These are quick first looks and trend and threats


Read More >>
Written by the security and AV professionals from team K7, meant for the general audience
Read More >>
These are usually articles that go into internals of a virus or deal with security issues
Read More >>
Senior managers speak on areas of interest to them, inside and outside the industry
Read More >>

July 2nd, 2015

The Honourable Prime Minister of India, Shri Narendra Modi, launched the Digital India project yesterday, an ambitious undertaking to interconnect and deliver government services to India’s 1.25 billion citizens.

Fortunately, the challenge of securing the vast cyber space for netizens has been keenly recognised by the Government of India as the Prime Minister stated the following in his speech:

“I dream of a Digital India where cyber security becomes an integral part of national security”

The Prime Minister made unambiguous references to the potential vulnerability of India’s current and future critical infrastructure and services to cyber-attack. The plethora of international spying, hacking, and Denial-of-Service attacks, which have made the headlines in recent times, allows one to put things in perspective. India has its own share of inimical nation states, along with non-state actors, both beyond as well as within the country’s borders.

The Prime Minister also recognised the dangers posed to an average netizen at a personal level. He related how common theft has progressed from stealing somebody’s wallet on a bus, in the past, to the current ability of criminals situated thousands of miles away to wipe out a bank account within the time it takes to click one’s fingers.

Indeed, as highlighted previously on our blog, there exists legislation to aid the protection of netizens from common cybercrime, as well as provisions to safeguard national cyber security. However we believe there is lot more to be done. In this blog we wish to highlight certain problem areas which need to be taken into account to boost cyber security for the netizen, and thus, for the nation.

There is a lot of emphasis on the use of online social media and sharing of data “securely”. Of course netizens are only too keen to share Personally Identifiable Information (PII) on public sites, which may not even be hosted in one’s home country. Apart from its general nuisance value, leakage of PII allows the mounting of sophisticated targeted attacks. We recommend thinking several times before posting private information on public sites.

Plans to provide many services online, including secure private document storage, will require netizens to be made aware of basic security hygiene, at least vis-à-vis the use of strong passwords which must be difficult to crack. However, for ease of remembering, it is likely that many, if not most, netizens would employ the same credentials across multiple portals. The compromise of just one password could leave your data exposed on several other sites. In addition, the secure storage of digital certificates, used to authenticate the source and ownership of documents, is a cause for concern as a stolen certificate could lead to complete identity theft.

The exploitation of vulnerabilities on both the client and server side poses a real and present danger to all users. On the client side, software installed on a user’s computing device can and do have hidden weakness that can be taken advantage of during attacks. Vulnerabilities on the server side, especially web servers, have the potential to compromise thousands, and with the advent of Digital India, perhaps millions. A huge proportion of websites, including many with ‘gov.in’ in the domain name, are not necessarily implemented and managed with security in mind, leaving netizens vulnerable. Several trusted Indian state and central government sites have been hacked and defaced in the recent (and not-so-recent) past. We have blogged previously about website hacking, and remediation techniques with which webmasters ought to be familiar. We hope that the government portals which deliver services will be made robust to any form of attack, particularly intrusion and Denial-of-Service.

Mobile devices are set to play a crucial role in the Digital India project. Android is likely to be the most common mobile platform used to communicate with government portals, given the relatively low cost of Android devices. It must be noted that despite Google’s assertions to the contrary, Android devices are certainly not invulnerable to malware attacks. Mobile devices must also be secured, with the user being made aware of the do’s and don’ts of app installation.

The above list of issues is far from exhaustive. We have touched merely the tip of the iceberg. Covering other potential issues is beyond the scope of this particular blog.

An interconnected, inclusive Bharat via the Digital India campaign is an exciting prospect. We wish the campaign all the very best, and we, as IT security professionals, hope to contribute significantly to its success. We would simply like to reiterate the cyber security threat potential to netizens and the Government of India so that robust security hygiene is maintained with discipline, allowing the freedom of a safe online service experience. Jai Hind!

Some images (adapted to suit the article) are courtesy of several sites.

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed

June 29th, 2015

Online free software exists aplenty, keenly attracting a user’s attention. The question is, “Are these free software applications really trustworthy?” . With security as the main concern, a computer user must be careful enough while installing any software that is downloaded online. Many of these free software install toolbars or other kinds of unwanted software that are bundled with them.

On the other hand, there are popular free software like Adobe Reader, Adobe Flash Player, etc., that seem to have become an almost mandatory part of computer use these days. Thankfully, these software installs do not include any compulsory extra activity apart from their core functionality, and even attempt to keep themselves secure with regular security updates as and when required.

Security updates are necessary given that many of these free software utilities have loopholes (also known as vulnerabilities) that are left unseen even after they are released to the outside world. These loopholes tend to attract attacks from remote hackers to compromise the user’s computer.

It is a known fact that many users globally, including a high proportion in India, have pirated software (especially the Windows OS) installed on their computers for whatever reason. Historically pirated versions of the Windows OS have not been eligible to receive either security or product updates, leaving the computer far more vulnerable to attack as cyber criminals always strive to exploit a new route or loophole in installed software to enter the target machine.

Therefore one should always be aware of the importance of the security updates. K7 users can run a “Vulnerability Scan” to determine if any known vulnerable components of certain high-profile software exist on the computer. At least in the case of popular free software users are strongly advised to avail of free security updates such as those provided by Adobe Reader, Adobe Flash Player, Java etc., to better guard against unpleasant surprises.

Image courtesy of:
Yadadrop.com

V.Dhanalakshmi
Senior Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

June 19th, 2015

Windows 10 and its imminent launch have fuelled many discussions within tech circles. In this context we decided to share our thoughts on one interesting Windows 10 security provision.

Windows has had long-term issues with security. Hence over the last couple of years Microsoft has devoted extra resources on bumping up its security focus and image. With recent versions of Windows, Microsoft has added security-centric features like Secure Boot, ELAM, Windows Store Apps and AppLocker, and introduced SmartScreen at a desktop level. In addition, Windows Defender was upgraded from an antispyware solution to an antimalware solution in an attempt to make Windows more secure than before.

With Windows 10, Microsoft is trying to up the ante in terms of security. MMPC recently published an article explaining their new Antimalware Scan Interface (AMSI) which aims to curb malware at the memory level. The article goes on to explain how obfuscation is employed even in script-based malware, from string concatenation to a simple XOR to more complex encryption. AMSI will provide an interface to Anti-Virus products to contextually scan for specific mal-content in a target memory region. An obfuscated mal-script must be fully deobfuscated before it is fed to a scripting engine. Any bonafide security product can register for a callback in this context to invoke a scan of this deobfuscated content using the AMSI APIs provided by Microsoft.

This would aid security vendors since there is no current documented way to intercept a dynamic script buffer. Hence, security products have had to occasionally resort to undocumented methods to attempt intercepting the content fed into the script engine, which could entail stability and performance issues.  Microsoft’s AMSI should prove a more reliable alternative to DIY solutions for script-interception.

Please refer to our earlier blog post for a detailed example of obfuscation in script-based malware.

K7 is getting ready for the Windows 10 release, and we will ensure that all our products are automatically upgraded through regular updates to remain compatible with Windows 10. As a K7 user, there is no effort required from you to prepare for this upgrade.

Images courtesy of:
royalwise.com
encrypted-tbn2.gstatic.com

Kaarthik RM
K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed

June 10th, 2015

Ransomware attacks appear to be ubiquitous. Ransomware is a type of malware which denies access to your computer resources, say by encrypting your personal documents, until a hefty sum is paid to the criminal gang which caused the infection. We recently blogged about two examples of ransomware, namely CTB Locker and TeslaCrypt.

We constantly advise against paying anything to the malware syndicates for two primary reasons:

  1. Generating income for these cyber crooks would only serve to incentivise their criminal activities, and would fuel their future attacks.
  2. There is absolutely no guarantee that paying up the ransom of potentially hundreds of dollars would actually restore your files.

In this blog we will focus on the latter point, drawing on a real-life case study involving a friend of mine.

A few weeks ago my friend (not a K7 user at the time) was, unfortunately, struck hard by a ransomware pretending to be the mother of modern ransomware, the infamous CryptoLocker. The above image is a screenshot of the ransom demand which was splashed on his screen. The ransomware was not, of course, CryptoLocker, but yet it was lethal enough, encrypting my friend’s personal files with advanced algorithms. The sample was packed with a custom NSIS SFX wrapper which has been used by CTB Locker in the recent past, suggesting a potential link between the two strains of ransomware.

My friend did not care too much about his local files which were hit. However, as (mis)fortune would have it, his plugged-in external drive containing the early photos of his kids was ravaged. Ransomware tend to enumerate and modify as many target files on as many drives as possible. By targeting personal or confidential files such as images, Microsoft Office documents, etc., the criminal elements increase the pressure to pay up. Even police departments have occasionally felt compelled to part with funds.

Given the importance of the images on his external drive, my friend was prepared to satisfy the ransom demand to the tune of US$ 237; no piddling amount. I had urged him against paying up, arguing the case based on the points made above. However he felt that if there were any chance of getting his kids’ pictures back he would have to give it a try.

A couple of days later, after having secured the requisite bitcoin, the ransomware kicked into action displaying a status bar and claiming it was in the process of decrypting all the files it had encrypted earlier. Many hours later, having left the “decryption tool” to do its business overnight, my friend assumed his files had been restored. However he was unable to open most of the images and the documents he attempted to view. I offered to look at the files at the binary level to determine whether any data could be recovered.

He sent me several example files which were failing to open. My analysis showed that for many files absolutely no attempt had been made to decrypt them since they had no visible headers. In other cases some headers were visible but large chunks of the files remained garbled junk. Such was the extent of the damage to the image files that even clever image-fixing-software was not able to recover anything.

To cut a long story short, despite coughing up more than US$ 237, my friend was yet unable to recover his kids’ photos. The moral of the story is: refrain from paying these nasty criminals in any way, shape or form. They are hardened thieves without any sense of compunction or honour, so please do not be fooled by apparent largesse.

As always we highly recommend taking regular backups of your important files on media which are not constantly connected to your computer (external media and/or on online repositories), thus, in the event of a ransomware attack, you could still have your files without paying the bad guys a single paisa.

Samir Mody

Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed

June 1st, 2015

Last week in our K7 Threat Control Lab we came across an Android ransomware “locker” sample with a difference. This one splashes a lockscreen that recommends to the user a list of free applications to install in order to continue using any already installed application as shown below:

However, if the user chooses to install one or all of the listed applications, the list seems endless since a new application is inserted for the one that is chosen for installation. This implies that the user may not be able to access his already installed applications or it might take a long time to exhaust the displayed list to access them. Interestingly, the applications installed from the lock screen list are free to open and are not blocked by the splash screen.

Now let us see how this malware actually works.

Analysis of this locker shows that the AndroidManifest.xml file of the package has RECEIVERS (net.fatuously.Unengaged and net.fatuously.Encephalitis) registered to receive the broadcasts BOOT_COMPLETED, USER_PRESENT, SCREEN_ON, NEW_OUTGOING_CALL, PHONE_STATE and DEVICE_ADMIN_ENABLED respectively. But the registered RECEIVER classes are not referenced in the corresponding classes.dex.

click to enlarge

In addition when this locker sample is executed the application displays an additional custom explanatory message that is also not referenced in the top-level package, as shown in the picture below:

click to enlarge

Digging further it is understood that the APK under study carries within itself an encrypted (XORed) ZIP file (test.dat) in the assets folder which in turn carries the classes.dex file that is loaded at run time.

The studied APK file loads the classes.dex from the encrypted ZIP using the dynamic loading feature as shown in the java source below:

click to enlarge

The RECEIVERS registered in the top-level AndroidManifest.xml and the additional explanation in the Device Admin request screen are referenced in the dynamically loaded unzipped classes.dex file.

click to enlarge

click to enlarge

When the user tries to open any of the applications that is installed prior to the locker, the malware loads the splash screen by setting the splash screen content as the data to the intent “android.intent.action.VIEW” as seen in the following code:

This malware when run without an internet connection, or during application initialization, loads a different splash screen as shown below:

The corresponding code to load the above screen is:

And the contents of none.html are follows:

Base64 encoded data in this HTML contains the image (.PNG) content to be displayed.

A few of the websites to which this malware connects are:

sexualletube[dot]biz
pornigy[dot]biz
pornsage[dot]biz
adeffective[dot]org

Strangely the splash screen does not seem to demand any payment from the user. However, it proves to be malevolent as it does not allow the user to open any application that is installed earlier than the locker.

As we discussed in our VB2014 paper “Early launch Android malware: your phone is 0wned”, an updated boot and broadcast framework in the Android OS that allows the security products to load before any other application will help to keep these locker variants at bay. K7Mobile Security protects its users from this locker with the detection called “Trojan (004c2fc61).”

V.Dhanalakshmi, Senior Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

May 26th, 2015

In our previous blog, we mentioned that it might be beneficial for Indian netizens to have a high-level understanding of existing cyber laws that are articulated to protect them. We did write about certain activities deemed to be illegal and the punishments for them.

Today, we provide a bird’s eye view of how the Information Technology (Amendment) Act 2008 aims to safeguard national security. The following provisions, illustrated with an image and its associated description, are the highlights of the Act vis-à-vis national security:

The Act also deals with cybercrimes deemed to be perpetrated by foreign actors, i.e. beyond the “Cyber Line of Control”

  • Section 75(1 and 2) applies to foreign nationals if contravention of the Act involves Indian computer resources.
  • Intermediaries providing computing services are also liable.
  • Part III includes amendments to the IPC specifically related to attacks beyond Indian borders.

Policing cybercrime is an extremely difficult task even within India’s bounds, leave alone beyond them. It is critical for Indian cyber sleuths to establish mutually cooperative relationships with law enforcement agencies in other countries to fight cybercriminals and bring them to justice.

Once again, we hope this blog helps netizens to understand the provisions in the IT (Amendment) Act 2008.

Some images (adapted to suit the article) are courtesy of several sites.

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed

May 22nd, 2015


Despite device manufacturers’ announcement to the user about the void warranty on rooting Android phones, users still root their phones for various reasons such as installing special applications that runs only on a rooted device, removing built-in apps, USB tethering, turning the device into a Wi-Fi hotspot, etc., compromising on the features of security, performance and at the potential cost of the phone itself, as the user might fail at any step in the device-dependent process of rooting the device without a warranty safety net.

Apart from the traditional rooting methods, there are tools available online to root the device that can be run through either ADB or installed directly on the device.

One should also be aware that many Android malware require root access (administrative power) to execute the desired malefide functions on the victim’s device. They acquire root access by bundling with other good applications that require root access, by triggering an application in the victim device that requires root access, or by invoking exploits that they carry within themselves, as in the case of Android/DroidDream that carries the exploits RageAgainsttheCage and Exploid. In addition the recent Android PowerOffHijack malware exemplifies the ill-effects on the Android operating system if administrative power is acquired by a malware.

Security enhancements in Android notwithstanding, there are still new vulnerabilities and exploits for the OS being identified regularly. As per the recent Microsoft report that includes statistics on vulnerabilities and exploits reported in the second half of 2014, lots of the non-Windows exploits found on Windows computers are for the Android operating system and Open Handset Alliance.

All this implies that Android smartphone users should:

  • Ponder whether they really need to root the device
  • Be vigilant about the applications downloaded to root the device
  • Download the required application only from the official Google Playstore
  • Turn on the feature of “Verify apps” that is available with Android 4.2 or higher

Images courtesy of:
Talkandroid.com
Rootmyandroid.org
www.techlegends.in

V.Dhanalakshmi, Senior Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

May 11th, 2015

This is the third part of the blog series on women’s cyber safety, discussing “ONLINE SHOPPING”, the popular term doing the rounds in recent times, continuing from the second part which described cyberbullying and its consequences in one’s life . A survey states that the majority of the goods sold online are of fashion categories, which in turn could suggest that there are a huge number of women customers indulging in online/mobile shopping.

The convenience of online shopping is coupled with its own risk. Online shoppers should be aware of the possibility of online fraud as cyber criminals continue to engage cyber space to target credit/debit cards, bank accounts and miscellaneous user credentials to carry out financial transactions.

Online buyers should be aware of the following:

  1. Phishing attacks where a fraudulent website resembles a popular legitimate website enticing the user to carry out financial transactions which results in both monetary and data loss to the user or causes the download of a malware hosted on the crafted website.
  2. One should also be careful about the online portal at which she/he opts to shop, as there are online fraud campaigns reported where the purchased goods are either never delivered or a different product is delivered to the buyer with a time delay. In either case ultimately it is a financial loss to the buyer.
  3. Shop online only through the portals whose website address starts with “https://” (‘s’ stands for secure) with a lock symbol appearing next to it (or sometimes on the bottom right corner of the browser window), which indicates that the portal uses SSL encryption.

With the increasing usage of smart devices, shopping is being made mobile- “SHOPPING ON THE GO”. The number of Indian customers for mobile shopping is growing given the special deals on purchases and the reduced time factor. In addition, the concept of e-wallet has attracted a large user base by presenting the shopper with additional deals and discounts.

E-wallet portals or mobile shopping applications are seen to:

  1. Provide the choice of saving the buyer’s credit/debit card details in their database for future use. This raises the question “how secure is the data stored at the merchant’s end?”
  2. Auto-login with Facebook or Google account. In case of the mobile being stolen or lost, auto-logging in along with saved credit/debit card details might be a recipe for disaster.

Regardless of whether the shopping is through online computers or mobile devices, one should always:

  • Choose a reputed portal by reading through the reviews available and its track record
  • Download the mobile shopping/banking apps from the official app store
  • Think twice before saving your banking information or credit/debit cards details
  • Avoid opening advertisements or mails from an unknown seller or portal

Images courtesy of:

Dealwithus.co.in
betanews.com
globaldatacompany.com
thinglink.com

V.Dhanalakshmi, Senior Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

April 27th, 2015

This is the final part of a six-part blog based on the paper submitted by my colleague Gregory and myself on Advanced Persistent Threats (APT), for AVAR 2014. Continuing from the fifth part of our paper…

Data Exfiltration and Cleanup



This stage of the APT involves the assailants collecting the sensitive data and transmitting it stealthily to a remote location. Data extraction can either be a one-time event or spread over a period of time, followed by constant snooping of the victim, all the while remaining hidden.

Once the objective of an APT campaign is achieved, the attackers exit the network in a phased manner after covering their tracks and clearing all the potential evidence of an intrusion.  The attackers could also plant or manipulate data in the target’s environment in an effort to create misdirection.

Extraction methodology

Confidential data that is collected during the period of the APT is copied to a staging server, compressed, encrypted and kept ready for transfer. Outbound sessions are then established that resemble legitimate traffic thereby attempting to fly under the security radar. The confidential data is thus extracted possibly in small chunks over a period of time.

The bad actors could exfiltrate data using any/all of the following methods:

HTTP/FTP/Cloud Storage Uploads

An HTTP/FTP upload or a cloud transfer is initiated by an application which is already approved by the firewall. Additionally, the packets could be SSL or custom encrypted making it difficult for security solutions to sniff.

Outgoing Emails with Password Protected Attachments

Sensitive contents are password protected and then transmitted using either a compromised employee’s email credentials, or by using a custom SMTP server.

Customized DNS Queries

Small chunks of data such as user credentials may be sent as custom DNS requests to DNS servers controlled by the attackers. The packets are then reassembled as required at the attackers end.

Fig.14. shows encrypted data sent as a DNS query

VPN/IPv6 Tunnels

VPN and IPv6 tunnels are created from the staging server to a remotely controlled machine. The contents are then securely transmitted through these tunnels.


The hacking outfit commonly known in computer security circles as Comment Crew [13] has been observed using the above data exfiltration techniques. Sensitive data which could potentially be Gigabytes in size would first be collected in a centralized location & compressed in a password-protected RAR file. The final archives would be split into chunks and uploaded using FTP, custom file transfer tools, etc.

Cleanup Methodology

The attackers tend to delete their malicious code and its associated components by remotely issuing self-destruct commands from their C2C server. A time/event bound kill switch built into the malicious code could also be automatically triggered to avoid being caught.

System logs that maintain login attempts, security logs that maintain protection status, audit files that track system changes, etc. are modified by the attackers to make a forensic reconstruction of the attack impossible.

Indicators of Compromise

Capturing and transmitting confidential data is the raison d’etre of any APT. In order to facilitate this transmission, the attacker must contact external servers from inside the victim’s network.

Here are some of the common symptoms that indicate suspicious activity within the organization’s network:

Wrong Data in the Wrong Place

Movement of encrypted or confidential data from a machine containing sensitive information to a potential upload server with Internet access, all within the organizations internal network could indicate that something is wrong.

Similarly, availability of large quantities of known-encrypted or sensitive data on a machine it’s not supposed be on could also indicate that something is amiss.

Anomalous Traffic


The following anomalies could indicate a compromise:

  1. Connections made directly to IP addresses
  2. HTTP/FTP connections on non-standard ports
  3. Connections to previously unused or high risk geo locations
  4. Accessing algorithmically generated domain names (DGA)

Other Indicators

Inconsistent events in audit logs maintained at network and endpoint level, changes in the system drivers list without an application uninstallation progress, etc. can also be used as indicators of compromise.

Prevention/Detection

Confidential information is the crown jewel of any company and typically it is this information that the attacker is focused on stealing. The following solutions can be involved in protecting the exfiltration of this confidential data:

Hardened DNS Servers


Outgoing DNS queries should be logged and monitored extensively for anomalies. Organizations could also create and maintain their own hardened DNS servers.

Security Solutions

Data aware technologies like Data Leakage Prevention (DLP) can be added to the organization’s existing layer of defense. Once critical and confidential data is identified, DLP solutions track and prevent this data from falling into the wrong hands.

URL scanners with built-in reputation intelligence can be used to detect:

  1. Access to subdomain/domains which are not popular or appear suspicious
  2. Repeated attempts to connect to domains which no longer resolve
  3. Attempts to connect to blacklisted or malicious IP addresses/domains
  4. Newly registered domains

Network scanners with Deep Packet Inspection and machine learning capabilities can be used to build a knowledge base of general network usage trends. Alarms are raised when deviations exceed pre-defined thresholds. This knowledge base includes:

  1. Commonly used protocols with source and destination information
  2. Common geo locations contacted
  3. Number of connections and the length of connections made depending on the time of the day

Software that take disk backups and dump physical memory images at regular intervals are of great help during incident response and forensic analysis of a potential APT attack.

Conclusion

The implications of the complexity and perseverance of Advanced Persistent Threats are of major significance to the existing security infrastructure. The evasion techniques discussed in this paper have exerted colossal pressure on the current methods used to detect and report these threats, especially where the human element is involved.

Safeguarding oneself against APTs requires more than just traditional security solutions. The need of the hour is a comprehensive, holistic security plan that intelligently integrates events reported from numerous forms of security established at various levels of the organization. This solution should be able to handle massive volumes of logs and spot patterns of an attack, find sources of a breach and stop new threats in their tracks.

Things are about to get a whole lot more difficult with compromised mobile devices joining the fray. Strategies to identify and stop sophisticated, multi-pronged APT attacks have been discussed; however coordinated implementation is far from straightforward. We live in interesting times.

References:

[13] http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

Lokesh Kumar
K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed/

April 20th, 2015

Following positive feedback on our blog a couple of months ago describing CTB Locker we have been requested to do a piece on another ransomware, TeslaCrypt.

Ransomware is a type of malware, becoming more common by the day, which denies access to your computer resources, e.g. by encrypting your personal documents, etc., until a hefty sum is paid to the criminal gang which caused the infection. Ransomware is terribly destructive which is why my colleague Gregory and I have decided to present our views on how to curb this scourge at the international Virus Bulletin security conference later this year.

Now then, TeslaCrypt. There has been plenty of publicly-available data on TeslaCrypt since its emergence in February. It is possible that many currently believe that TeslaCrypt attacks only gamers and gaming software. This is not the case, of course. Similar to most other ransomware TeslaCrypt encrypts documents, music and photos. In addition to these common filetypes it also encrypts files with extensions which are used specifically by gaming software.

A fresh sample of TeslaCrypt from a couple of days ago reveals that its functionality has not changed much from its first avatar, even as it is enveloped in new robes to evade detection, which it fails to do, by the by. This “latest version” (VV3) of TeslaCrypt encrypts files with the following extensions:

.sql;.mp4;.7z;.rar;.m4a;.wma;.avi;.wmv;.csv;.d3dbsp;.zip;.sie;.sum;.ibank;.t13;
.t12;.qdf;.gdb;.tax;.bc6;.bc7;.bkp;.qic;.bkf;.sidn;.sidd;.mddata;.itl;.itdb;
.hplg;.hkdb;.mdbackup;.syncdb;.gho;.cas;.svg;.map;.wmo;.itm;.sb;.fos;.forge;
.ztmp;.sis;.sid;.ncf;.menu;.layout;.dmp;.blob;.esm;.vcf;.vtf;.dazip;.fpk;.wb2;
.vpk;.tor;.psk;.rim;.w3x;.fsh;.ntl;.arch00;.lvl;.snx;.cfr;.ff;.vpp_pc;.lrf;.ltx;
.vfs0;.mpqge;.kdb;.db0;.dba;.rofl;.hkx;.bar;.upk;.das;.iwi;.litemod;.asset;.xf;
.bsa;.apk;.re4;.sav;.lbf;.slm;.bik;.epk;.rgss3a;.pak;.big;.unity3d;.wotreplay;
.py;.m3u;.flv;.js;.css;.rb;.png;.jpeg;.txt;.p7c;.p7b;.p12;.pfx;.pem;.crt;.cer;
.srw;.pef;.ptx;.r3d;.rw2;.rwl;.raw;.raf;.orf;.nrw;.mrwref;.mef;.erf;.kdc;.dcr;
.bay;.sr2;.srf;.arw;.3fr;.dng;.jpe;.jpg;.cdr;.indd;.ai;.eps;.pdf;.pdd;.psd;.dbf;
.rtf;.wpd;.dxg;.dwg;.pst;.accdb;.mdb;.pptm;.pptx;.ppt;.xlk;.xlsb;.xlsm;.xlsx;
.xls;.wps;.docm;.docx;.doc;.odb;.odc;.odm;.odp;.ods;.odt;.pkpass;.mov;.vdf;
.icxs;.hvpl;.m2;.mcmeta;.mlx;.kf;.iwd;.xxx;.desc;.der;.x3f;.cr2;.crw;.mdf;


A diff between the extension list then (February-end) and now shows the following entries:

> .sql
> .mp4
< .sc2save

> .zip
< .mcgame

> .mov
< .001

> .vcf
< .DayZProfile

> .dba
< .dbfv

> .dbf

“>” indicates a new entry and “<” indicates a removed entry. Interestingly it appears there’s now a reduced emphasis on gamers and more on the general public, targeting ZIP archives and database-related files, etc.

The main ransom demand splash screen and “help” message remain relatively unchanged:

Note, the threat to double the decryption price is somewhat different from the previous one which, as usual, claimed that the private key would be deleted after the time counter has run down to 0.

Encrypted files still appear as <original file name with original extension>.ecc:

TeslaCrypt still masquerades as the infamous Cryptolocker, a year after its demise, by continuing to create a shortcut on the desktop with the said name:

As can be seen from the above image TeslaCrypt continues to execute itself as a randomly-named EXE at the root of the Application Data directory. It still drops a file called key.dat in the same location. It has been reported that key.dat contains the 256-bit AES symmetric key used to encrypt the target files, which is eminently possible. It is worth mentioning that TeslaCrypt contains references to OpenSSL functions, e.g. BN_CTX_new(), which must be used to perform the encryption. The exact format of key.dat is as yet unknown so we are unsure which part of it may be the AES key.

Thus far we have covered several indicators of compromise, and we hope you are not experiencing an uncomfortable sense of déjà vu whilst reading this blog. Let’s now address the typical queries related to malware, with the focus on TeslaCrypt and other ransomware:

  • How did it get on my computer?

TeslaCrypt’s modus operandi vis-à-vis spreading itself is via hacked websites which trigger exploits for your browser, typically referred to as a drive-by-attack. Other ransomware tend to spread via mass-mailed attachments.

  • How should I prevent an infection?

The malware should be arrested as soon possible before any damage is done. As in the case of any other malware, we would recommend the usual hygienic best practices:

  1. Surf only known, highly-reputable sites
  2. Don’t open email attachments from unknown sources
  3. Keep your security software up-to-date. Some security software such as K7’s Total Security contains Carnivore Technology to heuristically block attempts to exploit your browser
  • Now that I am infected, what should I do?

We’ll have to be brutally honest. In the case of modern ransomware you have found yourself in a difficult situation. It is typically impossible to decrypt the targeted files without the appropriate key. We strongly discourage paying any ransom to potentially obtain the key and recover your files, though, since this would only serve to fund and encourage further criminal activity.

Restoring a previous known good state from OS system restore points is sometimes an option but TeslaCrypt attempts to prevent this escape by deleting the restore points by executing the following command:

vssadmin delete shadows  /all

Instead it is hoped that you would have backed up your important files in a disciplined fashion on external media and/or on online repositories. If you are not in the habit of backing up your files, we would highly recommend this practice. Please note, a general hard disk failure is much more likely to strike you than a ransomware infection!

We hope this content helps build awareness about malware in general and ransomware in particular, with an emphasis on TeslaCrypt, thus aiding the relentless battle against innumerable cyber bandits.

Generic ransomware image (first) courtesy of:
files.itproportal.com

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed