Turning the tables on “Windows Support” scammers by compromising their PCs
Tech support scams are nothing new—we first went in-depth almost two years ago on “scareware scammers” who cold-call unsuspecting victims and try to talk them into compromising their computers by installing remote control applications and handing the keys over to the scammers.
We even managed to engage with one for a protracted length of time, with deputy editor Nate Anderson playing the role of a computer neophyte and recording the entire mess. But one developer has taken things a step further, producing a tool that will enable you to fight back if targeted—if you don’t mind a bit of bad acting yourself.
Matt Weeks is one of the developers who contributes code to the open source Metasploit Project, a sprawling and continually updated security framework that functions as a repository for software vulnerabilities and is frequently used as a Swiss Army Knife for penetration testing. Weeks has published a long report on his site detailing how he was able to reverse-engineer the encrypted communications protocol used by Ammyy Admin, one of the most popular remote control apps used by tech support scammers, and then use that knowledge to ferret out a vulnerability in the Ammyy Admin application.
Because Ammyy Admin uses the same binary on both the remote computer being controlled and the source computer doing the controlling, an exploit against the application has the potential to affect not just the target but also the source. Weeks figured that if he could sniff out a vulnerability in the application’s communications stack, he could use that vulnerability to execute code on the remote computer—in other words, to gain the same level of access on the scammer’s PC that the scammer tries to gain on the victim’s.
After a bit of work with a pair of virtual machines each running Ammyy Admin, Weeks had learned enough about the application to hook into the running app’s encryption and decryption facilities and monitor its communications, saving the effort of having to actually break the encryption. Once he could see exactly what Ammyy Admin sends over the wire during a remote control, he started to try to break it using a method called fuzzing—carefully injecting a controlled amount of random data into the stream to see what happens. The goal was to cause the application to actually crash and then to see why it crashed.
By coupling together fuzz testing and debugging, a skilled developer can gain a picture of the potential vulnerabilities in an application. The prize in this case would be a particular type of crash that leaves the attacker in control of the CPU’s instruction pointer—in other words, a crash that lets the attacker tell the computer what to do next.
After several days of fuzz testing with almost a dozen virtual machines, Weeks had collected enough crashes to begin analyzing and debugging. He was aided by the fact that Ammyy Admin doesn’t opt in to ASLR or DEP. ASLR randomly changes the layout of a program’s data areas, and DEP prevents the operating system from running code in certain areas of memory; both of these technologies are intended to make exactly this kind of vulnerability detection and exploitation significantly more difficult (Ars Microsoft Master Peter Bright explains ASLR a bit more in detail in this piece).
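Whether a Windows binary opts in to ASLR and DEP is recorded in its PE header, so a defender can check any executable for the same weakness the article describes before running it. The following is an added example, not code from the article or from Weeks’ Metasploit module: it parses the PE optional header’s DllCharacteristics field for the DYNAMIC_BASE (ASLR) and NX_COMPAT (DEP) flags, and also checks the COFF Characteristics field for IMAGE_FILE_RELOCS_STRIPPED, because a binary without relocations cannot be moved even if DYNAMIC_BASE is set. The sample PE images are constructed in memory by the helper `build_sample_pe` (a hypothetical name) so the script runs offline; `pe_mitigations` works the same way on real file contents.

```python
import struct

# DllCharacteristics flags from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040    # opts in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100       # opts in to DEP
# COFF Characteristics flag: relocation table removed, so the image cannot be rebased.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001


def pe_mitigations(data: bytes) -> dict:
    """Report ASLR/DEP opt-in for a PE image given as raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # 20-byte COFF file header
    characteristics = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20                           # optional header follows COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):           # PE32 or PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "aslr": dynamic_base and not relocs_stripped,
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "relocs_stripped": relocs_stripped,
    }


def build_sample_pe(dll_chars: int, characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE image (headers only) for offline testing; hypothetical helper."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0,
                       opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, 2)             # Subsystem: Windows GUI
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


def check_file(path: str) -> dict:
    """Run the same check against a real executable on disk."""
    with open(path, "rb") as f:
        return pe_mitigations(f.read())


if __name__ == "__main__":
    samples = {
        "hardened": build_sample_pe(
            IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT
            | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA, 0x0022, pe32plus=True),
        "no_optin": build_sample_pe(0, 0x0102),
        "relocs_stripped": build_sample_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, 0x0103),
    }
    for name, image in samples.items():
        print(name, pe_mitigations(image))
```

The `relocs_stripped` sample is the caveat worth remembering: `dumpbin /headers` will show “Dynamic base” for such a file, yet the loader cannot randomize it because there is no relocation table to apply, so the binary still loads at a fixed address.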
The fruits of labor well spent
Weeks’ work resulted in a new module for Metasploit and a bespoke set of carefully broken communications strings. When injected properly into the communications stream between an Ammyy Admin client and server, the exploit uses modified screen drawing instructions to park a payload in part of the memory reserved for the Ammyy Admin server’s application. That payload can be whatever you’d like, but an attacker would generally want it to be a remote shell—an application that can be executed to gain access to the remote computer, cloaked as program data.
After the payload is delivered, the Ammyy Admin server is fed the appropriate instruction that gains control over the instruction pointer, causing it to execute the payload. And just like that, the victim becomes the attacker.
Weeks has made the exploit package available for download at the end of his post, though he notes that while he has tested it with virtual machines running Ammyy Admin, he has not used it against an actual Windows support scammer. Actually doing so would almost certainly be illegal in most countries.
Ars has reached out to Weeks with some questions about the development process and the tool, and we’ll update this piece if he is able to respond.