
October 1st, 2015

In all likelihood, the ransom note above is what an already overworked IT technician of a corporate network is staring at at this very moment. Adding to their woes, IT administrators are now burdened with the task of dealing with Cryptowall, a troublesome breed of malware which until now restricted itself mostly to infecting home users.

With gigabytes of confidential data available on network storage devices, and tormented users willing to do whatever it takes to retrieve the company’s data, life has never been easier for Cryptowall authors. Needless to say, it is only a matter of time before things take a turn for the worse.

To enlighten our users, we have already dissected the infection vector of this category of malware, discussed the possibility of retrieving the original files, advocated that paying the ransom is a bad idea and advised that prevention is better than cure, through blog entries available here and here.

To assist our customers, researchers at K7 Threat Control Lab have come up with reinforcements in this fight against Cryptowall. We have developed a heuristic anti-ransomware prototype which will allow monitoring, identifying and eliminating this menacing enemy based on run-time behaviour.

Samir Mody and Gregory Panakkal from K7 TCL will be discussing this prototype and presenting their paper titled “Dead and buried in their crypts: defeating modern ransom-ware” tomorrow, the 2nd of October 2015, at the Virus Bulletin International security conference held in Prague.

We hope to see you all there!

Lokesh Kumar
K7 TCL Systems Manager

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

September 23rd, 2015

This blog is to share with the general public an internal milestone that was achieved by K7’s Product Engineering Team.

K7 Web Categorization, an engine hosted on K7 Cloud Infrastructure, has been tirelessly serving our customers for close to a year. Recently we zoomed past an average of more than one billion queries served every month. Web Categorization is the process by which a website previously unknown to K7 is passed through an automated Artificial Intelligence (Machine Learning) system that evaluates the page content and predicts the category of the website. This categorization of web pages is single-handedly responsible for providing Category-Based Web Filtering for our enterprise customers. It also provides our home users with an enhanced browsing experience.

Those of you who are “cloud savvy” would probably be wondering whether one billion queries is a low number considering our customer base; it indeed is. Utilizing efficient caching on the client side, as well as smart use of internet infrastructure and protocols, we are able to optimize the load on our cloud servers. The server software running on these cloud servers has been developed in-house using highly-optimized but traditional programming techniques to minimize hardware resources and maximize throughput, such that the inflow, which peaked at 10000 queries per second a few months ago, was handled with ease.

In this day and age of cloud computing the use of interpreted/JIT-compiled languages is predominant. However, there is still a special place for custom-built C/C++ compiled server software, if you care to extract every ounce of performance out of your hardware and provide a quality service to clients seamlessly.


Product Engineering Team


September 17th, 2015

This blog is to inform the general public that two researchers representing K7 Threat Control Lab will be presenting and explaining their generic anti-ransomware solution at the Virus Bulletin international security conference. This blog also aims to solicit from fellow conference delegates a few of the latest ransomware samples to test the effectiveness of a new generic anti-ransomware prototype to be demoed for the very first time at the conference.

Are you attending the Virus Bulletin international security conference later this month? If so, my colleague, Gregory Panakkal, and I are due to present ways and means of fighting back against destructive modern ransomware on Friday, the 2nd of October, right after the lunch interval. We have a heuristic anti-ransomware Proof-of-Concept prototype which we will be demonstrating to delegates, explaining its modus operandi.

Have you got a brand new sample of ransomware you would like to throw at our anti-ransomware PoC demo? We are inviting conference delegates to help test the efficacy of the PoC vis-à-vis unknown variants of ransomware in real time, i.e. in our live demo. However, given the demo environment, the following pre-conditions exist for the samples:

  1. Must run in a VM
  2. Must encrypt target files without an active internet connection

If you have a suitable sample please use the VB 2015 demo public key to encrypt it.

Then send the encrypted sample to any time before 13:00 (local time in Prague) on Friday, the 2nd of October 2015.

We hope to see as many of you as possible at the conference and at our presentation, and of course we are hoping to receive a couple of samples to test live as well.

Samir Mody

Senior Manager, K7TCL


September 10th, 2015

K7 Computing Private Limited celebrated its 23rd anniversary on August 27, 2015, with great enthusiasm. It was a day marked with fun and recognition, acknowledging K7’s incredible journey over the years. When you work for a company with a positive environment that encourages individuality, a spirit of ownership and creativity, a milestone reached by the company is akin to achieving a personal milestone. This sense of belonging was reflected in each and every employee, and that made the event great fun.

The agenda was set; our work family was formed into teams; Orange, Green, Blue, and Red. The preparations began in full swing a couple of days prior to the big day. Each team took up the challenge to creatively bring in some mojo into their workspace. We found out what happens when engineering meets design, and what can happen when marketing takes on engineering. The events were officially kicked off. The response was tremendously positive; we experienced a space odyssey; got spooked in a scary house; travelled back to the past, experienced the present, and glimpsed the future; and dedicated the “PSLV Concept” to the man who made it possible, the late Dr. APJ Abdul Kalam.

Then, we experienced a moment of pride when our Founder and CEO, Mr Kesavardhanan, appreciated all the employees for their unyielding support with his speech straight from the heart, and presented awards for the outstanding contributions of the employees. As the event drew to a close, we couldn’t help but look forward to yet another year filled with purpose, achievement, and of course lots of fun.

Archana Sangili, Content Writer


September 2nd, 2015

This blog intends to inform the general public about some of the feature enhancements in the next version of Android (6.0), labelled “Android Marshmallow”, focussing on the significance of the permissions list of an application.

Last week Google announced its next version of Android, Android 6.0 nicknamed “Marshmallow”. Though the final release date of Marshmallow is not yet confirmed, here are some of the interesting features included in Marshmallow, by no means an exhaustive list:

  • Android Pay

With this feature users can enter their credit card details and Google will create a virtual account to enable an easy checkout process using the NFC system.

  • Application linking

As of now, when a user clicks on a link, a dialog box pops up prompting the user to select one of the available applications, such as Chrome or another suitable browser, to render the link. With Android Marshmallow, the Android OS verifies the link with the respective application’s server (provided the corresponding app is installed), and after successful verification the link is opened within the application, with the help of an auto-verify feature which application developers can enable in their application.
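To make the verification step concrete, here is an added example, not code from the original post or from K7, that models the statement-matching half of Android App Links: the website publishes a Digital Asset Links statement at /.well-known/assetlinks.json naming the app’s package and signing-certificate fingerprint, and a link is routed to the app only if that statement matches. The package name and fingerprint below are constructed; on a real device the OS fetches the file over HTTPS itself, which this script does not do.

```python
import json
import re

HANDLE_ALL_URLS = "delegate_permission/common.handle_all_urls"
# A SHA-256 certificate fingerprint is 32 colon-separated hex bytes.
FINGERPRINT_RE = re.compile(r"^(?:[0-9A-F]{2}:){31}[0-9A-F]{2}$")

# Constructed sample values (hypothetical app, not from the original post).
SAMPLE_PACKAGE = "com.example.shop"
SAMPLE_FINGERPRINT = ("14:6D:E9:83:C5:73:06:50:D8:EE:B9:95:2F:34:FC:64:"
                      "16:A0:83:42:E6:1D:BE:A8:8A:04:96:B2:3F:CF:44:E5")


def build_assetlinks(package_name, fingerprint, relations=(HANDLE_ALL_URLS,)):
    """Produce the JSON text a site would serve at /.well-known/assetlinks.json."""
    return json.dumps([{
        "relation": list(relations),
        "target": {
            "namespace": "android_app",
            "package_name": package_name,
            "sha256_cert_fingerprints": [fingerprint],
        },
    }])


# The statement list our constructed site publishes.
SAMPLE_ASSETLINKS = build_assetlinks(SAMPLE_PACKAGE, SAMPLE_FINGERPRINT)


def normalize_fingerprint(fp):
    return fp.strip().upper()


def site_delegates_to_app(assetlinks_text, package_name, cert_fingerprint):
    """Return True only if the site grants handle_all_urls to exactly this
    package signed with this certificate. Any malformed input fails closed."""
    try:
        statements = json.loads(assetlinks_text)
    except ValueError:
        return False
    if not isinstance(statements, list):
        return False
    wanted = normalize_fingerprint(cert_fingerprint)
    if not FINGERPRINT_RE.match(wanted):
        return False
    for statement in statements:
        if not isinstance(statement, dict):
            continue
        target = statement.get("target", {})
        if HANDLE_ALL_URLS not in statement.get("relation", []):
            continue
        if target.get("namespace") != "android_app":
            continue
        if target.get("package_name") != package_name:
            continue
        published = {normalize_fingerprint(f)
                     for f in target.get("sha256_cert_fingerprints", [])}
        if wanted in published:
            return True
    return False


if __name__ == "__main__":
    print(site_delegates_to_app(SAMPLE_ASSETLINKS, SAMPLE_PACKAGE, SAMPLE_FINGERPRINT))
```

The point of the certificate fingerprint is that a look-alike app with the same package name but a different signing key is refused: the site vouches for a specific signed build, not for a name.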

  • Unlock feature

Fingerprint scanner support.

  • Power

Though not security-related it is interesting to know that “Doze Mode” is incorporated to improve the device’s standby time. Using motion detectors, Android will identify if the device is idle or in use. If the device is found idle, Android kills the background processes to improve the battery life.

  • App permissions

Yes! Now I can choose what an application should be allowed to do in real time! Traditionally, Android applications request their required resource-access permissions from the user at install time. These permissions cannot be modified post installation. With Android Marshmallow, users can choose to allow or deny a specific permission from the permission list of an Android application whilst the application is active. The description of this feature claims that applications will request the required permissions the first time the application’s feature is invoked, instead of requesting all the permissions in one go at installation time. As much Android malware disguises itself as legitimate applications or is bundled with other legitimate applications, restricting an application based on its permissions (which in turn restricts the app’s functionality) would help increase the security of the user’s device and personal data.

However, user awareness about the importance of the permissions granted and the functionality of an application is still essential. As we discussed in our previous blog, a taxi-booking application does not typically need permission to access the files on the device’s SD card to perform its functionality. Similarly, a gaming application does not require permission to access contacts information for it to operate. One should be aware of which permissions should be granted or denied to avail of the application’s actual functionality.

In addition, for Android Marshmallow, if the same permission restrictions hold good for a legitimate security application as well, there is a possibility that malware with super-user access could modify the granted permissions list of the security application. As suggested in our VB2014 paper, updating the Android OS framework such that trusted security applications are loaded earlier than any other installed application could help in handling these situations.


Senior Threat Researcher, K7TCL


August 20th, 2015

This blog intends to highlight some of the dangers faced by the general public associated with an ever expanding use of social networking sites, all set to grow at an even greater rate post the launch of government initiatives such as the Digital India campaign.

Social networking sites such as Twitter and Facebook provide an efficient interface for communication with multiple people in a user-friendly manner. People are connected to their friends, family and followers in real-time, on-the-go using mobile devices. The ugly side to this increasing use of social networking sites is the potential for controlled, targeted abuse within a very short space of time. Recently the Hindu newspaper reported the abuse of Twitter in the recruitment programme of banned organisations.

Users of social networking sites do not appear to think twice about sharing large amounts of their private Personally Identifiable Information (PII) online. This freely available PII, which includes date of birth, phone number, address, and so on, allows malevolent actors to sharpen the targeting of their attacks. In addition, given the speed of transmission, it is possible for attackers to reach a large number of victims very quickly, potentially triggering a mass panic scenario, spreading malware, increasing recruitment for banned organisations, etc.

There is at least one documented case of the use of social networks to trigger mass panic in India through the use of doctored images and targeted, threatening messages. In August 2012 thousands of Indians from some North-Eastern states of the nation were made to feel threatened to the extent that they decided to flee in large numbers to their home states from other parts of the country; a grave situation indeed.

The above real-world example provides a stark reminder about the havoc that can be caused when malicious content goes viral, either intentionally or otherwise. Legislation related to IT in many countries provides for monitoring of online content, inclusive of social networking sites, especially given that national security could well be at stake. In the documented case mentioned above, the attack vectors were neutered and some semblance of normality restored only after the offending sites were temporarily blocked and bulk SMS/MMS were banned for a short time as per the provisions in law.

Some images (adapted to suit the article) are courtesy of several sites.

Samir Mody
Senior Manager, K7TCL


August 14th, 2015

This blog intends to inform the general public about the impact on the Internet of an increase in the prevalence of self-destructing messaging services.

Almost every one of us is delighted to have more than one genie at hand: we own a smartphone, tablet, laptop, etc., and a click of a button or a screen-touch can satisfy our cravings, from food to knowledge. Also, the communication world is never short of new stuff popping up now and then: tweets, pokes, chats, likes, posts and so on.

Don’t we enjoy a twist in the movies we watch? One has to wonder if the Internet is the next ‘anterograde amnesia’ victim, where an unforeseen whirl takes over social networking services silently.

On one hand, Hadoop technology is booming to handle the exponential growth of data, and spiders are crawling over the internet to feed search engines. On the other hand, a potential counterbalance is being created by self-destructing communication methods, important enough to discuss as the number of apps and services providing this functionality is increasing, with more users every day. In addition, the social networking giants’ competing feature is shifting focus from providing nearly unlimited storage space to providing an expiry time on demand. A silent balance is inching toward creating major chunks of a lost internet.

When communicating confidential information over the internet, there is a jolt in us. We think several times, whether we can trust the internet and its services. And for one reason or another, we compromise ourselves with the communication services we get online.

Now, the privacy jolt is taking a noticeable turn because it seems to give more power to the users like data wiping, evidence shredding, and “suicidal messages”. It is not strange for us to regret sending a wrong file or a message to an unintended recipient, for liking a wrong post or comment by mistake too. But it is also important to note that these auto-timed or customisable self-expiring messages are redefining secretive communication.

This trend seems to cure the privacy fever of social media with email bombs, ephemeral messages, auto-expiring tweets, timed chats, self-deleting pokes and much more; from its suffering to hold itself together with features like ‘recall’ or ‘undo’ a sent email, off the record chats, etc.

Such self-destructing email services promise to destroy their path traversed over the servers and the email itself in a prescribed amount of time. These promises are not new to us as we have been relying for years on strong encryption and secure channels.

There is always more than one solution to a problem. A few apps use temporary hyperlinks. Some provide a one-time password to access a timed webpage; the passwords and the websites are not available after the expiry time. Some store the contents temporarily on servers until the message is delivered to all the intended recipients, then delete the contents from the servers and from the recipient’s inbox once the message is read. Some use external apps and browser extensions too.

Some apps face issues such as screenshots being taken, content being accessed by other means instead of through the app, and message-ID vulnerability hacks on related sites. Some apps have already fallen victim to cyber forensic studies, as they save images and videos in hidden folders or rename the files to unknown file extensions, and researchers are ready to spend many hours and thousands of dollars on their research. But competitors release newer products with upgraded versions which offer more sophisticated, artificially-intelligent communication systems.

Cyber criminals use such services widely to communicate their secrets or threaten victims. Of course anyone can use these services for a legitimate conversation as well. One must not forget that self-expiring attachments are also joining hands with this feature, which prevents messages from being copied, forwarded, edited, printed, or saved.

With competitors focusing on providing the self-destruction feature, the following questions certainly arise:

  • Will the internet become erasable?
  • Will social networking become the most secret communication method going forward?
  • Did we just discover invisible data or communication?
  • Will these mortal messages force cybercrime lexicology to accept its demise?
  • Will the expansion of SMS be changed to Short-lived Messaging Service?
  • Will the cyber crime investigators exclaim: “Eureka! But where did the evidence go?”

Looks like we just have to wait and watch what surprises the future brings.


Ayesha Shameena P
Threat Researcher, K7TCL


August 7th, 2015

This article intends to inform the general public about ‘Edge’, the newest browser from Microsoft shipped with Windows 10. It sheds some light on what’s new, what’s changed and why Edge was considered necessary.

It has been more than a week since Windows 10 started hitting users’ PCs; it has however been around for a couple of months via the Windows Insider program as a public beta. Reviews on the operating system have been trending in the tech review sites. Opinions in general have been on the positive side for Microsoft’s la(te)st operating system. One of the features that is generating interest is the new browser “Edge” offered in Windows 10.

Microsoft finally bid goodbye to its ageing browser, Internet Explorer (‘IE’). Antiquated design, interoperability issues and security holes riddled IE, warranting a better, modernized browser. Codenamed Project Spartan, it finally shaped up as Edge. Microsoft reworked its browser almost from scratch, borrowing bits of goodness from its competitors while being unique in its own way, with a personal assistant and the ability to annotate webpages and share them; most important of all, though, improvements to security were made.

Security was probably one of the main concerns that pushed Microsoft to reimagine its browser design. So, from a security perspective, Microsoft has got rid of ActiveX support, infamous for its security vulnerabilities. Added to the “gone” list were BHOs (Browser Helper Objects, which went on to become synonymous with toolbars) and VBScript support. Over the years, support for these three features caused numerous security headaches for Internet Explorer.

Edge would remain sandboxed from the rest of the Operating System, thereby attempting to prevent any malicious scripts or code from affecting the OS itself. SmartScreen, introduced in IE8, is also a part of the Windows 10 shell and is supported by Edge. It can filter out phishing sites by performing reputation checks and blocking them. The new rendering engine would greatly reduce interoperability problems for web developers, thereby allowing them to devote more time to security and stability.

Most security features that had been opt-in in IE until now have been made mandatory and will always be on, protecting users. Though Edge looks promising, it is a bit rough-edged at the moment. Microsoft is in the process of embracing the extensions model of its competitors, Google’s Chrome and Mozilla’s Firefox, which is said to roll out by the end of this year. Once this is done, Edge would be in a better position to handle the internet; at least way better than IE, one would hope.

A word of caution to our readers: while you may be impatient to upgrade your operating system to Windows 10, beware of a new wave of spam emails doing the rounds. These are bogus emails offering users a free Windows 10 upgrade, even if you are not a Windows 7 or 8 user (free upgrades are given by Microsoft to genuine Windows 7 and 8 users only). These mails mostly come with malware of the nasty ransomware category. Microsoft states that users will be informed of the upgrade on their screens and not via email. Kindly refrain from clicking on such fraudulent emails.

Some images (adapted to suit the article) are courtesy of several sites.

Kaarthik RM
Threat Researcher, K7TCL


July 31st, 2015

This blog intends to discuss a few real-world difficulties in identifying whether a downloaded Android application is safe or not, along with a few precautionary steps for Android smartphone users to follow when downloading an application.

Year-on-year, smartphone usage in India is growing at an enormous rate. These days almost everything is mobile, i.e. smartphones have accommodated users in such a way that users welcome applications even for their day-to-day commercial activities like paying bills, ticket booking, etc.

Now, there arises a serious question of trust: “How far is the downloaded application safe?” It is generally believed that an application can be reasonably judged by the permissions that it requests from the user during installation. Unfortunately, in recent times, most of the legitimate applications are seen to request permissions that appear to be in no way related to their current core functionality, but only relevant to the application’s future enhancements.

Recently, I came across a popular taxi booking application requesting permission to access media files (photos/videos) as shown below.

The above scenario was observed in a well-known banking application as well.

I would also like to share another interesting incident. A couple of days ago, we at K7 Threat Control Lab, received a “false positive” report from an end user claiming that a famous game application has been flagged incorrectly.

Upon further investigation, it was noticed that the application is actually a fake installer. Unlike the original game app, this fake application tries to download further applications. The unexpected behaviour described above is not acceptable from a game application.

With many other potentially fake applications of this kind doing the rounds and the latest trend of online portals moving onto app-only services, the security risk level is certainly increasing. Worst-case scenario could involve the case of mobile wallet applications, where a user may also save his/her credit card information for future use.

It goes without saying that identifying an application as suspicious or safe remains a tough job, especially for an end user. With a mobile malware application exhibiting similar permission requests and functionality to a legitimate application, the malware analysis process is complicated. Security experts invest more time in code and metadata study to confirm an application as safe, one example being the exhaustive permissions list requested by both legitimate and malware applications, which may not even be needed for their operation.
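The permission-based judgement described above, and the taxi-booking example in the Android Marshmallow post (a ride-hailing app has no obvious need for SD-card or contacts access), can be turned into a first-pass triage step. The following is an added example, not K7’s own tooling or code from the original post: it parses the uses-permission entries of an AndroidManifest.xml, subtracts the permissions one would expect for the app’s stated category, and separates the remainder into sensitive permissions that an analyst should review first. The manifest, the app, and the per-category baseline are constructed assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Attributes on manifest elements live in the android XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest for a hypothetical taxi-booking app (not a real app
# from the post). It declares storage, contacts and SMS access alongside the
# location and network permissions such an app plausibly needs.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.taxi">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

# Assumed baseline of permissions per app category. This is an illustrative
# table for the example, not a K7 detection rule.
EXPECTED = {
    "taxi": {"android.permission.INTERNET",
             "android.permission.ACCESS_FINE_LOCATION",
             "android.permission.ACCESS_COARSE_LOCATION"},
    "game": {"android.permission.INTERNET",
             "android.permission.VIBRATE"},
}

# Permissions that expose personal data or can cost the user money.
SENSITIVE = {
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
    "android.permission.SEND_SMS", "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.READ_CALL_LOG", "android.permission.READ_PHONE_STATE",
}


def declared_permissions(manifest_xml):
    """Return the set of permission names the manifest declares."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name")
            for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}


def unexpected_permissions(manifest_xml, category):
    """Permissions declared beyond the baseline for the given category."""
    baseline = EXPECTED.get(category, set())
    return sorted(declared_permissions(manifest_xml) - baseline)


def triage(manifest_xml, category):
    """Split the excess permissions into those to review first and the rest."""
    extra = unexpected_permissions(manifest_xml, category)
    return {
        "sensitive": [p for p in extra if p in SENSITIVE],
        "other": [p for p in extra if p not in SENSITIVE],
    }


if __name__ == "__main__":
    for bucket, perms in triage(SAMPLE_MANIFEST, "taxi").items():
        print(bucket, perms)
```

An excess permission is a prompt for review, not proof of malice: the post itself notes that legitimate apps over-request for future features, so the output is a list of questions for the analyst (or, under Marshmallow, a list of permissions the user can simply deny) rather than a verdict.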

Even though the risk cannot be eliminated completely, it can be effectively reduced by following these oft-stated, traditional but still effective precautionary steps:

  1. Think twice about whether you really need an application before you download it.
  2. Download applications only from the official Playstore.
  3. Use the “Verify apps” feature from the Android OS to check whether the app is safe or not.
  4. Install trusted mobile security software, also typically downloaded from the official Playstore.

Senior Threat Researcher, K7TCL


July 23rd, 2015

This blog intends to inform the general public about some of the potential challenges posed to the security industry allegedly by international intelligence and law enforcement agencies.

A couple of years ago in an article for Virus Bulletin magazine, in response to insinuations pertaining to a tacit collusion between some members of the security industry and intelligence/law enforcement agencies, I had suggested that these agencies do not require the collaboration of Anti-Virus companies to conduct their spying activities:

“Let us not be naïve…. Should these agencies wish to snoop, they don’t require the cooperation of AV vendors.”

Recent revelations bear witness to the above statement. It is apparent that international intelligence agencies, through their codenamed “Project CAMBERDADA”, have been investing effort in their attempts to compromise several well-known Anti-Virus products, our very own K7 Computing’s products included, in order to circumvent detection and blocking of their spying activities.

Above image courtesy of Project CAMBERDADA presentation

In addition to reverse-engineering Anti-Virus products, there have even been allegations of infiltration within Anti-Virus companies’ internal networks to siphon out sensitive data.

We stand shoulder-to-shoulder with our colleagues in security companies all over the world in our pledge to protect users in any event against formidable opposition and an increasingly complex threat potential.

Samir Mody
Senior Manager, K7TCL
