Saturday, 22 April 2017

Recover from Microsoft Tech Support Scam

How to recover from the "Microsoft Tech Support Scam"

There is also a German version of this article in my blog.

An unexpected call

A friend of mine got a call from a friendly Microsoft support technician to help her fix a virus on her PC. That is what he claimed, anyway.
Note: Microsoft will never call you about problems with your computer. 100% of the callers claiming to do so are fraudsters.

Here is a rough idea of the scammer's script as we could reconstruct it from her PC and what she remembered.

Your PC reports problems to our servers

As my friend is a native German speaker, the scammer showed amazing patience in making her understand the seriousness of the problem.

Step one: establish trust

He had her press "Windows+r", then type cmd to open a command shell. There he asked her to type "assoc" and check whether a line near the bottom read "888DCA60-FC0A-11CF-8F0F-00C04FD7D062", which, according to him, is a globally unique identifier for the machine that causes the problem. In reality, assoc only lists file-type associations, and this CLSID shows up in its output on every Windows installation.
Oh no!
Sure enough the IDs matched. This calls for immediate action!


From what I could gather, she was then asked to go to a website that had already been taken down when I went to investigate. Presumably she installed TeamViewer from there.
Now the attacker gave her a tour of her system:

Just look at all these errors. There must be something wrong!

That is a neat one, and I had to investigate a little to see how it works.
There: It says it's been hacked!
The attacker let her run "tree c:\ /F" in the cmd window. That takes a loooong time to complete. While it is running, the attacker (thanks to TeamViewer) types some scary text and hits CTRL-C.

Give me your money

This must have been the moment when she was offered the 300€ full service support package. As she was still hesitant to accept that, the attacker prepared the more drastic moves.

Shields down!

Now he called msconfig, presumably to disable system recovery. I'm not absolutely sure, but system recovery was off when I got the machine and there were no restore points to revert to.

Around that time, he also must have run the syskey command that encrypts the SAM hive of the registry. That is the part that stores the user's password hashes.

Too scary

When he asked her to check her banking software, she started to smell a rat.
But the point when my friend freaked out was this: The caller, obviously sidetracked by my friend's friendly female voice, wanted to see who he was dealing with and presumably ran the "camera" utility. When my friend saw herself on the screen, she closed the laptop's lid and hung up.

In the following hours, she got a number of calls from several unknown, foreign numbers which she didn't take. Presumably to "sell" her the password to her system.

AReResearch to the rescue!

She reported the incident to the police, who are aware of the problem, but couldn't offer much help. So she called me and came over to my house the next day.

The laptop was still running, but I shut it down. (In retrospect, possibly not the best idea.)
The laptop was not new, but new enough to have a UEFI BIOS with safeboot. I set it to legacy mode and started the system from a "Desinfec't 2017" USB thumb drive.
That is essentially an Ubuntu live Linux with a selection of virus scanners, published annually by the renowned German c't magazine.
The scanners came up empty. The attacker apparently hadn't left any malicious software on the system.
So I set the BIOS back to UEFI, but Windows wouldn't boot. Instead it came up with a password dialog I hadn't seen before:
"This computer is configured to require a password in order to start up. Please enter the Startup Password below."

Now what???

I was stuck. The usual repair mechanisms wouldn't work. (I was not aware of the disabled system recovery at this point.)
A bit of googling helped me find a solution:
The password dialog meant that the SAM file was encrypted.
Windows does save a copy of the registry files from time to time, regardless of the system recovery settings. With a little luck, those were still in place.

So here is what to do:
  • Boot the locked machine from a Linux live DVD. It doesn't need to be Desinfec't, as we don't need the scanners.
  • Mount your "C-drive" in R/W mode. For beginners, it might be easiest to recognize the right partition from its volume name.
  • Using the file manager of the live DVD (or USB drive for that matter), navigate to your Windows directory. Go to "system32" and then "config".
  • Rename the following files (e.g. with a ".orig" extension)
      2. SAM
  • Then go one step deeper in the directory tree to the "RegBack" folder
  • Copy the 5 files with the names listed above from the "RegBack" folder up to the config folder
  • Reboot the machine from the Windows drive (you might have to change back the BIOS settings)

That was it. The machine was good to go. I just uninstalled the unwanted version of TeamViewer and checked for anomalies with Autoruns. Nothing out of the ordinary.
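
The recovery steps above as a script for the live Linux shell, added here as an example and not part of the original post. It assumes the five hives are DEFAULT, SAM, SECURITY, SOFTWARE and SYSTEM (the list above survives only in part) and that the Windows volume is already mounted read-write; the path in the comment is a placeholder.

```sh
#!/bin/sh
# Added example: restore registry hives from RegBack on a mounted Windows volume.
# Assumption: these are the five hive files Windows keeps copies of in RegBack.
HIVES="DEFAULT SAM SECURITY SOFTWARE SYSTEM"

restore_hives() {
    config_dir=$1                    # e.g. /mnt/win/Windows/System32/config (placeholder)
    backup_dir="$config_dir/RegBack"

    # Pass 1: change nothing unless every backup is present and non-empty,
    # every current hive exists, and no earlier *.orig would be overwritten.
    # Newer Windows 10 builds leave only 0-byte files in RegBack.
    for h in $HIVES; do
        if [ ! -s "$backup_dir/$h" ]; then
            echo "backup missing or empty: $backup_dir/$h" >&2
            return 1
        fi
        if [ ! -f "$config_dir/$h" ]; then
            echo "current hive not found: $config_dir/$h" >&2
            return 1
        fi
        if [ -e "$config_dir/$h.orig" ]; then
            echo "refusing to overwrite: $config_dir/$h.orig" >&2
            return 2
        fi
    done

    # Pass 2: keep the locked hives as *.orig, then copy the backups up.
    for h in $HIVES; do
        mv "$config_dir/$h" "$config_dir/$h.orig" || return 3
        cp -p "$backup_dir/$h" "$config_dir/$h" || return 3
    done
    return 0
}

# Stand-alone use: sh restore_hives.sh /path/to/Windows/System32/config
if [ -n "${1:-}" ]; then
    restore_hives "$1"
fi
```

The *.orig files are left in place, so the copy can be reversed if the restored hives turn out to be too old.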
