These are quick first looks and trend and threats


Read More >>
Written by the security and AV professionals from team K7, meant for the general audience
Read More >>
These are usually articles that go into internals of a virus or deal with security issues
Read More >>
Senior managers speak on areas of interest to them, inside and outside the industry
Read More >>

June 29th, 2016

A few weeks ago we had announced our intention to spread our knowledge about low-level security. We would like to share a proud moment with the public to demonstrate our commitment to the cause of spreading technical awareness, borne from our decades of experience and expertise in malware research and anti-malware technology development.

We were recently invited by the well-known academic institution, VIT Vellore, to conduct a day-long workshop on the malware analysis techniques we carry out at K7 Threat Control Lab (K7TCL). The idea of the presentation was to enlighten VIT staff on analysis techniques for both Windows and Android malware.

We are happy to have had this opportunity to share our knowledge, and we hope that the interactive session we conducted has helped VIT staff to understand the modern malware threat landscape, and the malware themselves in a more effective way.

Kaarthik.R.M
Shiv Chand.K
V.Dhanalakshmi
K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

June 16th, 2016

Here is an interesting persistence technique, which I have not seen before, used by a malware which I analyzed last week at K7 Threat Control Lab. It uses a simple RunOnce registry entry to maintain its persistence but in a unique way. I would like to post a complete analysis, albeit brief, of its functionality.

Functionality in a Nutshell

  • Push-Pop-Call
  • Misuse of Process Environment Block (PEB)
  • API Hashing Technique
  • Anti-Debug & Anti-Emulation Techniques
  • Strings Obfuscation Mechanism
  • Registry Abuse
  • Hidden DLL with multiple entrypoints (Export & DLL main) and its role
  • Multiple Injections into explorer.exe
  • Rootkit-like Behavior
  • Persistence Mechanism – RunOnce entry
  • Final Injection to IExplore.exe to act as downloader

Push-Pop-Call

This malware uses a Push-Pop-Call sequence at the Entrypoint to change the execution flow of the program as shown in Figure 1. This is not a clever technique since it can be used by Anti-Virus software to flag the malware immediately given that this sequence is unlikely to be found in clean programs.

Figure 1

Misuse of Process Environment Block (PEB)

Not an uncommon technique, this malware uses PEB_LDR_DATA, a member of the PEB structure, to locate InMemoryOrderModuleList LinkedList, which is then used to retrieve names of the loaded modules. It calculates the hash for each of the retrieved module names and compares with that of Kernel32.dll (hardcoded in the code), and extracts the base address of Kernel32.dll when the hashes match as shown in Figure 2.

Figure 2

API Hashing Technique

Using the retrieved Kernel32.dll base address, it enumerates export function names and calculates their hashes, which, in turn, are compared with predefined API hashes (in the data section) to identify the addresses of preferred APIs that are listed below. This common technique is to avoid heuristic detection on import APIs.

  • ConvertThreadToFiber
  • CreateDirectoryA
  • CreateFiber
  • CreateFileA
  • CreateMutexA
  • CreateProcessA
  • CreateThread
  • DeleteFileA
  • GetFileSize
  • GetFileTime
  • GetModuleFilenameA
  • LoadLibraryA
  • MoveFileExA
  • ReadFile
  • ReleaseMutex
  • RemoveDirectoryA
  • SetFileAttributesA
  • SetFilePointer
  • SetFileTime
  • SwitchtoFiber
  • WaitForMultipleObjects
  • WriteFile
  • WritePrivateProfileStringA

The hash calculation algorithm is shown in Figure 3 below.

Figure 3

Anti-Debug & Anti-Emulation Techniques

It implements Anti-Debug & Anti-Emulation techniques to prevent or misguide the reverse engineering process. This malware creates a thread which possesses an Anti-Debug technique of Memory Access Violation Exception (shown in Figure 4 below), thus complicating the analysis flow for researchers.

Figure 4

It also adds additional Exception Handlers in the existing SEH chain, which would be triggered by a memory access violation as shown in Figure 5.

Figure 5

It also uses undocumented ntdll.dll APIs which could act as an anti-emulation technique

  • ZwCreateThread
  • ZwResumeThread

Strings Obfuscation Mechanism

It employs an uncomplicated obfuscation mechanism to hide strings to dodge its presence from Anti-Virus products. Figure 6 shows how it decrypts a string to be used as its mutex.

Figure 6

Registry Abuse

It uses the registry to find the default path of “user\%AppData%” by querying the following registry key:

Subkey : “Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders”
Value    : “AppData”

It uses the registry to find the default browser path:

Subkey : “http\shell\open\command”

It also escalates its privilege under Internet Explorer by adding its path to the following registry key:

SubKey : “Software\Microsoft\Internet Explorer\LowRegistry”
Value    : “ms-ldr”
Data     : “%Malware Path%”

Hidden DLL with Multiple Entrypoints (Export & DLL Main) and its Role

It drops its main payload, ntuser.cpl (a DLL file), extracted and decrypted from its ‘data’ section, under a randomly named folder in the retrieved %APPDATA% directory as exemplified below:

USER/%APPDATA%/ {6JJ0C2I2-2W3D-2P70-7999-9N8KF3N5}/ntuser.cpl

The decryption logic used is shown below in Figure 7:

Figure 7

It tries harder to misguide analysis by executing the DLL with multiple entrypoints. Initially with the help of rundll32 it executes the dropped ntuser.cpl using its export function “_4CDFA75B”. This export function “_4CDFA75B” then injects the entire ntuser.cpl to explorer.exe with “DLLMain” as its new entrypoint. Injection technique 1 uses the following APIs:

  • CreateProcessA
  • GetModuleFileNameA
  • CreateFileMappingA
  • MapViewOfFile
  • UnmapViewOfFile
  • ZwMapViewOfSection
  • CreateRemoteThread

Multiple Injections into Explorer.exe

As ntuser.cpl loads into the memory space of explorer.exe, it uses the ‘ZwQuerySystemInformation’ API to get the snapshot of the current running processes. Now ntuser.cpl injects itself to the running processes that have access to ‘CREATE_THREAD & VM_OPERATION & VM_WRITE & QUERY_INFORMATION’ permissions, including explorer.exe.  But, this time with a new entrypoint being one of its functions. Injection technique 2 uses the following APIs:

  • OpenProcess
  • VirtualFreeEx
  • VirtualAllocEx
  • VirtualQueryEx
  • VirtualProtectEx
  • WriteProcessMemory
  • VirtualQueryEx
  • CreateRemoteThread

The latest injected code in explorer.exe now injects code into IExplore.exe, again with a new entrypoint being one of its functions using a similar injection technique to that described above.

These multiple injections are done just to halt the flow of analysis and to use system processes to download malicious content which will not trigger any alert by Anti-Virus Software, including Firewall.

Rootkit Behavior

It injects all system processes when attempting to act as a rootkit by hooking the following APIs, to maintain its stealth status:

  • NtCreateThread
  • NtEnumerateValueKey
  • NtQueryDirectoryFile
  • NtResumeThread

Persistence Mechanism

The latest injected code in explorer.exe also has the task of maintaining its persistence. This is achieved by creating a thread which checks the availability of mutex (MSCTF.Shared.MUTEX.LDR) and if this fails, it adds the following RunOnce entry:

SubKey : “Software\Microsoft\Windows\CurrentVersion\RunOnce”
Data      : “rundll32 “%APPDATA%\{6JJ0C2I2-2W3D-2P70-7999-9N8KF3N5}\ntuser.cpl”,_4CDFA75B”

Hence during reboot, the mutex gets killed and immediately a RunOnce entry is registered to maintain persistence.

Final Injection into IExplore.exe to Act as Downloader

Using IExplore.exe injected code, it checks for internet connectivity every 5 minutes, and if it has access to the internet, it uses ‘URLDownloadToFileA’ to download malicious content from the following URL

“hxxp: / /business-links-today.org/ldr/admin/feed.php?i=6JJ0C2I2-2W3D-2P70-7999-9N8KF3N5&o=2&v=1.0.8″

Post downloading it executes the downloaded content using CreateProcessA.

On final analysis this turns out to be just a mere Downloader, with a high level of obfuscation, injection techniques, and Anti-Debugging/Anti-Emulation tricks along with rootkit behavior.

Sample analyzed:

MD5: 6F14315A8875B1CF04E9FDB963E12966
SHA256: B129D92F6C62B7C81B5EF69FA38194AB3886BA7F18230581BC2D241C997F7FA6

Shiv Chand.K
Senior Threat Researcher

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

June 2nd, 2016

Here at K7 Computing we believe it is extremely important to further the education of both those within as well as those outside our organisation.

Security is a vast subject with a plethora of aspects to consider. We cannot of course cover everything, however K7 Threat Control Lab would certainly like to contribute to the security skill set of today’s students in order to help address the acute shortage of security personnel in the workforce. Many students may also enjoy learning techniques to counter cyber criminals.

Our security training programmes ought to be designed to provide students with a strong foundation in the technical aspects of IT security. For example the focus of our Malware Analysis Training Programme would be on learning about low-level malware techniques and analysis from first principles within a controlled “lab” environment.

If we are able to “train the trainers” then a multiplier effect could be triggered to accelerate the dissemination of technical security training across India and elsewhere.

Spread D WORD bit by bit.

Image courtesy of anytraining.co.uk

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

May 26th, 2016

The CARO Workshop 2016, held in Bucharest, Romania, between May 19-20 featured presentations from notable security vendors and researchers, with a focus on the application of machine learning to security. The keynote speech was by Dr. Ashkan Fardost, who, among other things, talked about connecting reindeer to the internet.

K7’s Gregory Panakkal  and Georgelin Manuel participated in the CARO workshop with their presentation titled “A High-Performance, Low-Cost Approach to Large-Scale Malware Clustering”. Their popular talk suggested a technique to cluster huge numbers of malware files on commodity hardware. This presentation demonstrated clustering 2 million files on a machine with a modest configuration in under 3 minutes. The ideas exhibited were well-received, and attracted considerable attention from researchers who are thirsting for alternatives to distributed computing, which is currently the standard solution for handling large numbers of files.

Image courtesy of 2016.caro.org

Product Engineering Team

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

May 19th, 2016

This blog intends to educate the general public about the security risks pertaining to pen drives (aka USB sticks/drives, thumb/removable drives), data storage devices that can store text, images, music, videos, etc., and ways of mitigating the risks.

These devices come in handy when the user wants to transfer data between computers. They’re small in size but can hold large amounts of data. However, the utility and ubiquity of pen drives introduce significant security risks.

Pen drives pose a major security challenge to IT administrators. Some surveys indicate that 70% of businesses have reported loss of data through USB. Being small, pen drives can easily be misplaced or stolen and, if data is not backed up, it can mean loss of hours of hard work.  An even bigger challenge is to prevent infection through already infected USB drives.

The Autoplay feature in Windows is the key route to automatically infect PCs as soon as the infected pen drives are plugged-in. This autoplay feature causes removable media such as pen drives, CDs, etc. to open automatically when they are inserted into a computer.

Hackers and autorun worms use the autoplay feature to run malicious executables from removable drives. USB as an infection vector is not new; many older but infamous families of malware, notably Conficker, Sality and Gamarue use USB as part of their infection vector.

It is to be noted that many computers still have Windows XP, for which Microsoft withdrew support in April 2014, installed. Windows XP is popular among PC users especially in India, and has the autoplay feature enabled by default. Thus they are at greater risk of an autorun infection on their system than users who have updated their computer’s OS to recent versions of the Windows Operating System such as Windows 7. It is interesting to mention that most of these autorun worms originated in Asia.

Pen drives also provide an opportunity for malware to spread to stand-alone computers that are not connected to any network. The person carrying the infected pen drive, knowingly or unknowingly, bridges the air gap between the stand-alone computer and the network. It is of high probability that a pen drive used on one infected system (provided the infection on the system is capable of spreading itself) gets itself infected, thus spreading the infection to healthy computers when simply inserted into them.

Hence we advise users to practice one or more of the following recommendations to overcome the risks associated with using pen drives:

  1. Scan the pen drives for malware after sharing with your friends or family as a precaution against infections. Even if you have an up-to-date, reputable Anti-Virus Security product installed on your computer, your friends and family might not on theirs.
  2. Avoid using pen drives on public computers, e.g. at Internet cafes.
  3. If you have not already done so, install a world-class, up-to-date antivirus product like K7 Total Security.
  4. Use the autoscan feature, if any, in your Anti-Virus product to automatically scan all USB drives as they are connected to the system. Also schedule frequent, automatic scans on your PC to keep it infection-free.
  5. To prevent loss or theft of data, you may block USB devices from being used on your system. K7 Total Security has features to block pen drives and restrict read-write access to USB drives.
  6. Vaccinate your pen drive to ensure that it does not get infected by an Autorun worm even if it is used on an infected machine.

Images courtesy of:
Com.net
Technologymess.com

Rathna Kamakshi
Manager – K7 Support

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

May 12th, 2016

Continuing our series on cyber security following the two-part blog on digital signing, this is the eighth post which hopes to enlighten users on how to safely tread the open WiFi zones in public areas.

Free WiFi hotspots, which were a luxury some time ago in India, have become the norm nowadays. With the Indian government aiming to take the Internet to last tier cities, towns and villages it is only a matter of time before we are encapsulated in WiFi zones everywhere. This is aimed at bringing the wealth of information available on the internet to the masses. However, the omnipresence of WiFi could attract a great deal of sniffing and eavesdropping.

Open WiFi hotspots, though meant for the greater good, could become the medium for information security mishaps. Any data sent to an unprotected network could easily be monitored using packet or network sniffing applications by a hacker with malintent.

When using an open WiFi hotspot the network traffic between your device and the router is not encrypted, as opposed to using a home WiFi connection which should usually be secured by a passphrase which encrypts the traffic and shields it from eavesdroppers. Hence in an open WiFi connection, any data you send to the router is sent in a visible form and can be snooped upon by using packet or network sniffers. Imagine someone filling out details to an online form; the data submitted could fly across as plain text and can be easily grabbed off the air.

It is advisable to avoid using internet banking and online shopping portals, and communication apps when connected to an open WiFi. Also, it is advisable to turn off network sharing, in the case of laptops, since they could be accessible to people who are connected on the same network, and if the shared resource has no authentication then it would become an easy target for intruders.

A user needn’t explicitly open an app (with a potential security loophole) on his or her mobile device to expose its security hole. Most apps today keep looking for an active internet connection either to push or retrieve notifications thereby exposing its security lapse on an open WiFi connection. It is therefore advisable to restrict background data when on an open WiFi network.

Of course one cannot totally dismiss an open WiFi connection as inherently unsafe. It would be user-practices that make it safe or unsafe. For those who are totally dependant on an open WiFi network, they could choose to use a VPN application thereby securing their communication with the network within a secure channel, and decide to post content only to websites that are signed and secure.

Images were courtesy of:
muraldecal.com
toonclips.com

K7 Threat Control Lab
If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

May 5th, 2016

Yet another reminder of the importance of implementing robust website security, the flash news today alleged that “IRCTC website has been hacked, a major public website! And apparently, thousands of users’  data including PAN card details etc.,  could be in danger of being stolen.

Public websites that are used nation-wide and meant to store huge user data should ensure the highest levels of data security. It should be noted that since such publicly-available websites provide a treasure trove of data to hackers, they are high-value targets of compromise. They could also be a target for pranksters and hacktivists seeking publicity.

Hackers usually hack a website by exploiting one or more of the weak links in the website design. Real-time data stolen from these kinds of websites earn them a lot of monetary benefits, as the stolen data can be sold for huge amounts of money either to legitimate, typically marketing, companies or another hacker group.

Any down-time for such important public portals for even a short amount of time to fix the issue might entail a hefty economic hit, and inconvenience thousands of users. However, security of these public websites demands regular vulnerability assessments and penetration tests to identify weaknesses, and software updates for the hosting platform on which it runs and for third-party installed security software.

Prevention is better than Cure.

V.Dhanalakshmi
Senior Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

April 28th, 2016

This blog intends to inform the general public about the next version of Android (7.0), expected to be labelled “Android Nutella” focussing on the significance of improved or new security features in the sweet next in line from Google.

The next dessert to taste after Marshmallow, provisionally “Nutella” (Android 7.0), loaded on Nexus devices, is expected to hit the market in Q3, 2016.

Few of the confirmed major new features in Android N as per the Android N Developer Preview version are:

  • Multi-window mode
  • Efficient Doze mode
  • Direct-reply notifications/Quick settings
  • Shifting Android Java language libraries to OpenJDK
  • Faster App optimization by ART
  • Android Beta Program
  • Data Saver mode
  • Video and Picture at the sametime
  • Changing display screen size
  • Dark mode
  • New folder icons
  • Clear All feature in recent apps list
  • Lock screen enhancements

It is to be noted from the above feature list of Android N that there are no major security enhancements in Android N revealed in the Developer Preview versions.

Lock screen enhancements:

  • In Android N, it is possible to enable a setting that allows the user to display user information like name, address, blood group, etc., on the lock screen.
  • The latest developer preview 2 of Android N  allows the user to reply to notifications from the lock screen itself.

Saying that, the enhancements at the lock screen level raises the question of privacy, i.e. data security. Suppose the device is misplaced or lost, it is possible for a third party to know the user’s identity. Credit card and banking divisions always verify a user’s identity for any request of user-profile change or account request, exactly the kind of information which can be obtained from a stolen Android N phone might enable a third party to easily steal or misuse the victim’s account.

It goes without saying that there could be a password protection mechanism to access user’s personal data. However, in that case it might not serve the purpose of helping in an emergency.

As the Android threat landscape seems to have gone a bit silent of late, at least in the IT security  world, after the discovery of the Stagefright exploit, and given Google’s super confidence in the absence of malware for Android, perhaps, the Android N development team might have skipped Security in the major feature enhancement list.

Even though the Android malware landscape has not thrown up too much to write home about in the last few months, it is understood that as there is always a malware threat for any popular OS, and hopefully Google is continuing to take security seriously. Note, apparently not all the features have been revealed in the preview versions of Nutella so let us wait for the release candidate of Android N to have a clear picture of any major security feature changes. The proof will be in the eating…

Image courtesy:
nutella.com

V.Dhanalakshmi
Senior Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

April 22nd, 2016

The Union Home Minister Rajnath Singh recently requested the likes of Google, Facebook and WhatsApp to base their servers in India for security reasons.

WhatsApp has launched end-to-end encryption which makes snooping on WhatsApp traffic via, say, a Man-in-the-Middle very difficult, thus maintaining high levels of privacy. However, the events in parts of the country over the past few days are a reminder of the power of social media in disinformation campaigns.

Such social media services are regularly abused by terrorist groups to communicate amongst themselves as well as to spread propaganda. Therefore security agencies require access to communication content as per the provisions of the Information Technology Act. Since encrypted traffic makes it difficult to monitor the activities of suspects, it is important that content on the servers is made available when lawfully requested.

Such requests would be acquiesced to more readily if social media services for Indian citizens were hosted on servers within India’s jurisdiction, instead of typically in the US as is the case currently. The high-profile battle between the FBI and Apple in the US demonstrates the difficulties Indian security agencies could face in obtaining data from outside of India’s jurisdiction.

As I had mentioned a couple of years ago, the public’s opposition to the government imposing on their privacy is based on their prevailing threat perception. Given India’s history, geography and an unenviable record of victimhood, one would suggest that the threat perception in India is rather high.

Let us see if and how the social media giants bend to the government’s will.

Image courtesy of gadgets.ndtv.com.

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed

April 15th, 2016

Following part I of the blog series that describes the security problems in IoT, here is the second part of the series that explains technically how the information stolen from IoT users can be monetized.

risk.top_.jpg

The IoT security challenges described in part I give rise to unprecedented risks. Mischievous parties could remotely trigger havoc inside an IoT user’s physical environment: Burning down houses by hacking microwave ovens, or remotely turning off home security systems, or for the sake of fun, just causing devices to work in an irregular manner. These are just a few examples of IoT hacking which can be used by cyber criminals. The possibilities are endless, almost left to one’s imagination.

The associated risks would also extend to the internet used by the  common man. On a daily basis, websites already violate  user privacy by tracking a user’s activity: what you search for, what links you click on, what websites you visit; this valuable data can be sold off to commercial companies. These companies, in turn, use analytics to build user profiles to serve targeted ads to their audience. However, with the data generated by IoT products, these profiles would contain not only cyber-activity logs but also physical activity data for the user. A person using a pacemaker could now be targeted by insurance companies with specific schemes, even though he/she wouldn’t like others to know about their medical condition.

On the Dark Internet, a major chunk of content is based upon selling stolen credit card information and user credentials. The Dark Internet provides services for DDoS attacks and hacking accounts/websites for a fee. With the increasing adoption of IoT, we might see the rise of a new kind of data on these sites. Data stolen from IoT products would provide an entirely new set of data to be used for malicious purposes. There could be malware and viruses written specifically for IoT products which may go on to cause physical damage to life and property. Consider a botnet, capable of infecting a pacemaker device. It requires only a single command to cause irregularities in the pacemaker’s functionality thereby giving malicious parties the nefarious power to carry out mass murder.

We, as a security concern, believe that industry  can definitely reduce the risks associated in using IoT devices by tackling the afore-mentioned known security problems in the IoT ecosystem at different stages such as  manufacturing and custom-designed security quality assurance testing to ensure the maximum security of the IoT devices at the software level, up until the device reaches the user.

Image credits:
www.vipinkhandelwal.com

Priyal Viroja, Vulnerability Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/