Trolling Customer Support
I was investigating a malware file being hosted at Krypt.com earlier today.
After a host gets infected, it reaches out to this cloud provider and downloads npupdate.exe, which is a known backdoor trojan. I was exploring the site to determine if this was something normal. You know those popup windows on some websites where a customer support agent will start typing at you? Well, this happened.
Support
Welcome to Krypt, how may I assist you?
9:13 am
Client
What is this file you are hosting at 67.198.244.147 called npupdate.exe?
located at customer.krypt.com
9:16 am
Support
This is from a customer. As these are unmanaged services I am unaware what customers host on their servers.
9:17 am
Client
ok…..so you are a malware hosting company?
just wanted to clarify your business model.
9:19 am
Support
We do not host malware. If you suspect one of our customers is hosting malware or harmful sites please send an email to our abuse department abuse@vpls.net and they will conduct an investigation into this.
9:20 am
Client
or you could do it for me. already gave you the filename and IP address
9:23 am
GET /dl/npupdate.exe HTTP/1.1
Host: 67.198.244.147
that is the IP and directory and filename.
https://www.virustot…66a2de80bbd9ba74a472/analysis/
9:23 am
Support
For our records it would be helpful if you would send an email with your findings and what you believe the site to be hosting to abuse@vpls.net
9:24 am
Client
that is the link to VirusTotal's description of this malware
For your records, it would be helpful if you would do your job and email them yourselves. You know how to work email, amIright?
9:25 am
How about I get on Twitter and call Krypt out publicly for hosting malware?
That would be a hoot
Would put a damper on your cloud backup solution if people stopped trusting you
9:26 am
Or your domain started showing up in blacklists
And enterprises stopped allowing visits to your netblocks because they are afraid you will infect them
See, all of this would make a great copy/paste into an email.
It's the icon on your desktop that looks like a little envelope
Way too many companies insist on sending an email to their abuse department rather than allowing anonymous reporting. I prefer anonymity, and hosting companies just need to do their job and take reports of malware hosting seriously.