
Archive for the ‘Internet’ Category

Disingenuous Ingenuity

Thursday, July 7th, 2011

Social engineering is the art of manipulating people’s behaviour. Some malware authors rely on it to disguise their code and get it executed on a user’s machine. A key element of a successful social-engineering campaign is the visual appeal of the lure: under the right circumstances, malware that looks strikingly similar to the file it impersonates is far more likely to be executed by an unwary user.

Fake Anti-Virus malware authors, for example, are known to put considerable effort into making their scareware messages look authentic. We had blogged about one such sample, which even goes to the length of copying malware descriptions from security vendors’ websites in order to get the user to execute it.

Recently, we came across a website which takes this visual aspect of social engineering quite seriously. The site under discussion, www.vista.[Removed], claims to provide a number of [already freely available] applications for download. Here’s a brief list of the files that were distributed from this site over the last week:

  • Divx.exe
  • MySQL.exe
  • VideoLAN.exe
  • WinPcap.exe

To boost the chances of the files being downloaded and executed, each application listed on the site has a brief description, screenshots, user reviews, comments and so on. The author of the site has spared no effort in plagiarizing this content from genuine software distribution sites, making the site appear as legitimate as possible in order to lure people into downloading and executing the files.

Not all that glitters is gold though. Closer inspection reveals that every file downloaded from this site is around 2.5 MB in size and, on execution, prompts the user to send an SMS to a premium-rate number; the reply carries a code to unlock and install the application. The files don’t damage the user’s computer, but the user still ends up paying for the premium-rate SMS. One can only assume that this site could be a landing page for a broader attack scheme.

Social engineering (not to be confused with social networking!) based on PEBCAK (Problem Exists Between Chair And Keyboard) is a very potent weapon for getting malware executed on any operating system, including those on mobile devices such as Android. It thrives on temptation, ignorance and fear on the part of the victim. Even though descriptions of social engineering are ubiquitous and some may consider the topic mundane, we at K7TCL feel it our duty to keep the general public informed about the use and abuse of social engineering, so that users are less likely to be seduced by malware authors. Do not invite the thief in through your front door.

Image Courtesy of www.publicdomainpictures.net

Lokesh Kumar
K7TCL

Don’t Let Adware Give You the Sign

Friday, June 24th, 2011

A digital signature applied to an object is meant to verify that the object comes from a known source and that it has not been tampered with since it was signed. In addition, the signer will have been registered with a well-known certificate authority, which confers on the source an aura of legitimacy and thus a vicarious trust in the signed object.

The mere presence of a digital signature, however, does not mean that the file in question is clean. Malware authors can and do exploit the misplaced trust associated with digital signatures to defraud users into running their wares. The Zeus family of malware, for example, used self-signed certificates masquerading as a certificate from a legitimate company. The Stuxnet malware was signed with stolen private keys.

When legitimately signed software exhibits questionable behaviour, things get complicated. Such applications come from software distributors who digitally sign their code and make it appear clean by bundling it with other legitimate applications. A colleague from the Anti-Virus community recently blogged about one such software distributor – Pinball Corp., whose software displays dubious behaviour. The software comes bundled with installers for legitimate media-related software such as:

  • XVid Codec
  • FLV Codec
  • VLC Player etc.

At K7TCL, we have been noticing over the last couple of months that these digitally signed installers arrive with a new checksum almost every day, and the trend is still continuing. One wonders why a company claiming to distribute legitimate applications would employ:

  • Server-side polymorphism – a technique used by malware authors to avoid detection by security vendors: every download is a slightly different file, so a signature written for yesterday’s file misses today’s
  • The missing-codec scam – a social engineering technique used by malware authors to lure victims into running files

Certificate authorities’ policies allow a code-signing certificate to be revoked when the behaviour of the signed software is misrepresented. But what constitutes misrepresentation? It seems that either the certificate authority is unaware of this abuse, or it is aware but unwilling to act. Either way, security vendors may be left with no choice but to take matters into their own hands: these files, despite carrying a valid digital signature, are detected as Adware/Spyware by most Anti-Virus vendors.
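A daily-changing checksum on a validly signed file can mean two different things, and an analyst should tell them apart. Authenticode does not hash the whole file: it skips the PE checksum field, the security data-directory entry and the certificate table itself, so bytes appended inside the certificate table after the PKCS#7 blob change the file’s checksum without invalidating the signature, while a genuine rebuild changes the digest the signature covers (the “authentihash”). The following Python script is an added example, not code from this post or from any distributor it names; it computes both hashes for a PE file and measures the unhashed trailer. The `build_toy_pe()` fixture constructs only the headers the parser reads and is not a loadable executable, the stand-in certificate blob is a bare DER SEQUENCE rather than real SignedData, and the trailer measurement assumes the table holds a single DER structure, which is the normal layout. Whether the daily changes described above are rebuilds or trailer edits is not something the post establishes; this is how one would check.

```python
import hashlib
import struct
from typing import Optional, Tuple

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY


def _pe_offsets(data: bytes) -> Tuple[int, Optional[int], int, int]:
    """(checksum_off, security_dir_off or None, cert_table_off, cert_table_len) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 24                            # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                             # PE32
        n_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                           # PE32+
        n_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    checksum_off = opt + 64                        # same offset for PE32 and PE32+
    if struct.unpack_from("<I", data, n_dirs_off)[0] <= SECURITY_DIR:
        return checksum_off, None, 0, 0
    secdir_off = dirs_off + 8 * SECURITY_DIR
    cert_off, cert_len = struct.unpack_from("<II", data, secdir_off)   # file offset, not an RVA
    if cert_len and cert_off + cert_len > len(data):
        raise ValueError("certificate table runs past end of file")
    return checksum_off, secdir_off, cert_off, cert_len


def authentihash(data: bytes, algo: str = "sha256") -> str:
    """Digest of the bytes the Authenticode signature covers: the whole file minus the
    checksum field, the security directory entry and the certificate table.
    Simplification: sections are assumed to sit in file order."""
    checksum_off, secdir_off, cert_off, cert_len = _pe_offsets(data)
    h = hashlib.new(algo)
    h.update(data[:checksum_off])
    if secdir_off is None:
        h.update(data[checksum_off + 4:])
        return h.hexdigest()
    h.update(data[checksum_off + 4:secdir_off])
    if cert_len:
        h.update(data[secdir_off + 8:cert_off])
        h.update(data[cert_off + cert_len:])      # anything after the table is covered too
    else:
        h.update(data[secdir_off + 8:])
    return h.hexdigest()


def _der_total_length(buf: bytes) -> int:
    """Size of the outer DER SEQUENCE at buf[0], tag and length bytes included."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("certificate table does not start with a DER SEQUENCE")
    if buf[1] < 0x80:
        return 2 + buf[1]
    n = buf[1] & 0x7F
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def triage(data: bytes) -> dict:
    """Whole-file hash versus the hash the signature pins down, plus unhashed trailer size."""
    _, _, cert_off, cert_len = _pe_offsets(data)
    info = {"file_sha256": hashlib.sha256(data).hexdigest(),   # moves if any byte moves
            "authentihash": authentihash(data),                # moves only if signed bytes move
            "signed": bool(cert_len), "unhashed_trailer_bytes": 0}
    if cert_len:
        # Bytes after the PKCS#7 blob but inside the table are not hashed; a few
        # bytes of 8-byte alignment padding are normal, kilobytes are not.
        blob = data[cert_off + 8:cert_off + cert_len]
        info["unhashed_trailer_bytes"] = len(blob) - _der_total_length(blob)
    return info


TOY_CERT = b"\x30\x03\x02\x01\x05"   # constructed stand-in for a PKCS#7 SignedData blob


def build_toy_pe(payload: bytes, cert_der: Optional[bytes], pad: int = 0) -> bytes:
    """Constructed fixture with only the headers the parser reads; not a loadable executable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 96 + 16 * 8                                  # PE32 with 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x102)
    body_off = e_lfanew + 4 + 20 + opt_size
    table = b""
    if cert_der is not None:                                # WIN_CERTIFICATE: length, revision, type
        table = struct.pack("<IHH", 8 + len(cert_der) + pad, 0x200, 0x0002) + cert_der + b"\0" * pad
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)
    struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, body_off + len(payload) if table else 0, len(table))
    return dos + b"PE\0\0" + coff + bytes(opt) + payload + table


if __name__ == "__main__":
    import sys
    sample = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_toy_pe(b"installer code", TOY_CERT, pad=32)
    for key, value in triage(sample).items():
        print(f"{key}: {value}")
```

Run it against two consecutive days’ installers: if `file_sha256` differs but `authentihash` matches, the signed code is identical and only the unsigned trailer moved; if `authentihash` differs, the distributor really did sign a new build that day. Either way the script says nothing about whether the code is clean, which is the post’s point.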

Lokesh Kumar
K7 TCL

Of One Time Passwords and Empty Bank Accounts!

Thursday, June 9th, 2011

Recently we received an email from the RBI (Reserve Bank of India), or so it claims, regarding a ‘One Time Password’ registration. It ended up in the spam folder. Let us see why.

Here is the email in question:

  • The sender address of this email (highlighted green) is at ‘rbi.org.in’, which is not suspicious in itself but is probably spoofed: the From header can be set to anything by whoever sends the mail.
  • It tells us to ignore any warning (highlighted red) that the email client might give. This is suspicious.
  • The attachment (highlighted cyan) has a double extension. This is clearly suspicious.

There is even a tail-piece of advice to ‘Beware of Phishing’ to make the user feel good about the message. After all, no thief warns you about impending thievery, right? Wrong!

Once you download and open the attachment you are directed to the following page:

This looks like a normal RBI page. But a closer look at the address reveals that this is not an RBI page. It is a login page, but it is not secure: it is served over plain http, not https. The page is cleverly constructed. Only the ‘Login ID’ and ‘Password’ fields are custom-made; the rest is ‘borrowed’ from the actual RBI site, so clicking on any of the menu items would still take you to the genuine RBI page.

Let us check what is inside the attachment:

This URL has quite a number of sub-domains (greyed out for security reasons), none of which is even remotely related to the RBI. This is highly suspicious. Double-clicking on the attachment takes you to the page shown above, which masquerades as a bona fide RBI site.

Let us start filling in the form with some fake details:

Once you fill in the details and click next you will be taken to the following page wherein you’ll be asked to fill in your transaction password and mobile number:

Once you click submit, it displays a message that the registration was successful. But no password registration was actually performed during the entire exercise. The mail states that an additional password is to be created, which never happened here; any genuine system creating a new password would ask you to confirm it, which this one did not. Hence this is a clear attempt to phish out confidential details.

The network captures of the above exercise show the user name and password being sent over the Internet in plain text:

Your bank would never send your banking credentials in plain text; they are always sent over an encrypted (https) connection.

At the time of writing the attack domain was still live. Even though URL filtering and phishing heuristics thwart many of these attempts, the defence against such social engineering attacks still rests largely with the user. Please read through one of our earlier entries to find out how to recognize and stay away from phishing scams – ‘Teach a Man to Anti-Phish’.
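The three tells above (a sender domain that does not match where the mail really came from, an attachment with a double extension, and a redirect to a host that merely contains the bank’s name) can be checked mechanically. The Python script below is an added example, not code from this post; it parses a raw message with the standard library, compares the header sender with the envelope sender, flags double-extension attachments, and pulls the redirect target out of an HTML attachment so the host can be inspected. The message embedded in it is constructed for the example and is not the mail K7 received; its hosts, addresses and the `.test` domains are placeholders.

```python
import email
import re
from email import policy
from urllib.parse import urlsplit

# Constructed sample, not the real mail: a double-extension .html attachment that
# bounces the reader to a look-alike host over plain http.
SAMPLE_EML = b"""\
Return-Path: <bounce@mailer.example-hosting.test>
From: "Reserve Bank of India" <alerts@rbi.org.in>
To: victim@example.test
Subject: One Time Password Registration
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please ignore any warning shown by your email client and open the attachment.
Beware of phishing.
--b1
Content-Type: text/html; name="OTP-Registration.pdf.html"
Content-Disposition: attachment; filename="OTP-Registration.pdf.html"

<html><head>
<meta http-equiv="refresh" content="0;url=http://rbi.org.in.secure-login.otp.example-hosting.test/reg/">
</head><body>Redirecting...</body></html>
--b1--
"""

DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|jpg|png|txt)\.(html?|exe|scr|js|vbs)$", re.I)
REFRESH_URL = re.compile(r'url\s*=\s*["\']?([^"\'>\s]+)', re.I)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address header value, '' if there is none."""
    _, _, dom = addr.rpartition("@")
    return dom.strip("<> ").lower()


def extract_redirects(html: str) -> list:
    """Targets of <meta http-equiv=refresh> tags and of JavaScript location assignments."""
    urls = REFRESH_URL.findall(html)
    urls += re.findall(r'location(?:\.href)?\s*=\s*["\']([^"\']+)', html, re.I)
    return urls


def triage_message(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = _domain(msg.get("From", ""))
    envelope_dom = _domain(msg.get("Return-Path", ""))
    # A mismatch does not prove spoofing (bulk mailers exist), but it is the first check.
    if envelope_dom and envelope_dom != from_dom and not envelope_dom.endswith("." + from_dom):
        findings.append(f"header From domain {from_dom!r} differs from envelope sender {envelope_dom!r}")
    urls = []
    for part in msg.walk():
        name = part.get_filename()
        if name and DOUBLE_EXT.search(name):
            findings.append(f"attachment {name!r} has a double extension")
        if name and part.get_content_type() == "text/html":
            urls += extract_redirects(part.get_content())
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme.lower() != "https":
            findings.append(f"redirect target {host!r} is reached over {parts.scheme}, not https")
        if from_dom and from_dom in host and host != from_dom and not host.endswith("." + from_dom):
            findings.append(f"{from_dom!r} appears inside {host!r} but is not its registered domain")
        labels = host.split(".")
        if len(labels) >= 5:
            findings.append(f"{host!r} is {len(labels)} labels deep")
    return {"from_domain": from_dom, "redirect_urls": urls, "findings": findings}


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EML
    report = triage_message(raw)
    print("From domain:", report["from_domain"])
    for finding in report["findings"]:
        print(" -", finding)
```

Feed it a saved `.eml` file; on the constructed sample it reports five findings, which is four more than a genuine bank mail should produce.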

Kaarthik R.M
K7 TCL

Malware Authors Pusk Their Luck

Friday, May 27th, 2011

Malware authors have long realized that scare tactics to rip people off work. Why waste time finding a new vulnerability to spread malware when you can scare people into downloading and running it? For a while now, fake anti-virus malware has been one of the top revenue generators for malware authors.

Lately, however, users have become vigilant towards such fraudulent security tools and simply ignore the spurious warnings. The malware authors have realized this and upped their game, changing the scareware reports from virus infections to hard drive failures.

Over the last month, K7TCL has noticed a steady rise in the number of samples arriving with the name “pusk.exe” from various sources. Closer analysis of one sample revealed a fake disk diagnostic tool. On installation the malware displays the following message:

The malware then goes on to display fake disk diagnosis messages:

It’s no surprise that when users click the “Fix Errors” button, they see the message below:

These samples are detected generically as “Trojan (0026b5241)”.

Lokesh Kumar
K7TCL

When searches have been laden with malware

Saturday, May 14th, 2011

Miscreants are always geared up to start a new wave of spam and malware campaigns. When a sensational event occurs, users go searching for news on it, making it easy for the criminals to do what they do best.

Case in point: last week saw the Internet abuzz with news of Osama Bin Laden’s death. Some research into users’ search behaviour on Google Trends revealed that the most searched keyword was “Osama” and that the most searches came from the United States.

Second on the list was India, with Tamil Nadu leading the way, closely followed by Karnataka.

The bad guys tried to capitalize on this news by poisoning search results and spreading malware and spam. They set up fake videos, Facebook wall posts and websites, all claiming to reveal “exclusive” information on the death of Al-Qaeda’s top man, to draw potential victims into their trap.

Of the approximately 100,000 videos uploaded to YouTube to date with the keyword “Osama”, around 23,000 were uploaded in the past week alone.

Also, around 1,300 websites relating to Osama’s death were registered in the first three days after the news emerged.

Among these newly registered websites, the largest number of registrations was made with the registrar “1 & 1 Internet AG”, followed by namecheap.com.

Queries on domain reputation sites such as www.malwareurl.com indicate that sites registered through both registrars have spread exploits and spam before.

Lokesh Kumar
K7 TCL

.in/stinct Is Not Enough

Friday, April 29th, 2011

Top-level domains (TLDs) are the suffixes attached to domain names on the Internet. A site ending in .com, for example, is meant for commercial use. Similarly, country-code top-level domains (ccTLDs) are meant to denote the country a website originates from. A site ending in “.in”, for example, is meant for websites from India.

However, lenient ccTLD registration rules mean this is not always the case. Using a ccTLD for purposes other than indicating the origin country has been popular for a while now. For example, “.fm” is the ccTLD assigned to the Federated States of Micronesia, but “.fm” is also an abbreviation for “frequency modulation” and is commonly used by radio websites which have nothing to do with Micronesia. Similarly “.in”, the ccTLD for India, could also be read as “Internet” or “international”. When it comes to registering names under a ccTLD, the cloud is the limit: websites like “icome.in/peace” and “rest.in/peace”, for example, don’t just read well but are easy for potential customers to remember. Apart from this, .in domains are relatively cheap to register compared with many other ccTLDs.

While such use of ccTLDs has its advantages, it also has disadvantages. The number of ccTLD domains used by malware authors and spammers to lure victims to their sites is steadily rising. A simple query on malwareurl.com for malicious sites under the “.in” ccTLD returned a significant number of hits, as shown below:

Although none of the sites above is active any more, a closer look reveals that they all resolved to the same IP address and spread the same malware.

Users ought to be aware that a site whose domain suggests one country may well be registered and hosted from another. Simple networking tools such as whois will reveal who registered a domain, and a DNS lookup will show where it actually resolves. The INRegistry tightening its registration rules should also help to significantly reduce the amount of spam and malware originating from this ccTLD.

Lokesh Kumar
K7TCL

You’ve Been iFramed

Friday, April 8th, 2011

There is nothing surprising about compromised web servers dishing out an iframe which redirects users to a potentially malicious site. K7TCL recently came across one such site, belonging to the Indian government, which is currently injected with a malicious iframe.

Analyzing the contents of the iframe reveals that it redirects users to urinoor.com.

A quick whois on this domain shows that it is registered to a user called “saamfoster”, who is infamous for registering other sites that implement “drive-by” exploits and use social engineering to get users to install malware disguised as a video codec or an anti-virus package.

Although the infiltration vector on the government site is unknown, what is known is that the website referenced by the iframe has been down for a while. This, however, doesn’t mean that the threat has been neutralized: many a time we have seen old domains spring back to life and start spreading malware all over again. The site administrator not only needs to ensure that the malicious iframe is completely removed, but also that the infiltration vector is investigated thoroughly and fixed; otherwise the iframe will simply be re-injected.

K7TCL attempted to contact the site administrator but our efforts were in vain.
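An administrator who wants to confirm that the clean-up is complete, or to catch the next injection early, needs a way to list every iframe on a page and single out the ones that do not belong. Injected frames almost always share two properties: the source is on a domain the site does not own, and the frame is styled to be invisible (zero or one-pixel dimensions, `display:none`, `visibility:hidden`, or an off-screen position on the frame or on an element enclosing it). The Python scanner below is an added example, not code from this post and not tied to the site it describes; the HTML it scans is constructed for the example, and the owned-domain allowlist with the `example.gov.in` placeholder is an assumption to be replaced with the real site’s domains.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed page, not the real one: one legitimate embed, one injected frame, one relative frame.
SAMPLE_HTML = """
<html><body>
<h1>Department notices</h1>
<iframe src="https://maps.example.gov.in/embed?id=12" width="600" height="400"></iframe>
<div style="position:absolute;top:-9999px">
<iframe src="http://updates.example-attacker.test/in.php" width="1" height="1" style="visibility:hidden"></iframe>
</div>
<iframe src="/forms/feedback.html" frameborder="0"></iframe>
</body></html>
"""

HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|top\s*:\s*-\d{3,}|left\s*:\s*-\d{3,}", re.I)
VOID_TAGS = {"br", "img", "meta", "link", "input", "hr", "area", "base", "col", "source"}


def _tiny(value) -> bool:
    """True for width/height attributes of 0 or 1 (with or without a px unit)."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1


class IframeCollector(HTMLParser):
    """Records each <iframe> with whether it, or any enclosing element, is styled invisible."""

    def __init__(self):
        super().__init__()
        self.frames = []
        self._hidden_stack = []   # one entry per open element: is its own style a hiding one?

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden_here = bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if tag == "iframe":
            self.frames.append({
                "src": a.get("src") or "",
                "hidden": hidden_here or any(self._hidden_stack)
                          or _tiny(a.get("width")) or _tiny(a.get("height")),
            })
        elif tag not in VOID_TAGS:
            self._hidden_stack.append(hidden_here)

    def handle_endtag(self, tag):
        # Assumes reasonably well-formed markup; badly unbalanced tags would skew the stack.
        if tag != "iframe" and tag not in VOID_TAGS and self._hidden_stack:
            self._hidden_stack.pop()


def scan_iframes(html: str, owned_domains) -> list:
    """One record per iframe; 'suspicious' is set when it is hidden or points off-site."""
    parser = IframeCollector()
    parser.feed(html)
    results = []
    for frame in parser.frames:
        host = (urlsplit(frame["src"]).hostname or "").lower()
        # Relative sources (no host) stay on-site; anything else must match an owned domain.
        off_site = bool(host) and not any(host == d or host.endswith("." + d) for d in owned_domains)
        results.append({**frame, "host": host, "off_site": off_site,
                        "suspicious": off_site or frame["hidden"]})
    return results


if __name__ == "__main__":
    import sys
    page = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HTML
    for r in scan_iframes(page, owned_domains={"example.gov.in"}):   # allowlist is an assumption
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} src={r['src']!r} hidden={r['hidden']} off_site={r['off_site']}")
```

Run it over the saved HTML of every page, not just the front page, and keep the output from a known-clean crawl so that a later run can be diffed against it; a frame that is hidden but on an owned domain still deserves a look, since the injected iframe could equally be pointed at a compromised page on the same server.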

Lokesh Kumar
K7TCL

Bugs in the Zodiac?

Friday, April 1st, 2011

Zodiac

Proactive protection is extremely important in the current threat landscape, where malware changes in less time than light takes to travel from the Sun to the Earth.

Along with robust static and dynamic proactive Anti-Virus protection, K7TCL is contemplating providing a unique, bespoke service to the individual based on complex astrological calculations which have evolved since Vedic times in India.

We are hoping to help answer questions such as “How likely am I to get infected now or in the future, and with what?”. The mathematical formulae involve asterisks, i.e. “stars”, geometric positions, and “signed” comparison operations on individual horoscope data.

K7TCL advice may include corrective steps to be taken to counter any warnings of impending doom. Even under these circumstances one ought not to panic as there is always room for one’s destiny to be what one makes of it.

In addition, given the nature of fatalistic heuristics, 100% accuracy cannot be guaranteed. Nevertheless, today, the 1st of April 2011, is a “good” day to let people know about some of the plans we are considering.

Credits:
Images courtesy of vedic-academy.com and paceywilliams.com

Samir Mody
Senior Manager K7TCL

Teach a Man to Anti-Phish

Tuesday, March 22nd, 2011

The increase in the number of internet users in India, and the concomitant rise in the number of people who bank via the internet have proved an irresistible temptation to cyber criminals bent on exploitation. There exist multiple phishing kits which specifically target Indian banks.

In a nutshell phishing is the criminal act of extracting sensitive information, usually related to financial activities, from users using social engineering techniques. These techniques include spam messages purporting to be from well-known banks, and imitation internet banking sites which bear a striking resemblance to the originals.

Let us compare some examples of fake internet banking sites with the original inspirations behind them to get an idea of how potent phishing attacks can be.

Example 1 (ICICIBank)

Fake page:

Legitimate page:

Example 2 (IDBI)

Fake page:

Legitimate page:

There are several steps that an internet banking user could take to mitigate the chances of being phished:

    1. Avoid emails, especially those which claim to be from a bank, perhaps not even your bank, which ask for sensitive information such as login details. No legitimate bank will ask for such details via email.

    2. When visiting an internet banking site, confirm that the registered domain, the part of the address immediately before “.com” or “.co.in”, is your bank’s name, i.e. the website address must be of the form:

    https://<your specific bank>.<com or co.in>/<rest of website address>

    The bank’s name appearing anywhere else in the address, as a sub-domain or after a slash, does not count.

    3. Ensure that the website address starts with the letters ‘https’, which means that transactions will be conducted over an encrypted connection.

    4. Ensure that a padlock icon is displayed by your browser, which confirms that the connection is secure. Note that the padlock only confirms that the connection to whichever site you are on is encrypted; it is step 2 that confirms the site is your bank’s.
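Step 2 is the one users most often get wrong, because an address such as `icicibank.com.secure-login.example.test` contains the bank’s name yet is not the bank, and `https://idbibank.co.in@203.0.113.7/` connects to the IP address, not to the bank. As an added example (not from this post or from any bank), the Python function below applies steps 2 and 3 mechanically: it extracts the registered domain of an address, treating India’s second-level registrations such as `co.in` and `net.in` as part of the suffix, checks it against the bank’s known domains, and requires https. The suffix table is a small constructed subset rather than the Public Suffix List, the bank domains are the two linked in the post, and the addresses in the demonstration are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed subset of public suffixes under which registrations happen one label
# deeper; a real deployment would load the Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.in", "net.in", "org.in", "firm.in", "gen.in", "ind.in", "co.uk", "com.au"}

# The bank domains the post links to; anything else is treated as not the bank.
BANK_DOMAINS = {"icicibank.com", "idbibank.co.in"}


def registered_domain(host: str) -> str:
    """The label the owner registered plus its suffix: 'inet.idbibank.co.in' -> 'idbibank.co.in'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_banking_url(url: str, bank_domains=BANK_DOMAINS) -> dict:
    """Steps 2 and 3 above: https, and the registered domain must be the bank's own."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    problems = []
    if parts.scheme.lower() != "https":
        problems.append("not https: anything you type travels in the clear")
    if parts.username or parts.password:
        # https://idbibank.co.in@203.0.113.7/ really connects to 203.0.113.7
        problems.append("address contains a user@ part that puts a fake name before the real host")
    if not host:
        problems.append("no host in address")
        reg = ""
    elif _is_ip_literal(host):
        problems.append("host is a raw IP address, not a bank's name")
        reg = host
    else:
        reg = registered_domain(host)
        if reg not in bank_domains:
            problems.append(f"registered domain is {reg!r}, which is not a known bank domain")
            if any(b.split(".")[0] in host for b in bank_domains):
                problems.append("the bank's name appears in the address, but not as its registered domain")
        if any(ord(c) > 127 for c in host) or any(label.startswith("xn--") for label in host.split(".")):
            problems.append("internationalised hostname: the letters may not be what they look like")
    return {"host": host, "registered_domain": reg, "ok": not problems, "problems": problems}


if __name__ == "__main__":
    # Constructed addresses for the demonstration; the first two are the banks' own.
    for url in ["https://www.icicibank.com/safe-help.html",
                "https://inet.idbibank.co.in/corp/web/L001/",
                "http://icicibank.com.secure-login.example.test/verify",
                "https://idbibank.co.in@203.0.113.7/login",
                "https://inet.idbibank.co.in.example.test/"]:
        result = check_banking_url(url)
        print("OK  " if result["ok"] else "BAD ", url)
        for problem in result["problems"]:
            print("      -", problem)
```

The function deliberately refuses anything it cannot positively match to a known bank domain rather than trying to enumerate bad patterns: an allowlist of the bank’s real domains is short, while the list of look-alikes is endless.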

There is further information provided by the banks themselves to help you counter phishing attacks:

http://www.icicibank.com/safe-help.html
http://www.icicibank.com/emailfraud.html
https://inet.idbibank.co.in/corp/web/L001/images/helpfile/safeinet/do’s&don’ts.html

In addition to user vigilance, K7 products provide robust in-built Anti-Phishing protection in the Anti-Virus products as well as in the SecureWeb product specifically designed for conducting safe and secure online transactions.

Be the one that got away!

Samir Mody
Senior Manager, K7TCL

They Write Bug Free Code, and the Virus is Complimentary

Friday, March 18th, 2011

We recently noticed that one of India’s biggest telecom service providers is currently serving an infected version of a modem application from its website. The application is infected with the notorious file infector “Sality”. While this is not the first time that a big player has served up an infected version of an application, it goes to show that software quality assurance is still not taken seriously enough.

Quality assurance in any organization should ensure not only that the code written is bug-free, but also that it is virus-free. Implementing simple security checks at each stage of the software release cycle would go a long way towards ensuring that virus-free software is delivered to users.

The build environment used to compile the source code, for example, should be secured and ideally isolated. There have been known cases where malware such as “Induc” infects the compiler’s own library files in the build environment, so that every executable compiled there comes out infected. This drives home the point that even an isolated environment still needs an Anti-Virus solution installed. Once the executable is compiled, it is imperative that it is checked for infection before release.

Additionally, the hosting environment used to serve the file to customers should have especially robust security practices in place. Submitting the file served by the telecom provider to VirusTotal shows that it is detected by almost all Anti-Virus vendors. This implies that either the server hosting the file has no Anti-Virus solution installed or, if it has one, the file was never scanned there or the product has been compromised.
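The build, scan and host stages described above have a simple enforcement point: record a digest of every artifact at the moment it passes the pre-release scan, and refuse to publish, or keep serving, any file whose digest no longer matches. A file infector such as Sality rewrites the executable it infects, so the mismatch surfaces wherever the infection happens, whether on the build machine, in transit or on the web server. The Python script below is an added example, not code from this post or from the provider it describes; it writes such a manifest, authenticates it with an HMAC so that a compromised download server cannot simply regenerate the record to match a tampered file, and checks a set of served files against it. The key, file names and file contents are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Dict

# Constructed key. In production it stays with the release team, never on the
# download server: a server that can re-sign the manifest can hide an infected file.
RELEASE_KEY = b"example-release-key-not-for-real-use"


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: Dict[str, bytes], key: bytes = RELEASE_KEY) -> str:
    """Record every artifact's SHA-256 right after the pre-release scan and authenticate the record."""
    entries = {name: digest(blob) for name, blob in sorted(artifacts.items())}
    body = json.dumps(entries, sort_keys=True, separators=(",", ":"))   # canonical form for the MAC
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"files": entries, "hmac": tag})


def verify_manifest(manifest: str, key: bytes = RELEASE_KEY) -> Dict[str, str]:
    """Return the recorded digests, refusing a manifest whose HMAC does not check out."""
    doc = json.loads(manifest)
    body = json.dumps(doc["files"], sort_keys=True, separators=(",", ":"))
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc.get("hmac", "")):
        raise ValueError("manifest HMAC mismatch: record altered or signed with another key")
    return doc["files"]


def verify_hosted(manifest: str, served: Dict[str, bytes], key: bytes = RELEASE_KEY) -> dict:
    """Compare what the web server is serving against the authenticated release record."""
    recorded = verify_manifest(manifest, key)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for name, expected in recorded.items():
        if name not in served:
            report["missing"].append(name)
        elif not hmac.compare_digest(digest(served[name]), expected):
            report["modified"].append(name)          # e.g. a file infector rewrote the executable
        else:
            report["ok"].append(name)
    # Nothing QA never scanned may be served, however harmless its name looks.
    report["unexpected"] = sorted(set(served) - set(recorded))
    report["publishable"] = not (report["modified"] or report["missing"] or report["unexpected"])
    return report


# Constructed release: these bytes stand in for the scanned installer contents.
SCANNED_RELEASE = {
    "modem-setup.exe": b"MZ... clean installer bytes ...",
    "readme.txt": b"Driver package 4.2\n",
}


def simulate_infection() -> dict:
    """Serve a copy in which the executable was modified after QA signed off."""
    manifest = build_manifest(SCANNED_RELEASE)
    served = dict(SCANNED_RELEASE)
    served["modem-setup.exe"] += b"<appended infector code>"
    served["extra-tool.exe"] = b"MZ... never scanned ..."
    return verify_hosted(manifest, served)


if __name__ == "__main__":
    print(json.dumps(verify_hosted(build_manifest(SCANNED_RELEASE), SCANNED_RELEASE), indent=2))
    print(json.dumps(simulate_infection(), indent=2))
```

Run `verify_hosted()` as a publish gate and again on a schedule against the files the web server actually returns (fetched as a customer would, not read from the local disk), so that a file swapped after deployment is noticed before customers notice it for you.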

Organisations which take their reputation seriously cannot afford to tarnish it by getting their customers infected, even unintentionally. K7TCL made several attempts to contact the organization in question, but they fell on deaf ears. The malicious file is still being served from their website.

Lokesh Kumar
K7 TCL