Matthew Weeks is the director of emerging technology for Root9b, a cybersecurity firm with offices in New York, Texas, and Colorado. He also has a lovely grandmother whom he'd rather not see pestered by scam artists posing as Microsoft support agents who can fix all her computing problems from afar.
Unfortunately, Weeks' grandmother, like so many unsuspecting PC owners, was conned into granting the scammers remote access to her machine, which they then loaded with actual malware. After spending hours cleaning up the mess, Weeks decided that someone needed to turn the tables on the bad guys.
His approach: find a vulnerability in the remote control app that the scammers rely on. It's called Ammyy Admin, and it works much like TeamViewer or GoToMyPC. A user who needs help fires up the host app and reads out an ID to a remote technician, who then connects and takes control of the system. Ammyy Admin can be a genuinely helpful little tool, but only when those using it aren't twisting its capabilities to perpetrate nefarious schemes.
After several days of setting up virtual machines, writing scripts, and sniffing network traffic, Weeks found what he was after: a zero-day in Ammyy Admin that allowed him to compromise the remote party connecting in, that is, the machine of the "technician" rather than the victim's. While he admits that he wouldn't normally make something like this public so quickly, he doesn't think there's any real risk to end users. In his view, the only people really at risk are the Windows support scammers themselves.
If you're concerned about the legality of Weeks' tool, it's probably best not to run it: gaining unauthorized access to someone else's computer is a crime in most jurisdictions, and the fact that the other party is a scammer does not change that. You can always exact a bit of payback by trolling the scammers when they call and posting the hilarity to YouTube.
[Image courtesy of State Farm on Flickr]