The “Microsoft” Phone Scam (Windows 7)

Last week I got a somewhat frantic call from a relative who was, at the time, on the phone with a “Microsoft” representative who had informed him that his computer was vulnerable and required a new firewall or the FBI was going to block his computer from the internet.

Now, before you roll your eyes, this relative had gotten an email from his employer that very morning with security warnings so it’s not an enormous leap to think that they, or some contracted company, were calling to address that issue.

The Attack

Anyway, here’s what they did and how I fixed it. He had given them remote access using a java-based remote support that goes under various names. In this case it was called “MyRemoteSupport” and had created a directory in C:\Program Files(x86) of the same name. The really tricky part was that they used a Windows feature to attempt extortion in the guise of a “fix”. There’s a little known feature sometimes referred to as “SysKey” that encrypts the SAM registry hive. This results in Windows requiring a password on boot and it’s not something that Ophcrack or chntpw can deal with as it’s the hive itself that’s encrypted.

The Solution

Thankfully my relative called me and I was able to tell him to yank the network cable before they could get to the next point in their attack, a point that would likely have necessitated a complete reinstall of Windows from scratch. The System Restore Points were still there so the fix was actually simple, a boot whilst hammering “F7” then an “F8” on the Windows 7 boot option (the only one in this case) then a boot in to the System Rescue allowed me to restore to the most recent point before the call which was just a couple of days prior. Thankfully this feature just restores the registry from one of those nastily named system restore blobs that sit around your hard disk so the SAM file was restored to the previous, unencrypted version.

After the restore I rebooted into networkless safe mode and had a poke about to see what the jerks had done. Nothing was super evident except the previously mentioned directory and an outbound firewall on a high port that looked somewhat suspicious. It was ambiguously named something like “VtSrv” and allowed all traffic out on a high port. After these were deleted I rebooted in to “Safe Mode with Networking” and installed/ran a MalwareBytes Anti-malware scan to clean things out. It found about 73 infected files some of which always seem present on his system the others had names that looked like the remote access thing in the browser cache/AppData directories.

Another reboot, this time letting the machine come up normally and an anti-virus scan cleared out a few strays and it was done. I’m sure that there are far more pervasive and unpleasant examples of this attack but if you’re lucky enough to find yourself getting a call at the same point of the attack as I did it’s not too much of a challenging fix.

Just another reason why Windows sucks!