Prevent Syskey Scammer Attacks

LedHed

Before I get started, YES I Googled this, AND Yes, I searched the forums first, no luck.

Okay, so a new client calls me and tells me that he let someone from "Microsoft" remote in because they say his computer is "infected."

Yep, this is one of "those" stories.

The computer was an HP Desktop that originally had Windows 8 but it had been upgraded to Windows 10.

The scammer set up a syskey password and somehow damaged the user's account so that I couldn't access the system restore points.

The user was still an admin but when I would try to access the system restore, it would give me a message about this user not having access rights to system restore.

I ended up having to do a nuke and pave, after backing up his data, of course.

What I would like to know is this, is there a way to prevent syskey from running? I considered deleting syskey.exe from the system but it is really small. It would be very easy for a scammer to replace it via file transfer.

I want to be very clear, I'm not interested in "bypassing" a syskey password. I want syskey locked down in such a way that it will not run for anyone, period.

I'm not even sure this is possible, I just thought I would ask.
 
I got past this the one time I came across it. I will look at my notes when I get back and post if nobody else does.

Update.
Sorry, I didn't pay attention to where you said you didn't want to know how to bypass it.
 
I'm trying to learn C++ all over again it seems. This could be a viable project :)

I imagine if we removed syskey or replaced it, it would throw SFC errors - would the file be corrected during an SFC? Hmmm.
 
You could use image file execution options to redirect any queries for syskey.exe to go to your own custom exe. That way if they tried to copy over their own syskey.exe it would still get blocked and then you could have your own custom exe pop up with a message warning the customer (and even email you as well so you can be proactive).
 
To all: I'm not really a coder. I wouldn't mind learning, but coding a solution myself is beyond my current skill set.

@Markverhyden: Your idea is pretty good, except pulling the power plug might cause other issues and it wouldn't work at all for a laptop.
@Larry Sabo: This is a good idea, except I think it would be better to maybe disable the ethernet ports (to kill the remote session) and then pop up a screen that says "You have been scammed, please call (insert your business name here)."
@phaZed: I think you're right about sfc, that's one of the reasons I would like to disable syskey.exe instead of removing it.
@ZenTree: Your idea sounds very promising, please elaborate.

It looks like I have hit upon a good idea, I would be happy to test your ideas or work with anyone (to the best of my ability) to help make this happen.

Thank all of you for your input so far.
Andy
 
The title is "Prevent Syskey Scammer Attacks" but the attack is often "Scammer installs remote control app and gains admin access to your computer". And the naive user actually helps the scammer to break into their computer. That is the main threat that should be addressed.

Once the scammer has admin access on the machine they can run syskey, but they can also do anything else they want to, including deleting your files, formatting the drive, encrypting your files ... So even if you lock syskey the scammer can still do plenty of damage.

CryptoPrevent 4.4.1 and higher, by FoolishIT, has the ability to block syskey.exe from execution.
 
So, after reading your suggestions, this is what I think needs to happen:

Syskey.exe needs to be pointed to a script using IFEO. Ideally, the script should:

1. Disable the ethernet ports (LAN and WLAN) to kill the remote session
2. Pop up a screen with information about what happened and contact info for your business

Does this sound like it would be a good idea? Any comments or suggestions?
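One way to wire up the IFEO redirect suggested in the earlier post and the two-step handler described in this one, as an added PowerShell example that is not from the thread or any poster. The folder, script name, message text and phone number are placeholders to replace with your own; the registry path and the Debugger value are the real IFEO mechanism.

```powershell
# Added example, not from the thread. Run once from an elevated PowerShell
# on the machine you are protecting. Folder, script name and contact details
# below are assumptions for illustration.

$handlerDir    = 'C:\ProgramData\SyskeyGuard'          # assumed location
$handlerScript = Join-Path $handlerDir 'OnSyskey.ps1'  # assumed name
$ifeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\syskey.exe'

New-Item -Path $handlerDir -ItemType Directory -Force | Out-Null

# The handler that Windows starts INSTEAD of syskey.exe. IFEO appends the
# original command line (the path to syskey.exe and any switches), so the
# script accepts and ignores whatever arguments it receives.
@'
param([Parameter(ValueFromRemainingArguments=$true)] [string[]] $IgnoredArgs)

# 1. Kill the remote session: disable every network adapter that is currently up.
Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false

# 2. Tell the user what just happened and whom to call (placeholder contact details).
Add-Type -AssemblyName System.Windows.Forms
[System.Windows.Forms.MessageBox]::Show(
    "Someone just tried to run SYSKEY on this computer. This is a known scam." + [Environment]::NewLine +
    "Your network has been disconnected to end the remote session." + [Environment]::NewLine +
    "Please call YOUR BUSINESS NAME at 555-0100.",
    'Possible scam detected',
    [System.Windows.Forms.MessageBoxButtons]::OK,
    [System.Windows.Forms.MessageBoxIcon]::Warning) | Out-Null
'@ | Set-Content -Path $handlerScript -Encoding ASCII

# Point IFEO at the handler. The redirect is keyed on the image name, so a
# fresh syskey.exe the scammer copies over is redirected exactly the same way.
New-Item -Path $ifeoKey -Force | Out-Null
$debugger = "`"$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe`" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$handlerScript`""
Set-ItemProperty -Path $ifeoKey -Name Debugger -Value $debugger -Type String
```

Two things to keep in mind when using it. The handler runs in the security context of whoever launched syskey.exe, and Disable-NetAdapter needs an elevated context; in practice that is satisfied, because syskey itself only works from an admin session. And, as Eagle21 said above, an admin can delete the Debugger value as easily as this script created it, so treat it as a tripwire that ends the session and alerts the customer, not as a control that keeps a determined scammer out. Note also that Microsoft dropped syskey.exe starting with Windows 10 version 1709, so on current builds there is nothing left to redirect; this only matters for older installs.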
 
I was unaware that CryptoPrevent would stop syskey from running.
@Eagle21: I agree with this:

"Scammer installs remote control app and gains admin access to your computer". And the naive user actually helps the scammer to break into their computer. That is the main threat that should be addressed.

Once the scammer has admin access on the machine they can run syskey, but they can also do anything else they want to, including deleting your files, formatting the drive, encrypting your files ... So even if you lock syskey the scammer can still do plenty of damage.

However, I've spoken with my clients at length about this subject, but they keep falling for it anyway. When I ask them why they let someone they've never met remote into their machine they say, "He said he was from Microsoft." Or, they tell me that they got a pop up from Microsoft with a phone number to call to remove the "infection."

I submit that nothing can be done about a user who refuses to listen. I recognize that yes, once a scammer has admin rights, he can do whatever he wants. I was simply trying to prevent syskey from being executed because it is a particularly hard problem to solve.

I will take a look at CryptoPrevent, but I don't see how that would stop the scammer from doing whatever they want, as you mentioned, including uninstalling CryptoPrevent. I still like the idea about the script I mentioned above because disabling the ethernet ports would kill the remote session, preventing further damage.

Again, comments and suggestions are welcomed, as long as they are respectful.
 
I believe CryptoPrevent can be password locked. But the best option is to train your users to stop the computer and call you.

Which is why I am constantly sending out newsletters at least every other month about this. Every time another type of scam comes up I send another newsletter through Mailchimp. That allows me to keep a record of who saw my e-mail and they can't say I didn't warn them.
 
I have my first one of these getting dropped off tomorrow and would love to see your notes. Not sure how bad it's going to be but no need to reinvent the wheel if I don't have to, thanks!
 
My folder for this has an iso file in it, but no notes. I remember burning a disc and booting to it. It's a small file; if you want it, send me your email in a message and I'll send it to you. Sorry I don't have the notes.
 