Even if you have never had to deal personally with “Windows support” scammers, chances are someone you know has, or you have at least heard about this type of scam.
These scammers usually try to trick users into installing legitimate remote desktop software onto their computer, allowing the scammers to take over the machine and steal information, install malware, or to simply make it look like the computer is having problems with malware and ask for money in order to “fix” it.
There are a number of remote control apps on the market, and among the most popular ones with scammers is Ammyy Admin, which was also used by the scammers who targeted the grandparents of infosec researcher and Metasploit developer Matt Weeks.
This intrusion inspired him to find a way for (relatively knowledgeable) victims to turn the tables on the scammers instead of just shutting down the scam attempt immediately or stringing the scammer along for a few minutes before doing the same.
Weeks decided to explore the Ammyy Admin software and see if he could find a vulnerability that can be exploited. It took him a while – and he described the complete process in a very thorough post – but he managed to find one.
Because Ammyy Admin does not use ASLR or DEP protection, creating an exploit for the bug was relatively easy. Writing the shellcode for the direct attack was a bit more difficult, he noted, but in the end he managed to “put together a Metasploit module that will generate a plaintext transcript to send to the remote end via the injected DLL into a running Ammyy instance that will exploit the remote end trying to take over your computer.”
“In order to run it, you still need to run Ammyy Admin, save the plaintext transcript in its directory, and inject the DLL into the process which will load up the transcript. So I put together an executable package to automate this,” he explained.
He made the package available for download, but only if you explicitly agree that you won’t use it for evil purposes and with the understanding that he does not condone illegal activity (using this exploit to compromise a scammer’s computer is, technically, illegal in many countries). He also explained that while the exploit worked against test machines, he didn’t try it out against an actual scammer.
“I don’t normally release zero day exploits, but I made an exception in this case because given the reporting and usage of Ammyy Admin I consider it highly unlikely to be used to compromise innocent victims,” he noted. “The primary users at risk of compromise are the scammer groups. Hopefully, it will be a deterrent to those who would attempt to compromise and take advantage of innocent victims.”