
Archive for the ‘Personally speaking’ Category

Assemble to Witness the Fight Against Ransomware at AVAR 2015!

Friday, November 6th, 2015

Samir Mody and Gregory Panakkal, our lead innovators in matters of proactive security, will be showcasing a generic anti-ransomware model at the 2015 AVAR Conference in Danang, Vietnam. Their talk is to be held on Dec 4th at 10:00 AM.

The duo had recently demonstrated the concept at the VB International Conference held earlier this year in Prague, Czech Republic. They will follow it up with “Fighting Back Against and Defeating Destructive Ransomware”. The overall objective of this proof-of-concept is to demonstrate a solution to generically detect a multitude of ransomware patterns, including samples later contributed by attendees at the VB 2015 conference.

The presentation at AVAR 2015 hopes to exhibit post-R&D enhancements to the prototype based on the audience feedback from the launch at the VB 2015 conference.

So, be there in the city of Danang, Vietnam on 4th Dec 2015 for the AVAR 2015 Conference, and witness the fight against ransomware.

Archana Sangili, Content Writer

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

K7 Threat Control Lab has a Dedicated Vulnerability Research Team

Thursday, October 29th, 2015

“There are only two kinds of companies in the world: those that know they’ve been hacked, and those that have been hacked and don’t yet know it.”

The above is a modern IT security adage. Gone are the days when the bad guys simply wrote viruses for fun and fame. Modern threat actors do some really nasty things for profit: from stealing money and intellectual property to identity theft and denial of service attacks, not to mention state-sponsored espionage (typically referred to as APT or “Advanced Persistent Threat”), etc.

Modern malware delivery mechanisms, silent and deadly, rely heavily on the exploitation of vulnerabilities in OS software, e.g. Internet Explorer, and in popular applications, e.g. Microsoft Word, Firefox and Chrome, Adobe Reader or Flash, Java, etc. In order to maintain an adequate security posture it is critical to remain on top of such issues, advising on the application of security updates to fix vulnerabilities, and to fully understand the scope of exploits and potential vulnerabilities. According to a recent survey most companies believe that their network will be hacked in 2015. The data breach map shows the organizations affected by data breaches since 2006.

At K7 our motto is to protect people and corporate information systems from the bad guys. K7’s products and our K7 Threat Control Lab have always endeavoured to protect users from exploitation, but we would like to take our vulnerability response a few notches higher, an enhancement of the K7 armour. We recently set up a dedicated Vulnerability Research team to tackle the complex problems posed by modern threat actors.

The objective of this team is to protect K7 customers with respect to the security triangle: the pre, current and post security environment. These are elaborated upon briefly thus:

  • The pre: Protect customer information systems by conducting comprehensive security assessments – both for servers and applications. Tighten the security posture by performing security hardening.
  • The current: Perform research on known 0-day exploits, hunt for new vulnerabilities and conduct in-depth research on Advanced Persistent Threats.
  • The post: Conduct computer security forensics after a breach has been detected. Determine the What, Where, When, How and Who of the security investigation.

We would, of course, need to constantly evolve our capabilities in combating new threats. Expect more topics, content and blogs from this new team.

Samir Mody, Senior Manager, K7TCL
Senthil Velan, Manager, Vulnerability Research

K7 Computing’s Security Alpha Geeks Introduce Generic Anti-Ransomware Prototype at VB Conference 2015

Friday, October 9th, 2015

So last week, Samir Mody and Gregory Panakkal, security experts from K7 Computing, showcased a generic anti-ransomware framework at this year’s Virus Bulletin International Conference. It drew an excited crowd of fellow security enthusiasts in Prague, Czech Republic, where the conference was held, to hear the duo talk about this prototype.

The presentation focused mainly on file-encrypting ransomware variants. A demo followed, showing the capability of this generic anti-ransomware prototype in defending against ransomware, using samples obtained from legitimate sources.

K7 Computing is extremely proud of the team behind the idea of developing a simple solution to thwart the complex ransomware menace. This generic framework is in the process of being incorporated into our products, and we are super excited. We also take this opportunity to thank our readers for sending the ransomware samples we requested from them to test our prototype.

For curious souls who want extensive information on this, please find the complete slides here.

Archana Sangili, Content Writer

Running the Ransomware Gauntlet at Virus Bulletin 2015

Thursday, September 17th, 2015

This blog is to inform the general public that two researchers representing K7 Threat Control Lab will be presenting and explaining their generic anti-ransomware solution at the Virus Bulletin international security conference. This blog also aims to solicit from fellow conference delegates a few of the latest ransomware samples to test the effectiveness of a new generic anti-ransomware prototype to be demoed for the very first time at the conference.

Are you attending the Virus Bulletin international security conference later this month? If so, my colleague, Gregory Panakkal, and I are due to present ways and means of fighting back against destructive modern ransomware on Friday, the 2nd of October, right after the lunch interval. We have a heuristic anti-ransomware Proof-of-Concept prototype which we will be demonstrating to delegates, explaining its modus operandi.

Have you got a brand new sample of ransomware you would like to throw at our anti-ransomware PoC demo? We are inviting conference delegates to help test the efficacy of the PoC vis-à-vis unknown variants of ransomware in real time, i.e. in our live demo. However, given the demo environment, the following pre-conditions exist for the samples:

  1. Must run in a VM
  2. Must encrypt target files without an active internet connection

If you have a suitable sample please use the VB 2015 demo public key to encrypt it.

Then send the encrypted sample to any time before 13:00 (local time in Prague) on Friday, the 2nd of October 2015.

We hope to see as many of you as possible at the conference and at our presentation, and of course we are hoping to receive a couple of samples to test live as well.

Samir Mody
Senior Manager, K7TCL

Milestones Matter!

Thursday, September 10th, 2015

K7 Computing Private Limited celebrated its 23rd anniversary on August 27, 2015, with great enthusiasm. It was a day of fun and recognition, acknowledging K7’s incredible journey over the years. When you work for a company with a positive environment that encourages individuality, a spirit of ownership and creativity, a milestone reached by the company is akin to achieving a personal milestone. This sense of belonging was reflected in each and every employee, and that made the event great fun.

The agenda was set; our work family was formed into teams: Orange, Green, Blue, and Red. The preparations began in full swing a couple of days prior to the big day. Each team took up the challenge of creatively bringing some mojo into their workspace. We found out what happens when engineering meets design, and what can happen when marketing takes on engineering. The events were officially kicked off. The response was tremendously positive: we experienced a space odyssey; got spooked in a scary house; travelled back to the past, experienced the present, and glimpsed the future; and dedicated the “PSLV Concept” to the man who made it possible, the late Dr. APJ Abdul Kalam.

Then, we experienced a moment of pride when our Founder and CEO, Mr Kesavardhanan, appreciated all the employees for their unyielding support with his speech straight from the heart, and presented awards for the outstanding contributions of the employees. As the event drew to a close, we couldn’t help but look forward to yet another year filled with purpose, achievement, and of course lots of fun.

Archana Sangili, Content Writer

Social Networking Abuse – Potent Threat

Thursday, August 20th, 2015

This blog intends to highlight some of the dangers faced by the general public associated with an ever expanding use of social networking sites, all set to grow at an even greater rate post the launch of government initiatives such as the Digital India campaign.

Social networking sites such as Twitter and Facebook provide an efficient interface for communication with multiple people in a user-friendly manner. People are connected to their friends, family and followers in real-time, on-the-go using mobile devices. The ugly side to this increasing use of social networking sites is the potential for controlled, targeted abuse within a very short space of time. Recently the Hindu newspaper reported the abuse of Twitter in the recruitment programme of banned organisations.

Users of social networking sites do not appear to think twice about sharing large amounts of their private Personally Identifiable Information (PII) online. This freely available PII, which includes date of birth, phone number, address, and so on, allows malevolent actors to sharpen the targeting of their attacks. In addition, given the speed of transmission, it is possible for attackers to reach a large number of victims very quickly, potentially triggering a mass panic scenario, spreading malware, increasing recruitment for banned organisations, etc.

There is at least one documented case of the use of social networks to trigger mass panic in India through the use of doctored images and targeted, threatening messages. In August 2012 thousands of Indians from some North-Eastern states of the nation were made to feel threatened to the extent that they decided to flee in large numbers to their home states from other parts of the country; a grave situation indeed.

The above real-world example provides a stark reminder about the havoc that can be caused when malicious content goes viral, either intentionally or otherwise. Legislation related to IT in many countries provides for monitoring of online content, inclusive of social networking sites, especially given that national security could well be at stake. In the documented case mentioned above, the attack vectors were neutered and some semblance of normality restored only after the offending sites were temporarily blocked and bulk SMS/MMS were banned for a short time as per the provisions in law.

Some images (adapted to suit the article) are courtesy of several sites.

Samir Mody
Senior Manager, K7TCL

Gone in 60 Seconds: Is the Internet Becoming Volatile?

Friday, August 14th, 2015

This blog intends to inform the general public about the impact on the Internet of an increase in the prevalence of self-destructing messaging services.

Almost every one of us is happy to have more than one genie at hand: we own a smartphone, tablet, laptop, etc., and a click of a button or a touch of a screen can satisfy our cravings, from food to knowledge. The communication world, too, is never short of new stuff popping up now and then, with tweets, pokes, chats, likes, posts and so on.

Don’t we enjoy a twist in the movies we watch? One has to wonder if the Internet is the next ‘anterograde amnesia’ victim, where an unforeseen whirl takes over social networking services silently.

On one hand, Hadoop technology is booming to handle the exponential growth of data, and spiders are crawling over the internet to feed search engines. On the other hand, self-destructing communication methods create a counterweight important enough to discuss, as the number of apps and services providing this functionality, and their user base, grows every day. In addition, the social networking giants’ competing feature is shifting focus from providing nearly unlimited storage space to providing an expiry time on demand. A silent balance is inching toward creating major chunks of a lost internet.

When communicating confidential information over the internet, we feel a jolt of unease. We think several times about whether we can trust the internet and its services. And for one reason or another, we compromise and make do with the communication services we get online.

Now, the privacy jolt is taking a noticeable turn because it seems to give more power to users: data wiping, evidence shredding, and “suicidal messages”. It is not strange for us to regret sending a wrong file or a message to an unintended recipient, or liking a wrong post or comment by mistake. But it is also important to note that these auto-timed or customisable self-expiring messages are redefining secretive communication.

This trend seems to cure social media’s privacy fever with email bombs, ephemeral messages, auto-expiring tweets, timed chats, self-deleting pokes and much more, relieving its struggle to hold itself together with features like ‘recall’ or ‘undo’ for a sent email, off-the-record chats, etc.

Such self-destructing email services promise to destroy their path traversed over the servers and the email itself in a prescribed amount of time. These promises are not new to us as we have been relying for years on strong encryption and secure channels.

There is always more than one solution to a problem. A few apps use temporary hyperlinks. Some provide a one-time password to access the timed webpage; the passwords and the websites are not available after the expiry time. Some store the contents temporarily on servers until the message is delivered to all the intended recipients, and delete the contents from the servers and from the recipients’ inboxes once the message is read. Some use external apps and browser extensions too.

Some apps face issues like screenshots being taken, content being accessed by other means instead of viewing it via the app, and message ID vulnerabilities on related sites. Some apps have already fallen victim to cyber forensic studies, because they save the images and videos in hidden folders or merely rename the files to unknown file extensions, and researchers are ready to spend many hours and thousands of dollars on their research. But competitors release newer products with upgraded versions which offer more sophisticated, artificially intelligent communication systems.

Cyber criminals use such services widely to communicate their secrets or threaten victims. Of course anyone can use these services for a legitimate conversation as well. One must not forget that self-expiring attachments are also joining hands with this feature, preventing messages from being copied, forwarded, edited, printed, or saved.

With competitors focusing on providing the self-destruction feature, the following questions certainly arise:

  • Will the internet become erasable?
  • Will social networking become the most secret communication method going forward?
  • Did we just discover invisible data or communication?
  • Will these mortal messages force cybercrime lexicology to accept its demise?
  • Will the expansion of SMS be changed to Short-lived Messaging Service?
  • Will the cyber crime investigators exclaim: “Eureka! But where did the evidence go?”

Looks like we just have to wait and watch what surprises the future brings.

Ayesha Shameena P
Threat Researcher, K7TCL

Committed to Protect and to Serve

Thursday, July 23rd, 2015

This blog intends to inform the general public about some of the potential challenges posed to the security industry allegedly by international intelligence and law enforcement agencies.

A couple of years ago in an article for Virus Bulletin magazine, in response to insinuations pertaining to a tacit collusion between some members of the security industry and intelligence/law enforcement agencies, I had suggested that these agencies do not require the collaboration of Anti-Virus companies to conduct their spying activities:

“Let us not be naïve…. Should these agencies wish to snoop, they don’t require the cooperation of AV vendors.”

Recent revelations bear witness to the above statement. It is apparent that international intelligence agencies, through their codenamed “Project CAMBERDADA”, have been investing effort in their attempts to compromise several well-known Anti-Virus products, our very own K7 Computing’s products included, in order to circumvent detection and blocking of their spying activities.

Above image courtesy of Project CAMBERDADA presentation

In addition to reverse-engineering Anti-Virus products, there have even been allegations of infiltration within Anti-Virus companies’ internal networks to siphon out sensitive data.

We stand shoulder-to-shoulder with our colleagues in security companies all over the world in our pledge to protect users in any event against formidable opposition and an increasingly complex threat potential.

Samir Mody
Senior Manager, K7TCL

Why You Should Not Pay That Ransom Demand

Wednesday, June 10th, 2015

Ransomware attacks appear to be ubiquitous. Ransomware is a type of malware which denies access to your computer resources, say by encrypting your personal documents, until a hefty sum is paid to the criminal gang which caused the infection. We recently blogged about two examples of ransomware, namely CTB Locker and TeslaCrypt.

We constantly advise against paying anything to the malware syndicates for two primary reasons:

  1. Generating income for these cyber crooks would only serve to incentivise their criminal activities, and would fuel their future attacks.
  2. There is absolutely no guarantee that paying up the ransom of potentially hundreds of dollars would actually restore your files.

In this blog we will focus on the latter point, drawing on a real-life case study involving a friend of mine.

A few weeks ago my friend (not a K7 user at the time) was, unfortunately, struck hard by a ransomware pretending to be the mother of modern ransomware, the infamous CryptoLocker. The above image is a screenshot of the ransom demand which was splashed on his screen. The ransomware was not, of course, CryptoLocker, but yet it was lethal enough, encrypting my friend’s personal files with advanced algorithms. The sample was packed with a custom NSIS SFX wrapper which has been used by CTB Locker in the recent past, suggesting a potential link between the two strains of ransomware.

My friend did not care too much about his local files which were hit. However, as (mis)fortune would have it, his plugged-in external drive containing the early photos of his kids was ravaged. Ransomware tend to enumerate and modify as many target files on as many drives as possible. By targeting personal or confidential files such as images, Microsoft Office documents, etc., the criminal elements increase the pressure to pay up. Even police departments have occasionally felt compelled to part with funds.

Given the importance of the images on his external drive, my friend was prepared to satisfy the ransom demand to the tune of US$ 237; no piddling amount. I had urged him against paying up, arguing the case based on the points made above. However he felt that if there were any chance of getting his kids’ pictures back he would have to give it a try.

A couple of days later, after he had secured the requisite bitcoin and paid, the ransomware kicked into action, displaying a status bar and claiming it was in the process of decrypting all the files it had encrypted earlier. Many hours later, having left the “decryption tool” to do its business overnight, my friend assumed his files had been restored. However he was unable to open most of the images and documents he attempted to view. I offered to look at the files at the binary level to determine whether any data could be recovered.

He sent me several example files which were failing to open. My analysis showed that for many files absolutely no attempt had been made to decrypt them since they had no visible headers. In other cases some headers were visible but large chunks of the files remained garbled junk. Such was the extent of the damage to the image files that even clever image-fixing-software was not able to recover anything.
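The header check described above, written out as an added example rather than code from the post: each file is compared against the header its extension implies and the trailer its format requires, so a file that was never decrypted and one that was only partially restored can be told apart. The signatures are the standard ones for these formats; the sample blobs are constructed stand-ins, not the case study's files.

```python
"""Triage files after a claimed ransomware 'decryption' (added example).

Each file is checked for the header its extension implies and for the
trailer its format requires. No header means no decryption was attempted;
a good header with a missing trailer means only part of the file came back.
Entropy is deliberately not used: JPEG, PNG and Office (ZIP) bodies are
compressed and look random whether or not they are encrypted.
"""
import os

# (header signatures, trailer signature) per extension. Office 2007+ files
# are ZIP containers; .doc/.xls are OLE2 compound files with no fixed trailer.
SIGNATURES = {
    ".jpg":  ([b"\xff\xd8\xff"], b"\xff\xd9"),
    ".jpeg": ([b"\xff\xd8\xff"], b"\xff\xd9"),
    ".png":  ([b"\x89PNG\r\n\x1a\n"], b"IEND\xaeB`\x82"),
    ".gif":  ([b"GIF87a", b"GIF89a"], b"\x3b"),
    ".pdf":  ([b"%PDF-"], b"%%EOF"),
    ".docx": ([b"PK\x03\x04"], b"PK\x05\x06"),
    ".xlsx": ([b"PK\x03\x04"], b"PK\x05\x06"),
    ".pptx": ([b"PK\x03\x04"], b"PK\x05\x06"),
    ".doc":  ([b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"], None),
    ".xls":  ([b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"], None),
}
# The trailer may sit a little before EOF (PDF trailing whitespace, ZIP
# end-of-central-directory comment), so search a window rather than the tail.
TRAILER_WINDOW = 1024


def classify(data: bytes, ext: str) -> str:
    """Return 'ok', 'header-missing', 'trailer-missing' or 'unknown-type'."""
    entry = SIGNATURES.get(ext.lower())
    if entry is None:
        return "unknown-type"
    headers, trailer = entry
    if not any(data.startswith(h) for h in headers):
        return "header-missing"          # still ciphertext from the first byte
    if trailer is not None and trailer not in data[-TRAILER_WINDOW:]:
        return "trailer-missing"         # header restored, body still garbled
    return "ok"


def triage_directory(root: str) -> dict:
    """Walk a directory tree and return {path: verdict} for every file."""
    verdicts = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                verdicts[path] = classify(fh.read(), os.path.splitext(name)[1])
    return verdicts


# Constructed sample inputs standing in for the files from the case study.
INTACT_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 40 + b"\xff\xd9"
NO_HEADER = bytes(range(200, 256)) + b"\x00" * 10            # never decrypted
PARTIAL_JPEG = b"\xff\xd8\xff\xe0" + bytes(range(256)) * 2   # header only
MINIMAL_PDF = b"%PDF-1.4\n%%EOF\n"

if __name__ == "__main__":
    for label, blob, ext in [("intact", INTACT_JPEG, ".jpg"),
                             ("no-header", NO_HEADER, ".jpg"),
                             ("partial", PARTIAL_JPEG, ".jpg"),
                             ("pdf", MINIMAL_PDF, ".pdf")]:
        print(f"{label:10s} -> {classify(blob, ext)}")
```

Run `triage_directory` against a copy of the affected drive to get a per-file verdict before deciding whether any recovery attempt is worthwhile; a "trailer-missing" JPEG may still yield a partial thumbnail, a "header-missing" one will not.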

To cut a long story short, despite coughing up more than US$ 237, my friend was yet unable to recover his kids’ photos. The moral of the story is: refrain from paying these nasty criminals in any way, shape or form. They are hardened thieves without any sense of compunction or honour, so please do not be fooled by apparent largesse.

As always we highly recommend taking regular backups of your important files on media which are not constantly connected to your computer (external media and/or on online repositories), thus, in the event of a ransomware attack, you could still have your files without paying the bad guys a single paisa.

Samir Mody
Senior Manager, K7TCL

ACTing for National Security: Provisions in IT (Amendment) Act 2008

Tuesday, May 26th, 2015

In our previous blog, we mentioned that it might be beneficial for Indian netizens to have a high-level understanding of existing cyber laws that are articulated to protect them. We did write about certain activities deemed to be illegal and the punishments for them.

Today, we provide a bird’s eye view of how the Information Technology (Amendment) Act 2008 aims to safeguard national security. The following provisions, illustrated with an image and its associated description, are the highlights of the Act vis-à-vis national security:

The Act also deals with cybercrimes deemed to be perpetrated by foreign actors, i.e. beyond the “Cyber Line of Control”:

  • Section 75(1 and 2) applies to foreign nationals if contravention of the Act involves Indian computer resources.
  • Intermediaries providing computing services are also liable.
  • Part III includes amendments to the IPC specifically related to attacks beyond Indian borders.

Policing cybercrime is an extremely difficult task even within India’s bounds, leave alone beyond them. It is critical for Indian cyber sleuths to establish mutually cooperative relationships with law enforcement agencies in other countries to fight cybercriminals and bring them to justice.

Once again, we hope this blog helps netizens to understand the provisions in the IT (Amendment) Act 2008.

Some images (adapted to suit the article) are courtesy of several sites.

Samir Mody
Senior Manager, K7TCL
