
Archive for the ‘Internet’ Category

You’ve Been iFramed

Friday, April 8th, 2011

There is nothing surprising about compromised web servers dishing out an iframe which redirects users to a potentially malicious site. K7TCL recently came across one such site which belongs to the Indian government and is currently injected with a malicious iframe.

Analyzing the contents of the iframe reveals that it redirects users to urinoor.com.

A quick whois on this site shows that it is registered to a user called “saamfoster”, who is infamous for registering other sites which implement “drive-by” exploits and use social engineering techniques to get users to install malware, disguised as a video codec or an anti-virus package.

Although the infiltration vector on the government site is unknown, what is known is that the website referenced by the iframe has been down for a while now. This, however, doesn’t mean that the threat has been neutralized. Many a time, we have seen old domains spring back to life and start spreading malware all over again. The site administrator not only needs to ensure that the malicious iframe is completely cleaned up, but also that the infiltration vector is investigated thoroughly, and fixed appropriately.

K7TCL attempted to contact the site administrator but our efforts were in vain.
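A first-pass check a site administrator could run over their own pages to spot the kind of injection described above: frames whose source is off-site, and frames hidden by zero size or CSS. This is an added example, not K7's code; the host example.gov.in and the frame sources are constructed placeholders.

```python
"""Flag suspicious <iframe> elements in fetched HTML: frames that point off-site
or are hidden (zero-size or CSS-hidden), the two traits of an injected redirect.
Added example, not K7's code; the site and frame hosts below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for the placeholder host example.gov.in: one legitimate
# same-site frame and one hidden frame injected to pull content from elsewhere.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="/widgets/calendar.html" width="300" height="200"></iframe>
<iframe src="http://redirect.example/in.php" width="0" height="0"
        style="visibility:hidden"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(attrs):
    """True if width or height is 0/1 pixel, a common way to keep a frame unseen."""
    try:
        w = int(attrs.get("width", "100").strip().rstrip("px"))
        h = int(attrs.get("height", "100").strip().rstrip("px"))
    except ValueError:          # percentages or other units: treat as visible
        return False
    return w <= 1 or h <= 1


def _hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style or _tiny(attrs)


def find_suspicious_iframes(html, page_host):
    """Return a list of findings for frames that are off-site and/or hidden."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname          # None for a relative src
        off_site = host is not None and host != page_host \
            and not host.endswith("." + page_host)
        hidden = _hidden(attrs)
        if off_site or hidden:
            findings.append({"src": src, "off_site": off_site, "hidden": hidden})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML, "example.gov.in"):
        print(finding)
```

A finding only says the frame deserves a look; as the post notes, removing the tag without finding the infiltration vector leaves the site open to re-injection.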

Lokesh Kumar
K7TCL

Bugs in the Zodiac?

Friday, April 1st, 2011

Zodiac

Proactive protection is extremely important in the current threat landscape where malware change faster than the time taken for light to travel from the Sun to Earth.

Along with robust static and dynamic proactive Anti-Virus protection, K7TCL is contemplating providing a unique, bespoke service to the individual based on complex astrological calculations which have evolved since Vedic times in India.

We are hoping to help answer questions such as “How likely am I to get infected now or in the future, and with what?”. The mathematical formulae involve asterisks, i.e. “stars”, geometric positions, and “signed” comparison operations on individual horoscope data.

K7TCL advice may include corrective steps to be taken to counter any warnings of impending doom. Even under these circumstances one ought not to panic as there is always room for one’s destiny to be what one makes of it.

In addition, given the nature of fatalistic heuristics, 100% accuracy cannot be guaranteed. Nevertheless, today, the 1st of April 2011, is a “good” day to let people know about some of the plans we are considering.

Credits:
Images courtesy of vedic-academy.com and paceywilliams.com

Samir Mody
Senior Manager K7TCL

Teach a Man to Anti-Phish

Tuesday, March 22nd, 2011

The increase in the number of internet users in India, and the concomitant rise in the number of people who bank via the internet have proved an irresistible temptation to cyber criminals bent on exploitation. There exist multiple phishing kits which specifically target Indian banks.

In a nutshell phishing is the criminal act of extracting sensitive information, usually related to financial activities, from users using social engineering techniques. These techniques include spam messages purporting to be from well-known banks, and imitation internet banking sites which bear a striking resemblance to the originals.

Let us compare some examples of fake internet banking sites with the original inspirations behind them to get an idea of how potent phishing attacks can be.

Example 1 (ICICIBank)

Fake page:

Legitimate page:

Example 2 (IDBI)

Fake page:

Legitimate page:

There are several steps that an internet banking user could take to mitigate the chances of being phished:

    1. Avoid emails, especially those which claim to be from a bank, perhaps not even your bank, which ask for sensitive information such as login details. No legitimate bank will ask for such details via email.

    2. When visiting an internet banking site, confirm that the main part of the website address conforms to your bank’s name, e.g. the website address must be of the form:

    https://<your specific bank>.<com or co.in>/<rest of website address>

    3. Ensure that the website address starts with the letters ‘https’, which means that transactions will be conducted over a secure connection.

    4. Ensure that a padlock icon is displayed by your browser, which confirms that the connection is secure.

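Rules 2 and 3 above can be turned into a mechanical check of an address before it is trusted. The following is an added example, not K7's code: it takes the two bank domains mentioned on this page as the trusted list (a real list is whatever banks the reader actually uses), handles the two-label suffix co.in that the rule mentions, and also rejects a few address tricks the rules do not spell out (a user@host prefix, a raw IP address, and a punycode host).

```python
"""Check an internet-banking address against the rules above: https only, and
the registrable part of the host must be the bank's own domain.
Added example, not K7's code; TRUSTED_BANKS is illustrative."""
from urllib.parse import urlsplit

# Registrable domain -> bank name. The two entries are the banks named on this
# page; a reader's own list would contain the banks they use.
TRUSTED_BANKS = {"icicibank.com": "ICICI Bank", "idbibank.co.in": "IDBI Bank"}

# Public suffixes that take two labels, so the registrable name needs three.
TWO_LABEL_SUFFIXES = {"co.in", "net.in", "org.in", "co.uk"}


def registrable_domain(host):
    """'inet.idbibank.co.in' -> 'idbibank.co.in'; 'www.icicibank.com' -> 'icicibank.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_banking_url(url):
    """Return (ok, reason). ok is True only when every rule passes."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, "not https (rule 3)"
    if "@" in parts.netloc:
        # 'https://icicibank.com@other.host/' really connects to other.host
        return False, "user@host prefix: the real host is after the '@'"
    host = parts.hostname or ""
    if not host:
        return False, "no host in address"
    if host.replace(".", "").isdigit():
        return False, "raw IP address instead of the bank's name (rule 2)"
    if host.startswith("xn--") or ".xn--" in host:
        return False, "punycode host, possible look-alike characters"
    domain = registrable_domain(host)
    if domain not in TRUSTED_BANKS:
        return False, f"'{domain}' is not a known bank domain (rule 2)"
    return True, TRUSTED_BANKS[domain]


if __name__ == "__main__":
    for u in ("https://www.icicibank.com/safe-help.html",
              "https://www.icicibank.com.secure-login.example/"):
        print(u, check_banking_url(u))
```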
There is further information provided by the banks themselves to help you counter phishing attacks:

http://www.icicibank.com/safe-help.html
http://www.icicibank.com/emailfraud.html
https://inet.idbibank.co.in/corp/web/L001/images/helpfile/safeinet/do’s&don’ts.html

In addition to user vigilance, K7 products provide robust in-built Anti-Phishing protection in the Anti-Virus products as well as in the SecureWeb product specifically designed for conducting safe and secure online transactions.

Be the one that got away!

Samir Mody
Senior Manager, K7TCL

They Write Bug Free Code, and the Virus is Complimentary

Friday, March 18th, 2011

We recently noticed that one of India’s biggest telecom service providers is currently serving up an infected version of a modem application on its website. This application is infected with a notorious file infector named “Sality”. While this is not the first time that a big player in the software market has served up an infected version of an application, it simply goes to prove that good software quality assurance is still not taken seriously.

Quality assurance as a function in any organization should ensure not only that the code written is bug free, but also that it is virus free. Implementing simple security protocols during the different stages of a software release cycle would go a long way in ensuring that virus-free software is provided to potential users.

The build environment used to compile the source code, for example, should be secure and could be isolated. There have been known cases where malware such as “Induc” infects the source code, which in turn produces infected executables. This drives home the point that even an isolated environment still needs an Anti-Virus solution installed. Once the executable is compiled, it is imperative that it is checked for any malware infections before release.

Additionally, the hosting environment used to serve the file to the customers should especially have beefed up security practices in place. Submitting the file served by the telecom service provider to Virustotal shows that the file is detected by almost all Anti-Virus vendors. This could imply that either the server hosting the file doesn’t have any Anti-Virus solution installed, or if one is, the product could have been compromised.

Organisations which take their reputation seriously cannot afford to tarnish it by getting their customers infected, even if it were unintentional. Several attempts were made by K7TCL to contact the organization in question, but they fell on deaf ears. The malicious file is still being served on their website.

Lokesh Kumar
K7 TCL

Let Cricket Fever be the Only Infection You Contract

Thursday, February 3rd, 2011

It is no shocking news that cricket fans all over the world are gearing up for the upcoming ICC Cricket World Cup 2011. Apart from the sporting venue, there is one major difference between this world cup and the previous one – cyber technology has come a long way. For example, social networking sites which enable instant exchange of information, and video streaming sites which enable live streaming of events, have now become extremely popular.


Needless to say, millions of cricket fanatic Indians, in the hope of catching their favourite demigod – Sachin Tendulkar in action, will search for sites streaming the cricket match live. Innocent users need to be aware that, unfortunately, malware authors could lure you into fishing outside your off stump. They may attempt to install what purports to be a “video codec” to begin watching the stream, but this turns out to be a mechanism to deliver malware.

Malware authors can also be found attempting to spam users on social networking sites such as Facebook. Such spammed messages could eventually be used to distribute malicious code, disguised as an application intended to provide live score feeds, post match discussions, etc. Such malware could steal the user’s personal information from his/her computer.

We aren’t dissuading users from using social networking sites or watching cricket on the Internet. Rather, we are simply advising users to exercise caution while doing so, and to keep their Anti-Virus software up-to-date. If users come across such malicious applications or sites distributing malware, please feel free to send them to K7 Computing’s Threat Control Lab for further analysis.

Credits:
Images courtesy of 87pestspray.com, wikipedia.com

Lokesh Kumar
K7TCL

A Love-Hate Relationship

Friday, January 21st, 2011


Think of the movie Mr. & Mrs. Smith and the first thing that comes to your mind is probably the love-hate relationship the protagonists share. When things are good, they experience a functional marriage, to say the least. But when things aren’t, they go to great lengths to attempt to kill each other, any chance they get. Malware are no different in this aspect. Under favourable conditions they work in harmony on the computer, sharing its resources, stealing data and proliferating while staying undetected the whole time. However, when a reversal of fortune occurs, the malware don’t just destroy each other, they often end up causing serious damage to the host computer too.

There are several examples of symbiotic relationships, both intentional and inadvertent. A file infector like Virut could inadvertently gain worm-like capabilities when it infects an auto-run malware, and start spreading through removable media. A keylogger with an existing detection by an anti virus vendor, if infected with a new variant of another file infector such as Sality, could now go undetected, and start logging away keystrokes again. There have been horror stories in the past involving an ancient network worm getting infected with Sality, such that Sality gains network-spreading capabilities, whilst the erstwhile network worm gains camouflage. In terms of planned partnerships malware toolkits like SpyEye have now combined with the Zeus toolkit to deliver an even more deadly concoction of malware.

On the flip side malware relationships, regardless of specific intent, can turn antagonistic. For example, a file infected with two entirely different file infectors, such as Sality and Virut, could end up not just corrupting the original file, but could also expose a previously undetected layer of one malware component to Anti-Virus detection due to an extant detection of its accidental partner. Many malware of yesteryear ended up being detected even before they left their creators’ computer because they unknowingly had a Parite (an old-school file infector) wrapper. Sometimes the mutual hatred between malware can be made explicit, as was the case in 2004 when the authors of the email worms Netsky, Mydoom and Beagle vied for supremacy in the global prevalence stakes by attempting to uninstall each other on the victim’s computer.

Where do these malware relationships leave the poor victims and their avowed protector, the Anti-Virus industry? Well, the scenario where a would-be-undetected piece of malware is compromised by a detected file infector can be seen as a positive result. However, the overall implications of malware relationships are generally negative for the security industry. As mentioned earlier malware can combine to corrupt an original host file, or render each other undetected, or provide each other with new malicious powers. The end result could be severe complications in the subsequent detection, cleanup and disinfection procedures. An unpalatable scenario indeed. As ever we recommend keeping your computer patched and up-to-date with Anti-Virus data to reduce the chances of it becoming a malware speed-dating and shaadi venue.

Credits:
The love-hate image courtesy of geeks.pirillo.com

Lokesh Kumar
K7TCL

Perestroika in the Malware World?

Friday, January 14th, 2011

In a consumer economy where the customer is king, we often find that product material is tailor-made for a target market. Even a good product could fail to impress if the information available on it is not effectively communicated. The Internet is no different in this respect. For example, most consumer websites redirect a user to a localised version of the site, based on the visitor’s geographic location.

Malware authors have been quick to implement this idea in their social engineering techniques. It is now common to see spam and malicious sites use local languages to spread regional malware. Some drive-by downloads, for example, deliver custom malware based on the user’s geo-location.

However some malware authors do not bother to make the extra effort. At K7TCL we recently saw an example of ransomware which appears to have come from Russia. The malware holds the computer to ransom by locking the user out. Access to the computer is denied until the victim enters a serial number, which needs to be requested from the attacker for a price. Shown below is the screenshot of the ransom message:

The point is that though the sample was accessed from an IP address originating from India, and from a site serving English content, the malware displays the ransom message in Cyrillic text. Most non-Russians are unlikely to be able to understand the ransom message, and will not even be able to decipher the text using online tools since the machine is locked out.

How does one resolve this situation? One solution could be to consult a Russian friend, and have sufficient funds in your bank account. A far better solution would be to use up-to-date Anti-Virus software. Detection and cleaning for this malware is available in K7 Total Security as Riskware (0015e4f01).

Lokesh Kumar
Collection Manager, K7TCL

A Perl of Wisdom

Friday, January 7th, 2011

It is no secret that over the last few years complicated malware have been on the rise. Authors of such malware make a great effort to ensure that their code and its associated payload remain hidden on the infected machine. Stuxnet, for example, was the first malware to include a Programmable Logic Controller rootkit, and had the capability to hide its changes via reprogramming the PLC. Complex malware have become so common that we forget it is still possible to write really simple malware capable of doing as much damage as a complicated one.

Last week we at the K7 Threat Control Lab (K7TCL) spotted one such malware. It is a very simple Perl script converted into a Windows executable using perl2exe. When executed, the malware collects documents from the infected machine and uploads them to the author’s FTP site. Perhaps not as impressive as Stuxnet, but it does the business.

Decompiling the executable gives us the perl script and the user credentials used to upload the stolen files. Just out of curiosity I decided to follow the malware trail back to the FTP site, and I was in for quite a surprise. The FTP site was not just full of stolen documents, but some came from what appeared to be world renowned financial institutions.

This malware is detected by K7 Security products as Trojan (001ECA471). Such malware spread using social engineering techniques, masquerading as something beneficial. Distribution channels tend to include IRC, peer-to-peer networks, newsgroup postings, email, etc. Users are advised to exercise caution while downloading files from untrusted sources.

Lokesh Kumar
Collection Manager, K7TCL

Old style Email Worm spreading rapidly

Saturday, September 11th, 2010

In something of a blast from the past, an email borne worm has been sighted spreading around the internet.

Although we’ve not seen too many actual attacks from this, it’s been widely reported in the media, perhaps as it’s quite a novelty these days to see a worm spreading in this way.

It spreads itself as an executable attached to email, disguised as a PDF file. When executed, it attempts to download other malicious files onto the victim machine, and drops some files in an attempt to let the worm spread via autorun.

K7 Total Security detects this worm as “Emailworm (0019e4ae1)” (yeah, it’s that uninteresting!)

Full information is here:

http://viruslab.k7computing.com/index.php?option=com_k7virus&view=showvirus&Itemid=1&id=818

If you’re interested in more, Dan Goodin has written a short piece about the worm on The Register http://www.theregister.co.uk/2010/09/10/email_worm_spreading/

Andrew Lee
CTO K7 Computing


Did Malware cause an Air Disaster?

Saturday, August 28th, 2010

A recent report on an air crash that happened in Spain prompted several articles that seemed to imply that a computer infected with Malware contributed to, or caused the disaster – most of these reports arose after the publication of this article (translated from Spanish via Google Translate): http://translate.google.com/translate?js=y&prev=_t&hl=en&ie=UTF-8&layout=1&eotf=1&u=http://www.elpais.com/articulo/espana/ordenador/Spanair/anotaba/fallos/aviones/tenia/virus/elpepuesp/20100820elpepinac_11/Tes&sl=es&tl=en

Subsequently, the news got even more sensationalised and less accurate, for example in this Gizmodo article (http://gizmodo.com/5618287/malware-blamed-for-disastrous-plane-crash) that seems to lay most of the blame on a malware infection and fails to mention any of the more serious problems leading to the disaster.

Such sensational news is of course interesting to security professionals, particularly those of us working in the Anti-malware industry, and has prompted a lot of debate and investigation behind the scenes.

So what’s the real story? Did malware crash a plane? No, not even close. The reality is much more mundane, though still has worrying aspects (that I’ll discuss shortly).

One of the best articles (that shows that some journalists still go and look up the original sources) was this piece by Ed Bott (http://www.zdnet.com/blog/bott/fact-check-malware-did-not-bring-down-a-passenger-jet/2354). He carefully points out that the malware in question was on a ground based maintenance system (a long way from the aircraft when it crashed), that the MD-80 aircraft that crashed (not an Airbus A320 as some incorrect reports stated) is not a computerised aircraft (and therefore couldn’t be infected with malware anyway), and that the mechanics were actually still entering their maintenance report on the infected system at the time of the crash.

Another well reasoned article (though it does have some inaccuracies – the TOWS system was never infected) was this by Bow Sineath (http://www.secureworks.com/research/blog/index.php/2010/08/23/malware-and-the-failure-of-aircraft-systems/). This points out that the correct take-off configuration for the aircraft was not in place because of a failure of the Take-off Warning System (TOWS), which tells the pilots whether the flaps are correctly deployed (and whether other important parts of the take-off configuration are in place). And this brings us to the real cause of the accident: the pilots had not checked that they had deployed the flaps correctly, which is essential to a correct take-off configuration.

Anyone who flies regularly will have seen the way that the flaps extend from the wings of aircraft on take-off and landing; this is to provide the necessary lift to let the aircraft gain the air on take-off (and keep it from falling too rapidly on descent). Without the flaps extended, the aircraft could not gain enough lift to take off correctly and therefore crashed, with the resultant tragic loss of life. This is very much a human error story, with an added coincidence of an incorrectly maintained computer system.

Much more significant than any malware infection was the separate failure, unrelated to the malware infection, of the TOWS alerting system. Bow’s article above explains that this is a known problem with MD-80 aircraft, and the fact that the failure had occurred three times before should have raised an alert. This is where the malware comes in: the maintenance system was working slowly because of the Trojan infection, which meant that the mechanics didn’t enter the reports in a timely manner, so the necessary alerts weren’t given. It does not excuse, nor explain, the pilots’ failure to correctly and completely follow their paper checklist. The failure of the TOWS system meant that the pilots (who did not correctly follow take-off procedures) were not alerted when they did not set the correct take-off configuration, and this most serious error led to the aircraft’s demise. All the configuration systems on aircraft are backed up by manually followed paper checklists. Unfortunately, routine is not easy for humans, and it seems that the pilots simply lapsed in following their checklist (which is exactly what the TOWS system is there to alert them to); it sadly happened at a time when the backup system (an audible alert) wasn’t functioning correctly.

So, did malware cause the air disaster? No, not at all; but as is often the case, some parts of the media don’t like the facts to get in the way of a good story. Malware is frequently sensationalised, and “Pilot error causes Plane Crash” isn’t as exciting a headline as “Malware Blamed for Disastrous Plane Crash”, although the results are just as tragic.

No one can deny that, as the world becomes more and more reliant on computers, malware will continue to be a big problem, or that computers used in critical systems such as control of aircraft, life support, nuclear reactors etc. are particularly likely to give rise to disastrous situations if they get infected. However, the reality is that by far and away the greatest proportion of malware is written for criminal gain, such as credit card fraud, and is targeted at systems that are widely used (such as Windows or Macs), because that is where the gains are to be made.

Far from worrying whether malware might bring down your plane on your next flight, you should rather ensure that your own computer system isn’t leaking critical information like your banking details or your personal data. The best way to do that is to ensure you keep it well maintained with the latest security patches from vendors like Microsoft and Adobe, and that you run robust and updated anti-virus, such as K7 TotalSecurity, and if you’re using online banking or sites that require you to enter your financial information, consider using a secured browser like K7 SecureWeb.

Andrew Lee
CTO K7 Computing.