
August 6th, 2014

Much has already been written about Win32/Poweliks, the touted fileless persistent malware.

The malware uses an embedded NUL within the key under the following registry path:


This non-standard use of NUL as part of the key name is not new; a similar trick was likely used by variants of more sophisticated malware such as ZeroAccess when creating helper files on disk. Regedit, a usermode process, goes through the Win32 registry API, which treats key names as NUL-terminated strings, so it cannot open or display a name that contains an embedded NUL. The native API (NtCreateKey/NtOpenKey) takes counted UNICODE_STRINGs instead, which is why the malware can create such a key in the first place, and why a tool that walks the registry through the native API sees it without difficulty. In fact K7's rootkit scanner reveals the key with ease:

The other important point is that the infection chain involves a malicious Microsoft Office document containing a dropper Windows executable, both of which must exist on disk as ordinary files, albeit ephemerally, and be executed before the above-mentioned registry entry can be created. This provides a fleeting but real opportunity to detect these vital components, and detect them we do as:

Trojan ( 0001140e1 )


Trojan ( 0049882d1 )


The techniques used by the malware to execute a JS-decoded DLL via a registry entry are indeed interesting, but there are still quite a few opportunities to flag the infection at various stages of the infection chain, including at the entry spam email stage itself. It remains to be seen if the malware evolves to employ more sophisticated techniques in future.

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

August 5th, 2014

‘tis the season for filing Income Tax Returns in India! Fa la la la la la la la! To make the task easier, nowadays there are agencies that help people file their IT returns online. On 1st August 2014 one of the researchers in our lab found in his spam folder an email from such an agency with the subject “Today is the last day for filing your Income Tax return”, i.e. a day after the 31st July (IST) deadline for filing returns had already passed.

The actual message received is shown in the image below:

What caught our attention is that, on hovering over the button “File your Income-tax return Today!”, the domain in the hyperlink target was different from the domain the email claimed to come from. The website reached by clicking the button asks for sensitive information such as PAN card and bank account details.

Further investigation identified the websites as clean. However, the Government of India has consistently advised against carrying out this kind of sensitive activity through unauthorized third-party websites, to avoid any unhappy situations, as explained in the following popup image from the bona fide portal through which ITRs ought to be filed:

The websites involved in such ITR-filing activities seem unaware of the consequences of their ill-thought-out email campaigns to promote their businesses.

It’s a known fact that attackers are always in search of new ways to harvest private or critical information from users for their own gain. The strategy used here by the third-party agency, a mailed button whose link target does not match the claimed sender, is exactly the one phishers use, and campaigns like this train recipients to click such buttons, which phishers can then exploit for GOOD RETURNS!

Let’s now look at other facets of the above email which increase suspicion levels:

  1. The email is not addressed to the recipient by name but carries an unfilled template placeholder, “Hello [NAME]”
  2. Questions are to be emailed to an address whose domain name appears, at first glance, to be outside India

No wonder this email, which by the way was received TWICE within a short span of time, ended up automatically in the spam folder.

Vivek Das
Automation Developer, K7Lab


July 24th, 2014

Occasionally, we at K7 Threat Control Lab receive reports from our clients that a website they visited is being blocked by our product, reported as a URL false positive. In many such cases, our investigation shows that the reported URL has in fact been injected with malicious scripts.

Recently, we came across one such incident from a client regarding an Indian government site being blocked.

When analyzed, many of the pages on that website were found to be injected with a JavaScript pointing to a randomly named PHP file “QwYygBKV.php” as shown in the image below.

It is likely that the web server has been compromised by remote hackers via exploitation of some vulnerability. Here is the code which writes the script tag in HTML files:

In spite of the random-looking name, the same PHP file name was found on many other domains as well. Even though the web page to which the URL points is no longer alive and returns a “404” error, the reported website is still detected, because its pages hold the link to malicious content. Interestingly, the malicious PHP file was hosted on the reported domain itself; usually the link is a redirection to another malicious website.
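The check described above can be automated: inspect the HTML itself for script tags that pull a randomly named .php file, regardless of whether that file still exists. The scanner below is an added example, not K7's tooling; the three sample pages are constructed inline, and the file name QwYygBKV.php is the one from the incident.

```python
"""Scan HTML pages for the kind of injected <script src="..."> tag described above:
a script loaded from a randomly named .php file. Added example; not K7's tooling."""
import math
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages. index.html is clean; the other two carry the injected tag,
# one referencing the PHP file on the same host and one on a remote host.
SAMPLE_PAGES = {
    "index.html": '<html><head><script src="/js/jquery.min.js"></script></head>'
                  '<body><p>Welcome</p></body></html>',
    "about.html": '<html><head><script type="text/javascript" src="/QwYygBKV.php"></script>'
                  '</head><body><p>About</p></body></html>',
    "contact.html": '<html><body><p>Contact</p>'
                    '<script src="http://example.invalid/QwYygBKV.php"></script></body></html>',
}

PHP_PATH_RE = re.compile(r"\.php$", re.IGNORECASE)
RANDOM_STEM_RE = re.compile(r"^[A-Za-z0-9]{6,}$")


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def shannon_entropy(text):
    """Bits per character; a random 8-character mixed-case stem scores near 3."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicion_reasons(src):
    """Reasons a script src looks injected (empty list means nothing suspicious)."""
    path = urlparse(src).path
    basename = path.rsplit("/", 1)[-1]
    stem = basename.rsplit(".", 1)[0]
    reasons = []
    if PHP_PATH_RE.search(path):
        # JavaScript is served from .js files; a <script> pulling a .php URL is odd on its own.
        reasons.append("script loaded from a .php file")
    if (RANDOM_STEM_RE.match(stem)
            and any(ch.isupper() for ch in stem)
            and any(ch.islower() for ch in stem)
            and shannon_entropy(stem) >= 2.5):
        reasons.append("random-looking file name")
    return reasons


def scan_pages(pages):
    """Map file name -> [(src, reasons)] for every page containing a suspicious script tag.
    Only the HTML is inspected: a page stays flagged even if the referenced file now 404s."""
    findings = {}
    for name, html in pages.items():
        collector = ScriptSrcCollector()
        collector.feed(html)
        hits = [(src, suspicion_reasons(src)) for src in collector.srcs]
        hits = [(src, reasons) for src, reasons in hits if reasons]
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for name, hits in scan_pages(SAMPLE_PAGES).items():
        for src, reasons in hits:
            print(f"{name}: {src} -> {'; '.join(reasons)}")
```

Run over a site's document root, this flags both pages; the 404 on the referenced file is irrelevant to the verdict, which is exactly why the site above stayed detected after the PHP file was removed. The randomness heuristic is deliberately loose and should be tuned against the site's own legitimate script names.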

In this case the administrator has probably removed the aforementioned PHP file. Unfortunately the infection has not been cleaned completely: the web pages still carry the link to the now-unavailable malicious content.

We have informed the concerned authority of the reported website about the scenario and the recommended course of action.

One would hope that such incidents would remind administrators that when weeding websites of infections, identifying the vulnerabilities that were exploited and patching them in the first place and ensuring the integrity of the website content, are as important as removing the malware component itself.

As for K7 users, this website shall remain blocked since the loophole that the attacker exploited to host this file on the site might still be at large.

Malware Analyst, K7TCL


July 22nd, 2014

This is the first part of a three-part blog based on my paper for AVAR 2012 that discusses the security challenges involved in adopting two relatively new technologies, namely, Internet Protocol Version 6 and Internationalized Domain Names.

The Internet landscape is about to witness profound changes with the mass adoption of Internet Protocol Version 6 (IPv6) and Internationalised Domain Names (IDNs) in the near future. While these developments have the potential to be immensely beneficial, they also present certain challenges to the security industry which need to be addressed. These changes not only increase the attack surface for malware authors and spammers, but also render traditional methods of URL and spam blocking obsolete.

The exhaustion of the 32-bit IPv4 address space allocated by the Internet Assigned Numbers Authority (IANA) has led to the roll-out of its 128-bit successor, IPv6. This provides a vast increase in the pool available for assigning unique IP addresses, not only to computers but also to other Internet-connected devices. Spammers and malware authors gain a far larger address space to infect and cycle through, which undermines existing methods of detecting spam/malware URLs that rely on blocklisting individual addresses.
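The practical consequence for URL blocking is that an IPv6 blocklist has to match on prefixes, not on exact address strings, and has to canonicalise the many textual spellings of one address first. The code below is an added example, not part of the paper; the blocklist prefixes are constructed from the documentation ranges (2001:db8::/32 and 203.0.113.0/24).

```python
"""Match IP literals in URLs against a blocklist at prefix granularity and
canonicalise IPv6 spellings, so that a sender cycling through addresses in
one /64 cannot evade an exact-string blocklist. Added example, not K7's
code; the prefixes below are constructed from documentation ranges."""
import ipaddress
from urllib.parse import urlparse

# Constructed blocklist. Real entries would come from a reputation feed.
BLOCKLIST = [
    ipaddress.ip_network("2001:db8:bad::/48"),  # constructed IPv6 range (RFC 3849 prefix)
    ipaddress.ip_network("203.0.113.0/24"),     # constructed IPv4 range (RFC 5737)
]


def address_in_url(url):
    """Return the canonical ip_address of the URL's host, or None if the host is a name.
    urlparse strips the brackets around IPv6 literals; ipaddress collapses the
    many equivalent spellings (leading zeros, upper case, '::') into one object."""
    host = urlparse(url).hostname
    if host is None:
        return None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    # ::ffff:a.b.c.d is an IPv4 address in IPv6 clothing; check it as IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def is_blocked(url, blocklist=BLOCKLIST):
    """True if the URL's host is an IP literal inside any blocklisted network."""
    addr = address_in_url(url)
    return addr is not None and any(addr in net for net in blocklist)


def offending_prefixes(addresses, prefixlen=64):
    """Collapse individual IPv6 hits into the /prefixlen networks containing them.
    A /64 is the smallest assignment a single host normally controls, so blocking
    at that level covers every address the sender can cycle through."""
    nets = set()
    for text in addresses:
        addr = ipaddress.ip_address(text)
        if addr.version == 6:
            nets.add(ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False))
    return sorted(nets)


if __name__ == "__main__":
    for url in ("http://[2001:0DB8:0BAD:0001::1]/login", "http://[::ffff:203.0.113.9]/x",
                "http://[2001:db8:1::1]/", "http://example.invalid/"):
        print(url, "blocked" if is_blocked(url) else "allowed")
    hits = ["2001:db8:1:2::1", "2001:db8:1:2::ffff", "2001:db8:1:3::7"]
    print([str(n) for n in offending_prefixes(hits)])
```

The first URL is written with upper case and leading zeros and still matches, the second hides an IPv4 address inside an IPv6 literal, and the last function turns a handful of observed addresses into the two /64s that should actually be listed.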

The Internet Corporation for Assigned Names and Numbers (ICANN) has expanded domain names to include non-ASCII based IDNs in a user’s native language script. While these transitions have the potential to localise the global Internet, they also provide cyber criminals (spammers/phishers/malware distributors) enhanced opportunities for exploitation, especially via social engineering.

These cyber criminals will now have the ability to redirect a user to a URL with a character set unfamiliar to him/her. Given the exponential increase in the number of URLs shared among users in our socially inter-networked world, validation of these URLs by the user prima facie now becomes much more complicated, leading to a higher compromise success rate for cyber criminals.

This paper describes the imminent major changes to the Internet networking infrastructure. It attempts to explore the security challenges involved in these milestone developments and presents potential solutions to address them.

The IPv4 Clock is Ticking

The expansion of the Internet from an esoteric academic project to a publicly accessible resource, coupled with the surge of Internet enabled devices over the last decade have contributed to the shrinking pool of available IPv4 addresses.

Fig.1 depicts the number of expected Internet enabled devices and Internet users by 2016, and how they measure up with the number of IPv4 addresses available.

Fig.1: Number of connected devices & Internet users by 2016 [1]

Conservation efforts such as Network Address Translation (NAT), Classless Inter-Domain Routing (CIDR), reclaiming unused addresses, etc., only prolonged what was unavoidable: the depletion, and eventual exhaustion, of IPv4 addresses.

Given that IANA, the ICANN function responsible for allocating IP address blocks, handed the last five /8 blocks of IPv4 address space to the five Regional Internet Registries (RIRs) in February 2011 [2], the need for change is rather pressing.

IPv6 to the Rescue

This IPv4 address crunch has been anticipated for many years, and the Internet Engineering Task Force (IETF) has been working on refining IPv6, the successor to IPv4, since the early 1990s [3]. This version of the Internet Protocol supports about 340 undecillion (2^128) addresses, compared to the relatively minuscule 4.3 billion (2^32), a number smaller than the current world population, offered by its predecessor. Apart from this massive increase in the address space, the IETF also built other features into IPv6, such as support for IPsec, auto-configuration of devices, etc. [4]

These benefits, along with the availability of IPv6 from ISPs, increased end-user device support & IPv6 content, will ensure the adoption of IPv6 in the years to come, eventually making it the dominant Internet Protocol.

Fig.2 shows that, as expected, the percentage of users accessing Google over a native IPv6 connection has seen a steep rise over recent times.

Fig.2: Percentage of IPv6 users accessing Google [5]

What’s in a Domain Name

The demand for Internationalised Domain Names (IDNs) has always existed in view of the fact that 60% of the countries around the world have an official language other than English [6]. ICANN, which has domain names within its remit, has recently started allowing IDNs to satisfy this unmet demand.

The introduction of IDNs allows non-ASCII character sets like Arabic, Cyrillic, Tamil, Hindi, Chinese, etc, to be included in a domain name, potentially paving the way for a truly globalised Internet.

These IDNs are converted into ASCII using Punycode (RFC 3492), an encoding invisible to the user: each non-ASCII label becomes an ASCII label prefixed with “xn--”, so that the existing DNS can resolve it unchanged.

Fig.3 shows a domain name in English, a hypothetical IDN equivalent in the Tamil script (the name does not actually exist), and the Punycode representation of the IDN that is used for domain name resolution.

Fig3: Domain Name, IDN, Punycode representation
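The conversion in Fig.3 can be reproduced with Python's built-in IDNA codec, and the same place is where a link-inspection tool would apply the check that matters for the social-engineering risk discussed above: does a label mix letters from more than one script? This is an added example, not the paper's code; the domain names are constructed, and the script check approximates a character's script from its Unicode name because the standard library does not expose the Script property.

```python
"""Convert between an IDN (U-label) and its Punycode A-label, and flag labels
that mix Unicode scripts, the homograph trick the text warns about.
Added example, not the paper's code; the domain names are constructed and
the script check approximates Unicode script from the character's name,
since unicodedata does not expose the Script property directly."""
import unicodedata


def to_alabel(domain):
    """U-label -> ASCII form (xn--...) that the DNS actually resolves."""
    return domain.encode("idna").decode("ascii")


def to_ulabel(domain):
    """ASCII (xn--...) form -> Unicode form shown to the user."""
    return domain.encode("ascii").decode("idna")


def scripts_in(label):
    """Approximate set of scripts used by the letters of one label, e.g. {'LATIN'}
    or {'LATIN', 'CYRILLIC'}. Digits, hyphens and combining marks are ignored."""
    scripts = set()
    for ch in label:
        if unicodedata.category(ch).startswith("L"):
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def is_mixed_script(domain):
    """True if any label combines letters from more than one script: 'pаypal' with a
    Cyrillic 'а' (U+0430) looks identical to the Latin word but is a different name."""
    return any(len(scripts_in(label)) > 1 for label in domain.split("."))


def describe(domain):
    """Both forms of a Unicode domain plus the mixed-script verdict."""
    alabel = to_alabel(domain)
    ulabel = to_ulabel(alabel)
    return {"alabel": alabel, "ulabel": ulabel, "mixed_script": is_mixed_script(ulabel)}


if __name__ == "__main__":
    # Constructed examples: a German word, a Tamil word, and a Latin/Cyrillic homograph.
    for name in ("bücher.example", "தமிழ்.example", "p\u0430ypal.example"):
        print(describe(name))
```

Python's built-in codec implements IDNA 2003; the `idna` package on PyPI implements IDNA 2008 and UTS 46, which is what browsers follow. The mixed-script rule here is a rough version of the policy browsers use to decide whether to show the Unicode form or fall back to the xn-- form in the address bar.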

The current demand for IDNs, combined with registrars offering them at prices lower than regular domains, could see a surge in the number of non-English sites registering domain names in their local language.

To be continued…

[4] Information on

Images courtesy of &

Lokesh Kumar
Manager, K7 Threat Control Lab


June 26th, 2014

This is the second part of a two-part blog based on my paper for AVAR 2011 that discusses the Android Threat Landscape and the ways of mitigating the risk.

Continuing from the first part of my paper…

Threat Store

Just as PC malware changed character over time, Android threats have followed a similar trajectory. In the early stages most Android threats were of low severity: compromised devices were used to send SMS or make calls to premium rate numbers without the user’s knowledge, e.g. Trojan-SMS.AndroidOS.FakePlayer.a [Kaspersky].

Towards the end of 2010, Android malware took a different shape, with botnet behaviour driven by a Command & Control (C&C) channel over which the malware awaits remote commands from its author. On command, most such applications either download further applications or send out confidential data, unique device identifiers and the SIM card number to the malware author. Trojan-Spy.AndroidOS.Geinimi is one such malware, and behaves as a fully fledged bot.

Some malware exploit vulnerabilities to gain root access to the device and then act with that privilege. The infamous TrojanSpy:AndroidOS/DroidDream.A (aka Backdoor.AndroidOS.Rooter.a [Kaspersky]) is of this kind. DroidDream is typically bundled with legitimate applications, such as games, and is installed along with the original application. The first time round it requires user intervention to start. Once the infected application is started, it attempts to gain root using the public PoC exploit Exploid; if that fails, it tries another PoC exploit, RageAgainstTheCage. Once root access has been secured, DroidDream checks whether its DownloadsManager package is installed on the device and, if not, silently installs the copy it carries within itself into the /system/app directory. This time the user is not asked to grant the permissions needed to install the application. The malicious DownloadsManager application installs in the background and starts its service, which then acts on commands from the C&C server.

The recent Android malware trend has advanced further. Android threats can now even make new outgoing calls, record the conversation on calls without the user’s knowledge, monitor and log the activities of the user in the device, and pass on all of this information to the malware controller. Trojan.AndroidOS.NickiSpy, mentioned earlier, functions as described.

Let us have a quick look at the behavior of some of the known Android malware, which were found since August 2010. The threats are listed in chronological order:

Threat name | Behaviour
Trojan-SMS.AndroidOS.FakePlayer.a, .b, .c | Manual install, distributed via SMS, sends SMS to premium rate numbers, third-party market
AndroidOS_Droisnake.A | Manual install, sends GPS information to a server, downloads an application and gathers user data, Android Marketplace
Trojan-Spy.AndroidOS.Geinimi.a | Both manual and automatic install, botnet, works on C&C method, third-party Chinese market
Trojan-Spy.AndroidOS.Adrd.a | Less severe version of Geinimi.a, manual install only, botnet, works on C&C method, third-party Chinese market
Trojan-Spy.AndroidOS.Adrd.c | Manual install, works on C&C method, third-party Android marketplace
Backdoor.AndroidOS.Rooter.a (well known as DroidDream) | Manual install, first to use the Exploid and RageAgainstTheCage exploit code, gains root access, Android Marketplace
Backdoor.AndroidOS.SerBG.c | Manual install, Android Marketplace, gains root access, bundled with a security tool released as a DroidDream cure
Android.Zeahache | Manual install, gains root access, first found in a Chinese application downloaded from a Chinese application market
Trojan.AndroidOS.Pirater.a | Manual install, both Android and third-party markets, sends SMS or makes calls to premium rate numbers, gathers phone status and network status, accesses the address book, can also switch the phone on or off
Backdoor.AndroidOS.Adsms.a | Distributed via SMS, targets Chinese users, installs a configuration file that sends SMS to premium rate numbers, Android Marketplace
Trojan-SMS.AndroidOS.Raden.b | Manual install, Android Marketplace, targets Chinese users, sends SMS to premium rate numbers
Trojan-Downloader.AndroidOS.DorDrae.b (well known as DroidDreamLight) | Newer version of DroidDreamLight, manual install, works on C&C method, Android Marketplace
Backdoor.AndroidOS.KungFu.b | Both manual and automatic install, gains root access, works on C&C method
Android.Basebridge | Manual install, third-party market, gains root privileges, sends SMS to premium rate numbers, can make calls, delete all inbox messages, etc.
Trojan.AndroidOS.Plangton.b | Both manual and automatic install, Android Marketplace, sends device information to a remote server, downloads a file from that server which monitors all activity and reports back, i.e. works in C&C fashion
Backdoor.AndroidOS.Xsider.b | Both manual and automatic install, third-party market, targets Chinese users and users of custom ROMs
Android.Golddream | Both manual and automatic install, third-party and Android Marketplace, works on C&C method
Trojan-Spy.AndroidOS.Smser.a, Trojan-SMS.AndroidOS.Hispo.a | Manual install, third-party market, forwards all SMS from the compromised device to a remote location
Android/Sndapps.A | Manual install, Android Marketplace, works on C&C method, sends personal information such as email addresses and contact-list numbers to a remote server
Android.NickiSpy | Manual install, third-party market, first to spy on user conversations, records them and sends them to a remote server, works on C&C method
Trojan-Spy.AndroidOS.Cosha.a (well known as Android.LuvTrap) | Manual install, Chinese third-party market, downloads premium rate numbers from a website and sends SMS to them while suppressing the confirmation alerts shown to the user
Android.Premiumtext | Manual install, third-party market, sends premium rate SMS
Android.Nickibot | Manual install, third-party market, newer version of NickiSpy, controlled by SMS messages instead of C&C messages
Android.Dogowar | Manual install, third-party market, sends SMS to all numbers in the contact list

Table 1: Android Malware from August 2010 to September 2011

The list in Table 1 is extensive and does not include the malware seen after the time mentioned. Some of the malware are found to be bundled with Chinese applications when they are spotted for the first time, and most Android malware are believed to originate in Russia or China.

With the advancement in technology, smartphones play a vital role in managing business communications. There is a huge risk that sensitive data stored on smartphones may get stolen. Mobile security reports reveal the immense growth of Android malware since 2010, as exemplified in Table 1. All Android users should be aware of the risks of infection, and the possible ways of safeguarding themselves.


Most of the time users, when installing applications on their PC or mobile device, are impatient when reading through the licence agreement or any alerts that pop up, and simply click ‘OK’ to proceed. Attackers find that the easiest way to compromise a mobile device is to obtain the user’s own permission. This is “social engineering”, a classic exploitation of “PEBCAK”, i.e. “Problem Exists Between Chair And Keyboard”, when applied to PCs. In the case of mobile devices, a more appropriate acronym could be …“SUPER”, i.e. Smart User Prevents Error Root.

Social networking plays a major role in the modern world and is a widely used global communication medium.  Hackers take advantage of the users of smartphones that facilitate social networking, often via applications that trick the user into providing the required permissions to access the contacts list or email address book. Once these permissions are granted, it may be possible to send out unwanted SMS or spam mails from the compromised device. Users have the responsibility to pay close attention to the permission levels they grant for the applications they install, deciding whether each application is in need of the requested Capabilities to perform its activities. Of course, this is no easy task given that many users may be technically unable to gauge the specific permissions required per application. More information and education in this respect might be helpful.

Additionally, users need to be aware of what the applications they download do and where they are downloaded from. Users are strongly recommended to download applications from the established, dedicated online Android application market (the Android Marketplace, now Google Play) rather than from a new or unknown source. This reduces the risk of becoming a malware victim to an extent, since well-known markets are scrutinized regularly and malicious applications are removed. It also helps that applications on the Android Marketplace (now Google Play) come with review comments and a reputation level, which can guide the user in validating applications prior to install.

Users, as always, should have updated security software installed to protect their devices from being hijacked. Security software will block known malware, whilst also monitoring the runtime behavior of applications such that any malpractice identified would be blocked. Security software could also block access to unwanted or blacklisted websites, in addition to blocking suspicious network activity without explicit user consent.

Some of the Android Security software products have Parental Control included in their features list that helps users to either blacklist or whitelist a contact number, which holds good even for SMS services. User would then be able to add contact information to a whitelist database, restricting the numbers to which SMS can be sent.

As much Android malware aims at obtaining root access, a few security products go a step further and identify whether the device is ‘rooted’ and warn the user. This feature also explicitly alerts the user if any application requests root access.

In the event that a phone is lost or stolen, in which case all the information stored in the phone is now exposed to the outside world, some security software provides the users with the ability to remotely clear off the data from the stolen device, and block the device itself, with an online data backup to recover the lost data.

With Freedom Comes Great Responsibility

Google’s target of spreading Android across Asia is being achieved with great success, as exemplified by the Android sales graph, which shows a persistent upward trend. Cost-effective Android phones have already conquered much of the smartphone-user and gadget-lover market. However, the popularity of Android makes it a viable and tempting target for hackers, and therefore the increasing spread of Android-specific malware has to be expected.

Current Android malware functionality ranges from sending SMS (to premium rate numbers) to stealing confidential data, and being controlled via remote Command & Control servers. Hackers use online Android application markets as a pathway onto the victim’s device. It’s a must that users make themselves well aware of the online stores, which must be of good repute, from where they download applications.

The Android OS strives to fulfil the user’s demand for security features within its current security model. The concept of permissions via application ‘Capabilities’, to an extent, holds good to protect the device from abuse. However, the hackers use clever social engineering techniques to entice users into providing the requisite permissions to their malware programs. Users should be wary of attempts to trick them into granting permissions which are inconsistent with the advertised functionality of the application in question.

It goes without saying that each device should have security software installed to detect and block any untoward activity. However, as the proverb goes, “Prevention is better than Cure”. User education and vigilance would go a long way in mitigating the spread of Android malware, and users have a role to play in this respect.

Images courtesy of:

Malware Analyst, K7TCL


June 18th, 2014
Since we recently added K7 Mobile Security to our portfolio of security products, we thought it would be apt to revisit one of my research papers, which discusses the Android Security Model and the Android Threat Landscape. Here is the first part of a two-part blog based on my paper submitted for AVAR 2011. The threat landscape is still relevant today.

Evidently there has been large and sustained growth of Android use in Asia in recent times. With the increasing popularity of Android comes the danger of malware attacks. Studies of Android mobile security reveal that Android threats are growing faster than PC malware did at a comparable stage of development.

Given that the Android business model allows users to download new applications from the internet, social engineering will no doubt play a major role in propagating malware. Thus far, most of the identified Android threats take this simple route to reach a victim’s device, then obtain the user’s permission to get installed, and finally make use of potential flaws in the Android security model to send out confidential data. The consistent increase in the number of threats suggests that it is high time users were made aware of the possible ways in which their device could be compromised, so that they can safeguard against attacks. In addition, users need to be made aware of the current Android threat landscape to help identify and isolate applications that could contain malicious code.

This paper will discuss the Android Security Model, and hopes to present a detailed account of the nature of the Android threat landscape so that users in Asia and elsewhere are made aware of the dangers involved in the use of Android, whilst also focussing on the ways and means of mitigating the risk.

Nurturing a Behemoth

The year is 2008. Android, the mobile operating system developed by Google, gains in popularity amidst other leading mobile platforms like iPhone OS, Symbian or Windows Mobile, because of its open source status. The success of Android mobiles will be a chain reaction, feeding on its own popularity, since people would prefer cost-effective devices with smartphone-like features rather than costly mobiles with a load of gimmicks.

Unlike Windows Mobile, iOS and Blackberry that have a limited number of applications and strict copyright policy, Android users have the choice of many applications. In other words, the openness in the Android application development environment, allows the application developers and handset manufacturers to develop customized applications which suit customer requirements. This also paves the way for new business opportunities for Android application developers.

The Android operating system incorporates the Dalvik VM, chosen mainly so that applications can run even on low-end handsets with minimal memory usage. This stands as yet another advantage of the Android platform, as it addresses the complaint of high memory usage, and the resulting application slow-down, reported by users of other high-end mobile platforms.

Given the above characteristics, Asian users are migrating to Android phones at a phenomenal pace, and Google’s plans to capture the smartphone market in Asia are succeeding. However, this increasing popularity provides hackers and malware authors an irresistible opportunity for exploitation and financial gain, and the number of Android mobile malware in the wild has grown at a very high rate, despite Android’s seemingly adequate security features.

Hark! Who Goes There?

Android was developed with the idea of delivering a cost effective smartphone with almost all of the features of a ‘real computer’. The above idea is greatly facilitated by allowing users to install applications of their choice. Unlike Apple or other smartphone markets, Android users are not restricted to download applications solely from one dedicated, proprietary site, i.e. Google’s Android Marketplace, but are free to obtain programs from different marketplaces. This idea of an open market exposes the user to a higher security risk, however Google has incorporated certain security features to protect users from malware attacks, with a negligible compromise on performance or flexibility.

To enforce isolation, Android separates installed applications from each other at the system level by assigning each application, and the process it runs in, a unique Linux user ID that the user never sees. Whenever an installed application or one of its components is invoked, the kernel identifies the application by that user ID and starts the corresponding process in its own sandbox; applications do not normally share a user ID, so one application’s process cannot reach into another’s. Two applications can share a user ID, declared at install time, only if both are signed with the same certificate. Note that Android application certificates are self-signed: no independent certificate authority is involved. The certificate’s purpose is to identify the application author and to tie updates (and shared-UID requests) to the same signing key; developer registration with the marketplace is a separate process.

The security enforcement of the Android OS is further strengthened by the concept of Capabilities of the components. Every application has a manifest file which declares the API levels it needs and, most importantly, its Capabilities, i.e. the Access Permissions over and above the default level of the Dalvik sandbox that each of its components requires in order to access device data. An application’s Capabilities to access another application’s components or device data are declared statically in the manifest and granted at install time, typically with the user’s explicit consent, and cannot be changed while the application runs. Inter-application communication happens only if the requesting application, the caller, holds the Capabilities the callee requires.

In the above figure, Application 1 with Capabilities X is authorized to access a component of Application 2, and Application 2 with Capability Y is authorized to access a component of Application 3. Application 3 does not have the Capabilities to access the components of Application 1 or Application 2. All 3 applications run within their own Dalvik VMs and their access permissions are enforced by the Android OS.

Please Sir, Can I have MORE?

Since inter-component communication is really based on the Capabilities of the applications, and these Capabilities may require explicit user consent, malware applications can pretend to be legitimate and entice users into granting permissions to access sensitive areas such as the device or user data, the network, etc. Access permissions have to be requested and granted at install time itself. These malicious applications have to take advantage of social engineering techniques to receive the desired Capabilities to accomplish their tasks.

Hackers get into the Android Marketplace by exploiting the fact that applications can be self-signed, as mentioned earlier: they upload malicious code bundled with legitimate applications under their own self-signed certificate. For instance, the Android malware Nickispy poses as part of an alarm receiver, but obtains from the user the ability to make or cancel calls, send SMS to the numbers in the contacts list, and more, by requesting those permissions through its manifest file. Let us have a look at Nickispy’s manifest file:

Nickispy, supposedly a simple alarm receiver application, requests the permissions listed in the figure below from the user:

In fact Nickispy sends out data without the user’s knowledge.
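As an added example (not code from the original post), the check an analyst would run on such a manifest: list every permission it requests and flag those that the app's advertised purpose does not explain. The permission names are real Android identifiers; the manifest text and the alarm app's assumed needs are constructed for the example.

```javascript
// Added example, not from the original post. Permission names are real Android
// identifiers; the manifest and the alarm app's needs are constructed assumptions.

// Permissions reaching calls, messages, contacts or the network: nothing an
// alarm clock has a reason to ask for.
const SENSITIVE = new Set([
  'android.permission.CALL_PHONE',
  'android.permission.PROCESS_OUTGOING_CALLS',
  'android.permission.SEND_SMS',
  'android.permission.READ_CONTACTS',
  'android.permission.INTERNET',
]);

// Pull every <uses-permission android:name="..."/> out of the manifest text.
function requestedPermissions(manifestXml) {
  const re = /<uses-permission\b[^>]*\bandroid:name\s*=\s*"([^"]+)"/g;
  const found = [];
  let m;
  while ((m = re.exec(manifestXml)) !== null) found.push(m[1]);
  return found;
}

// Return the requested permissions that the stated purpose does not explain,
// flagging those from the sensitive set. An empty result means the manifest
// asks for nothing beyond its cover story.
function auditPermissions(manifestXml, neededForPurpose) {
  const needed = new Set(neededForPurpose);
  return requestedPermissions(manifestXml)
    .filter(p => !needed.has(p))
    .map(p => ({ permission: p, sensitive: SENSITIVE.has(p) }));
}

// Constructed manifest for a supposed alarm receiver that, like the case above,
// asks for call, SMS, contact and network access.
const SAMPLE_MANIFEST = `<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.alarmreceiver">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Alarm"/>
</manifest>`;

// What an alarm receiver plausibly needs (an assumption for the example).
const ALARM_APP_NEEDS = ['android.permission.RECEIVE_BOOT_COMPLETED',
  'android.permission.VIBRATE', 'android.permission.WAKE_LOCK'];
```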

…To second part

Images courtesy of:

Malware Analyst, K7TCL

April 24th, 2014

Much has already been written about the infamous Heartbleed vulnerability (CVE-2014-0160), the best technical piece being on Cloudflare’s blog. Unfortunately, as always in such cases, there has also been a lot of junk spewed out causing undue panic amongst the masses. A glaring example of this was a recent article in a well-known Indian daily newspaper reprehensibly titled the “Heartbleed Virus”, at which point one ought to stop reading the article.

Heartbleed is NOT a virus! It cannot spread from machine to machine, from device to device, and it cannot directly damage your computer. That is not to say that Heartbleed is not a serious issue. It is! Rather, the gravity of the situation very much depends on who you are. If you are an average individual surfing the internet on your home computer, one could argue that Heartbleed is unlikely to affect you very much. We must perforce qualify this opinion.

Heartbleed is a vulnerability in the OpenSSL library, which is used to encrypt vast amounts of internet traffic to protect it from being snooped upon, unless the NSA is involved that is. The SSL/TLS protocols use Public Key Infrastructure (PKI) which is a proven technology for achieving Pretty Good Privacy, and hence is ubiquitous on the internet. Heartbleed, by potentially allowing the exposure of private keys on a secure webserver to a remote attacker, threatens the integrity of PKI-protected communication over a network. One could picture a heavily-reinforced steel vault, with the master key visible under the door mat outside.

It is entities such as corporates, governments, etc., that have webservers using a vulnerable version of OpenSSL that are most at risk of potentially revealing critical confidential data, especially private keys. If you are such an entity we urge you to upgrade your version of OpenSSL immediately, and make a call on revoking and reissuing your private keys. Unfortunately attempted exploitation of Heartbleed does not necessarily leave evidence behind, and the nature of the vulnerability is such that it may be virtually impossible to tell what, if any, data has been leaked. Note that the vulnerability had existed for a couple of years before its discovery.

Let us now address the risk posed to the individual surfer. Although there is indeed some risk of your password and other data being leaked from some website you have logged into if the server hosting the site was being targeted, the chances are rather slim. This is because successful Heartbleed exploitation tends to reveal only ephemeral data, and on a webserver hosting a popular site with several concurrent logged-in sessions, especially one where the average individual logs out after visiting the page (assuming this frees up the session resources on the server for the next user), the probability of leaking confidential data, and that too data specifically pertaining to you, is low. Notwithstanding, to be on the safe side, you may yet wish to change your passwords if the site in question has admitted to being vulnerable earlier and has since patched the flaw. After all, based on GitHub’s advice, we in the Taggant Library Maintenance Committee (part of the IEEE Anti-Malware Support Service) did change our passwords for the following repository:

In addition, client-side devices, including those running certain versions of Android (reportedly 4.1.0 and 4.1.1), could also be vulnerable to Heartbleed-based data leakage and ought to be patched ASAP, even though exploitation on the client side is an even more remote possibility.

Samir Mody
Senior Manager, K7TCL

April 1st, 2014

Virus Authors’ International Network (VAIN), the body looking after the interests of malware authors around the world, has unanimously voted for strike action with immediate effect. The number of malware written today, the 1st of April 2014, could be badly affected.

Otto Runn Würm, General Secretary of and spokesperson for VAIN, said

“It’s about job security, pensions, … and, of course, about better conditions in jail. Our members seek comfort at all times.”

Unfortunately malware writing services are expected to return to normal by tomorrow, if they haven’t done so already.

Samir Mody
Senior Manager, K7TCL

March 28th, 2014

This is volume III (…a lengthy one…) of a three part series based on our (Kaarthik RM and Rajababu A) paper for AVAR 2013, discussing the prevalence of autorun malware in the Asian region and taking it further by analyzing an example of such malware.

Carrying on from where we left off earlier…

How Do I Do It?: Obfuscation and Encryption, Immediate-Invocation Techniques

This JavaScript worm employs heavy obfuscation, encryption and immediate-invocation techniques to protect itself from prying eyes, which reduces readability to a large extent.

Figure 1: Image Showing a Single Line of Script with Around 40K Characters

From the screenshot above it is evident that the script consists of just one line of forty-four thousand and odd characters.

The script makes heavy use of random strings, 7 to 9 characters long, as variable names; they look uniform but are not. In the function expression, the four parameters are distinct: their first three and last two characters are the same, with random characters filled in between.

Formatting the above script (as shown in Figure 1) using tools like Malzilla [1] introduces some readability into the script. Note that the function expression is enclosed within parentheses, and once the expression ends another set of parentheses encloses a large string (an encrypted string in our case). This form of invoking a function without explicitly calling it is widely known as a ‘self-executing anonymous function’ [3] or an ‘Immediately-Invoked Function Expression’ [2].

Below is the first level of obfuscation in the script:

Figure 2: Obfuscated Script with Simple Formatting Applied

This worm deploys its script as a ‘self-executing anonymous function’ / ‘Immediately-Invoked Function Expression’. To understand this better, consider the example below:

Figure 3: Normal Function

The above shows a normal function expression and how it is invoked.

Now consider this:

Figure 4: Immediately-Invoked Function Expression

Here the expression and invocation happen simultaneously. The function expression here is immediately invoked by introducing the argument along with the expression as:

Figure 5: Expression and Argument

The expression is highlighted in red and the argument in green. The underlying point is that this function does not need a separate call to run. The code shown in Figure 2 has just a single function expression with four parameters; the actual arguments are found within the last set of parentheses, and the function decrypts these encrypted strings into another script, as shown in Figure 6:

Figure 6: Second Level of Decryption

This first level of decrypted code is again an immediately-invoked function, which in turn decrypts into another script and an array of strings.

Figure 7: Screenshot Showing Array Values Being Referenced

This second level of decrypted script refers to array values indexed from 0 to 380; these values are looked up in the array shown in Figure 8.

Figure 8: Array of Strings Showing What Will be Referenced in the Script

Substituting the appropriate array values into the script made it more readable; one can conclude that the indirection was introduced to hinder readability.

Figure 9: Final Script with Array Values Replaced

The script in Figure 7 turns into the script shown above (Figure 9) once we substitute the array values. From the screenshot it is clear that the worm is trying to extract several pieces of sensitive user information via the “Winmgmts” object.

Apart from the above, the script also uses a number of size-optimization techniques. For instance, it uses exponent form for large numbers, and “!0” for true and “!1” for false. This can be seen in the code snippet shown in Figure 10.

Figure 10: Optimization Used in Code
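The layering described above (an IIFE whose argument is the next encrypted stage, a string array referenced by index, and the `!0`/`!1` and exponent shorthand) can be undone statically. The helpers below are an added example, not code from the original post or from the worm; they split one IIFE layer into body and argument, inline the array references and expand the shorthand, with a constructed benign sample in the same shape.

```javascript
// Added example, not code from the original post or from the worm: helpers to
// peel back the cosmetic layers described above without running the script.
// The sample script below is constructed and benign.

// Split (function(p1,...){ body })("argument") into its parameters, body and
// string argument, so the argument (the encrypted payload in the worm's case)
// can be examined on its own.
function splitIife(script) {
  const m = /^\s*\(function\s*\(([^)]*)\)\s*\{([\s\S]*)\}\s*\)\s*\(\s*(["'])([\s\S]*?)\3\s*\)\s*;?\s*$/.exec(script);
  if (!m) return null;
  return {
    params: m[1].split(',').map(p => p.trim()).filter(Boolean),
    body: m[2].trim(),
    argument: m[4],
  };
}

// Replace references such as z[12] with the literal at that index in the
// script's own array declaration (var z=["...","..."];), the substitution that
// made the final script readable. Assumes a double-quoted, JSON-style literal.
function inlineStringArray(script) {
  const m = /var\s+([A-Za-z_$][\w$]*)\s*=\s*(\[[\s\S]*?\])\s*;/.exec(script);
  if (!m) return script;
  const [decl, name, literal] = m;
  const values = JSON.parse(literal);
  const ref = new RegExp('(?<![\\w$])' + name.replace(/\$/g, '\\$') + '\\[(\\d+)\\]', 'g');
  return script.replace(decl, '').replace(ref, (match, i) =>
    Number(i) < values.length ? JSON.stringify(values[Number(i)]) : match);
}

// Undo the size optimisations noted in the text: !0 -> true, !1 -> false and
// exponent-form numbers such as 6e4 -> 60000 (hex like 0x1e5 is left alone).
function expandShorthand(script) {
  return script
    .replace(/!0\b/g, 'true')
    .replace(/!1\b/g, 'false')
    .replace(/\b(\d+(?:\.\d+)?)e(\d+)\b/g, (_, mant, exp) => String(Number(mant + 'e' + exp)));
}

// One pass over the outer layer: the readable body plus the argument it was
// invoked with, which would be the input to the next layer.
function peelLayer(script) {
  const parts = splitIife(script);
  return parts && { ...parts, body: expandShorthand(inlineStringArray(parts.body)) };
}

// Constructed sample shaped like the worm's outer layer (benign content).
const SAMPLE = '(function(abcQ7yz,abcK2yz,abcM4yz,abcZ9yz){var z=["ping","count"];if(!0){abcQ7yz(z[0],z[1],6e4);}})("SGVsbG8=");';
```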

How I Own You?:  Command and Control Module

For script-based malware, ProsLikeFan boasts quite complex C&C functionality. Once the script is deployed it keeps checking the C&C server regularly for commands. Below is a screenshot containing the C&C commands found in the malicious script:

Figure 11: Command and Control Module

The commands include: “u”, “d”, “b”, “redu”, “fbl”, “fbc”, “hp”, “fbf”, “e”, “r” and “dns.”

The command “u” updates the virus itself or reports any new changes on the victim’s computer to the C&C. Command “d” downloads a file from a specified URL, while command “r” runs any executable on the victim’s computer. Used in conjunction, these commands can download a file and run it on the victim’s computer, potentially fetching other malware from any location.

The next set of commands, “fbl”, “fbf” and “fbc”, target the popular social networking site Facebook; they can be used to like a Facebook page, become a fan of a Facebook page and send out a message on Facebook chat respectively.

Apart from these, there are commands to perform other activities such as setting the Internet Explorer homepage, modifying the DNS settings of the victim’s computer, etc.

A botnet of such infected machines would provide a perfect framework for other perpetrators who wish to infect the victims with their own bunch of malware. The administrator of the ProsLikeFan botnet can offer it as a service to anyone who wishes to attack unsuspecting victims. Most infections that were reported back to the lab showed instances of other malware on the victim’s machine.

This Is Me!: Conclusion

Though the worm’s activity may seem nothing out of the ordinary, it is worth analysing why the worm achieves this using unconventional methods, such as using a JavaScript-based worm to infect a victim and make the machine part of a botnet. This may be because the non-PE format gives the attacker a degree of freedom when a specific module in the script needs to be modified. It can be freely spammed out via email, unlike an executable, which would get filtered out. Initial versions of this worm had just one level of encryption; it then went on to become a multi-level obfuscated script. Text files, unlike PE binaries, do not have a fixed structure, making detection a bit more complex. Even then, they are detectable.

4. “Fans Like Pro, Too” – Peter Ferrie, Virus Bulletin, Sep’13

Kaarthik RM & Raja Babu A

March 21st, 2014

This is volume II of a three part series based on our (Kaarthik RM and Rajababu A) paper for AVAR 2013, discussing the prevalence of autorun malware in the Asian region and taking it further by analyzing an example of such malware.

Carrying on from where we left off earlier…

Who aM I?: What is ProsLikeFan?

While the typical autorun malware is usually a Microsoft Portable Executable (PE) file, ProsLikeFan is JavaScript based. Unlike PE malware, malware written in a scripting language has its limitations, such as exposing its malicious intent in plain text. To overcome this, the malware author needs to employ various encryption and obfuscation techniques.

ProsLikeFan uses the WMI (Windows Management Instrumentation) query language to retrieve sensitive system information and posts this information to a remote host. It also exploits the autorun mechanism to propagate to other computers, lowers the system security level by modifying certain registry entries, infects pen drives, sends out Facebook chat messages, ‘likes’ a Facebook page, downloads and runs an executable, changes IE homepage settings, etc., all the while actively listening for commands from its C&C server. It does all of the above without giving away much, to a large extent, about what it intends to do. This is achieved by keeping its code encrypted at multiple levels, thereby hindering readability.

What I Can Do?: Overview of What the Worm Can Do

To begin with, this worm is VM aware, i.e., it can detect if it is being run in a virtual environment such as VMware, Bochs or VirtualBox. It achieves this by retrieving system information through the Windows Management Instrumentation interface and comparing it against known virtualization systems. It looks at the BIOS manufacturer, processor name, SCSI controller manufacturer, disk drive model, computer system manufacturer, etc. for matches.

The worm hides itself from the victim by using standard registry modification techniques that are widely employed by most malicious software. It disables notifications from the ‘Windows Security Center’, turns off the Windows firewall, blocks the usage of proxy servers, prevents access to the user’s homepage settings and disables system restore.

The worm then copies itself to a location under %appdata% and %program files% with a random filename of 5-6 characters. It also places a copy of itself in the startup folder. Once executed, it can retrieve a trove of information from the user’s machine. It looks in specific locations for stored FTP passwords and user names. It then uploads the stolen data (Computer Name, Anti-Virus Software, Current User Name, etc.) extracted through WMI and other means to a remote server. It keeps enumerating all running processes at regular intervals and tries to terminate any process related to security software.

To spread to other computers, the worm uses the autorun technique. It waits for a removable drive to be connected to the infected computer. Once one is connected, the worm creates a directory on the removable device containing a copy of the main JavaScript file. It then proceeds to hide all folders and creates shortcuts to these folders with a folder icon. Such a shortcut in turn executes the main ‘.js’ file before opening the corresponding folder.

Apart from removable devices, the worm also uses file-sharing networks to spread. It places a copy of the main script in a zip file in the shared folders of well-known P2P applications such as Ares, BearShare, etc.

…To Volume III

Kaarthik RM & Raja Babu A
