Security pro Matthew Weeks has released a Metasploit module that can take over computers running the Ammyy Admin remote control software popular among "Hi this is Microsoft, there's a problem with your computer" tech support scammers.
Weeks' day job is director at Root9b, but he's taken time to detail a zero-day flaw in Ammyy Admin he hopes will be used to fight back against tech support scammers.
This one is personal: Weeks says he became keen on a countermeasure after he "" ... discovered one of these groups had managed to scam my grandparents and leave their computer an infected mess for me to clean up. So I set out to find out if I could counter an attempted scam with a full fledged remote exploit, and turn the tables on the scammers."
The resulting tool is explained in a detailed technical post in which Weeks explains "I put together a Metasploit module that will generate a plaintext transcript to send to the remote end via the injected DLL into a running Ammyy instance that will exploit the remote end trying to take over your computer."
"I don’t normally release zero day exploits, but I made an exception in this case because given the reporting and usage of Ammyy Admin I consider it highly unlikely to be used to compromise innocent victims ... hopefully, it will be a deterrent to those who would attempt to compromise and take advantage of innocent victims."
The hack works from the end-user, meaning victims can send scammers the hijacking exploit when they request access to their machines. Victims should provide scammers with their external IP addresses rather than their Ammyy identity numbers as the exploit was not yet built to run over the Ammyy cloud, according to the exploit readme.
Weeks wrote an executable to automate processes required to pull of the hack targeted at the latest version 3.5 and a module for the popular Metasploit security tool.
The Black Hat speaker, Metasploit developer and former US Air Force reverse engineer said he had not exploited a scammer with the hack since none have called lately.
Ammyy Admin is used by tens of millions of users. Neither Weeks nor Vulture South have consulted legal eagles over use of the exploit. It's likely that doing so, however comedic, would breach some form of broad computer crime laws. ®