
Archive for the ‘Email’ Category

Don’t Read That Ransomware Spam Script! Seriously Bad Story.

Wednesday, March 9th, 2016

Beware of two aggressive ransomware spam campaigns which have been active for the past few weeks.

The above screenshot of my own spam folder exemplifies the typical theme used by the new ransomware kid on the block, “Locky”, and the latest version of an established ransomware called “TeslaCrypt”.

Although both ransomware spam runs pretend to be an “Invoice”, the next stage of the infection vector for Locky and TeslaCrypt differ significantly from each other. Locky spam mails contain an attachment such as ‘scan_<number>.doc’, whereas the current TeslaCrypt spam contains a ZIP archive wrapping a JavaScript file, e.g. ‘invoice_<random alphanumeric>.js’.

The Locky DOC file contains a VBA macro whose project is password-protected, so that its source cannot be casually inspected in the VBA editor. Please note, since macros can contain malicious code they are disabled by default in Microsoft Word, and should remain so. The objective of the Locky macro script as well as the TeslaCrypt JavaScript is to download and execute the respective ransomware payload EXE.

Typical malicious spam campaigns deliver the payload directly in a ZIP attachment containing an EXE. However, such attachments are easier to block at the email gateway level since they are considered “high risk”. It is more difficult to block non-EXE files at the gateway as a matter of policy, hence the Locky and TeslaCrypt attachments are more likely to get past gateway filters onto the local computer. Thereafter, because the download is performed by a trusted host process (Word running the macro, or the Windows Script Host running the .js file), the download and execution of the ransomware payload is less likely to be blocked by behavioural protection mechanisms such as HIPS and the firewall.

K7 has robust protection at multiple levels against both ransomware campaigns, however, as always, prevention is much better than cure. In the case of spam, it is best to completely avoid emails from unknown sources, especially those which expect one to open an attachment or click on a link.
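The gateway policy gap described above, as an added example that is not K7's gateway code: a small triage routine that classifies attachments by what the recipient would actually open rather than by the outer extension alone. It recurses into ZIP archives, recognises executables by their MZ header (so a renamed or re-iconed EXE is still caught), flags script files that Windows hands to a script host, and flags Office documents that carry a VBA project. The VBA check is a stream-name heuristic rather than a full OLE parser, the extension lists are my own policy choices, and the sample messages are constructed in code, with no real malware involved.

```python
"""Gateway-style attachment triage for the two spam runs described above.

Added example, not K7's gateway code. Rather than blocking only raw EXE
attachments, it inspects what the recipient would actually open: script
files that Windows hands to a script host, Office files carrying a VBA
project, and either of those nested inside a ZIP. Executables are spotted by
content (MZ header), so renaming or a decoy icon does not help the sender.
The VBA check is a stream-name heuristic, not a full OLE parser, and the
sample messages below are constructed in code.
"""
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".bat", ".cmd", ".ps1"}
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".dll"}
OLE_OFFICE_EXT = {".doc", ".xls", ".ppt", ".dot"}              # legacy binary Office formats
OOXML_MACRO_EXT = {".docm", ".xlsm", ".pptm", ".dotm"}         # macro-enabled OOXML packages
OOXML_PLAIN_EXT = {".docx", ".xlsx", ".pptx"}                  # cannot carry VBA; no need to descend
DECOY_EXT = {".pdf", ".doc", ".docx", ".jpg", ".png", ".txt", ".html"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
VBA_STREAM_UTF16 = "_VBA_PROJECT".encode("utf-16-le")  # OLE stores stream names as UTF-16LE
MAX_DEPTH = 3            # zip-in-zip-in-zip is evasion, not a use case
MAX_MEMBER = 20 << 20    # refuse to inflate members above 20 MiB (decompression-bomb guard)


def _ext(name):
    return os.path.splitext(name.lower())[1]


def _double_extension(name):
    """DHL_Report.pdf.exe: a decoy document extension in front of a real executable one."""
    parts = name.rsplit("/", 1)[-1].lower().rsplit(".", 2)
    return len(parts) == 3 and "." + parts[1] in DECOY_EXT and "." + parts[2] in (SCRIPT_EXT | EXEC_EXT)


def classify_blob(name, data, depth=0):
    """Policy findings for one attachment or archive member; recurses into ZIP containers."""
    findings, ext = [], _ext(name)
    if data.startswith(b"MZ"):
        findings.append(f"{name}: Windows executable (MZ header)")
    elif ext in EXEC_EXT:
        findings.append(f"{name}: executable extension")
    if ext in SCRIPT_EXT:
        findings.append(f"{name}: script file, handed to a script host on double-click")
    if _double_extension(name):
        findings.append(f"{name}: double extension")
    if ext in OLE_OFFICE_EXT and data.startswith(OLE_MAGIC) and VBA_STREAM_UTF16 in data:
        findings.append(f"{name}: Office document with VBA project")
    if ext in OOXML_PLAIN_EXT or not data.startswith(b"PK\x03\x04"):
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if ext in OOXML_MACRO_EXT:
                if any(n.endswith("vbaProject.bin") for n in zf.namelist()):
                    findings.append(f"{name}: Office document with VBA project")
            elif depth >= MAX_DEPTH:
                findings.append(f"{name}: archive nested deeper than {MAX_DEPTH} levels, not inspected")
            else:
                for info in zf.infolist():
                    if info.file_size > MAX_MEMBER:
                        findings.append(f"{name}/{info.filename}: oversized member, not inspected")
                        continue
                    findings += classify_blob(f"{name}/{info.filename}", zf.read(info), depth + 1)
    except (zipfile.BadZipFile, RuntimeError) as exc:  # RuntimeError: encrypted member, no password
        findings.append(f"{name}: could not inspect archive ({exc})")
    return findings


def triage_message(raw):
    """Findings for every attachment of an RFC 822 message given as bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        findings += classify_blob(part.get_filename() or "(unnamed)", part.get_payload(decode=True) or b"")
    return findings


def _zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


def _mail(subject, filename, data):
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "accounts@example.invalid", "victim@example.invalid", subject
    msg.set_content("Please find attached the invoice.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def build_samples():
    """Constructed look-alikes of the attachment shapes in the post; no real malware involved."""
    fake_doc = OLE_MAGIC + b"\x00" * 64 + VBA_STREAM_UTF16 + b"\x00" * 64   # stands in for scan_<n>.doc
    return {
        "locky": _mail("Invoice", "scan_1234.doc", fake_doc),
        "teslacrypt": _mail("Invoice", "invoice_Q4bZ9k.zip", _zip({"invoice_Q4bZ9k.js": b"// stub\n"})),
        "renamed_exe": _mail("DHL delivery", "DHL_Report.zip", _zip({"DHL_Report.pdf.exe": b"MZ" + b"\x90" * 62})),
        "benign": _mail("Notes", "notes.zip", _zip({"notes.txt": b"plain text"})),
    }


if __name__ == "__main__":
    for label, raw in build_samples().items():
        print(label, triage_message(raw) or ["no findings"])
```

Run it as-is to see the findings for the four constructed messages; to use it on real mail, feed `triage_message()` the raw bytes of an `.eml`. A real gateway would add size limits on the whole message and a password-list attempt for encrypted archives, which the example deliberately reports rather than inflates.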

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed

Scareware, Rogue AV & Ransomware

Thursday, December 31st, 2015

This is the third part of the blog series on cyber security, continuing from its second part on mobile security. It focuses on the type of malware that exploits a user’s fear of data loss to extort money, and lists a few precautionary steps to avoid becoming a victim of it.

Scareware


In the modern day most malware are written for monetary gain. Scareware is a generic term to describe a category of malware which use the strong emotion of fear to force alarmed victims of an attack to pay an amount of money, typically tens to hundreds of US Dollars, to the attacker to restore normality on their computer/device.

Examples of scareware include malware which:

  1. display fake messages to the user about virus infections or system errors on the computer for which the fixing solution requires payment of a sum of money
  2. lock-down or claim to have locked-down access to some aspects of computer functionality such as use of the screen or personal documents, for which regaining access involves payment of a sum of money

Scareware typically infects users’ computers when they download malicious attachments or click links in spam, or when they accidentally visit hacked websites.

As always it is important to ensure that you:

  1. Do not open emails from strangers, including fake messages from well-known companies such as FedEx or DHL
  2. Keep your operating system and third-party software, e.g. browsers and document readers, completely up-to-date with security updates. Avoid pirated software
  3. Use top-rate, genuine, up-to-date Anti-Virus software such as K7 Internet Security with strong Internet Security features such as malicious spam blocking, malicious website-blocking and browser-exploit protection

Scareware can affect both PCs (typically with a Windows operating system) as well as mobile devices (typically with an Android operating system which can be protected by K7 Mobile Security).

Rogue AV

Rogue AV or Fake AV is a subset of the scareware category of malware. Rogue AV pretends to be a legitimate Anti-Virus program which proceeds to display fake warnings of numerous virus infections on the computer. The fake warning window may steal the computer’s focus and then remain persistent, with the malware preventing attempts to close it. Users are made to believe that only if they fork out a sizeable sum of money would the virus infections be cleaned up and the computer restored to a good state.

Historically Rogue AV has been associated with the use of Search Engine Optimization (SEO) poisoning which ensured that hacked websites controlled by the attackers ranked highly when trending topics were searched for in a web search engine such as Google. When the user clicked on one of these attacker-controlled links the user’s computer would get infected. Rogue AV is most commonly found on Windows PCs, but has also been known to infect MacOS computers.

Ransomware

Ransomware is a type of malware, becoming more common by the day, which denies access to your computer resources until a hefty sum is paid to the criminal gang which caused the infection.

The typical resources held to ransom are as follows:

  1. Personal documents, images, and other files – In this case the files are encrypted so that they become unusable. After the files are encrypted the ransomware displays a splash screen informing the victim of this action and demanding a ransom payment to restore the files. Recovering these files requires obtaining the decryption key from the malware syndicates for a fee amounting to hundreds of US Dollars. Payment is made through hard-to-trace, pseudonymous channels such as the Bitcoin network. The first major ransomware family of this type was called Cryptolocker.
  2. Device screen – In this case the screen is frozen by the malware with a ransom demand visible. The user is allowed to make the payment to unlock the screen. One prevalent family of ransomware which locks the screen is called Reveton.

Users are advised to avoid paying this type of ransom demand for the following reasons:

  1. Generating income for cyber crooks would only serve to incentivise their criminal activities, and would fuel their future attacks
  2. There is absolutely no guarantee that paying up the ransom of potentially hundreds of dollars would actually restore your files or unlock your screen

In addition to the recommendations above, which guard against scareware in general, it is also important to ensure that you back up your important files in a disciplined fashion on external media and/or on online repositories. If you are not in the habit of backing up your files, this practice is highly recommended anyway, since data loss from a failed hard disk at a future date is a probable event, far more likely than a ransomware infection.

Happy New Year!

…to part 4: Passwords – Hashes to Ashes

Images courtesy of:

Adeevee.com
Huffingtonpost.com
Cloudave.com

K7 Threat Control Lab


Dealing with Spam

Thursday, November 26th, 2015

In the interest of educating the general public about secure computing, we would like to share a blog series that intends to explain the various types of security threats over the Internet and a few precautionary steps to avoid falling prey to these security threats. This is the first part of the blog series that talks about the basic concepts of spam emails, their dangers and a few preventive measures to adopt to deal with them.

A message or email that we receive over the Internet but never asked for is called spam. Such messages are mostly sent from unknown email addresses, using computer programs called spambots, to a large number of users in bulk, either to market a product or to cheat the user, typically for financial gain. Spam uses social engineering to trick victims into performing the action the message asks for.

In recent years the volume of spam has increased so much that it is often hard to distinguish spam from legitimate messages in one’s inbox.

Spam includes unwanted messages using varied themes like:

  • a person requesting help
  • being told that we have become a lucky winner of a prize, or a victim of blackmail
  • a newsletter that was never subscribed to
  • fake job offers
  • malware
  • obscene material
  • a huge bounty promised out of the blue by an individual from a different country
  • someone offering a business partnership
  • a claim that we need to prove our identity by logging in or resetting the password of our bank account, email account, etc. This dangerous attack is called “phishing”
  • causing a social issue with fake news
  • offers on weight-loss products, medicines, drugs, etc.

Spam consumes storage space, Internet bandwidth and other resources on a user’s computer or device. It can defame a brand, and the products it advertises are often illegal or banned. Some spam messages also try to steal the victim’s personal information, as in the case of phishing attacks. Together with the time it wastes and the malware it spreads, these are reasons enough to consider spam dangerous. Filtering spam out of our inbox lets us use email services at ease.

How do we deal with spam? When we suspect an email to be spam, we can:

  • Mark it as spam through the feature available in most of the email service providers

  • Create filters to move emails to a spam folder, thus preventing them from polluting one’s inbox. Filtering is also possible by adding specific email addresses to the ignore list, specific contents in the subject line of the email, etc.
  • report such messages to various spam control authorities
  • use anti-spam software which can block a spam email based on previously recorded spam activities, suspicious titles or content, spam score and various other factors. K7 products contain in-built anti-spam features and also block malware which harvest email addresses from the computer

Additionally, the following safety guidelines are recommended when dealing with spam:

  • Do not open emails that you never expected or suspect to have come from an unknown user. Most certainly don’t respond to such emails
  • Avoid using the “unsubscribe” option that sometimes comes in spam emails, as this would confirm to the spammers that your email address is a valid one
  • Do not forward chain emails and suspected spam emails
  • Do not publish your email addresses in public forums and comments sections. Use of temporary email addresses can help to some extent in these cases

We need to realise that changing our email address is not a long-term solution to the spam problem, as email harvesters can obtain one’s new address in various ways. Until we adopt better Internet habits, we cannot safeguard ourselves from spam.

…to part 2: Mobile Security

Images courtesy of:
Marketingland.com
Gfi.net

K7 Threat Control Lab


Gone in 60 Seconds: Is the Internet Becoming Volatile?

Friday, August 14th, 2015

This blog intends to inform the general public about the impact on the Internet of an increase in the prevalence of self-destructing messaging services.

Almost every one of us is happy to have more than one genie at hand: we own a smartphone, tablet, laptop, etc., and a click of a button or a touch of the screen can satisfy our cravings, from food to knowledge. The communication world is never short of new stuff popping up now and then, with tweets, pokes, chats, likes, posts and so on.

Don’t we enjoy a twist in the movies we watch? One has to wonder if the Internet is the next ‘anterograde amnesia’ victim, where an unforeseen whirl takes over social networking services silently.

On one hand, Hadoop technology is booming to handle the exponential growth of data, and spiders are crawling over the Internet to feed search engines. On the other, a counterweight is being created by self-destructing communication methods, important enough to discuss, as the number of apps and services providing this functionality is increasing, with more users every day. In addition, the social networking giants’ competing feature is shifting focus from providing nearly unlimited storage space to providing an expiry time on demand. A silent balance is inching toward creating major chunks of a lost Internet.

When communicating confidential information over the internet, there is a jolt in us. We think several times, whether we can trust the internet and its services. And for one reason or another, we compromise ourselves with the communication services we get online.

Now, the privacy jolt is taking a noticeable turn because it seems to give more power to the users like data wiping, evidence shredding, and “suicidal messages”. It is not strange for us to regret sending a wrong file or a message to an unintended recipient, for liking a wrong post or comment by mistake too. But it is also important to note that these auto-timed or customisable self-expiring messages are redefining secretive communication.

This trend seems to cure the privacy fever of social media with email bombs, ephemeral messages, auto-expiring tweets, timed chats, self-deleting pokes and much more; from its suffering to hold itself together with features like ‘recall’ or ‘undo’ a sent email, off the record chats, etc.

Such self-destructing email services promise to destroy their path traversed over the servers and the email itself in a prescribed amount of time. These promises are not new to us as we have been relying for years on strong encryption and secure channels.

There is always more than one solution to a problem. Few apps use temporary hyperlinks. Some provide a one-time password to access the timed webpage. The passwords and the websites are not available after the expiry time. Some store the contents temporarily in servers until the message is delivered to all the intended recipients and delete the contents from the servers and from the recipient’s inbox once the message is read. Some use external apps and browser extensions too.

Some apps face issues like screenshots being taken, accessed via different modes instead of viewing the content via the app, and message ID vulnerability hacks on related sites too. Some apps have already fallen victims to cyber forensic studies as they save the images and videos in hidden folders or rename the files to unknown file extensions; because researchers are ready to spend a number of hours and thousands of dollars for their research. But competitors release newer products with upgraded versions which offer more sophisticated artificially-intelligent communication systems.

Cyber criminals use such services widely to communicate their secrets or threaten victims. Of course anyone can use these services for a legitimate conversation as well. Self-expiring attachments are also joining hands with this feature, preventing messages from being copied, forwarded, edited, printed, or saved.

With competitors focusing on providing the self-destruction feature, the following questions certainly arise:

  • Will the internet become erasable?
  • Will social networking become the most secret communication method going forward?
  • Did we just discover invisible data or communication?
  • Will these mortal messages force cybercrime lexicology to accept its demise?
  • Will the expansion of SMS be changed to Short-lived Messaging Service?
  • Will the cyber crime investigators exclaim: “Eureka! But where did the evidence go?”?

Looks like we just have to wait and watch what surprises the future brings.

Images courtesy of:
cdn-media-1.lifehack.org/wp-content/files/2014/04/7557deec.jpg
blog.ericgoldman.org/wp-content/uploads/2014/08/shutterstock_167170781.jpg

Ayesha Shameena P
Threat Researcher, K7TCL


Gmail Passwords Leaked

Friday, September 12th, 2014

A list of millions of Gmail usernames and passwords was recently posted on a Russian Bitcoin forum. While details of how exactly the passwords were leaked remain murky, the popular email service provider has confirmed that none of its servers were breached to exfiltrate the data. Users of the compromised accounts are now being redirected to Google’s password reset page to regain access.

To be on the safe side, users should consider enabling two-factor authentication (Google calls it 2-Step Verification) on their Gmail accounts, so that a leaked password alone is not enough to log in.

If history has taught us anything, sensational news like this is a likely candidate for social engineering based abuse. Web sites purporting to allow people to check if their Google accounts have been compromised are already cropping up, and it could be only a matter of time before we start seeing phishing campaigns on this subject. Users are advised to be vigilant and avoid such emails at all costs.

Lokesh Kumar
K7 Threat Control Lab


“Now You See Me, Now You … Errr … See Me”

Wednesday, August 6th, 2014

Much has already been written about Win32/Poweliks, the touted fileless persistent malware.

The malware uses an embedded NUL within the key under the following registry path:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

This non-standard use of NUL as part of the key name is not new. A similar trick was likely used by variants of more advanced malware such as ZeroAccess, when creating helper files on disk. Regedit goes through the Win32 registry API, which treats key and value names as NUL-terminated strings, so it cannot display or open this key name correctly; but that doesn’t mean the entry is invisible. The native NT API returns counted names, and K7’s rootkit scanner reveals the key with ease:

The other important point is that the infection chain involves a malicious Microsoft Office document containing a dropper Windows executable file, both of which must exist on disk as normal files, albeit ephemerally, and executed before the above-mentioned registry entry can be created. This provides a fleeting opportunity to detect these vital components easily, and detect them we do as

Trojan ( 0001140e1 )

and

Trojan ( 0049882d1 )

respectively.

The techniques used by the malware to execute a JS-decoded DLL via a registry entry are indeed interesting, but there are still quite a few opportunities to flag the infection at various stages of the infection chain, including at the entry spam email stage itself. It remains to be seen if the malware evolves to employ more sophisticated techniques in future.
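The point about regedit seeing only a truncated name, as an added example (not K7's scanner code) that reads the Run key through the native NT API with Python's ctypes. It assumes the hidden entry is a subkey or value name with an embedded NUL directly under the Run key; the constants and buffer layouts are those of the documented KEY_BASIC_INFORMATION and KEY_VALUE_BASIC_INFORMATION structures, and the constructed buffer used off Windows is a stand-in for what NtEnumerateKey would return.

```python
"""Look at HKCU\\...\\Run through the native registry API instead of the Win32 one.

Added example, not K7's scanner. Win32 registry functions (and therefore
regedit) take names as NUL-terminated strings, so a name with an embedded NUL
is cut short and cannot even be opened by the truncated name. NtEnumerateKey
and NtEnumerateValueKey return counted UTF-16 names, so the full name shows.
Assumption: the hidden entry is a subkey or value name containing U+0000
directly under the Run key.
"""
import struct
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
KEY_BASIC_INFORMATION = 0        # KEY_INFORMATION_CLASS.KeyBasicInformation
KEY_VALUE_BASIC_INFORMATION = 0  # KEY_VALUE_INFORMATION_CLASS.KeyValueBasicInformation
STATUS_NO_MORE_ENTRIES = 0x8000001A


def parse_key_basic_information(buf):
    """KEY_BASIC_INFORMATION: LARGE_INTEGER LastWriteTime; ULONG TitleIndex; ULONG NameLength; WCHAR Name[]."""
    name_len = struct.unpack_from("<I", buf, 12)[0]
    return buf[16:16 + name_len].decode("utf-16-le")


def parse_key_value_basic_information(buf):
    """KEY_VALUE_BASIC_INFORMATION: ULONG TitleIndex; ULONG Type; ULONG NameLength; WCHAR Name[]."""
    name_len = struct.unpack_from("<I", buf, 8)[0]
    return buf[12:12 + name_len].decode("utf-16-le")


def win32_view(name):
    """The name as a NUL-terminated API (RegEnumKeyEx, and so regedit) would present it."""
    return name.split("\x00", 1)[0]


def hidden_entries(names):
    """Names the Win32 layer would truncate, as (full native name, what regedit shows)."""
    return [(n, win32_view(n)) for n in names if "\x00" in n]


def build_key_basic_information(name):
    """Constructed buffer in NtEnumerateKey's output layout, for offline demonstration and tests."""
    encoded = name.encode("utf-16-le")
    return struct.pack("<qII", 0, 0, len(encoded)) + encoded


def enumerate_run_key_native():
    """Windows only: (subkey names, value names) of HKCU\\...\\Run read via ntdll."""
    import ctypes
    import winreg

    ntdll = ctypes.WinDLL("ntdll")
    buf = ctypes.create_string_buffer(4096)
    out_len = ctypes.c_ulong(0)

    def enumerate(fn, info_class, parser):
        names, index = [], 0
        while True:
            status = fn(handle, index, info_class, buf, len(buf), ctypes.byref(out_len)) & 0xFFFFFFFF
            if status == STATUS_NO_MORE_ENTRIES:
                return names
            if status != 0:
                raise OSError(f"native enumeration failed with NTSTATUS 0x{status:08X}")
            names.append(parser(buf.raw))
            index += 1

    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY, 0, winreg.KEY_READ) as key:
        handle = ctypes.c_void_p(key.handle)  # an HKEY is an ordinary kernel object handle
        subkeys = enumerate(ntdll.NtEnumerateKey, KEY_BASIC_INFORMATION, parse_key_basic_information)
        values = enumerate(ntdll.NtEnumerateValueKey, KEY_VALUE_BASIC_INFORMATION,
                           parse_key_value_basic_information)
    return subkeys, values


if __name__ == "__main__":
    if sys.platform == "win32":
        subkeys, values = enumerate_run_key_native()
        found = hidden_entries(subkeys + values)
    else:
        # Offline demonstration on a constructed buffer shaped like the native API's output.
        found = hidden_entries([parse_key_basic_information(build_key_basic_information("\x00hidden"))])
    for full, visible in found:
        print(f"embedded NUL: native name {full!r}, regedit would show {visible!r}")
```

On Windows, run it as the user whose HKCU is of interest; it prints any Run entry whose native name contains a NUL next to the truncated form regedit would display. Off Windows it only exercises the parser on a constructed buffer. Note that the same native enumeration is how a rootkit scanner gets past the Win32 truncation, and that the truncated name is also why regedit cannot delete the entry: the delete call would target the wrong name.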

Samir Mody
Senior Manager, K7TCL


Cryptolocker – A New Wave of Ransomware

Wednesday, October 16th, 2013

Ransomware works by restricting access to the computer or files it infects. The malware, on behalf of its author, then demands that the victim pay a ransom for the restriction to be removed.

At K7’s Threat Control Lab, we recently noticed a new wave of this ransomware. This notorious variant, called CryptoLocker by most security vendors, installs itself into the victim’s “Documents and Settings” folder. The malware then adds itself to the Windows auto-start location in the registry to ensure that it loads automatically every time the user logs on.

CryptoLocker then makes HTTP POST requests to a pre-determined set of domain names to obtain a unique encryption key, with which it encrypts the victim’s documents. The files targeted include images, spreadsheets, presentations and text files, among others.

Once encrypted, the ransomware then pops up a ransom page like the one displayed below:

The malware gives the victim a limited amount of time to buy the key needed to unlock the user’s data.

Protection against this threat is provided at multiple layers by K7’s Threat Control Lab. We proactively detect both the spam emails and the malicious URLs used to spread this ransomware, which seem to be the current infection vector. In case the malicious content does get through this layer of protection, our on-access scanner detects the malicious files themselves as Trojan ( 0000c3521 ) and Trojan ( 0040f66a1 ). We have also provided detection for this ransomware based on its run-time malicious behaviour.

Our usual sentiments about keeping one’s security solutions and Windows patches up-to-date, and being wary of downloading files from unknown sites, apply.

Lokesh Kumar
Malware Collections Manager, K7 TCL


Depths Phishermen Go To Catch a Phish

Monday, October 3rd, 2011

It is common knowledge that phishers [Authors of a phish] attempt to steal sensitive information such as passwords, credit card details etc. by masquerading as a trustworthy entity. Some key elements of a phish are:

  • A fake website created by simply ripping content off the original site and pasting them on the spurious one

  • A bait which engages potentially attractive terms like “Watch nude girls now”, “You’ve won a million dollars”, “Find what your neighbor is up to “, etc. to attract victims

  • Scare mongering by using words like “Account has been suspended”, “Computer found to be infected”, “Severe action will taken” etc.

  • Create a YouTube video

Yes, you read that right!! Phishers now go to the depths of creating videos explaining to the potential victim how to execute the phish. Call it a “how-to-guide” to give your secrets away, if you’d like.

The site under discussion http://fbshirts.[Blocked], apart from having all the usual elements of a phish also has a video on YouTube instructing users how to give away their Facebook “mobile email address”. This is a personalized email address used to post status updates straight to your profile.

Users who’ve fallen victim to this scam will have a spam message posted on their facebook wall like the one below:

One would like to think that no one would fall victim to such a scam. But the number of hits this video has received (80,432 and counting) paints a bleak picture. See the image below:

Our usual sentiments about keeping one’s security solutions up-to-date, and being wary of giving one’s personal information to unknown sites, apply.

Lokesh Kumar
K7 TCL


Of One Time Passwords and Empty Bank Accounts!

Thursday, June 9th, 2011

Recently we received an email from the RBI (Reserve Bank of India), or so it claims to be, regarding a ‘One Time Password’ registration.  This ended up in the spam folder. Let us see why.

Here is the email in question:

  • The source of this email (highlighted green) is ‘rbi.org.in’ which is not suspicious but is probably spoofed.
  • It informs us to ignore any warning (highlighted red) that the email client might give us. This is suspicious.
  • The attachment (highlighted cyan) has a double extension. This is clearly suspicious.

There is even a tail-piece of advice to ‘Beware of Phishing’ to make the user feel good about the message. After all, no thief warns you about impending thievery, right? Wrong!

Once you download and open the attachment you are directed to the following page:

This looks like a normal RBI page. But a closer look at the address bar reveals that this is not an RBI page. It is a login page, but it is not served over HTTPS, so there is no certificate to authenticate the site to the browser. This is a cleverly constructed page: only the ‘Login ID’ and ‘Password’ fields are custom made, while the rest is ‘borrowed’ from the actual RBI site, so clicking on any of the menu items would still take you to the valid RBI page.

Let us check what is inside the attachment:

This URL has quite a number of sub-domains (grayed out for security reasons), none of which is even remotely related to the RBI. This is highly suspicious. Double-clicking on the attachment would take you to the page shown above which masquerades as a  bona fide RBI site.

Let us start filling in the form with some fake details:

Once you fill in the details and click next you will be taken to the following page wherein you’ll be asked to fill in your transaction password and mobile number:

Once you click submit it throws a message that the registration is successful. But there was no actual password registration done during the entire exercise. The mail states an additional password is to be created, which was never done here. Whenever a new password is created any valid system would ask you to confirm your password, which was not the case here. Hence this is a clear attempt to phish out confidential details.

The network captures of the above exercises show the password and user names being sent over the Internet as plain text messages:

Your bank would never have you submit your banking credentials as plain text. They are always sent over a secure (HTTPS) connection in encrypted form.

At the time of writing the attack domain was still live. To avoid being a victim of such social engineering attacks, the solution to a large extent still rests with the user, even though URL filtering and phishing heuristics do thwart many of these attempts. Please read through one of our earlier entries to find out how to recognise and stay away from phishing scams: ‘Teach a Man to Anti-Phish’.
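The indicators called out in this analysis (a sender domain that is probably spoofed, instructions to ignore client warnings, a landing page whose host is a pile of subdomains unrelated to the RBI, and a login form that is not served over HTTPS), as an added example that is not K7's filter: a scorer that runs those header and landing-page checks over a message. The message it inspects is constructed in code, the `example.invalid` hosts are placeholders rather than the real campaign's domain, and the envelope check assumes the Return-Path header was stamped by the receiving mail server.

```python
"""Score the phishing indicators called out in the RBI 'One Time Password' analysis above.

Added example, not K7's filter. It checks a message for: a From domain that
does not match the envelope sender, text telling the reader to ignore client
warnings, links whose host buries the brand's domain inside an unrelated one,
and a credential form that posts over plain HTTP. The message below is
constructed in code and the example.invalid hosts are placeholders, not the
domain from the real campaign.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND_DOMAIN = "rbi.org.in"   # the domain the message claims to come from
IGNORE_WARNING = re.compile(r"\b(ignore|disregard)\b.{0,40}\b(warning|alert)", re.I | re.S)


class _LinkExtractor(HTMLParser):
    """Collect hrefs, form actions and meta-refresh targets, and count password inputs."""

    def __init__(self):
        super().__init__()
        self.urls, self.form_actions, self.password_fields = [], [], 0

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a" and a.get("href"):
            self.urls.append(a["href"])
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_fields += 1
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
            if m:
                self.urls.append(m.group(1))


def _domain(addr):
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def check_url(url, brand=BRAND_DOMAIN):
    """Host-based indicators for one link; an empty list means nothing suspicious."""
    host = (urlparse(url).hostname or "").lower()
    findings = []
    if brand in host and host != brand and not host.endswith("." + brand):
        findings.append(f"{host}: brand domain used as a subdomain of an unrelated site")
    if host.count(".") >= 4:
        findings.append(f"{host}: unusually deep subdomain nesting")
    return findings


def score_message(raw):
    """All indicators found in an RFC 822 message (bytes), de-duplicated, in order found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_dom, envelope_dom = _domain(msg.get("From", "")), _domain(msg.get("Return-Path", ""))
    if envelope_dom and from_dom != envelope_dom:
        findings.append(f"From claims {from_dom} but envelope sender is {envelope_dom}")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None and IGNORE_WARNING.search(body.get_content()):
        findings.append("message tells the reader to ignore client warnings")
    for part in msg.iter_attachments():
        if part.get_content_type() != "text/html":
            continue
        ex = _LinkExtractor()
        ex.feed(part.get_content())
        for url in ex.urls:
            findings += check_url(url)
        for action in ex.form_actions:
            findings += check_url(action)
            if ex.password_fields and urlparse(action).scheme == "http":
                findings.append(f"password form posts to {action} over plain HTTP")
    return list(dict.fromkeys(findings))


def build_sample():
    """Constructed message mirroring the indicators in the post (placeholder domains)."""
    target = "http://rbi.org.in.otp.secure-login.example.invalid/register"
    landing = (f"<html><head><meta http-equiv='refresh' content='0;url={target}'></head><body>"
               f"<form action='{target}' method='post'><input name='loginid'>"
               "<input type='password' name='pwd'></form></body></html>")
    msg = EmailMessage()
    msg["Return-Path"] = "<bounce@bulkmailer.example.invalid>"
    msg["From"] = "RBI Alerts <alerts@rbi.org.in>"
    msg["To"] = "customer@example.invalid"
    msg["Subject"] = "One Time Password registration"
    msg.set_content("Please ignore any warning your email client shows and open the attachment "
                    "to register your One Time Password. Beware of phishing.")
    msg.add_attachment(landing, subtype="html", filename="OTP_Registration.html")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in score_message(build_sample()):
        print("-", finding)
```

The brand check is deliberately narrow: `www.rbi.org.in` passes because it ends in `.rbi.org.in`, while `rbi.org.in.otp.secure-login.example.invalid` is flagged because the real registrable domain is the last part, not the first. The envelope comparison only means something when Return-Path was written by your own receiving server; anything the sender put there themselves is just another forgeable header.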

Kaarthik R.M
K7 TCL

Has Bred Fallen on the Buttered Side?

Wednesday, March 9th, 2011

Bredolab is a family of Russian botnets which are frequently spammed out purporting to be from reputed organisations such as DHL or UPS. The messages have ZIP archive attachments containing the malicious bot executable. This particular spam campaign has been alive for the best part of the last couple of years with little change, which implies that it is still efficacious. Why “fix something that ain’t broke”?

Yesterday, however, as blogged by my colleague in the Anti-Virus community, the campaign unexpectedly changed insofar as several grammatical and spelling mistakes made their way into the standard fake message “from DHL”:

It is true that on several occasions in the past cybercriminals have been found wanting where communication in English is concerned. However, the latest message with all the errors breaks with the trend seen over the past couple of years. Previous versions of the social engineered message body were largely error free, at least ostensibly, and therefore rather convincing … well, probably only to the uninitiated. In fact the executable file within the ZIP archive in the current campaign even has an Adobe PDF icon.

Given the discrepancy between the old and the new versions of this campaign, one wonders whether there has been a change of helmsman coordinating these attacks who attaches less importance to quality control. On the other hand it is possible that the spelling mistakes have been deliberately introduced to evade targeted spam rules based on standard text patterns. After all the only reason that the bot executable is sent within a ZIP attachment is to circumvent heuristic rules at the gateway which may quarantine emails containing raw executables.

In any case it is important to stay informed about this particular campaign to reduce instances of PEBCAK (Problem Exists Between Chair And Keyboard), and to ensure that your Anti-Virus software is kept up-to-date. K7 products detect the latest bredolab executable as Trojan (0021b05e1).

Samir Mody
Senior Manager, K7TCL