Do not use Ammyy Admin (Remote login) software. Ransomware Alert.

Question

d5aqoëp    908

Today I needed help with installing a digital signature certificate and I couldn't. So I called up the support line. The guy was helpful and asked me to install this freeware Ammyy Admin, which is a TeamViewer alternative. So I went to the Ammyy website and downloaded the file. Ran it and the guy remotely solved my issue. After 1/2 hr, my PC speakers were alive with a voice: "Your PC has been encrypted", go to this link on Tor and pay 2 bitcoins to decrypt your data. My wallpaper changed to Cerber Ransomware. All files were renamed to some gibberish alphanumerical names with a cerber3 extension. Windows Defender? Ohh, poor fella. The damn antivirus didn't even know what was going on. A full system scan after encryption revealed nothing.

I did a clean 3-pass format and reinstalled Windows again. My backup was from yesterday, so I did not lose any data. So a big <snipped> to those ransomware makers. Let them rot in hell while I move on with my life. Only 2 hrs lost, but I can still smile.

Now the real part. I did a little Google search on this Ammyy Admin website and apparently they get hacked every month or so, when they randomly start packaging this Cerber ransomware in their executable. Which makes me think that they are hand in glove with the ransomware coders. My advice to fellow Neowinians: do not use Ammyy Admin for remote access needs. There are several other alternatives.

Recommended Posts

+warwagon    13,212

Which AV did you have?

d5aqoëp    908

The mighty Windows Defender

+BudMan    3,551

Where exactly did you download it from? And where did you get the idea it was free? It is not free for business use. How and who were you sharing with? Maybe he was infected and it jumped to your machine from the connection.

I agree with your advice though - why would you use that when you can just use TeamViewer?? Have you looked at the website ;) hehehe

sc302    1,746
26 minutes ago, d5aqoëp said:

The mighty Windows Defender

really???

The only thing mighty about it is how bad it is. I vaguely remember a Microsoft whitepaper stating not to use it as your primary AV source; don't take my word for it... I am sure if you google how bad Defender is you can come to your own conclusion. That thing couldn't detect a 20-year-old virus, much less any ransomware.

+InsaneNutter    1,357
47 minutes ago, d5aqoëp said:

Now the real part. I did a little google search on this Ammyy Admin website and apparently they get hacked every month or so when they randomly start packaging this Cerber ransomware in their executable. 

The website looks like a scam in my opinion anyway; even if it is legit, little effort seems to go into maintaining the site / product: "Copyright © 2015 Ammyy"

Last website update: "07/03/2014 Ammyy Admin v3.5 released"

xendrome    5,555

Why install a "TeamViewer" alternative when TeamViewer Host or TeamViewer Host Portable works fine... or any of the other well-known remote PC assist apps? Kinda your fault for using crap software...

+BudMan    3,551

^ Agreed on the crap software. But not sure I would blame the OP.. Seems that was what was suggested by the support team he called. Which I am curious what company that was. The company you got your cert from? Who suggested you use this software? Do they own a legal license, since clearly they are using it for business use? So did they point to where they have a copy they distribute to their customers? Or did they just say get it off the net? Did they give you a link to the actual site (yeah, it's crappy) or did you grab it from like CNET or something?

d5aqoëp    908
2 hours ago, BudMan said:

^ Agreed on the crap software. But not sure I would blame the OP.. Seems that was what was suggested by the support team he called. Which I am curious what company that was. The company you got your cert from? Who suggested you use this software? Do they own a legal license, since clearly they are using it for business use? So did they point to where they have a copy they distribute to their customers? Or did they just say get it off the net? Did they give you a link to the actual site (yeah, it's crappy) or did you grab it from like CNET or something?

I had asked their support to get access to my PC through TeamViewer (which I already had installed), but he was trained to say it was not on their PC. They only had Ammyy Admin. So I had no choice. I downloaded it from Ammyy Admin's website as it is the first Google search result. Even CNET would have been safer.

@sc302

I said mighty Defender in a sarcastic way. It is worthless junk which just sits there and takes up resources on all Windows PCs.

This was my first virus infection in years and I don't even remember when I was last infected. Yet I have learned nothing. Obviously I will not double-click BritneySpears.exe, but I might definitely execute an app installer which looks legit. This right here is the modus operandi of future attacks.

xendrome    5,555

Who is "their support"?

wakjak    19,114
7 minutes ago, xendrome said:

Who is "their support"

Must have been "Microsoft technical support, my name is Rob Johnson" (in a thick Indian accent)

+BudMan    3,551

Yeah, I am also curious who their support is?

And while they might have their own tool, or sure, use something other than TV, they didn't direct you to where to get it, like from their site - they said just google it? That is complete utter BS.. Who exactly is this support company?

d5aqoëp    908

I myself am from Mumbai and the digital certificate issuer is a Mumbai-based company with a local call centre. The support guy might not even know that the Ammyy Admin website routinely gets compromised. The digital certificate is used to sign the income tax documents before uploading them to the Govt website for filing tax returns.

+BudMan    3,551

So this is a gov-sponsored support?? Wow... Who is taking wagers that their use of Ammyy, which they are telling people to use, is not even legally licensed for business use??

d5aqoëp    908

Not govt., definitely not. This company is just a contractor who is cutting costs by using freely available remote login software instead of commercial ones like TeamViewer.

+BudMan    3,551

"freely available"

Does not mean FREE for business use.. Anyone can download TV, it's FREE for personal use.. Same goes with this crap alternative they are suggesting.. Read their license agreement.. Or shoot, first thing on their page:

[image: freesoftware.jpg]

Did they miss the "non-" part of that statement? ;)

goretsky    1,065

Hello,

The following series of Tweets starting with this one might be of interest:

Regards,

Aryeh Goretsky

+BudMan    3,551

I would really bring this up to this so-called "support" so the next poor schmuck doesn't have the same thing happen. That link posted by Danielx64 pretty much spells out how crappy that company is. Love the part about the notification and the response they got days later about "please provide license number" ;) heheheh

cork1958    1,716
On 9/21/2016 at 7:36 PM, d5aqoëp said:

I had asked their support to get access to my PC through TeamViewer (which I already had installed), but he was trained to say it was not on their PC. They only had Ammyy Admin. So I had no choice. I downloaded it from Ammyy Admin's website as it is the first Google search result. Even CNET would have been safer.

@sc302

I said mighty Defender in a sarcastic way. It is worthless junk which just sits there and takes up resources on all Windows PCs.

This was my first virus infection in years and I don't even remember when I was last infected. Yet I have learned nothing. Obviously I will not double-click BritneySpears.exe, but I might definitely execute an app installer which looks legit. This right here is the modus operandi of future attacks.

You even know that Windows Defender is junk and yet you still use it?! Why in the world would anyone do that, especially anyone that knows even a little bit about that fact?

Definitely glad you had a current backup though! :)

Riggers    187

This is why I don't like downloading software from places that don't provide an MD5/SHA-1 for you to reference against. Also, surely a product such as this should be digitally signed. I suppose in hindsight running the exe through VirusTotal or Jotti might have been good practice...

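The two checks the post above suggests (compare the download against a published hash, and confirm the executable carries a valid Authenticode signature from the expected publisher) can be scripted before an installer is ever run. This is an added example, not code from the thread or from any vendor; the expected hash and publisher name are placeholders you would replace with values taken from the vendor's own release notes.

```powershell
# Added example: pre-flight checks for a downloaded installer (e.g. a remote-support tool).
# Usage: .\Verify-Download.ps1 -Path .\installer.exe -ExpectedSha256 <hash from vendor> -ExpectedPublisher '<vendor CN>'
param(
    [Parameter(Mandatory)] [string] $Path,
    # Placeholder: paste the SHA-256 the vendor publishes for this exact release.
    [string] $ExpectedSha256 = 'PLACEHOLDER-VENDOR-PUBLISHED-SHA256',
    # Placeholder: the Common Name you expect on the vendor's code-signing certificate.
    [string] $ExpectedPublisher = 'PLACEHOLDER-VENDOR-NAME'
)

$ok = $true

# 1. Hash check: a file swapped on a compromised download page will not match the vendor's value.
$actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
if ($actual -ieq $ExpectedSha256) {
    Write-Host "SHA-256 matches published value: $actual"
} else {
    Write-Warning "SHA-256 mismatch. Expected $ExpectedSha256, got $actual"
    $ok = $false
}

# 2. Authenticode check: unsigned, tampered (HashMismatch) or untrusted-chain binaries all fail here.
$sig = Get-AuthenticodeSignature -FilePath $Path
switch ($sig.Status) {
    'Valid' {
        Write-Host "Signed by: $($sig.SignerCertificate.Subject)"
        Write-Host "Issuer:    $($sig.SignerCertificate.Issuer)"
    }
    'NotSigned' {
        Write-Warning 'File is not digitally signed.'
        $ok = $false
    }
    default {
        Write-Warning "Signature problem: $($sig.Status) - $($sig.StatusMessage)"
        $ok = $false
    }
}

# 3. Publisher check: a valid signature from an unexpected publisher is still a red flag.
if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -notlike "*CN=$ExpectedPublisher*") {
    Write-Warning "Signer subject does not name the expected publisher ($ExpectedPublisher)."
    $ok = $false
}

if ($ok) { Write-Host 'All checks passed.' } else { Write-Warning 'Do not run this file.'; exit 1 }
```

Note that a hash published on the same page as the download only helps if the page itself has not been altered; the signature check is the part an attacker who merely replaced the file cannot satisfy without the vendor's signing key.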
+BudMan    3,551

Maybe they don't have enough paying customers, so now they have gotten into the ransomware business ;) hehehe.

I really do not blame the OP on this sort of thing. You call a company for support and they say "hey, use this".. For starters, THEY should be providing their customer with a direct link to what they want them to use, off their website. And 2nd, it should be freaking legal if you're doing business. I would bet a LARGE sum of money, LARGE, that this support company is not licensed for business use of this software.

But I agree with you, why would you use such software. Shoot, I put up the compiled versions of iperf for Windows and I provide hashes for them.

You know another sign of crapware - they don't even provide you a direct link on their website, they have you give them your email address.. I hate that practice!!! Sign that the actual thing they are making money off of is selling valid email addresses ;) hehehe

sc302    1,746

FWIW, WebEx is all hosted on the WebEx site, not the company site.

It is usually companyname.webex.com

;P

Anibal P    2,055
13 minutes ago, sc302 said:

FWIW, WebEx is all hosted on the WebEx site, not the company site.

It is usually companyname.webex.com

;P

It really freaks out newer employees that have not used WebEx before, especially since we route the logins through our eSSO servers first.

Danielx64    604
17 hours ago, BudMan said:

Maybe they don't have enough paying customers, so now they have gotten into the ransomware business ;) hehehe.

I really do not blame the OP on this sort of thing. You call a company for support and they say "hey, use this".. For starters, THEY should be providing their customer with a direct link to what they want them to use, off their website. And 2nd, it should be freaking legal if you're doing business. I would bet a LARGE sum of money, LARGE, that this support company is not licensed for business use of this software.

But I agree with you, why would you use such software. Shoot, I put up the compiled versions of iperf for Windows and I provide hashes for them.

You know another sign of crapware - they don't even provide you a direct link on their website, they have you give them your email address.. I hate that practice!!! Sign that the actual thing they are making money off of is selling valid email addresses ;) hehehe

Yeah, the other day I had no choice but to provide fake information just to get a trial of InstallShield. You know what else pisses me off? Not having prices up, so you have to contact them to get a quote.

d5aqoëp    908

I tried to contact my CA and he was unreachable for the past 3-4 days. Today he called up and told me that he had to suspend work because he was infected with Cerber ransomware while trying to import his digital certificate. :laugh:

He lost 20 days of work and took the last few days to get up to speed. I wish I could've warned him. Apparently this virus is wreaking havoc in India because this useless tech support company is asking everyone to install Ammyy Admin. Their digital signature flash drive has install problems. So they are using remote login to push the updated version of the installer which correctly installs their newer digital signature.
