
October 27th, 2017

It is the era of Ransomware and Halloween is just around the corner. We have witnessed yet another ransomware outbreak for the calendar year, lashing eastern European countries and Russia.

This ransomware, dubbed “BadRabbit”, hit systems in Ukraine, Russia, Bulgaria, Turkey, Germany and even Japan and South Korea, as per news agency reports. Russia and Ukraine have been the worst hit countries, with the Kiev Metro and Odessa airport in Ukraine being early casualties. An official statement to this effect was released by CERT Ukraine.

It appears the initial outbreak for this ransomware was via drive-by downloads from hacked news agency sites in Russia. The dropper ransomware was served up as an “update for Flash Player installer”, duly named install_flash_player.exe (FBBDC39AF1139AEBBA4DA004475E8839). Ah, social engineering does still work a treat, doesn’t it?

The infected sites contained a script which resolved to the following URL:
h**p://1dnscontrol[.]com/flash_install

The domain 1dnscontrol[.]com was taken down pretty quickly.

BadRabbit is similar to WannaCry and NotPetya in the sense that it is multi-component, using several complementary executable files to infect the user machine. There are even code similarities (none of them employ any form of code obfuscation) and filename similarities between these families. In BadRabbit and NotPetya the main infection modules are actually DLL files but carry a ‘.dat’ extension.

The main dropper masquerading as a Flash Player installer must be run with admin privileges since its components are to be written to the C:\Windows directory as follows:

  • c:\windows\infpub.dat -> Main encryption and infection module : DLL (2FE32D2A6BFC72D215496B055E5A53AD)
  • c:\windows\cscc.dat -> Driver file from diskcryptor.net : SYS (B4E6D97DAFD9224ED9A547D52C26CE02)
  • c:\windows\dispci.exe -> Part of the disk encryption module and responsible for the MBR infection : EXE (B14D8FAF7F0CBCFAD051CEFE5F39645F)
  • c:\Readme.txt -> Text file with information about the encrypted files and how to get them back

Scheduled tasks are created to initiate other modules of the infection and to reboot the system. Unusually, the system reboots twice during the entire infection cycle.

Once the main dropper is executed it drops a DLL file which is the file encryption module. It gets initiated using rundll32.exe as shown below:

The argument passed to infpub.dat shows that its first export function is referenced by ordinal number, followed by the number 15, which is the time until reboot.

As shown in the code snippet below, the main dropper creates infpub.dat in the Windows directory and then calls CreateProcessW to invoke it. Once the DLL is initiated the process of encryption begins.

infpub.dat is in charge of the following:

  • User file encryption
  • Adding scheduled tasks to reboot the machine and initiate the next module
  • Looking for infection targets on the local network

For encryption the ransomware looks for specific extensions:

3ds 7z accdb ai asm asp aspx avhd back bak bmp brw c cab
cc cer cfg conf cpp crt cs ctl cxx dbf der dib disk djvu
doc docx dwg eml fdb gz h hdd hpp hxx iso java jfif jpe
jpeg jpg js kdbx key mail mdb msg nrg odc odf odg odi odm
odp ods odt ora ost ova ovf p12 p7b p7c pdf pem pfx php
pmf png ppt pptx ps1 pst pvi py pyc pyw qcow qcow2 rar rb
rtf scm sln sql tar tib tif tiff vb vbox vbs vcb vdi vfd
vhd vhdx vmc vmdk vmsd vmtm vmx vsdx vsv work xls xlsx
xml xvd zip

One of the scheduled tasks is to reboot the computer after an elapsed time mentioned by the main module (NB: this can vary depending on the number and size of files that are to be encrypted). The other is to initiate the diskcryptor executable, named dispci.exe:

There are several references to the “Game of Thrones” TV series, e.g. the scheduled tasks are called “drogon”, “Rhaegal” and “viserion”, and the diskcryptor exe is called “GrayWorm” in the version strings in the resources.
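The dropped files and hashes listed above, together with the three task names, are enough for a quick host check. The following Python script is an added example, not code from the K7 post or from the malware: it looks for the component file names in the Windows directory and compares their MD5 against the published values, and it parses the CSV form of "schtasks /query /fo csv" for the task names. The SAMPLE_SCHTASKS text and the decoy file written by demo() are constructed here so the script runs offline; on a live machine you would pass the real system root (for example os.environ["SystemRoot"]) and the real schtasks output.

```python
import csv
import hashlib
import io
import os
import tempfile

# MD5 hashes of the BadRabbit components exactly as listed in the post,
# lower-cased so they compare directly against hashlib output.
BADRABBIT_MD5 = {
    "install_flash_player.exe": "fbbdc39af1139aebba4da004475e8839",
    "infpub.dat": "2fe32d2a6bfc72d215496b055e5a53ad",
    "cscc.dat": "b4e6d97dafd9224ed9a547d52c26ce02",
    "dispci.exe": "b14d8faf7f0cbcfad051cefe5f39645f",
}

# Scheduled-task names reported in the post; compared case-insensitively
# because the samples mix cases ("drogon", "Rhaegal", "viserion").
BADRABBIT_TASKS = {"drogon", "rhaegal", "viserion"}


def md5_of_file(path, chunk=1 << 20):
    """Stream a file through MD5 so large files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_dropped_files(windows_dir):
    """Look for the component file names in windows_dir.

    Returns (name, verdict) pairs: 'hash-match' when the MD5 equals the
    published one, 'name-only' when a file with that name exists but its
    hash differs (still worth a look, since a variant would differ).
    """
    findings = []
    for name, known_md5 in BADRABBIT_MD5.items():
        path = os.path.join(windows_dir, name)
        if os.path.isfile(path):
            verdict = "hash-match" if md5_of_file(path) == known_md5 else "name-only"
            findings.append((name, verdict))
    return findings


def suspicious_tasks(schtasks_csv):
    """Return the BadRabbit task names present in 'schtasks /query /fo csv' output."""
    found = set()
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        # schtasks prefixes names with the task folder, e.g. "\drogon".
        name = row.get("TaskName", "").strip().lstrip("\\").lower()
        if name in BADRABBIT_TASKS:
            found.add(name)
    return found


# Constructed sample of schtasks CSV output (not captured from a real system).
SAMPLE_SCHTASKS = r'''"TaskName","Next Run Time","Status"
"\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","Ready"
"\drogon","10/27/2017 10:15:00 AM","Ready"
"\Viserion","10/27/2017 10:15:00 AM","Ready"
'''


def demo():
    """Run both checks against constructed data so the example works offline."""
    with tempfile.TemporaryDirectory() as fake_windows:
        # A decoy with a component name but different content: it must be
        # reported as 'name-only', never as a hash match.
        with open(os.path.join(fake_windows, "infpub.dat"), "wb") as f:
            f.write(b"constructed decoy, not malware")
        files = check_dropped_files(fake_windows)
    return {"files": files, "tasks": suspicious_tasks(SAMPLE_SCHTASKS)}


if __name__ == "__main__":
    print(demo())
```

A name match without a hash match is deliberately reported rather than ignored: the hashes identify this particular campaign, while the file names and task names are the cheaper, longer-lived indicators.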

The ransom note is dropped in c:\Readme.txt informing the user of the infection and how the files cannot be retrieved without the ransomware author’s help.

Once the encryption is done, the ransomware goes on to scan the LAN for possible infection targets. This is done by sending out requests to look for SMB shares. It uses the Mimikatz tool to scan for any traces of user credentials in memory. The ransomware then uses a list of hardcoded usernames and passwords to brute-force its way into any available machine on the LAN.

This list is made up of weak and frequently-used passwords. For better insight on choosing strong passwords one can refer to one of our earlier blog posts.

Shown above is a network capture of the attempted spread to SMB shares. Once the ransomware has bruteforced into any network machine it tries to place the DLL component infpub.dat on those systems and initiates that ransomware module using Service Control Manager.

Once this is done the system gets rebooted and the diskcryptor module dispci.exe takes over. The other file dropped, cscc.dat, is actually a driver that can perform disk encryption. Note, however, that it is a legitimate file. At this point in time another scheduled task gets added, which is also for a reboot.

The time for triggering this task is updated several times before the scheduled task is finally executed.

Before going for the reboot the ransomware performs one final task which is to overwrite the MBR of the system. It uses CreateFileW on GLOBALROOT\ArcName\multi(0)disk(0)rdisk(0)partition(1) to get a handle to the MBR.

Once this is done the system reboots and displays the following message informing the user that they have wasted a lot of time trying to decrypt the files by other means.

The user is forced to retrieve their files only by paying the ransom within the timeframe given by the ransomware author. However, we at K7 Threat Control Lab urge users to refrain from paying the ransom for several reasons, including:

  1. Payment of the ransom increases the profitability of ransomware, thus fueling further attacks
  2. There is no guarantee that paying the ransom would result in getting your files back

Shown below is the onion site that displays the custom message for each user depending on their personal installation key#1. The ransom starts with 0.05 bitcoins and keeps increasing with time.

The various malicious components of the ransomware are detected by K7 as follows:

install_flash_player.exe	- Trojan ( 0051a3031 )
dispci.exe 			- Trojan ( 0051a3031 )
infpub.dat			- Trojan ( 0051a2c11 )
16605a4a29a101208457c47ebfde788487be788d – mimikatz 32-bit module - Riskware ( 0051a31b1 )
413eba3973a15c1a6429d9f170f3e8287f98c21c - mimikatz 64-bit module - Trojan ( 0051a5241 )

Apart from this the ransomware’s attempt to encrypt files is completely blocked by K7’s Ransomware Protection feature:

Kaarthik RM, Senior Threat Researcher, K7TCL
Lokesh J, Threat Researcher, K7TCL
Gladis Brinda R, Threat Researcher, K7TCL
Rajesh Kumar R, Threat Researcher, K7TCL
Mary Muthu Fransisca, Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed

July 6th, 2017

In our last blog we assured users of K7 Security products that they are protected against the destructive Petya ransomware. The good news is that we’ve just tightened the noose even further! Now, not only Petya but also other malware which may exhibit similar modus operandi are going to be robustly and proactively blocked. This is an effort to safeguard our users from any such ransomware attacks in future.

Let’s have a gander through what we have done:

  • Blocking the Petya ransomware at the very early stages, even before it enters a computer by including an IDS signature to block all currently known versions of EternalBlue type packets attempting to exploit MS17-010.

  • In order to tackle a situation where a malware like Petya attempts to affect the boot area, we have reinforced a protection rule in our security products to block unauthorized writes to the Master Boot Record (MBR).

  • Last but not least, we tweaked our “Ransomware Protection” logic to block the encryption procedure peculiar to Petya.

As always, we at K7 Engineering focus on complete protection at multiple layers for our users so as to safeguard them from any (new) malware occurrences.

K7 Engineering


July 3rd, 2017

Post WannaCry the world witnessed yet another brutal ransomware-style attack last week by Petya. Yet not a single user of a K7 Security Product reported any issue to K7 Technical Support, although Petya is known to have hit several Indian computers.

We at K7TCL constantly monitor for any new instances of malware, especially destructive ones like Petya. K7 Security Products protect their users by detecting Petya component files from the ransomware’s release time till date, as

  • Trojan (0001140e1)
  • Trojan (00510cfe1)

Unlike WannaCry, in addition to encrypting the user’s data files, Petya ransomware may also modify the Master Boot Record (MBR) of the user’s machine, complicating the scenario still further.

The image shown above is the screen displayed on an infected computer demanding a ransom of “$300 worth of bitcoin”. However there is reason to believe that the real objective of this variant of Petya was not to make money but just to destroy data in an irreversible way.

Anyway the “ransom screen” appears after a sequence of malicious activities are performed. Let us take a quick look at the technical details of Petya and how it infects a user’s machine.

Petya ransomware comes in as a DLL file (Dynamic Link Library) and is executed as follows:

Rundll32.exe “<path to Petya.dll>” #1

Note: Petya.dll is the pseudo name of the sample executed.

Petya has several spreading techniques. One of these employs the same method as that used by WannaCry ransomware to enter a victim’s machine by exploiting a critical SMB RCE vulnerability, i.e. using EternalBlue to exploit vulnerabilities covered in the MS17-010 update. Petya is also capable of worm-like activity to spread across the systems in a network, remotely executed using PsExec.

As this malware is executed, it first checks if the following privileges are available

  1. SeShutdownPrivilege – Required to shut down a local system
  2. SeDebugPrivilege – Required to debug and adjust the memory of a process owned by another account
  3. SeTcbPrivilege – This privilege identifies its holder as part of the trusted computer base. Some trusted protected subsystems are granted this privilege

Once the Petya DLL confirms that the required privileges are available, it enumerates all the running processes in the system to verify whether any of the following Anti-Virus programs are installed, using its own XOR-based routine to compute a hash value of each process name and comparing it against the following:

Hash Value    Process Name    AV Product
0x2E214B44    avp.exe         Kaspersky
0x6403527E    ccSvcHst.exe    Symantec
0x651B3005    NS.exe          Norton

The results of both the privilege checks and the Anti-Virus process check are stored as bit-masked global variables that affect the flow in which this Petya malware executes on a system.

Assuming that the required checks are satisfied to run, this malware copies the entire file into virtual memory using “VirtualAlloc” and “MemCpy” APIs, so that it can delete the main file using the “DeleteFileA” API, and then jump to a new entry point in the newly created virtual space.

Then by using “LoadLibraryA” and “GetProcAddress” it dynamically rebuilds the import table of the file in virtual space. It also checks for the presence of “perfc.dat” in the Windows folder, and if found exits execution completely.

Otherwise it infects the MBR by opening a handle to the logical volume \\.\C:, retrieving the drive geometry and overwriting sectors at 0x200 from the start. In the same way, it also retrieves the geometry of \\.\PhysicalDrive0 and overwrites sectors on that drive with malicious code.
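Petya, like BadRabbit in the October 2017 post above, overwrites the MBR, and the July 6th post describes blocking unauthorised MBR writes. As an added example, not code from K7 or from either analysis, the following Python compares the first sector of a disk against a trusted baseline: it hashes the 440-byte bootstrap code area (excluding the disk signature at bytes 440-443, which partitioning tools may legitimately rewrite), checks the 0x55AA boot signature and decodes the four partition entries, so a baseline recorded on a known-good machine can be checked again later. The sector bytes used in demo() are constructed, not dumped from an infected disk; on a real system read_first_sector() would be pointed at \\.\PhysicalDrive0 (Windows, administrator rights) or /dev/sda (Linux, root).

```python
import hashlib
import struct

SECTOR_SIZE = 512
CODE_END = 440                 # bytes 0..439: bootstrap code, the area boot-sector malware replaces
DISK_SIG = slice(440, 444)     # Windows disk signature; some tools legitimately rewrite it
PART_TABLE = 446               # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR


def read_first_sector(device_path):
    """Read sector 0 of a raw device.

    device_path is e.g. \\.\PhysicalDrive0 on Windows (run as administrator)
    or /dev/sda on Linux (root). Not called by demo(), which uses constructed bytes.
    """
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


def parse_mbr(sector):
    """Split one 512-byte sector into the fields worth comparing separately."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly %d bytes" % SECTOR_SIZE)
    partitions = []
    for i in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE + 16 * i)
        if ptype != 0:  # type 0 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "code_sha256": hashlib.sha256(sector[:CODE_END]).hexdigest(),
        "disk_signature": sector[DISK_SIG].hex(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def mbr_findings(sector, baseline_code_sha256):
    """Return human-readable deviations from the baseline; an empty list means no change."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["code_sha256"] != baseline_code_sha256:
        findings.append("bootstrap code differs from baseline")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one active partition")
    return findings


def build_constructed_mbr(code_prefix=b"\xeb\x63\x90"):
    """Assemble a constructed MBR (not dumped from any machine): a short jump
    plus NOP padding as 'code', one active NTFS-type entry at LBA 2048, and 0x55AA."""
    code = (code_prefix + b"\x90" * CODE_END)[:CODE_END]
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"  # signature + 2 reserved bytes
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1000000)
    return code + disk_sig + entry + b"\x00" * 48 + BOOT_SIGNATURE


CLEAN_MBR = build_constructed_mbr()
BASELINE = parse_mbr(CLEAN_MBR)["code_sha256"]  # what you would record on a known-good machine


def demo():
    """Compare the clean sector, one with overwritten boot code and one with a wiped signature."""
    overwritten = bytearray(CLEAN_MBR)
    overwritten[0:16] = b"\xcc" * 16            # constructed stand-in for foreign boot code
    no_signature = CLEAN_MBR[:510] + b"\x00\x00"
    return {
        "clean": mbr_findings(CLEAN_MBR, BASELINE),
        "overwritten": mbr_findings(bytes(overwritten), BASELINE),
        "no_signature": mbr_findings(no_signature, BASELINE),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result or "no deviations")
```

Hashing only the code area keeps the check quiet across legitimate disk re-signing, while a change to the partition table still shows up through the decoded entries if you choose to compare those as well.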

After infecting the MBR this malware creates a scheduled task to perform a system restart after 15 minutes.

This time is utilized by malware to drop and execute a file from its resource section into the Temp folder which acts as an infostealer, and also tries to spread itself by creating threads which attempt to enumerate all subnets of the local network, then trying to connect to each IP to test its SMB ports.

As the restart task triggers, it displays a fake Chkdsk.exe repair screen as it tries to encrypt the hard drive as shown below

Once the encryption is done, as the final step it shows a ransom note demanding $300 as shown earlier.

Apart from the continuous protection from K7 Security products against malware, we recommend that users regularly and urgently deploy security updates for the operating system as soon as they become available.

Shiv Chand
Senior Threat Researcher, K7TCL


June 1st, 2017


One year ago we at K7 affirmed our deep commitment to education. Since then, in addition to the official, successful delivery of our multi-module K7 Security Academy training programme to several universities, it is with utmost pleasure that we also formally announce that we have signed an MoU with Teach for India.

Over the past decade Teach for India has done a sterling job across several parts of the country in delivering top-quality education to thousands of children from the lower income strata of our society. This work is a national priority, of course, and we at K7 are extremely proud to contribute to this great cause.

It is with much hope and excitement that we stand at the threshold of a new era of didactic activity on many fronts for K7 Computing. Join us, learn, teach!

Image courtesy of whatwouldjackdo.net.

Samir Mody
AVP, K7TCL


May 16th, 2017

WannaCry ransomware, a security disaster, has already infected thousands of computers all over the world, especially in Russia, India and China, and has hit emergency services in various countries, e.g. the UK. There have been images of infected ATMs, gigantic billboards, etc., making this attack a high-profile event.

This attack is a macabre reminder of the ill effects of

  • exploiting a critical vulnerability in the Windows OS
  • using a pirated version of an operating system
  • leaving computers unpatched and connected to the internet, in other words highly vulnerable

In most of the attack scenarios tracked, WannaCry ransomware infects a computer by using the “EternalBlue” exploit (developed by the NSA and released to the public by Shadowbrokers in April 2017), which exploits a critical vulnerability in Microsoft SMBv1 server (CVE-2017-0143 to CVE-2017-0148) by sending a specially-crafted packet. There was a Microsoft patch MS17-010 available to fix this vulnerability released in March 2017. It is also alleged, although without any concrete evidence, that this malware may enter a computer by the common email-borne route.

Please note that K7 security products contain heuristic anti-ransomware functionality which is capable of stopping WannaCry in its tracks without any signature updates (please read the Virus Bulletin blog which includes a video of K7’s talk from 2015 about fighting back against ransomware). However, to ensure that all variants of the ransomware are stopped before any encryption starts, we at K7 Threat Control Lab have taken the necessary steps to block it at all of its possible execution points. Users of K7 Security products are protected against this ransomware and the detection names at the time of writing are as follows:

  • Trojan (0050db011)
  • Trojan (0050d8371)
  • Trojan (0050d7201)

In addition, K7 blocks this multi-component malware with the behavioral detection as

  • Suspicious Program ( ID21236 )
  • Suspicious Program ( ID21237 )
  • Suspicious Program ( ID21238 )

Before we look at the technical details of this malware and explore how it works we must urge users to apply the latest Windows patches which Microsoft has made available even for the unsupported Windows XP, and may be applicable on pirated versions of Windows too (note, using pirated software is an extremely bad idea). In order to better protect the computer against being exploited from an external source, blocking in-bound connections on TCP ports 139 and 445 and UDP ports 137 and 138 might be an option to carefully consider. The client firewall in K7 Security Products can be configured to restrict traffic as described on the mentioned ports.

In addition there has been some misinformation aggressively disseminated on social media and the news that using a certain password which is embedded in the code can be used to decrypt the encrypted data. This is far from the truth. WannaCry uses the embedded password to decrypt its internal embedded ZIP containing ransomware components. Users are strongly advised to ignore any mention about this password and avoid being influenced by a whole lot of scaremongering junk information being released irresponsibly. There is currently no way to retrieve all the encrypted data barring use of the cyber criminals’ own decryption service at a cost of US$300-US$600.

WannaCry involves multiple executable files to infect an end user.  The main dropper EXE accesses the URL as shown in the images below,

This URL is now known as the “kill switch” since, if it is accessible, the dropper stops execution. Such a “kill switch” is unprecedented in the history of ubiquitous run-of-the-mill ransomware and raises interesting questions about the true purpose of the attack. Interestingly, the above domain has now been registered by researchers, thus stopping the attack at the dropper stage in many situations. There are a few recent samples which ignore whether or not the URL connection is successful.

MD5: d724d8cc6420f06e8a48752f0da11c66

MD5: E8089341EE0442A2ECF82E4B70829143

Anyway, let’s assume the executable proceeds with its malicious behavior. The dropper EXE starts itself as a service with the security parameters as “-m security”, service name “mssecsvc2.0” and display name as “Microsoft Security Center (2.0) service”

Then it tries to load the payload executable which it carries within itself under the resource named “R” in the sample which we analyzed (d5dcd28612f4d6ffca0cfeaefd606bcf).

Any PE parsing tool shows that the resource contains an embedded PE

It extracts the file with the name “tasksche.exe” under the directory called “windows\<randomname>” as shown below. Note, we have also seen occurrences of this file being dropped under “ProgramData\<randomname>.”

After this the dropper starts the payload “tasksche.exe” using CreateProcessA. The payload tasksche.exe (84C82835A5D21BBCF75A61706D8AB549) contains the required functionality for encrypting data on the computer, the files to display the ransom notes, etc. It carries within itself a password-protected ZIP in its resource section, as mentioned earlier. Interestingly, the password for the ZIP is plain text and not encrypted.

Upon further research we found that even though the password is in plain text, the password keeps changing. Sample 4da1f312a214c07143abeeafb695d904 uses the password “wcry@123”.

Unzipping the password-protected ZIP drops the following files in the desktop directory,

Folder “msg” contains the rtf files with extension .wnry for different languages.

Here are the details of the other files that are unzipped:

  1. b.wnry – BMP image file (desktop background mentioning the decryptor tool @WanaDecryptor@.exe to receive ransom payment)
  2. c.wnry – contains the Tor browser download link
  3. r.wnry – text message
  4. s.wnry – ZIP file which has tor.exe along with its dependent DLLs
  5. t.wnry – encrypted data which decrypts itself in memory (it is a DLL file)
  6. u.wnry
  7. taskdl.exe
  8. taskse.exe

It also unzips a batch file that writes a VBScript file m.vbs, which points to an LNK file to run “@WanaDecryptor@.exe”, as shown below,

This @WanaDecryptor@.exe, once run, calls taskdl.exe and displays the below screen to the user,

It also copies itself to other locations like

C:\ProgramData\<randomfolder>\@WanaDecryptor@.exe

The following file extensions are susceptible to encryption:

.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .ott, .sxw, .stw, .uot, .3ds, .max, .3dm, .ods, .ots, .sxc, .stc, .dif, .slk, .wb2, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cpp, .pas, .asm, .cmd, .bat, .ps1, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .3gp, .mkv, .3g2, .flv, .wma, .mid, .m3u, .m4u, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .bz2, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .602, .hwp, .snt, .onetoc2, .dwg, .pdf, .wk1, .wks, .123, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc

Encrypted files would have the extension .wncry appended to the user file name, e.g. if the file name is user_pic.jpg, after encryption it would be user_pic.jpg.wncry. The bytes of the encrypted file at offset zero would be ‘0x57 0x41 0x4E 0x41 0x43 0x52 0x59 0x21’ (ASCII “WANACRY!”).

In all the folder locations in which encryption occurs there are also two additional files dropped: @WanaDecryptor@.exe.lnk, which points to @WanaDecryptor@.exe, and @Please_Read_Me@.txt, which contains the ransom note.
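The markers just described (the .wncry suffix, the WANACRY! header bytes and the ransom-note file names) are enough for a simple triage scan of a suspect machine or a restored backup. The following Python is an added example, not part of the K7 post or of the malware: it walks a directory tree and reports files whose first eight bytes are the WANACRY! header, files renamed to .wncry that lack the header (possible decoys or a different family), and the ransom-note files, then lists the folders touched so the extent of the damage can be established before any recovery. The files written by demo() are constructed stand-ins.

```python
import os
import tempfile

WANACRY_MAGIC = b"WANACRY!"      # 57 41 4E 41 43 52 59 21, the header bytes given in the post
ENCRYPTED_SUFFIX = ".wncry"      # appended to the original name, e.g. user_pic.jpg.wncry
RANSOM_NOTE_NAMES = {"@Please_Read_Me@.txt", "@WanaDecryptor@.exe.lnk"}


def classify_file(path):
    """Label one file: 'encrypted' if it carries the header, 'ext-only' if it merely
    has the suffix, 'ransom-note' for the note and shortcut names, otherwise None."""
    name = os.path.basename(path)
    if name in RANSOM_NOTE_NAMES:
        return "ransom-note"
    try:
        with open(path, "rb") as f:
            head = f.read(len(WANACRY_MAGIC))
    except OSError:
        return None  # locked or unreadable: skip this file rather than abort the scan
    if head == WANACRY_MAGIC:
        return "encrypted"
    if name.lower().endswith(ENCRYPTED_SUFFIX):
        return "ext-only"
    return None


def scan_tree(root):
    """Walk root and group hits by label, with sorted paths relative to root."""
    hits = {"encrypted": [], "ext-only": [], "ransom-note": []}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            label = classify_file(full)
            if label is not None:
                hits[label].append(os.path.relpath(full, root).replace(os.sep, "/"))
    for paths in hits.values():
        paths.sort()
    return hits


def affected_folders(hits):
    """Folders holding at least one encrypted file or a ransom note."""
    touched = hits["encrypted"] + hits["ransom-note"]
    return sorted({p.rsplit("/", 1)[0] if "/" in p else "." for p in touched})


def demo():
    """Populate a temporary tree with constructed stand-ins and scan it."""
    with tempfile.TemporaryDirectory() as root:
        layout = {
            "Documents/user_pic.jpg.wncry": WANACRY_MAGIC + b"\x00" * 32,  # header present
            "Documents/report.docx.wncry": b"plain bytes, no header",        # suffix only
            "Documents/@Please_Read_Me@.txt": b"constructed note text",
            "Documents/notes.txt": b"untouched file",
            "Pictures/holiday.jpg": WANACRY_MAGIC + b"\x01" * 8,             # header, not renamed
        }
        for rel, content in layout.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(content)
        hits = scan_tree(root)
    hits["folders"] = affected_folders(hits)
    return hits


if __name__ == "__main__":
    for label, paths in demo().items():
        print(label, paths)
```

Checking the header rather than trusting the suffix matters in both directions: a file can carry the header without having been renamed yet, and a renamed file without the header was not encrypted by this family.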

As with all ransomware, and to guard against data loss in general, it is important to maintain regular backups of critical data to be able to retrieve it in the case of file or disk corruption.

What is in store for the world now with respect to WannaCry? Are we going to see a different infection strategy, will the binaries be custom-packed, will strings be encrypted? Or will the attack lie low for a while? We’ll be monitoring the twists and turns in the WannaCry saga over time, and will publish new information as and when required.

K7 Threat Control Lab


April 6th, 2017

We at K7 Threat Control Lab recently encountered an incident reiterating the power of social engineering to trick smartphone users into installing bad stuff.

The picture above is self-explanatory. It is clearly a fake message, but it is more convincing since it displays the device make and the current WiFi SSID of the victim, and even uses Google colours and identifiers.

This scareware message attempts to coerce the user to “download the latest Antivirus App”. It is likely, given the message “0 minutes and 00 seconds”, that upon clicking on the link “REMOVE VIRUS NOW” the user will be redirected to download some dangerous app, either from a third-party market or even from the Google Play Store. The download was never attempted, but the app may well have been a deceptor which would claim to have discovered all manner of issues with the device, the fixing of which would require payment.

This fake message may well be generated from the Mi4i device itself (place of manufacture also plays a role in the device’s integrity) or from the WiFi router to which the device was connected at the time.

These kinds of specially crafted user-specific messages exploit the user’s fear factor to force them to download the app recommended in the message, thus compromising their devices themselves.

To avoid any such unwanted circumstances we recommend smartphone users to:

  • Carefully analyse the messages or alerts which they receive before taking any action. Ignore irrelevant messages
  • Not install apps recommended by strangers
  • Use a top-rated mobile security product such as K7 Mobile Security to block any infection
  • Regularly update the mobile OS and security application installed to be free from mobile malware

K7 Threat Control Lab


October 21st, 2016

The sensational, massive theft of critical data from Indian debit card holders, and the subsequent abuse of card data in China and USA, have been widely reported in the Indian media.


Unfortunately the information available seems to be largely based on hearsay and conjecture, some of it even contradictory. The following Donald Rumsfeld (ex-United States Secretary of Defense) quote from February, 2012 comes to mind:

“Reports that say that something <redacted for effect> happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know.”

We may use the above quote to analyse the facts or lack thereof:

  • Known knowns – The critical details of lots of cards (32 lakh may be a paranoid extrapolation of the real figures) have been potentially compromised, many of which have been abused in China and USA
  • Known unknowns –  How exactly was the data stolen? Was there really ATM malware or some skimming device? Or was there a breach on the backend ATM infrastructure either via malware or via direct database hacking? How was the stolen data relayed back to the cyber criminals?
  • Unknown unknowns – Given the nature of this breach, what other parts of the ATM and banking networked infrastructure are vulnerable to attack? What will those scary headlines read in the future?

We are still in the hunt for real technical detail relevant to this particular breach. Malware samples or hashes would be very useful.

ATM and Point of Sale (PoS) malware are not a recent phenomenon. ATMs can be considered to be computers with some customised hardware, e.g. card reader, attached. They tend to:

  • run Windows XP as the OS hosting the ATM services
  • have no Anti-Virus software installed
  • perhaps employ inadequate encryption mechanisms to prevent the leakage of transaction data

Obviously these factors are not conducive to the maintenance of data security on ATM networks. Windows XP is known to be vulnerable and has been unsupported by Microsoft since 2014! Regardless of the true nature of the current breach it seems clear that the banking industry does need to take ATM security more seriously than employing security guards outside terminals who may doze, if even present, or worse. A good place to start would be to address the vulnerabilities highlighted above, i.e.:

  1. Upgrade the host OS to a more secure, light-weight one, and ensure that it is adequately patched
  2. Install customised Anti-Virus software with slim, relevant security updates
  3. Employ industry-standard encryption (AES/RSA/ECDH, etc.) across critical data transfer channels and storage areas
  4. Get the whole infrastructure vetted by competent third-party agencies through black-box (vulnerability assessment, pen testing, etc.), and white-box (code review) mechanisms

We shall keenly monitor developments in this case, especially if samples are forthcoming.

Image by Karl Hilzinger courtesy of:

http://www.smh.com.au/it-pro/security-it/credit-card-fraud-8-ways-your-details-can-be-hijacked-20150119-12ttwn.html

Samir Mody
AVP, K7TCL


September 30th, 2016

Continuing our series on Cyber Security, this blog post aims to shed some light on a security term that is casually thrown around these days, Denial-of-Service.

As the term conveys, a “Denial-of-Service” (DoS) attack aims to cut off the provision of a service. When we speak of it in terms of computing we would generally refer to an online network-based service that is rendered inaccessible to legitimate users during the course of the attack. A successful DoS attack would require a large number of requests being sent to the network service at a specific point in time.

In general, for seamless network communication to happen a “request-acknowledge” signal is essential, i.e. when a user makes a request to a network service the request is first acknowledged and then the data corresponding to the query is sent back along with a request for acknowledgement once the data is received. The user then sends an acknowledge signal once the requested data has been received. All this happens in the order of milliseconds, hence it is barely noticeable.

Every server that hosts a service would have a maximum request-handling capacity, and when that threshold is exceeded the server or the service becomes unavailable. It is this request limit which is exploited and abused by a DoS attack.
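As an added example, not from the K7 post, the following Python models the request-handling limit just described: a server keeps a table of requests that are still waiting for the client's acknowledgement, and that table has a fixed capacity. A constructed trace of legitimate clients who complete the exchange, mixed with requests from addresses that never acknowledge, shows how the table fills and legitimate users get turned away, and how two common server-side defences, a timeout on unacknowledged entries and a per-address cap, change the outcome. Capacity, timeout and trace sizes are illustrative choices, not figures from the post.

```python
class ConnectionTable:
    """Server-side table of requests still waiting for the client's acknowledgement.

    capacity          - how many unacknowledged requests the server can hold at once
    half_open_timeout - seconds after which an unacknowledged entry is reclaimed (None = never)
    per_source_limit  - most unacknowledged entries one client address may hold (None = no cap)
    """

    def __init__(self, capacity, half_open_timeout=None, per_source_limit=None):
        self.capacity = capacity
        self.half_open_timeout = half_open_timeout
        self.per_source_limit = per_source_limit
        self.half_open = {}  # (source, port) -> arrival time

    def _reclaim(self, now):
        """Free entries whose client never acknowledged within the timeout."""
        if self.half_open_timeout is None:
            return
        stale = [key for key, arrived in self.half_open.items()
                 if now - arrived >= self.half_open_timeout]
        for key in stale:
            del self.half_open[key]

    def request(self, source, port, now):
        """A client's initial request; True if the server could hold it."""
        self._reclaim(now)
        if self.per_source_limit is not None:
            held = sum(1 for src, _ in self.half_open if src == source)
            if held >= self.per_source_limit:
                return False
        if len(self.half_open) >= self.capacity:
            return False
        self.half_open[(source, port)] = now
        return True

    def acknowledge(self, source, port, now):
        """The client's acknowledgement completes the exchange and frees the slot."""
        return self.half_open.pop((source, port), None) is not None


def simulate(table, flood_sources, ticks=50, flood_per_tick=5):
    """Replay a constructed trace: every tick brings flood_per_tick requests from
    addresses that never acknowledge (cycling through flood_sources addresses)
    plus one legitimate client that acknowledges straight away."""
    stats = {"legit_ok": 0, "legit_dropped": 0, "flood_dropped": 0}
    port = 40000
    for tick in range(ticks):
        now = float(tick)
        for j in range(flood_per_tick):
            source = "flood-%d" % ((tick * flood_per_tick + j) % flood_sources)
            if not table.request(source, port, now):
                stats["flood_dropped"] += 1
            port += 1
        if table.request("legit", port, now):
            table.acknowledge("legit", port, now + 0.01)
            stats["legit_ok"] += 1
        else:
            stats["legit_dropped"] += 1
        port += 1
    return stats


def demo():
    """Four configurations over the same trace: capacity 100, 200 flood addresses."""
    return {
        "no defence, botnet": simulate(ConnectionTable(100), 200),
        "per-source cap, botnet": simulate(ConnectionTable(100, per_source_limit=3), 200),
        "per-source cap, single source": simulate(ConnectionTable(100, per_source_limit=3), 1),
        "half-open timeout, botnet": simulate(ConnectionTable(100, half_open_timeout=10.0), 200),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-32s %s" % (name, result))
```

The per-address cap stops a single noisy client completely but makes no difference once the requests arrive from many addresses, which is exactly the botnet situation described in the next paragraph; reclaiming unacknowledged entries after a timeout is what keeps the table from filling in that case.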

When speaking in terms of malware related DoS, malware authors employ their botnet (a collection of computers infected with silently-running backdoor Trojans) to perform this kind of attack. A botnet controller (aka “Bot Master”) can send out instructions to the entire botnet under his command to target a specific service, typically a web service, to effect a DoS on the target website.

Several DoS attacks have been orchestrated targeting organizations along with ransom demands to call off the attack. In the days of e-commerce and online services it is essential that business organizations keep their services up and running in order to retain their customer base.

In this series we shall have a look at various flavours of DoS attacks and how they are orchestrated.

Image Courtesy of:
tgm.org

K7 Threat Control Lab


September 12th, 2016

Last week one of our Enterprise customers reported that they had received an email threatening them with a DDoS attack on their allegedly vulnerable servers if one bitcoin (about US$600) were not paid to them. Furthermore, to force a greater sense of panic, there was a threat of spreading nasty ransomware on their network.

The extortionary email resembled the following:

It turns out that this so-called “Armada Collective” group has made similar ransom demands in the past, and the threat has always turned out to be fake to date. No occurrence of an actual DDoS attack has yet been reported by the Enterprise customer who received the aforementioned threat or by any of our other customers.

Of course there are real world examples of DDoS attacks which target businesses but the attackers’ modus operandi is typically different from that described above. Historically many DDoS attacks have taken place without prior warning and without a ransom demand.

If any of our customers or any other businesses receive threatening messages of the form shown above we recommend that you do not panic as there is no proof of an actual attack by these scaremongering cyber criminals disguised as “Armada Collective”. There is certainly no need to pay the ransom demanded. Instead we recommend that you implement adequate boundary-level protection for your servers and network, and assess/pen-test the servers for potential vulnerabilities to be identified and mitigated against ASAP.

Image courtesy of newspeechtopics.com

Samir Mody
K7 Threat Control Lab


September 2nd, 2016

K7 Computing celebrated its 24th anniversary last week with the annual “bay decoration” event, which puts to the test teamwork, camaraderie, creativity and sheer effort, of course. The following collage should give you an idea of how our workspaces were transformed for a day.

Enjoy…

K7 Team
