
August 19th, 2016

This week’s hot news within network security circles is likely to be the most recent update to the TCP specification, which allegedly allows communication channels to be hijacked by a remote attacker. This latest TCP specification has been implemented on Linux systems but, apparently, not yet on Windows.

This is essentially an information disclosure flaw. The latest TCP specification may leak information about established, active connections through a side channel. The researchers who discovered the flaw claim it could allow a hacker to insert malicious or unwanted packets into an established stream between any two machines whose IPs are known. Interestingly, this Man-in-the-Middle type scenario would not require the attacker to be on the same communication path as the two connected machines.

How serious is this flaw to a typical end user, though? To attack an end user, a hacker would need to know both the IP address of a source with which the user has already established a connection (so that packets can be spoofed to appear to come from it) and the user’s own IP address. Hence the probability that any specific user is targeted at random is low, because there is a huge user base of dynamically-allocated IPs. Exploitation of the flaw could be more likely to succeed in IPv4 cases, but with the introduction of IPv6 the probability that an individual user’s IP would be found at random is small, for both mobile devices and desktop computers.

Given the nature of an attempted attack, this flaw will perhaps be more worrisome for web servers and similar systems, which are required to be on all the time and are more likely to have predictable IPs.

As for the malware injection claim, it seems unlikely that a malware payload by itself would be sent within a data packet. Rather, it could be a malicious URL that redirects the user to download the malware.

Installing a reputed and updated security product like K7 Total Security should block any malicious URLs being accessed or malicious files from being downloaded onto a victim’s computer.

Image courtesy: wakinguptheghost.com

Samir Mody, K7 Threat Control Lab
V.Dhanalakshmi, K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

August 11th, 2016

Shattering the period of calm after the discovery of the Android Stagefright exploit, Android Quadrooter has become the current hot topic in the mobile security industry. Quadrooter, as its name suggests, is a group of four vulnerabilities in the software drivers for Qualcomm chipsets within certain Android devices. These drivers are responsible for communication between chipset components in the Android packages developed by the manufacturer.

Exploiting any one of these four vulnerabilities in the drivers would provide a hacker with root access on the device. Unlike Stagefright, which was exploitable via remotely sent crafted messages, the Quadrooter vulnerabilities are apparently exploitable only through apps which must be explicitly downloaded and installed by the user. Although this may be considered another dangerous method that hackers can incorporate into their malware to attain root permissions, at the time of writing not a single actual sample has been found in the wild.

Patching the vulnerable software drivers with appropriate security updates would be the most suitable solution to mitigate the risk caused by these vulnerabilities. However, it is a never-ending debate whether a security update from Google (or Qualcomm, etc.) can be customised to suit a handset manufacturer’s model within a reasonable time frame. In fact, how quickly does a manufacturer’s customised security update reach its own users’ devices?

The good news is that Google claims that these exploits can be blocked by the “Verify Apps” feature in the Android OS from version 4.2 (Jelly Bean). Locate this feature at:

Settings>System>Security>Verify Apps

Here are a few steps to follow to help avoid dangerous security issues when downloading an application and other unwanted scenarios:

  • Always prefer to download applications from the official Google Play store
  • Think twice about whether you really need an application before you download it
  • Check any documented usage of the application to ensure that it does not perform any functionality beyond your expectations
  • Verify the reputation of the application by checking the reviews available
  • Avoid using free Wi-Fi hotspots, in particular those that are not password protected
  • Install a reputed and up-to-date mobile security product like “K7 Mobile Security”
  • Use the application verification features, like “Verify Apps” in recent Android OSs, to identify malware before installation

V.Dhanalakshmi
Senior Threat Researcher, K7TCL


July 13th, 2016

Ransomware, a nasty and, unfortunately, common subclass of malware, is really bad news. The good news, however, is that K7′s heuristic, dynamic behaviour-based anti-ransomware feature, Ransomware Protection, was “productionised” and released some time ago. We strongly believe Ransomware Protection will provide users with robust safeguards against various strains of crypto ransomware, from the past (e.g. CryptoLocker), the present (e.g. Locky) and the future (???).


Ransomware Protection’s blocking logic is based on recognising and arresting fundamental changes that take place in targeted files when the ransomware’s industry-grade encryption algorithms are applied to them.

At the Virus Bulletin 2015 international security conference we demonstrated a PoC of the anti-ransomware technology in our presentation “Dead and Buried in Their Crypts: Defeating Modern Ransomware”, and explained how the technology works in some detail so that all of us in the security industry could implement an effective strategy against this highly-damaging type of malware.

Elevating a PoC to a full-blown production-level feature is a time-consuming process, since many factors related to stability, false positives and performance need to be considered in an end user environment. We are delighted to have been able to develop and release an anti-ransomware jab which will boost end-user resistance to any ransomware attack. Your precious documents, images and videos should now be safe. Note, we still highly recommend that you back up your important files, as the spectre of bad sectors developing on your hard drive continues to loom large.

Samir Mody, Senior Manager, K7 Threat Control Lab
Gregory Panakkal, Senior Software Architect, K7 Product Engineering Team


July 8th, 2016

It is possible for even an unintended person to view the personal information you post online, whether from a PC or from a mobile device. Sadly, there is a high possibility of ladies being targeted, bullied or harassed. In a recent shameful incident reported in the news, a man in Delhi was arrested for harassing ladies in the region with unsavoury messages and phone calls after viewing their WhatsApp profile pictures.

Enhancements in social networking sites and their applications have attracted a huge user base, especially amongst youngsters. As we recommended in our previous blog, online users, ladies in particular, should be vigilant while posting personal information like photos, contact details, address, etc. in all social networking forums, even in applications that simply connect people.

Women should also be aware that information shared online stays there forever and is free for public viewing. To reiterate, here are a few tips to avoid falling prey to such incidents.

  • Tweak privacy settings in applications carefully to prevent strangers from contacting you
    • WhatsApp > Menu Button > Settings > Account > Privacy
  • Avoid posting your personal pictures online in a way that lets anybody view them
  • Never add strangers to your contact list
  • Avoid sharing your personal information online, especially photos, phone numbers, address, etc.

Image courtesy:
stonehousedesigns.com

V.Dhanalakshmi
Senior Threat Researcher, K7TCL


June 29th, 2016

A few weeks ago we had announced our intention to spread our knowledge about low-level security. We would like to share a proud moment with the public to demonstrate our commitment to the cause of spreading technical awareness, borne from our decades of experience and expertise in malware research and anti-malware technology development.

We were recently invited by the well-known academic institution, VIT Vellore, to conduct a day-long workshop on the malware analysis techniques we carry out at K7 Threat Control Lab (K7TCL). The idea of the presentation was to enlighten VIT staff on analysis techniques for both Windows and Android malware.

We are happy to have had this opportunity to share our knowledge, and we hope that the interactive session we conducted has helped VIT staff to understand the modern malware threat landscape, and the malware themselves in a more effective way.

Kaarthik.R.M
Shiv Chand.K
V.Dhanalakshmi
K7TCL


June 16th, 2016

Here is an interesting persistence technique, which I have not seen before, used by a malware sample I analyzed last week at K7 Threat Control Lab. It uses a simple RunOnce registry entry to maintain persistence, but in a unique way. Below is a complete, albeit brief, analysis of its functionality.

Functionality in a Nutshell

  • Push-Pop-Call
  • Misuse of Process Environment Block (PEB)
  • API Hashing Technique
  • Anti-Debug & Anti-Emulation Techniques
  • Strings Obfuscation Mechanism
  • Registry Abuse
  • Hidden DLL with multiple entrypoints (Export & DLL main) and its role
  • Multiple Injections into explorer.exe
  • Rootkit-like Behavior
  • Persistence Mechanism – RunOnce entry
  • Final Injection to IExplore.exe to act as downloader

Push-Pop-Call

This malware uses a push-pop-call sequence at the entrypoint to change the execution flow of the program, as shown in Figure 1. This is not a clever technique, since anti-virus software can use it to flag the malware immediately, given that this sequence is unlikely to be found in clean programs.

Figure 1

Misuse of Process Environment Block (PEB)

Not an uncommon technique: this malware uses PEB_LDR_DATA, a member of the PEB structure, to locate the InMemoryOrderModuleList linked list, which is then used to retrieve the names of the loaded modules. It calculates a hash for each retrieved module name and compares it with the hardcoded hash of Kernel32.dll, extracting the base address of Kernel32.dll when the hashes match, as shown in Figure 2.

Figure 2

API Hashing Technique

Using the retrieved Kernel32.dll base address, it enumerates the export function names and calculates their hashes, which in turn are compared with predefined API hashes (in the data section) to identify the addresses of the APIs listed below. This is a common technique to avoid heuristic detection based on the import table.

  • ConvertThreadToFiber
  • CreateDirectoryA
  • CreateFiber
  • CreateFileA
  • CreateMutexA
  • CreateProcessA
  • CreateThread
  • DeleteFileA
  • GetFileSize
  • GetFileTime
  • GetModuleFileNameA
  • LoadLibraryA
  • MoveFileExA
  • ReadFile
  • ReleaseMutex
  • RemoveDirectoryA
  • SetFileAttributesA
  • SetFilePointer
  • SetFileTime
  • SwitchToFiber
  • WaitForMultipleObjects
  • WriteFile
  • WritePrivateProfileStringA

The hash calculation algorithm is shown in Figure 3 below.

Figure 3
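To show how an analyst works such a hash table backwards, here is an added example (not code from the K7 post or from the sample): it resolves hash constants lifted from the data section against the export names listed above. The sample's real hash routine is the one in Figure 3; since it is not reproduced here, the example assumes a rotate-right-13 hash as a stand-in, and the observed constants are constructed.

```python
# Added example (not from the K7 post): resolve hard-coded API hash constants
# back to export names, as an analyst does once the hash routine has been
# lifted from the sample. The real routine is in Figure 3 of the post and is
# not reproduced here; ror13_hash is an ASSUMED stand-in, chosen because the
# rotate-right-13 form is the one most often seen in such loaders.
from typing import Callable, Dict, Iterable, Optional


def ror13_hash(name: str) -> int:
    """ASSUMED hash: 32-bit rotate-right-by-13 then add, over each ASCII byte."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


# Kernel32.dll exports the post says the sample resolves by hash.
KERNEL32_EXPORTS = [
    "ConvertThreadToFiber", "CreateDirectoryA", "CreateFiber", "CreateFileA",
    "CreateMutexA", "CreateProcessA", "CreateThread", "DeleteFileA",
    "GetFileSize", "GetFileTime", "GetModuleFileNameA", "LoadLibraryA",
    "MoveFileExA", "ReadFile", "ReleaseMutex", "RemoveDirectoryA",
    "SetFileAttributesA", "SetFilePointer", "SetFileTime", "SwitchToFiber",
    "WaitForMultipleObjects", "WriteFile", "WritePrivateProfileStringA",
]


def build_hash_table(names: Iterable[str],
                     hash_fn: Callable[[str], int]) -> Dict[int, str]:
    """Map hash -> export name. A collision is reported rather than silently
    overwritten, because it would make the loader's own lookup ambiguous."""
    table: Dict[int, str] = {}
    for n in names:
        h = hash_fn(n)
        if h in table and table[h] != n:
            raise ValueError(f"hash collision: {table[h]!r} and {n!r} -> {h:08X}")
        table[h] = n
    return table


def resolve_hashes(observed: Iterable[int], names: Iterable[str],
                   hash_fn: Callable[[str], int]) -> Dict[int, Optional[str]]:
    """Return {hash: name} for each constant; None where no export matches,
    which usually means the wrong hash routine or a different DLL."""
    table = build_hash_table(names, hash_fn)
    return {h: table.get(h) for h in observed}


if __name__ == "__main__":
    # Constructed input: three constants "read" from a data section; the last
    # one is deliberately unresolvable.
    observed = [ror13_hash("LoadLibraryA"), ror13_hash("CreateProcessA"), 0xDEADBEEF]
    for h, name in resolve_hashes(observed, KERNEL32_EXPORTS, ror13_hash).items():
        print(f"{h:08X} -> {name or 'unresolved'}")
```

Swapping ror13_hash for the routine recovered from Figure 3 is the only change needed to apply this to the real sample.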

Anti-Debug & Anti-Emulation Techniques

It implements anti-debug and anti-emulation techniques to prevent or misguide the reverse engineering process. This malware creates a thread which uses a deliberately triggered memory access violation exception as an anti-debug technique (shown in Figure 4 below), thus complicating the analysis flow for researchers.

Figure 4

It also adds additional Exception Handlers in the existing SEH chain, which would be triggered by a memory access violation as shown in Figure 5.

Figure 5

It also uses undocumented ntdll.dll APIs, which could act as an anti-emulation technique:

  • ZwCreateThread
  • ZwResumeThread

Strings Obfuscation Mechanism

It employs an uncomplicated obfuscation mechanism to hide strings and so evade detection by anti-virus products. Figure 6 shows how it decrypts the string to be used as its mutex name.

Figure 6

Registry Abuse

It uses the registry to find the default path of the user’s %AppData% folder by querying the following registry key:

Subkey : “Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders”
Value  : “AppData”

It uses the registry to find the default browser path:

Subkey : “http\shell\open\command”

It also escalates its privilege under Internet Explorer by adding its path to the following registry key:

Subkey : “Software\Microsoft\Internet Explorer\LowRegistry”
Value  : “ms-ldr”
Data   : “%Malware Path%”

Hidden DLL with Multiple Entrypoints (Export & DLL Main) and its Role

It drops its main payload, ntuser.cpl (a DLL file), extracted and decrypted from its ‘data’ section, into a randomly named folder under the retrieved %APPDATA% directory, for example:

USER/%APPDATA%/ {6JJ0C2I2-2W3D-2P70-7999-9N8KF3N5}/ntuser.cpl

The decryption logic used is shown below in Figure 7:

Figure 7

It tries harder to misguide analysis by executing the DLL through multiple entrypoints. Initially, with the help of rundll32, it executes the dropped ntuser.cpl via its export function “_4CDFA75B”. This export function then injects the entire ntuser.cpl into explorer.exe with “DllMain” as its new entrypoint. Injection technique 1 uses the following APIs:

  • CreateProcessA
  • GetModuleFileNameA
  • CreateFileMappingA
  • MapViewOfFile
  • UnmapViewOfFile
  • ZwMapViewOfSection
  • CreateRemoteThread

Multiple Injections into Explorer.exe

Once ntuser.cpl is loaded into the memory space of explorer.exe, it uses the ‘ZwQuerySystemInformation’ API to take a snapshot of the currently running processes. ntuser.cpl then injects itself into those running processes that it can open with ‘CREATE_THREAD & VM_OPERATION & VM_WRITE & QUERY_INFORMATION’ access rights, including explorer.exe, but this time with one of its own functions as the new entrypoint. Injection technique 2 uses the following APIs:

  • OpenProcess
  • VirtualFreeEx
  • VirtualAllocEx
  • VirtualQueryEx
  • VirtualProtectEx
  • WriteProcessMemory
  • VirtualQueryEx
  • CreateRemoteThread

The most recently injected code in explorer.exe then injects code into IExplore.exe, again with one of its own functions as the new entrypoint, using an injection technique similar to that described above.

These multiple injections are done purely to halt the flow of analysis and to use system processes to download malicious content without triggering any alert from anti-virus software, including firewalls.

Rootkit Behavior

It injects into all system processes and hooks the following APIs, attempting to act as a rootkit in order to maintain its stealth:

  • NtCreateThread
  • NtEnumerateValueKey
  • NtQueryDirectoryFile
  • NtResumeThread

Persistence Mechanism

The most recently injected code in explorer.exe also has the task of maintaining persistence. This is achieved by creating a thread which checks for the mutex (MSCTF.Shared.MUTEX.LDR) and, if this check fails, adds the following RunOnce entry:

Subkey : “Software\Microsoft\Windows\CurrentVersion\RunOnce”
Data   : rundll32 "%APPDATA%\{6JJ0C2I2-2W3D-2P70-7999-9N8KF3N5}\ntuser.cpl",_4CDFA75B

Hence, at reboot the mutex disappears and the RunOnce entry is immediately re-registered. This is what keeps the loader alive across reboots even though Windows deletes a RunOnce value once it has been executed.
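As an added example (not from the K7 post), the following Python triage routine scores RunOnce values against the pattern of this entry: rundll32 loading a .cpl from a GUID-style folder under %APPDATA% through an opaque export name. The value names, regexes and benign entries are constructed for illustration.

```python
# Added example (not from the K7 post): triage logic for Run/RunOnce values
# that flags the rundll32 launch pattern described above: a .cpl DLL under
# %APPDATA% in a GUID-style folder, invoked via an opaque export name. Input
# is a constructed list of (value_name, data) pairs, as exported from the
# registry; the detection rules and regexes are this example's own.
import re
from typing import Dict, List, Tuple

# rundll32[.exe] "<dll path>",<export>  (quoting as in the post's entry)
RUNDLL32_RE = re.compile(
    r'^\s*"?rundll32(?:\.exe)?"?\s+"?(?P<path>[^",]+?)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)
# {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX..} as a directory component; the sample's
# folder name is GUID-shaped but not a valid GUID, so any alphanumerics count
GUID_DIR_RE = re.compile(
    r'\\\{[0-9A-Z]{8}-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{8,12}\}\\',
    re.IGNORECASE,
)
# export names like _4CDFA75B: an optional underscore followed only by hex digits
OPAQUE_EXPORT_RE = re.compile(r'^_?[0-9A-F]{6,}$', re.IGNORECASE)


def score_runonce_entry(data: str) -> List[str]:
    """Return the reasons an entry resembles the loader's persistence entry;
    an empty list means 'not a rundll32 launch' or 'nothing suspicious'."""
    m = RUNDLL32_RE.match(data)
    if not m:
        return []
    path, export = m.group("path"), m.group("export")
    lowered = path.lower()
    reasons: List[str] = []
    if "%appdata%" in lowered or "\\appdata\\roaming\\" in lowered:
        reasons.append("DLL loaded from the user's AppData folder")
    if lowered.endswith(".cpl"):
        reasons.append("rundll32 target carries a .cpl extension")
    if GUID_DIR_RE.search(path):
        reasons.append("GUID-style folder name in path")
    if OPAQUE_EXPORT_RE.match(export):
        reasons.append("opaque hex-like export name")
    return reasons


def triage(entries: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Keep only entries with at least one reason, keyed by value name."""
    hits: Dict[str, List[str]] = {}
    for name, data in entries:
        reasons = score_runonce_entry(data)
        if reasons:
            hits[name] = reasons
    return hits


# Constructed sample RunOnce values: the first reproduces the post's entry
# (value name invented), the other two are benign look-alikes.
SAMPLE_RUNONCE = [
    ("ntuser", r'rundll32 "%APPDATA%\{6JJ0C2I2-2W3D-2P70-7999-9N8KF3N5}\ntuser.cpl",_4CDFA75B'),
    ("Control", r'rundll32.exe shell32.dll,Control_RunDLL'),
    ("Updater", r'"C:\Program Files\Example\updater.exe" /check'),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_RUNONCE).items():
        print(name, "->", "; ".join(reasons))
```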

Final Injection into IExplore.exe to Act as Downloader

Using the code injected into IExplore.exe, it checks for internet connectivity every 5 minutes and, if it has access to the internet, uses ‘URLDownloadToFileA’ to download malicious content from the following URL:

“hxxp: / /business-links-today.org/ldr/admin/feed.php?i=6JJ0C2I2-2W3D-2P70-7999-9N8KF3N5&o=2&v=1.0.8”

After downloading, it executes the downloaded content using CreateProcessA.

On final analysis this turns out to be a mere downloader, but one with a high level of obfuscation, multiple injection techniques, and anti-debugging/anti-emulation tricks along with rootkit behaviour.

Sample analyzed:

MD5: 6F14315A8875B1CF04E9FDB963E12966
SHA256: B129D92F6C62B7C81B5EF69FA38194AB3886BA7F18230581BC2D241C997F7FA6

Shiv Chand.K
Senior Threat Researcher


June 2nd, 2016

Here at K7 Computing we believe it is extremely important to further the education of both those within as well as those outside our organisation.

Security is a vast subject with a plethora of aspects to consider. We cannot of course cover everything, however K7 Threat Control Lab would certainly like to contribute to the security skill set of today’s students in order to help address the acute shortage of security personnel in the workforce. Many students may also enjoy learning techniques to counter cyber criminals.

Our security training programmes ought to be designed to provide students with a strong foundation in the technical aspects of IT security. For example the focus of our Malware Analysis Training Programme would be on learning about low-level malware techniques and analysis from first principles within a controlled “lab” environment.

If we are able to “train the trainers” then a multiplier effect could be triggered to accelerate the dissemination of technical security training across India and elsewhere.

Spread D WORD bit by bit.

Image courtesy of anytraining.co.uk

Samir Mody
Senior Manager, K7TCL


May 26th, 2016

The CARO Workshop 2016, held in Bucharest, Romania, between May 19-20 featured presentations from notable security vendors and researchers, with a focus on the application of machine learning to security. The keynote speech was by Dr. Ashkan Fardost, who, among other things, talked about connecting reindeer to the internet.

K7’s Gregory Panakkal and Georgelin Manuel participated in the CARO workshop with their presentation titled “A High-Performance, Low-Cost Approach to Large-Scale Malware Clustering”. Their popular talk suggested a technique to cluster huge numbers of malware files on commodity hardware. The presentation demonstrated clustering 2 million files on a machine with a modest configuration in under 3 minutes. The ideas exhibited were well received, and attracted considerable attention from researchers who are thirsting for alternatives to distributed computing, which is currently the standard solution for handling large numbers of files.

Image courtesy of 2016.caro.org

Product Engineering Team


May 19th, 2016

This blog intends to educate the general public about the security risks pertaining to pen drives (aka USB sticks/drives, thumb/removable drives), data storage devices that can store text, images, music, videos, etc., and ways of mitigating the risks.

These devices come in handy when the user wants to transfer data between computers. They’re small in size but can hold large amounts of data. However, the utility and ubiquity of pen drives introduce significant security risks.

Pen drives pose a major security challenge to IT administrators. Some surveys indicate that 70% of businesses have reported loss of data through USB. Being small, pen drives can easily be misplaced or stolen and, if data is not backed up, this can mean the loss of hours of hard work. An even bigger challenge is to prevent infection through already-infected USB drives.

The Autoplay feature in Windows is the key route by which PCs are automatically infected as soon as an infected pen drive is plugged in. This feature causes removable media such as pen drives, CDs, etc. to open automatically when they are inserted into a computer.

Hackers and autorun worms use the autoplay feature to run malicious executables from removable drives. USB as an infection vector is not new; many older but infamous families of malware, notably Conficker, Sality and Gamarue use USB as part of their infection vector.

It should be noted that many computers still run Windows XP, for which Microsoft withdrew support in April 2014. Windows XP is popular among PC users, especially in India, and has the Autoplay feature enabled by default. Such users are therefore at greater risk of an autorun infection than users who have updated to recent versions of the Windows operating system such as Windows 7. It is interesting to mention that most of these autorun worms originated in Asia.

Pen drives also provide an opportunity for malware to spread to stand-alone computers that are not connected to any network. The person carrying the infected pen drive, knowingly or unknowingly, bridges the air gap between the stand-alone computer and the network. It is highly likely that a pen drive used on an infected system (provided the infection on that system is capable of spreading itself) becomes infected in turn, and then spreads the infection to healthy computers simply by being inserted into them.

Hence we advise users to practice one or more of the following recommendations to overcome the risks associated with using pen drives:

  1. Scan the pen drives for malware after sharing with your friends or family as a precaution against infections. Even if you have an up-to-date, reputable Anti-Virus Security product installed on your computer, your friends and family might not on theirs.
  2. Avoid using pen drives on public computers, e.g. at Internet cafes.
  3. If you have not already done so, install a world-class, up-to-date antivirus product like K7 Total Security.
  4. Use the autoscan feature, if any, in your Anti-Virus product to automatically scan all USB drives as they are connected to the system. Also schedule frequent, automatic scans on your PC to keep it infection-free.
  5. To prevent loss or theft of data, you may block USB devices from being used on your system. K7 Total Security has features to block pen drives and restrict read-write access to USB drives.
  6. Vaccinate your pen drive to ensure that it does not get infected by an Autorun worm even if it is used on an infected machine.

Images courtesy of:
Com.net
Technologymess.com

Rathna Kamakshi
Manager – K7 Support


May 12th, 2016

Continuing our series on cyber security following the two-part blog on digital signing, this is the eighth post which hopes to enlighten users on how to safely tread the open WiFi zones in public areas.

Free WiFi hotspots, which were a luxury some time ago in India, have become the norm nowadays. With the Indian government aiming to take the Internet to last tier cities, towns and villages it is only a matter of time before we are encapsulated in WiFi zones everywhere. This is aimed at bringing the wealth of information available on the internet to the masses. However, the omnipresence of WiFi could attract a great deal of sniffing and eavesdropping.

Open WiFi hotspots, though meant for the greater good, could become the medium for information security mishaps. Any data sent to an unprotected network could easily be monitored using packet or network sniffing applications by a hacker with malintent.

When using an open WiFi hotspot, the network traffic between your device and the router is not encrypted, unlike a home WiFi connection, which should normally be secured by a passphrase so that the traffic is encrypted and shielded from eavesdroppers. Hence on an open WiFi connection any data you send to the router is sent in a visible form and can be snooped upon using packet or network sniffers. Imagine someone filling out details in an online form; the data submitted could fly across as plain text and be easily grabbed off the air.

It is advisable to avoid using internet banking and online shopping portals, and communication apps when connected to an open WiFi. Also, it is advisable to turn off network sharing, in the case of laptops, since they could be accessible to people who are connected on the same network, and if the shared resource has no authentication then it would become an easy target for intruders.

A user needn’t explicitly open an app (with a potential security loophole) on his or her mobile device to expose that loophole. Most apps today keep looking for an active internet connection, either to push or to retrieve notifications, thereby exposing their security lapses over an open WiFi connection. It is therefore advisable to restrict background data when on an open WiFi network.

Of course one cannot totally dismiss an open WiFi connection as inherently unsafe. It is user practices that make it safe or unsafe. Those who are totally dependent on an open WiFi network could choose to use a VPN application, thereby securing their communication with the network within a secure channel, and decide to post content only to websites that are signed and secure.

Images were courtesy of:
muraldecal.com
toonclips.com

K7 Threat Control Lab