


MRZ-PC (9:06 PM):


hav u read tat thing ? m asking u something?


EMSISOFT-WIN764 (9:06 PM):


yes


MRZ-PC (9:06 PM):


i think u hav to stop doing tat things


EMSISOFT-WIN764 (9:06 PM):


yeah, I’ll definitely stop that


MRZ-PC (9:07 PM):


you shuld nt do tat things UNTILL N UNLEWSS u do nt remove th TROJAN VIRUS from your COMPUTER .


ok


EMSISOFT-WIN764 (9:07 PM):


yes


MRZ-PC (9:07 PM):


ok


now do u undrstand , wat z TROJAN ?


EMSISOFT-WIN764 (9:08 PM):


yes



The Truth:


There is a Wikipedia article about Trojans.


The Big Sell


Step 10: Give them a .txt file they can’t refuse


It had now been over an hour on TeamViewer. In all that time, we had learned about warnings and errors, undeletable files, stopped services, ineffective antivirus programs, brain scans, and the dangers of “trozens” by way of Wikipedia and Google. Thanks to Mr. Z, we were now completely misinformed and “desperate” for an answer. Lucky for us, Mr. Z had a solution.


MRZ-PC (9:11 PM):


now let me discuss to MY SENIOR TECHNICIAN about your computer


EMSISOFT-WIN764 (9:16 PM):


ok


MRZ-PC (9:17 PM):


ok


wait


m talking to my senoir superwiser about your computer problem


what should be the best solution


EMSISOFT-WIN764 (9:18 PM):


ok thanks


MRZ-PC (9:18 PM):


pk


now m going to write down on the NOTEPAD SOLUTION FOR YOUR COMPUTER


OK


[Screenshot: scammer_deal]

How a Microsoft Tech Support scammer fixes your PC.




A Heartfelt Thank You on Behalf of Bleeping Computer and Emsisoft


Final Step: When they realize it’s a scam, deny everything


By now of course we weren’t even sure if we could still play along. Mr. Z had provided over 2 hours of tech support… and now he was trying to get us to pay for extended service, with poorly written ads pasted into Notepad. In all honesty, this final tactic put us at somewhat of a loss for words, but after some careful consultation with a few of our friends from Bleeping Computer, we eventually developed an adequate response (continuing the conversation in Notepad).


[Screenshot: thank_you_note_4]


Not to anyone’s surprise, Mr. Z denied all allegations of being a scammer until the very end.


[Screenshot: scammer_finale_1]


Moral of the story? Some people will do anything to scam strangers on the Internet, even if it’s more work and less pay than getting an actual job. Don’t let them scam you.


Have a great (Mr-Z-free) day!


Your Emsisoft Team.




* Note: All of “Mr. Z’s” spelling and grammar has been left in its original form. If you can’t understand about half of what he’s saying, don’t worry – neither could we! In general, grammar like this – regardless of language – is a telltale sign that you’re dealing with a fraud.


