The magazine of the Melbourne PC User Group
Malicious Diallers - Or Not So Free Porn?
Dennis Parsons
Dennis Parsons highlights one of the methods used to help you and your money to
become separated on the Internet.
Unfortunately, these days the Internet must be treated as a hostile place full
of viruses, spam and scams. If you are innocent, careless, gullible or just
plain stupid you will be mugged. The rest of us are just a step or two away from
a mugging and need to remember this.
The hazards fall into two broad, overlapping categories. The first is malware,
or malicious software, such as viruses, worms, spyware and Trojans; everyone is
familiar with these to some extent, and they can be largely prevented or
removed with protective software and a modicum of common sense.
The second category relies upon social engineering - convincing another person
to provide you with something or to do something for you by playing on human
traits such as trust, curiosity and greed. Examples are the infamous Nigerian
scam (I am the son of the former President ...) and the current spate of bank
phishing e-mails (a message asking you to visit a bogus bank site to "verify"
your Internet banking details - which in reality collects them).
Some basic (and incomplete) definitions:
- virus - code that replicates by inserting copies of itself in other files.
Spreads by execution of infected files on other systems.
- worm - code that replicates by generating copies of itself without a host file.
Spreads for example by e-mail attachment - the attachment is the worm and not an
infected file.
- trojan - as in Trojan Horse. Non-replicating code that purports to be useful but
is in fact harmful. Generally acquired by running downloaded software or e-mail
attachments.
- adware - software that displays advertising, and commonly also collects
personal information such as browser usage and reports it to a third party so
the advertising can be targeted.
- spyware - software that monitors your system and collects personal information
such as passwords, reporting it to a third party.
- dialler - software that causes your modem to dial a particular number for
Internet access.
Malicious diallers will be the subject of the rest of this article, although
much of the information and advice is relevant also to the above hazards and
nuisances.
What is a dialler?
As mentioned a dialler is software that dials a number to connect to the
Internet. It may be totally innocent -for instance provided by an ISP to
simplify connecting. Or it may have an altogether more malicious and harmful
intent - costing the user money.
Malicious diallers (hereafter referred to simply as diallers) perform what is
known as "Internet dumping" or the dropping of your normal Internet connection
and the subsequent dialling of another number. The harm and cost result from the
new number being a 1900 premium rate one or an IDD international number. The
call costs can exceed $5.95 per minute.
The dialler can be just a one-off dump and call or it can be installed to
replace your regular dial-up. Almost humorously some disconnect themselves after
twenty minutes! Very kind. Obviously the costs can mount very rapidly. Bills of
$200 or so would seem typical but they can range into the thousands. The highest
I've heard of is $7500.
Where Do Diallers Come From?
The dialler is generally downloaded inadvertently while visiting pornographic,
gaming (gambling), "warez" (file sharing and software "cracks") or illegal MP3
sites - what could be termed "dodgy" sites. Don't feel too smug and holy if you
never visit such sites because recently I've read of cases associated with very
legitimate sites with the dialler seemingly originating from an advertising
server.
Figure 1. A page redirection to a dialler site - note the plug-in reference
and attempt to convince you it's genuine.
Often it comes in the form of a page asking the user to install some software
that enables access to a site, or it says it's a plug-in required to view
content on a particular page. In other words it may be a trojan - malicious
software masquerading as useful and harmless software. They can also attempt to
automatically download and install themselves when you simply visit a page, if
your browser isn't configured to prohibit such an installation. In Internet
Explorer the settings that matter are the ActiveX control options in the
security zone settings: set the download and install options to prompt or
disable rather than enable, so an unknown control cannot be installed silently.
Reducing the Risk - User Behaviour
Aside from avoiding the dodgy types of site that are more likely to yield a
dialler, the best advice is to never download or install unsolicited downloads.
These are where you are asked to accept download of a file without having
clicked a link - you have no idea what it is. Ensure your browser security
settings do not allow automatic software download or installation.
Be very cautious when a page asks you to download a browser plug-in, although
they can be quite valid for things such as Flash graphics. Instead of allowing
your browser to download from the requesting site obtain the plug-in directly
from the author's site or use another known, trusted site.
Be wary when you've been redirected to another page, particularly if it then
asks you to download something and especially when it prompts an unsolicited
download.
Above all caution is always required so keep your eyes open and your brain
thinking - don't just blindly click away. Close suspect windows by clicking the
"X" in the window frame (not an "X" drawn inside the page itself, which is just
another link the page controls), right clicking on the listing in the taskbar
and then Close, CTRL+ALT+DEL to kill the browser off, or ultimately shut the
computer down if all else fails (they can be very difficult to kill) because you
just don't know what the "yes" or "no" button will actually do.
Is the "Click Here to Enter" really taking you to another page to enter a site
or are you actually giving permission to download or install something
malicious? Hover your mouse over links or buttons and try to read from the
status bar at the bottom of your browser where they lead or what they will do.
Treat this as a hint rather than proof: a page can set the status bar text by
script, and a link's script handler can do something quite different from the
address it displays. Ask yourself "do I really need to view this content?" when
prompted to install a plug-in. If you're uncertain then don't do it!
Basically it's up to you to be careful and sensible. Preventative software can
only do so much to prevent download and installation of malicious software - the
rest is up to you to be a smart and savvy user to overcome the social
engineering aspect of this problem.
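As an added example (not part of the original article), the following Python script applies the checks above to a saved copy of a page before you let the browser act on it. It flags a meta-refresh redirect, an ActiveX `<object>` that Internet Explorer would offer to install as a "plug-in", a link whose `onclick` handler does something other than the `href` the status bar would show, a link straight to an executable, and a script that rewrites the status bar. The sample page, the host name, the class ID and the file names in it are constructed placeholders, not real dialler identifiers.

```python
"""Audit a saved HTML page for the tricks the article describes: an
automatic redirect, an ActiveX "plug-in" object, links whose real action
is a script or an executable download, and a script that rewrites the
status bar so the hover check lies.

Added example, not from the original article.  SAMPLE_PAGE is constructed
for illustration: the host, class ID and file names are placeholders.
"""
from html.parser import HTMLParser

EXECUTABLE_SUFFIXES = (".exe", ".cab", ".scr", ".com", ".pif", ".bat")


class PageAuditor(HTMLParser):
    """Collects (kind, detail) findings while the parser walks the page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}  # names arrive lowercased
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("redirect", a.get("content", "")))
        elif tag == "object" and "classid" in a:
            # IE fetches the control from codebase if the CLSID is not installed
            self.findings.append(("activex-object", a.get("codebase") or a["classid"]))
        elif tag == "a":
            href = a.get("href", "")
            handlers = {k: v for k, v in a.items() if k.startswith("on")}
            if handlers:
                # the status bar shows href, but the handler decides what happens
                self.findings.append(("scripted-link", f"href={href!r} handlers={handlers}"))
            elif href.lower().split("?", 1)[0].endswith(EXECUTABLE_SUFFIXES):
                self.findings.append(("executable-link", href))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # script text is delivered here; window.status spoofs the hover check
        if self._in_script and "window.status" in data:
            self.findings.append(("status-bar-spoof", data.strip()))


def audit(html):
    """Return the list of (kind, detail) findings for one page's HTML."""
    auditor = PageAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page; example.invalid is a reserved, non-resolving domain.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="0;url=http://example.invalid/enter.html">
</head><body>
<p>This site requires a free plug-in to view the content.</p>
<object classid="clsid:00000000-0000-0000-0000-000000000000"
        codebase="http://example.invalid/plugin.cab"></object>
<a href="http://example.invalid/gallery.html"
   onclick="window.open('http://example.invalid/setup.exe'); return false;">Click Here to Enter</a>
<a href="http://example.invalid/download/access.exe">Download the free viewer</a>
<a href="/about.html">About us</a>
<script type="text/javascript">window.status = 'http://example.invalid/gallery.html';</script>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_PAGE):
        print(f"{kind:18} {detail}")
```

Run it against a page saved with "Save As" rather than a live one, so nothing on the page executes while you look at it. An "About us" link with a plain relative `href` produces no finding; the five suspicious constructs in the sample each produce one.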
Reducing The Risk - Telecommunications
There are a number of things you can do to help reduce the risk of a dialler
going undetected if you happen to cop one.
Configure your modem to have the speaker on when dialling so you can hear it
when it's actually dialling. This will also help you learn the tune made when
it's dialling your normal connection. This isn't foolproof as the volume can be
turned off by using an appropriate modem string (the Hayes ATM0 command mutes
the speaker, although I don't know if diallers actually do this) but at least
it gives you a chance to possibly catch strange modem activity. If you have an
external modem watch the lights and learn what regular dialling activity looks
like.
Configure your normal dial-up to not automatically redial on a dropout so that
if it does start dialling during an Internet session it will appear unusual and
raise your suspicions. Not auto redialling is recommended anyway as it prevents
multiple redialling if you exceed your time allocation or are having line
trouble for instance. It's not unusual for a user to clock up 30 or 40 phone
calls due to automatic redialling. If you have any doubts about why your modem
is redialling turn it off, unplug the phone line or immediately shut down your
computer.
Contact your phone company and ask them to block access to 1900 and IDD numbers
except by password. This doesn't offer complete protection as the dialler can
use a "bypass" prefix to dial through another phone company - e.g. you may use
Telstra but the dialler can dial through Optus by using a prefix number. Being
able to demonstrate you didn't want to be able to make such calls by having them
blocked by your telco may help your case if you ever happen to be caught out by
a dialler.
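As an added example (not from the article), here is a Python check that applies the points above to your dial-up configuration. It reads a phonebook fragment in the INI layout Windows uses for rasphone.pbk (the file that stores dial-up entries), normalises dial strings, flags 190x premium-rate and 0011 international numbers, notices a carrier override prefix placed in front of the number, and reports entries that still have automatic redial enabled. The phonebook fragment and the dial strings are constructed; the override codes are illustrative assumptions, not verified carrier codes, so substitute the ones your telco tells you about.

```python
"""Check dial-up phonebook entries and raw modem dial strings for what the
article warns about: premium-rate (190x) or international (0011) numbers,
a carrier override prefix used to dial around a telco block, and automatic
redial left switched on.

Added example, not from the original article.  SAMPLE_PHONEBOOK is a
constructed fragment in the INI style Windows uses for rasphone.pbk;
OVERRIDE_CODES are illustrative placeholders, not verified carrier codes.
"""
import re

PREMIUM_PREFIXES = ("190",)        # Australian premium-rate services; 1900 is the one named in the article
IDD_PREFIXES = ("0011",)           # Australian international direct dial prefix
OVERRIDE_CODES = ("1456", "1411")  # assumed carrier override codes, for illustration only


def normalise(dial_string):
    """Reduce an AT dial command or phonebook number to bare digits.

    Strips 'ATDT'/'ATDP', dial modifiers (',' pause, 'W' wait, '!' flash),
    spaces and hyphens, and treats a '+' as the local IDD prefix."""
    s = dial_string.strip().upper()
    s = re.sub(r"^AT\s*D[TP]?", "", s)
    s = s.replace("+", IDD_PREFIXES[0])
    return re.sub(r"[^0-9]", "", s)


def classify(number):
    """Return (category, override_code_or_None, number_after_override)."""
    override = None
    for code in OVERRIDE_CODES:
        if number.startswith(code):
            override, number = code, number[len(code):]
            break
    if number.startswith(PREMIUM_PREFIXES):
        return "premium", override, number
    if number.startswith(IDD_PREFIXES):
        return "international", override, number
    return "ordinary", override, number


def audit_dial_strings(dial_strings):
    """Classify each raw dial string, e.g. lines captured from a modem log."""
    return [(s,) + classify(normalise(s))[:2] for s in dial_strings]


def audit_phonebook(text):
    """Walk an INI-style phonebook and report risky entries as (entry, reason)."""
    findings = []
    entry, values = None, {}

    def flush():
        if entry is None:
            return
        category, override, bare = classify(normalise(values.get("phonenumber", "")))
        if category != "ordinary":
            reason = f"{category} number {bare}"
            if override:
                reason += f" via override {override}"
            findings.append((entry, reason))
        redials = int(values.get("redialattempts", "0") or 0)
        if redials > 0:
            findings.append((entry, f"auto-redial enabled ({redials} attempts)"))

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            flush()
            entry, values = line[1:-1], {}
        elif "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    flush()
    return findings


# Constructed sample data: one honest ISP entry and one planted by a dialler.
SAMPLE_PHONEBOOK = """\
[My ISP]
MEDIA=rastapi
DEVICE=modem
PhoneNumber=95551234
RedialAttempts=0

[Internet Access]
MEDIA=rastapi
DEVICE=modem
PhoneNumber=1456 1900 555 123
RedialAttempts=3
"""

SAMPLE_DIAL_STRINGS = [
    "ATDT 9555 1234",            # the normal ISP number
    "ATDP1900555123",            # premium-rate: the classic dialler
    "ATDT0011,44 20 7946 0000",  # international direct dial
    "ATDT1456,1900-555-123",     # override code, then the premium number
    "ATDT+61295551234",          # '+' form of an international number
]

if __name__ == "__main__":
    for entry, reason in audit_phonebook(SAMPLE_PHONEBOOK):
        print(f"[{entry}] {reason}")
    for dial, category, override in audit_dial_strings(SAMPLE_DIAL_STRINGS):
        print(f"{dial!r:30} {category}" + (f" (override {override})" if override else ""))
```

The override check is the point of the exercise: a telco block on 1900 and 0011 numbers sees the override code first, not the number behind it, so a dialler that prepends one still gets through. A phonebook entry that you did not create, or one whose number changes category after stripping a prefix, is worth unplugging over.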
Figure 2. An unsolicited download in Internet Explorer
Reducing the Risk - Software
Diallers aren't viruses or worms as they don't replicate but fall under the
broader category of malware - malicious software. As such your antivirus
software may detect it, but not necessarily. It is better to use software
specifically designed for the task such as Ad-Aware
http://www.lavasoft.de and
Spybot Search & Destroy http://www.safer-networking.org. These are free programs
and are highly recommended for routine use in keeping your system clear of
assorted malware and adware. They are on demand scanners (not actively
scanning), and can also be used in conjunction with Spyware Blaster
http://www.javacoolsoftware.com/spywareblaster.html
which aims at blocking the installation of undesirable ActiveX components and
Spyware Guard http://www.javacoolsoftware.com/spywareguard.html which aims at
blocking undesirable .EXE and .CAB files.
No software solution is perfect so treat them as backup to careful and sensible
behaviour. Ensure you run and update them regularly to maximise their benefit.
As diallers utilise dial-up and are designed to run on Windows systems the
consequences can be avoided by having a broadband connection or using an
operating system other than Windows such as Linux or MacOS. Note that a
broadband PC is only safe if no modem is left connected to a phone line - an
installed dialler will happily use a modem you forgot about.
I came across one dialler that gave the option of using broadband - you manually
dialled the 1900 number!
Using a browser other than Internet Explorer (IE) such as Mozilla or Opera may
help as much malware, diallers included, aims at exploiting security
deficiencies and misconfiguration in IE. Ensure you keep IE and Windows fully
patched and updated - again this is all just good, safe computing practice.
Solution - If You Have or Suspect You Have a Dialler
If you're online or have the modem turned on or it's plugged into the phone line
when you realise or think you have a dialler, then unplug. This could be costing
you $5.95 per minute so turn the modem off and/or unplug the phone line
immediately.
Aside from unusual modem activity other signs of a possible dialler include the
appearance of mystery desktop icons, new dial-up connections in Network
Connections, or new items in the system tray area of the taskbar. Examine the
properties to see if you recognise anything or if it looks suspicious. Search
for the filename in Google.
Run your antivirus software, Ad-Aware and Spybot Search & Destroy. You may need
to do this in safe mode or as administrator to effect removal - between them
they should remove a dialler. If you don't have them installed, obtain them -
ask a friend to burn a CD, talk to your computer guru or look for them on a
computer magazine cover disc. Try your local library. Get the most recent,
up-to-date version you can. Do not use the affected computer to go online. Be
careful even if you think it's gone as there is no guarantee the removal
software will work in every case.
Obtain a phone bill to check if you've incurred unusual charges although this
won't be definitive as the costs could have been incurred through another phone
company.
If you can't remove it or are uncertain then seek help to do so. Another point
to ponder is if you managed to acquire a dialler you will most likely have other
undesirables (adware and spyware) on your system too, so keep an eye out for
them.
If you find yourself a victim with a phone bill as the result of a dialler
follow the advice given by the Telecommunications Industry Ombudsman (TIO)
http://www.tio.com.au. Contact the relevant phone company and if they refuse to
waive the dialler related charges, noting they may be reluctant as they still
pay the cost incurred to the scammer, then contact the TIO. Reading what the TIO
says on their Web site would be a good start if you have trouble
http://www.tio.com.au/FAQ/int_dumping.htm.
It may be embarrassing to admit you have a dialler given it probably came from a
porn site and that is what others will think - you might feel stupid. I'm sure
the scammers rely on this in part, so just remember you've been ripped off and
stick to your guns.
About the Author
Dennis Parsons has been a Melb PC member since 1996 and became a penguin in
1999. He finds a little paranoia goes a long way.
Reprinted from the May 2004 issue of PC Update, the magazine of Melbourne PC User Group, Australia