
Archive for the ‘Personally speaking’ Category

VAIN Vote for Industrial Action

Tuesday, April 1st, 2014

Virus Authors’ International Network (VAIN), the body looking after the interests of malware authors around the world, has unanimously voted for strike action with immediate effect. The volume of malware written today, the 1st of April 2014, could be badly affected.

Otto Runn Würm, General Secretary of and spokesperson for VAIN, said

“It’s about job security, pensions, … and, of course, about better conditions in jail. Our members seek comfort at all times.”

Unfortunately malware writing services are expected to return to normal by tomorrow, if they haven’t done so already.

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed

Click Without a Trace

Friday, March 2nd, 2012

The recent outbreak of the Xpaj virus in India due to the mass distribution of certain infected software provided me with an incentive to look at the virus code in a bit more detail.

Xpaj is not a new virus. It is at least a couple of years old and it has already been written about by my security industry colleagues. However there may be some space for me to provide my views on some of the technical aspects of this virus.

Xpaj is a mid-infecting, polymorphic virus with a difference. Most viruses, including common ones like Virut and Sality, leave behind clear, tell-tale signs, sometimes infection markers, in the infected host to indicate that something is amiss. For example, an entry point modified to point to the last section, which has RWX attributes, smells somewhat rotten. Xpaj, however, is very clever in making all its modifications to the host whilst remaining extremely well camouflaged.

Changes to the code and data sections have been managed so that all looks normal:

  1. The original EP remains unchanged. Xpaj is a mid-infector which patches certain relative calls in the host file’s code.
  2. There are no changes made to the attributes of any section. The required page permission changes are invoked dynamically via a call to ZwVirtualProtectMemory.
  3. Sections after the one containing the bulk of the virus are shifted down with ease, and corrections are made in the metadata areas, including relocating the resources, if any.
  4. Xpaj has no problems infecting DLLs with relocations, and can infect SYS files which run in kernel mode.
  5. Even the clusters of polymorphic virus code in the host file’s code section look like bona fide High-Level Language (HLL) code.

Here is an example of some of the Xpaj code pointed to after judicious host-call-patching:

The above snippet conforms to HLL patterns in certain files compiled with Microsoft Visual C++ 8.

The virus code goes on to execute a mini virtual machine which does the decryption and makes the call to ZwVirtualProtectMemory before transferring control to the bulk of the virus code.
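The tell-tale signs described above can be checked mechanically, and doing so shows why they are useless against Xpaj. The Python script below is an added example for this post, not Xpaj’s code and not K7’s detection logic: it parses a PE section table, flags the classic appender tells (entry point in the last section, entry section RWX) and resolves E8 rel32 calls in a section to see whether any of them leave it. It runs over two PE images constructed inside the script itself, one infected appender-style and one patched Xpaj-style (entry point untouched, a host call redirected to a stub placed inside the code section, no section flags changed). The mini virtual machine and the runtime ZwVirtualProtectMemory call are not modelled; the section names, addresses and byte contents are invented for the example.

```python
import struct

# IMAGE_SCN_* section characteristic bits from the PE/COFF specification.
SCN_CODE, SCN_IDATA = 0x00000020, 0x00000040
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
RWX = SCN_EXEC | SCN_READ | SCN_WRITE

def parse_pe(data):
    """Return (entry_rva, sections); each section is (name, vaddr, vsize, raw_ptr, raw_size, chars)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                                # optional header follows the 20-byte COFF header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    secs = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        secs.append((name, vaddr, vsize, rptr, rsize, chars))
    return entry_rva, secs

def section_index(rva, secs):
    for i, (_, vaddr, vsize, _, rsize, _) in enumerate(secs):
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return i
    return None

def classic_tells(data):
    """The appender tells the post mentions: entry point in the last section, entry section RWX."""
    entry_rva, secs = parse_pe(data)
    idx = section_index(entry_rva, secs)
    if idx is None:
        return ["entry point outside all sections"]
    findings = []
    if idx == len(secs) - 1:
        findings.append("entry point in last section")
    if secs[idx][5] & RWX == RWX:
        findings.append("entry section is RWX")
    return findings

def calls_leaving_section(data, idx):
    """(call_rva, target_rva) for every E8 rel32 in section idx whose target lies outside it.
    A byte-wise scan also hits E8 inside immediates, so treat results as leads, not verdicts."""
    _, secs = parse_pe(data)
    _, vaddr, vsize, rptr, rsize, _ = secs[idx]
    code, end = data[rptr:rptr + rsize], vaddr + max(vsize, rsize)
    hits = []
    for i in range(len(code) - 4):
        if code[i] == 0xE8:
            target = (vaddr + i + 5 + struct.unpack_from("<i", code, i + 1)[0]) & 0xFFFFFFFF
            if not vaddr <= target < end:
                hits.append((vaddr + i, target))
    return hits

def build_pe(sections, entry_rva, file_align=0x200, hdr_size=0x400):
    """Assemble a constructed, minimal PE32 image: well-formed for the parser above, not loadable.
    sections: list of (name, vaddr, characteristics, raw_bytes)."""
    dos = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40))      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                    # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                               # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, file_align)          # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<I", opt, 92, 16)                                      # NumberOfRvaAndSizes
    table, raw, ptr = bytearray(), bytearray(), hdr_size
    for name, vaddr, chars, body in sections:
        rsize = -(-len(body) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(body), vaddr, rsize, ptr, 0, 0, 0, 0, chars)
        raw += body.ljust(rsize, b"\0")
        ptr += rsize
    return bytes((dos + b"PE\0\0" + coff + opt + table).ljust(hdr_size, b"\0") + raw)

def text_with_call(target_rva):
    """A 64-byte .text body: 'call target' at RVA 0x1000 and a one-byte 'ret' stub at RVA 0x1020."""
    text = bytearray(0x40)
    struct.pack_into("<Bi", text, 0, 0xE8, target_rva - 0x1005)   # rel32 is relative to the next instruction
    text[0x20] = 0xC3
    return bytes(text)

def demo():
    """Two constructed hosts: 'appender' has its entry point moved to a new RWX last section and a
    .text call hooked to it; 'camouflaged' (Xpaj-style) keeps the entry point and section flags,
    with the patched call landing on a stub inside .text. The tells fire only on the former."""
    text_rx, data_rw = SCN_CODE | SCN_EXEC | SCN_READ, SCN_IDATA | SCN_READ | SCN_WRITE
    appender = build_pe([(".text", 0x1000, text_rx, text_with_call(0x3000)),
                         (".data", 0x2000, data_rw, b"\0" * 0x10),
                         (".virus", 0x3000, SCN_CODE | RWX, b"\xC3")], entry_rva=0x3000)
    camouflaged = build_pe([(".text", 0x1000, text_rx, text_with_call(0x1020)),
                            (".data", 0x2000, data_rw, b"\0" * 0x10),
                            (".rsrc", 0x3000, SCN_IDATA | SCN_READ, b"\0" * 0x10)], entry_rva=0x1000)
    return {"appender": classic_tells(appender),
            "appender_calls": calls_leaving_section(appender, 0),
            "camouflaged": classic_tells(camouflaged),
            "camouflaged_calls": calls_leaving_section(camouflaged, 0)}
```

Calling demo() returns both result sets: the appender-style host trips both tells and shows a call leaving .text, whereas the camouflaged host trips nothing, which is exactly the camouflage this post describes. A scanner therefore has to go on to examine the code that the patched calls land on, the HLL-lookalike clusters discussed above, because the structural checks alone pass.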

The Xpaj virus authors went through a lot of trouble, including a fair amount of QA, to develop their “product”. Xpaj is indeed a sophisticated virus. Of that there is no doubt. It demonstrates the lengths to which malware authors are prepared to go to spread obfuscated malicious code. Interestingly, a denuded Xpaj, divested of its obfuscatory vestments, is nothing more than a clicker.

Well before the outbreak, K7 customers who had their real-time scanner active would, of course, have already been protected. K7 products detect and clean Xpaj-infected files as “Virus ( 700000051 )”.

Samir Mody
Senior Manager, K7TCL


Malware Authors and Multiple Scanners

Friday, January 27th, 2012

One of the items on a malware author’s checklist when distributing malicious code is to make sure that the malware remains undetected for as long as possible. Scanning their creation with a multi-engine Anti-Virus system is one of the many techniques in their arsenal which helps ensure just that.

Although it is time consuming and resource intensive, the malware author installs various Anti-Virus products and keeps them updated. The malicious files are scanned on this system before they are distributed to the victim.

For malware authors and script kiddies who can’t afford to build such a system, there are underground sites which mimic genuine online file/URL scanning services. The significant difference is that these underground sites, in exchange for money, promise not to distribute the scanned files to the Anti-Virus vendors. Given below are screen shots of two such sites:

Then there are tools which incorporate multiple scanners & are distributed for free. Given below is a screen shot of one such tool:

If their malicious code is detected by the Anti-Virus vendors during the initial stage of the attack, the malware authors are quick to change their binary.

While traditional checksum based detections alone might be ineffective against such files, a combination of several detection methods, which include a behaviour based approach will prove far more effective.

R.V Shyam Charan
K7 TCL


MalwAsia: In Operation Since 1986 (Part 3)

Friday, December 9th, 2011

This is the final instalment of a 3-part series representing my paper for AVAR 2011, investigating malware which have emanated from Asia, charting the likely reasons for these, and attempting to predict future trends.

Continuing from the second instalment on last week’s blog…

In the Name of Mammon

The total volume of malware samples seen over the 20 years up to and including 2006 could not have exceeded a quarter of a million. Post 2006, however, the number of malware samples discovered year-on-year has multiplied manifold, with the current number of daily samples being in the order of tens of thousands. An estimate of the gross volume of malware samples since 2007 stands at well over 52.6 million.

The modern threat landscape is heavily dominated by malware written for financial gain, and since 2007 much of this malware is believed to originate in China and Russia (and the erstwhile republics of the Soviet Union), with those in South Korea and Brazil being smaller but significant players. It must be borne in mind that tracing malware back to its true origins is a difficult exercise since it is extremely straightforward for malware to pretend to come from another country, whether based on the malware hosting URL or locales within the binary samples, etc. However, a crude analysis of recent malware samples suggests that 20% come from China, 10% come from Russia, 3% may be attributed to Brazil, and 2% are Korean. These numbers are almost certainly gross underestimates. Suffice to state that the perception that the bulk of malware, much of it with a financial motive, comes from a handful of countries is a reasonable one. However, one ought to go further in an attempt to understand the potential reasons for this geographical bias in malware origin. Let us first digress briefly to explore the nature of some of the modern threats that have emanated from Asia.

Lineage of Modern Asian Malware

The spate of Autorun worms has already been described earlier. Many of these Autorun worm families did not have an obvious link to financial gain. The motive was to morph soon enough.

During the mid-to-late 2000s Asian malware was dominated by families of High Level Language Prepender file infectors and password stealers (PWS/PSW Trojans) which are believed to originate primarily in China. These PWS Trojans targeted online games such as Lineage and World of Warcraft, supposedly popular amongst Chinese gamers. Stolen game passwords and artefacts appear to have been sufficiently in demand to warrant a black market involving the exchange of hard currency.

In more recent years the Asian malware focus has expanded to encompass mundane Distributed Denial of Service and other hacker tools, Browser Helper Objects and browser hijackers, botnets with remote Command & Control, and rootkits. Interestingly, the increase in mobile threats, e.g. for the Android platform, is believed to be fuelled by authors in Russia and China.

Dave the Malware Author

Despite the Terminator series and other sci-fi films from Hollywood, code which controls machines, whether it is good or nasty, is well and truly written by humans rather than automatons or some abstract force of evil. This fact raises interesting and important questions about malware authorship and the reasons for it. There is general agreement and plenty of statistics about the volume and sources of burgeoning malware, but perhaps an insufficiently clear understanding of and explanation for the phenomenon. Of course much of the malware is written for monetary gain; why then are the contributions to the threat landscape so heavily influenced by geography?

Dotcom Boom


Since 2007 the number of internet users in China and Russia has more than doubled to over 420 million (>31% of the population) and 59 million (>42% of the population) users respectively. This dramatic increase in a short timeframe implies a massive investment in internet infrastructure, both network connectivity and PC hardware, and a phenomenal increase in computer literacy.

Of course, these infrastructure improvements provide the means and viability for malware production since it is now increasingly possible to create and distribute malware globally, and reap the profits. Importantly, the increasing number of internet users also provides a growing local “market” for malware, i.e. there are now many more potential victims to exploit.

Internet penetration is increasing in other parts of Asia such as India and the “Tiger Cub” nations of Indonesia, Malaysia, Philippines and Thailand. It remains to be seen if the increase in the number of internet users in these countries leads to a concomitant rise in the number of malware emanating from them.

Legal Aid

Writing and distributing malware, essentially a form of common thievery in the modern day and potentially very damaging, is or ought to be against the law. Therefore there are likely to be legal aspects, with local flavours, to the geographical trend in malware.

The cyber crime laws in the so-called “malware hubs” are considered relatively lax or poorly enforced, for various technical and administrative reasons. The process of strengthening cyber crime laws is certainly progressing, albeit at a viscous pace according to some. It is indeed surprising that even Japan, with its government departments dedicated to monitoring and fighting cyber crime [e.g. Office of IT Security Policy, Ministry of Economy, Trade and Industry], has supposedly only just recently made malware writing illegal.

It is possible that many of the victims of modern malware have been in countries other than the alleged malware hubs. This leads to issues of international jurisdiction. Local law enforcement agencies in victim countries would struggle to prosecute overseas perpetrators, and the law enforcement agencies in possible malware hub countries may not have sufficient incentive to investigate cyber crime and prosecute offenders when the victims are outside their remit.

Reports on the arrests of cyber criminals in China and elsewhere in Asia have made the press and blogs. There have also been coordinated international law enforcement efforts to arrest and prosecute cyber criminals which have shown positive, albeit probably ephemeral, results. No doubt, there are still too many loopholes for malware writers to function with impunity, and a course correction, replete with international treaties, is warranted.

SOD’s Law?

Iniquitous growth, inadequate job and education opportunities and denial of basic human freedoms are leading to growing radicalization of the youth, intolerance and extremism.

We have no choice but to meet these challenges head-on.
- Shree Manmohan Singh, Honourable Prime Minister of India, in his address to the UN General Assembly, 24th September 2011

Human greed has no nationality. However, the sheer scale of the migration towards following a dubious path in the malware hubs suggests possible institutional concerns. Inadequate overall legislation notwithstanding, one would assume there are other core reasons to forsake Confucian values. These core reasons constitute a “Seeds of Discontent” hypothesis.

Money, the universal means of exchange in economics, forms the rationale for malware creation and distribution, and, perforce, economics deals with the fundamentals of social welfare. Deficiencies in social welfare sow the seeds of discontent, sometimes tending to result in undesirable activities, including malware authorship, as there is a scramble to satisfy Maslow’s hierarchy of needs when resources are scarce. If indeed the core issues derive from economic indicators, then we ought to spend some time investigating them in laymen’s terms.

A few of the global malware hubs went through periods of extreme economic restructuring based on Friedmanesque rather than Keynesian principles throughout the 1990s [Naomi Klein, “The Shock Doctrine”]. The extent of the economic volte-face in a couple of cases was from chalk to cheese, or vice-versa depending on one’s perspective. It is alleged that one of the eventual key consequences of these economic restructuring programmes was the loss of jobs and livelihoods for large swathes of people.

Since the 1990s several instances of downturns in the globalised economy, including the “credit crunch” which began in 2008, could have piqued the general sense of consternation and despair. A marked increase in criminal activity, including the establishment of mafia gangs, may well have been a reaction to these unfortunate scenarios. High-tech criminal activity, in the form of cyber crime, comes to the fore when the perpetrators happen to be adept university graduates who are unable to find suitable employment in the legitimate IT sector.

Let us consider Russia, a Eurasian country, as a simple case study since candid information is freely available. Russia’s unemployment rate has averaged around 8.4% with a high of 14.6% in February, 1999. Unemployment, and possibly other social welfare, benefits are reportedly far better on paper than they are in reality, and Russia’s inflation rate, double-digit on average over recent years, can be considered high. Mr. Putin, Russia’s former president and a firm candidate to return to the Kremlin, envisages an increase of average wages and salaries by 50% to US $1,000 by 2014. An ambitious $1,000 in 3 years time fades, nay wilts, in comparison to a guaranteed monthly salary of $5,000 currently offered to write custom packers to wrap malware. Therefore the incentive for many young Russian graduates, especially those with an IT background, to contribute to the “malware industry” appears particularly strong.

It is a reasonable assumption that most people who are able to comfortably satisfy Maslow’s pyramid through legitimate means are unlikely to be tempted by malware writing, given the moral and legal implications. The corollary of this, however, would be that once a person has been “turned”, he/she might have crossed “the point of no return”, i.e. succumbed to the malaise. Nevertheless the emphasis ought to be on dissuading the next generations of youth from partaking in the malware industry. This will be no easy task given the economic policy changes that might be required under difficult globalised economic conditions.

One would wager an educated guess, indeed a lot more, that the current trend of financially motivated malware, in increasing numbers, out of Asia and elsewhere will continue unabated. The role of the IT security industry is to continue to protect customers against malware attacks, and the law enforcement agencies are expected to prosecute the perpetrators. However, for the longer term, it could be the global policy-makers who hold the key to attempt to resolve the underlying issues to stem the gushing flow of malware.

The End

Images courtesy of:
dave-broos.blogspot.com
squidoo.com
medicmagic.net
gyanvihar.org
webend.in
tattoodonkey.com
blog.envole.net
microreviews.org
nwgasbdc.blogspot.com

Samir Mody
Senior Manager, K7TCL


MalwAsia: In Operation Since 1986 (Part 2)

Friday, December 2nd, 2011

This is the second instalment of a 3-part series representing my paper for AVAR 2011, investigating malware which have emanated from Asia, charting the likely reasons for these, and attempting to predict future trends.

Continuing from the first instalment on last week’s blog…

The Art of Cyber War

Nation-specific Attacks

Stuxnet, a worm with a particularly venomous, damaging payload, was almost certainly targeting the Iranian nuclear establishment. Given the means and the end, if one were to consider the motive, one would have no alternative but to attribute the creation of Stuxnet to powerful nations inimical to Iran’s nuclear programme, a couple of which are in West Asia.

The use of malware as an instrument of state policy may have already been in effect for a couple of decades [Rainer Fahs, keynote address, EICAR 2011]. In modern times nation-to-nation attacks, alleged or otherwise, have been given considerable publicity with much finger wagging and pointing. Many of these instances of cyber warfare appear to originate in Asia, which is hardly surprising given the frosty relationships that exist between several neighbouring countries in Asia, e.g. North Korea-South Korea, India-Pakistan, etc. Indeed, avoiding the mention of China’s alleged contribution to cyber warfare would be like ignoring the elephant in the room, and the apparent involvement of Israeli personnel most certainly deserves an explicit mention.

There have been several documented cases of nation-specific cyber attacks, some of which are potentially ongoing. These cases may be summarised as follows:

The strategic advantage offered to powerful and resourceful nations via targeted cyber attacking is highly significant. As described in Table 2, the scope of these attacks could be anything from the stealing of state secrets to the targeted damage of both government hardware and software. Critical modern infrastructure is controlled by computer systems which presents an irresistible target for cyber attacks.

The stakes and incentives involved in cyber warfare are high, and cyber attacks are unlikely to diminish in the years to come. On the contrary, cyber warfare is likely to increase manifold with an eastward shift in the balance of power in the global hegemony suggesting an increasing involvement of Asian states.

There can be little doubt that the military and intelligence establishments of various nations have wings dedicated to cyber warfare. Sun Tzu would have been proud. Given the enormous resources involved and the high-profile, targeted nature of cyber attacks, it is difficult to predict the security responses of commercial Anti-Virus companies and the general public at large. It is likely that standard civilian bodies would be largely bystanders in these events. Indeed, for every attack that is reported and documented in the public domain, there may well be several others which are kept very firmly under wraps.

However, perhaps there are some mitigating circumstances:

  1. As a diplomatic preventative measure, it is possible that there could be an international convention, perhaps UN-brokered, on cyber warfare. The US government has already been contemplating diplomatic talks with certain countries. The main issue herein could well be the difficulty in proving state versus non-state actors, a challenge even in conventional warfare where proxy militant groups have been used with impunity to perpetrate attacks across international boundaries.
  2. Standard technical measures to secure systems, including instituting prescribed system configurations and policies, may be sufficient to prevent “80 percent of commonly known cyber attacks”.

Notwithstanding, it will be interesting to track how events transpire in the future. The average citizen of the world may well have to wait for the future offerings from Hollywood or Bollywood, with their vivid imaginations, to gauge the extent of the issues dealt with by sedentary agents code named ‘0000 0000 0111’, ‘JS0N B0URN3’, etc.

Corporate Insecurities

The attacks on large, well-known corporate entities over the recent past have been much publicised. The alleged origin of some of these high-profile, ongoing, attacks lie in Asia. It is worth summarising some of these attacks, described as “Advanced Persistent Threats”, as follows:

The origin of some of the attacks mentioned in Table 3 is up for heated debate as the parties concerned accuse each other of skulduggery and conspiratorial activity. In many cases, hard evidence pointing the finger at a specific culprit is rather difficult to gather which provides a level of immunity from risk for the perpetrators.

Targeted attacks on large corporate entities could, no doubt, yield valuable information which can eventually be used for significant financial gain, whether through a transfer of intellectual property, sabotage of competitor infrastructure, or a straightforward theft of classified financial data. The perceived or real benefits from such attacks for the perpetrators provide a clear incentive to invest resources.

Under these circumstances of high reward versus relatively low risk, and given the recent record of security breaches, the trend of targeted cyber attacks against corporations looks set to continue, and probably at an increasing rate.

Malware in Societal Conflicts

Terrorism may be defined as the systematic use of coercive tactics to instil fear in a targeted group as a means to the end of a perceived political gain.

Conflicts between different groups, whether within the bounds of the same sovereign territory or across international frontiers, have existed since the dawn of mankind. Some of the high-profile modern day conflicts involve actors, “state” or “non-state”, based in Asia who resort to forms of terrorism, whose definition and application to any given scenario is highly subjective, in an attempt to seek political mileage or redress against perceived grievances.

Given the advance of technology and the ubiquity of computer systems, many in critical infrastructure, acts of terror have included or are likely to include, at an increasing rate, attacks via binary media, i.e. code, software, etc. These attacks may be described as “Cyber Terrorism”.

Groups involved in international terrorist activities, many based in Pakistan and Afghanistan, include individuals familiar with modern computer systems and communication channels. Groups such as “al-Qaeda” allegedly have a dedicated R&D wing with ‘digital specialists’ successfully exploiting smartphone platforms for the theft of sensitive data. Given the impact it would likely have in spreading anxiety, there is a possibility, nay probability, that attempts will be made to cause the targeted destruction of systems in the future, via the mass deployment of malware, in addition to data theft.

Sometimes civilian bodies have been targeted by groups which are unlikely to be described as “militant”. Rather, it is possible that the civilian bodies themselves may conform to the definition of “militant”, yet another subjective and emotive term. For example, there have been numerous, but intermittent, malware attacks on pro-Tibet groups in recent years, the ones in 2008 just before the Beijing Olympics being widely reported by the media and in various IT security blogs. Many of these attacks involve the use of documents such as PPT and PDF containing crafted exploit code (some attacks have involved browser exploits), mailed to known individuals or posted to various fora. Attacks such as these have been alleged to originate in China, but some or all of them could have involved a social engineering angle, financially motivated, to exploit the media attention attributed to societal conflicts in areas such as Palestine or Tibet. Once again, it is difficult to garner specific evidence to arraign any one party. It remains to be seen how malware might be used in the future against such groups as the number of documented incidents appears to be waning.

The security industry has played, and will continue to play, a role in mitigating and remediating many of these attacks since the victims tend to be ordinary civilians, even if specifically targeted on occasion, and visibility of such attacks is relatively high.

To final instalment…

Images courtesy of:
cyberlawsinindia.blogspot.com
mumbai.olx.in
www.warchat.org

Samir Mody
Senior Manager, K7TCL


MalwAsia: In Operation Since 1986 (Part 1)

Thursday, November 24th, 2011


This is the first instalment of a 3-part series representing my paper for AVAR 2011, investigating malware which have emanated from Asia, charting the likely reasons for these, and attempting to predict future trends.

In a Nutshell

Conventionally, the very first known PC virus, Brain, was created in Asia (Pakistan) in 1986. No doubt this fact would come as a surprise to the vast majority of the general public of computer users worldwide. Asia has a certain history of malware-creation, however, over the years, the profile of malware emanating from Asia has changed considerably in terms of, inter alia, the volume, scope, purpose and geographic hub.

It is now common knowledge that most modern malware in general are written with a financial motive, whilst older malware were written primarily for kudos. The history of Asian malware follows a similar trend. There were a few high-profile global malware epidemics which originated in Asia, and there were several examples of script-kiddy autorun worms from South-East Asia and the Indian sub-continent which contain attention-seeking messages. These have not died away completely, however, nowadays much of the malware is professionally written for revenue generation or increasingly for cyber warfare, and the geographic location has shifted to major nations in East-Asia.

The evolution of malware originating in Asia is worth investigating in order to attempt to predict its future course, whilst perhaps also beginning to find solutions to the issues to stem the flow. Let us explore the history of Asian malware, focussing on the recent past, with a look at the core issues at hand. Note, many of the sentiments expressed in this piece are my own.

The Year was 1986

A fateful year, 1986 was a watershed in the field of computer security, the very concept of which was perhaps merely embryonic at the time. Computers were not globally ubiquitous and interconnected as they are today, and negative thoughts about the ability to compromise systems were unlikely to be at the forefront of people’s minds.

However, the Brain virus, oft-quoted as the earliest PC virus, must perforce have somewhat changed the mindset about computer security. This virus, incidentally of the boot sector variety, was created in Pakistan by the brothers Basit and Amjad Farooq Alvi. The creators of the virus asseverate that their intent was to protect their own medical software from piracy rather than to cause any damage. Notwithstanding, the Brain virus did spread to several computers around the world, and reportedly was the cause of more than a little irritation.

There are a couple of salient points which ought to be highlighted explicitly. Firstly, the incipient PC malware trend had its roots in Asia, and second, the misguided raison d’être for the first known virus was the protection of intellectual property. The vital characteristics of the global malware trend were to change markedly over the next quarter of a century.

From Asia … With (Some) Love

The specifically Asian slice of the malware creation pie over the course of the ‘90s and the early 2000s may not be substantial in terms of raw volumes, however, there have been a few high-profile examples of malware which appear to have originated in Asia which are worthy of note:

The examples of malware in Table 1 were likely to have been written for kudos more than anything else.

The Autorun Worm Factory

Microsoft released the first version of Windows XP in August, 2001, and a couple of years thereafter events conspired to create a scourge of “Autorun worms”. Autorun worms, a modern ersatz avatar of the retro boot sector viruses in terms of basic intent, tend to spread from computer to computer via removable devices such as USB memory sticks. The global spread of Autorun worms has been aided greatly by the following:

  • AutoPlay being extended in Windows XP to removable drives such as USB memory sticks
  • Windows XP being the most common operating system for PCs between 2005 and 2010
  • The ubiquity of removable devices and nonchalant sharing of the same
  • Increasing popularity and support for Visual Basic (VB) and Visual Basic Script (VBS)
  • A proliferation of narcissistic Asian script-kiddies seeking attention

Many of the samples of Autorun worms released during the mid-2000s originated in Asia, e.g. Indonesia, Malaysia, Philippines, and the Indian sub-continent. The main motive for writing these worms could only have been kudos since many of them had references to alleged love interests or other juvenile string content, some of it in the vernacular, embedded in the files. One family of Autorun worms from India even had resource strings calling themselves “Khatra” which means “danger” in Hindi.

Examples of Autorun worms still abound, however the origin, scope and intent of these worms are different in the more recent context. Many families of recent malware, including the notorious Conficker (aka Downadup or Kido) and Sality, do use removable device as part of their spreading mechanisms, however, the point of note is that these recent malware are written with a financial motive rather than for kudos. The infamous Stuxnet worm from 2010, which also used the Autorun feature, had a sinister, albeit non-financial, motive. Interestingly, Stuxnet almost certainly originated in Asia.
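As an added example for this section (not from the original post, and not any vendor’s detection logic), the Python below triages an autorun.inf the way an analyst would when pulling one off a suspect USB stick. It parses the file leniently, because worms pad the file with junk lines and odd casing to upset naive matching, then flags launch keys that point at an executable, paths into hidden system folders such as RECYCLER, and an action= string that mimics Explorer’s own “Open folder to view files” entry in the AutoPlay dialog. The two autorun.inf samples are constructed for this example; the file names and paths in them are invented.

```python
import re

# File types an Autorun worm points AutoPlay at; a legitimate removable drive rarely needs any.
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".vbe", ".js", ".wsf", ".lnk"}
LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command", "shell\\explore\\command"}
HIDDEN_DIRS = re.compile(r"(^|[\\/])(recycler|recycled|system volume information)[\\/]", re.I)


def parse_autorun(text):
    """Lenient parse of an autorun.inf: only [autorun] matters, section and key names are
    case-insensitive, keys may carry stray spaces, and junk lines (a common trick to upset
    naive signature matching) are skipped rather than treated as errors. First value wins."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line.startswith((";", "#")):
            continue
        section = re.fullmatch(r"\[(.*)\]", line)
        if section:
            in_autorun = section.group(1).strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries.setdefault(re.sub(r"\s+", "", key).lower(), value.strip().strip('"'))
    return entries


def autorun_findings(text):
    """Reasons an autorun.inf looks like worm glue rather than a vendor disc.
    The heuristics are this example's own, not a product's detection logic."""
    entries = parse_autorun(text)
    launchers = {k: v for k, v in entries.items() if k in LAUNCH_KEYS}
    findings = []
    for key in sorted(launchers):
        target = launchers[key].split()[0] if launchers[key].split() else ""
        if any(target.lower().endswith(ext) for ext in EXEC_EXTS):
            findings.append(f"{key} launches {target}")
        if HIDDEN_DIRS.search(target):
            findings.append(f"{key} points into a hidden system folder: {target}")
    # Worms label their handler with Explorer's own wording so the AutoPlay dialog looks routine.
    if launchers and "open folder" in entries.get("action", "").lower():
        findings.append(f"action text mimics Explorer: {entries['action']!r}")
    return findings


# Constructed samples for this example; not taken from any real worm or product disc.
WORM_INF = r"""[AuToRuN]
x8d$jk@@ junk line with no key, dropped by the parser
OPEN = RECYCLER\S-1-5-21-1234\update.exe
shell\open\command=RECYCLER\S-1-5-21-1234\update.exe
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
"""

VENDOR_INF = r"""[autorun]
label=Driver Disc
icon=setup\disc.ico
"""

if __name__ == "__main__":
    print(autorun_findings(WORM_INF))
    print(autorun_findings(VENDOR_INF))
```

The worm-style sample produces five findings (two per launch key plus the mimicked action text) while the vendor-style sample produces none. Tolerating junk matters: a parser that rejected the second line of WORM_INF as malformed would hand the worm exactly the evasion it was written for.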

To the second instalment…

Images courtesy of:

geography.about.com
horizondatasys.com
180-media.com
all-free-download.com
clker.com

Samir Mody
Senior Manager, K7TCL


Fileave.com shutdown

Saturday, October 22nd, 2011

Readers of this blog may recall an earlier post regarding the abuse of the free file hosting service – fileave.com by malware authors to host their malicious code. Given below is a list of the number of files our web crawler managed to download from this file host over the last 5 months:

Fileave.com was probably well on its way to becoming the preferred free file hosting service for malware authors. However, the site’s ISP, Hurricane Electric, Inc., finally decided to shut down the site along with its associated service ripway.com.

We can breathe a temporary sigh of relief, for it is only a matter of time before the malware authors find a new site to host their parasites.

Lokesh Kumar
K7 TCL


Depths Phishermen Go To Catch a Phish

Monday, October 3rd, 2011

It is common knowledge that phishers (the authors of a phish) attempt to steal sensitive information such as passwords, credit card details etc. by masquerading as a trustworthy entity. Some key elements of a phish are:

  • A fake website created by simply ripping content off the original site and pasting it onto the spurious one

  • A bait which uses enticing phrases like “Watch nude girls now”, “You’ve won a million dollars”, “Find what your neighbor is up to”, etc. to attract victims

  • Scaremongering using phrases like “Account has been suspended”, “Computer found to be infected”, “Severe action will taken” etc.

  • A YouTube video

Yes, you read that right! Phishers now go to the lengths of creating videos explaining to the potential victim how to carry out the phish. Call it a how-to guide to giving your secrets away, if you like.

The site under discussion, http://fbshirts.[Blocked], apart from having all the usual elements of a phish, also has a video on YouTube instructing users how to give away their Facebook “mobile email address”. This is a personalized email address used to post status updates straight to your profile, so anyone who obtains it can post as you.

Users who’ve fallen victim to this scam will have a spam message posted on their Facebook wall like the one below:

One would like to think that no one would fall victim to such a scam. But the number of hits that this video has received (80,432 and counting) paints a bleak picture. See the image below:

Our usual sentiments about keeping one’s security solutions up to date and being wary of giving one’s personal information to unknown sites apply.

Lokesh Kumar
K7 TCL


A Malware Musical!

Friday, September 23rd, 2011

We at K7 TCL came across an unusual host for a malware file: the official fan site of the famous Indian playback singer Sonu Nigam.

The file has been up on the server for almost a month now. Users must exercise caution when they find themselves downloading an executable from a fan site that has no conceivable reason to distribute executables to its visitors.

Upon execution, the malware is capable of reading saved passwords from the user’s web browser, Mozilla Firefox to be specific. It tries to read the ‘signons[number].txt’ file found in the Firefox profile directory.

This text file holds the user’s logon information for the websites for which the user has chosen ‘Remember Password’ in Firefox. The entries are stored encrypted, but the key that unlocks them lives in the same profile directory (key3.db), so unless a master password has been set, a thief who copies both files can recover the passwords at leisure. Now imagine the scale of damage this could cause if the infected machine were a public computer at an internet café.
Following a few simple practices whenever you use a public computer would protect you from such threats:

  • Never save your logon information on public computers
  • Always clear the history and cache before leaving the computer, or you could use the private browsing session option available in most modern browsers
  • If possible use portable applications, i.e. applications that run from a pen drive
  • Avoid entering any kind of sensitive information on a public computer

For our customers, though, it’s just a one-step process: keep your antivirus definitions up to date. K7TotalSecurity detects this file as Trojan ( 001987931 )

The server hosting the fan site has clearly been compromised. The administrators of the compromised domain have been informed of the damage they might be causing to unsuspecting fans.
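One way to triage a sample for the behaviour described above, as an added example that is not part of the original post and is not K7’s detection logic: extract both narrow (ASCII) and wide (UTF-16LE) strings from a binary and flag references to Firefox’s historical password stores (signons.txt, signons2.txt, signons3.txt, later signons.sqlite) and to key3.db, the key database that unlocks them. The byte blob below is constructed for illustration and is not the file found on the fan site; the indicator list is an assumption chosen for this example.

```python
import re

# Constructed stand-in for a suspicious Windows binary: a few printable strings
# embedded among filler bytes, in both narrow (ASCII) and wide (UTF-16LE) form.
# This is NOT the file found on the fan site; it only exercises the scanner.
def _wide(text):
    return text.encode("utf-16-le")

SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x01\x02" * 8                           # fake header plus junk
    + b"GetProcAddress\x00"                                  # an ordinary import name
    + b"signons3.txt\x00" + b"\xff" * 7                      # narrow credential-store name
    + _wide("\\Mozilla\\Firefox\\Profiles\\") + b"\x00\x00"   # wide profile path fragment
    + b"key3.db\x00"                                         # key database for signons*
)

# Printable-ASCII runs of at least MIN_LEN characters, narrow and UTF-16LE.
MIN_LEN = 4
NARROW_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Assumed indicator list: Firefox password stores over its history, plus the
# profile path fragment a stealer has to locate them under.
INDICATOR_RE = re.compile(
    r"signons\d*\.txt|signons\.sqlite|key3\.db|\\mozilla\\firefox\\profiles",
    re.IGNORECASE,
)


def extract_strings(blob):
    """Return printable strings found in blob: narrow matches first, then wide."""
    narrow = [m.group().decode("ascii") for m in NARROW_RE.finditer(blob)]
    wide = [m.group().decode("utf-16-le") for m in WIDE_RE.finditer(blob)]
    return narrow + wide


def credential_store_hits(blob):
    """Sorted, de-duplicated strings that name a Firefox credential store or profile path."""
    return sorted({s for s in extract_strings(blob) if INDICATOR_RE.search(s)})


def classify(blob):
    """Label a blob as ('firefox-credential-access', hits) or ('no-indicator', [])."""
    hits = credential_store_hits(blob)
    return ("firefox-credential-access" if hits else "no-indicator", hits)


if __name__ == "__main__":
    verdict, hits = classify(SAMPLE_BLOB)
    print(verdict)
    for hit in hits:
        print("  ", hit)
```

Scanning for wide strings matters on Windows because path literals in compiled code are often UTF-16LE and a plain ASCII strings pass would miss the profile path entirely; a match here is a reason to look closer, not proof of malice on its own, since legitimate backup and migration tools also name these files.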

Kaarthik .R.M
K7 TCL

File-AVE IT!

Friday, September 16th, 2011

Fileave.com is a one-click hosting site which provides free file hosting for its users. Compared with other similar one-click hosts, the 50 MB of free disk space provided by fileave.com may sound minuscule, but the fact that there are no “wait” restrictions or CAPTCHAs to solve before downloading a file seems to make it a favourite among malware authors for hosting their malicious code.

The graph above displays the number of unique URLs hosting malicious files from fileave.com which were collected by our automated systems.

Closer inspection revealed that the sudden spike from ~100 URLs in the month of July to ~550 in the month of August was due to a mass compromise using the “Blackhole” exploit kit with the final payload hosted on fileave.com. The malware author responsible for this mass compromise had registered a total of ~400 unique URLs in just one month, in the following format:

  • “http://clickme[2 Random characters].fileave.com”

Discounting these URLs, the graph still shows a worrying trend:

The number of malware authors using fileave.com to host their malicious payloads is on the rise. Our blog readers might recall that we recently blogged about how malware authors abuse file hosting services with minimal security checks. The fact that fileave.com has none of these measures in place is bound to be exploited even more by malware authors in the days to come.
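To make the “discounting these URLs” step concrete, here is an added example (not code from K7 or the original post) that normalises a list of crawler URLs, singles out hosts matching the clickme pattern and reports how many fileave.com URLs remain once that one campaign is removed. The URL list is constructed for illustration; the two random characters are assumed to be alphanumeric, and the host pattern is an assumption for this example, not K7’s crawler logic.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the shape the post describes; these are not URLs
# collected by K7's crawler. Mixed case and duplicates are deliberate.
SAMPLE_URLS = [
    "http://clickmeab.fileave.com/load.exe",
    "http://clickmeab.fileave.com/update.exe",
    "http://clickmeq7.fileave.com/x.exe",
    "http://clickmeZZ.fileave.com/x.exe",
    "http://someuser.fileave.com/crack.exe",
    "http://other.fileave.com/setup.exe",
    "http://clickme.fileave.com/a.exe",        # no suffix: not the campaign pattern
    "http://clickmeabc.fileave.com/a.exe",     # three characters: not the pattern
    "http://clickmeab.example.com/a.exe",      # right label, wrong parent domain
    "HTTP://CLICKMEAB.FILEAVE.COM/load.exe",   # case variant of the first entry
]

# "clickme" plus exactly two characters (assumed alphanumeric), directly under fileave.com.
CAMPAIGN_HOST_RE = re.compile(r"^clickme[a-z0-9]{2}\.fileave\.com$", re.IGNORECASE)


def normalise(url):
    """Lower-case scheme and host so case variants of one URL count once."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    port = f":{parts.port}" if parts.port else ""
    path = parts.path or "/"
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme.lower()}://{host}{port}{path}{query}"


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_fileave_host(host):
    # Require the dot so look-alikes such as evilfileave.com do not count.
    return host == "fileave.com" or host.endswith(".fileave.com")


def is_campaign_host(host):
    return bool(CAMPAIGN_HOST_RE.match(host))


def summarise(urls):
    """Count unique fileave.com URLs, the clickme campaign's share, and what remains."""
    unique = {normalise(u) for u in urls}
    fileave = {u for u in unique if is_fileave_host(host_of(u))}
    campaign = {u for u in fileave if is_campaign_host(host_of(u))}
    return {
        "unique_fileave_urls": len(fileave),
        "campaign_urls": len(campaign),
        "campaign_hosts": len({host_of(u) for u in campaign}),
        "remaining_urls": len(fileave - campaign),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_URLS).items():
        print(f"{key}: {value}")
```

The same normalise-then-partition step is what lets a single campaign be separated from the background rate: without lower-casing the host, the last sample URL would be counted as a new sighting, and without anchoring the pattern on the parent domain, a copycat label on another host would be credited to fileave.com.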

Lokesh Kumar
K7 TCL
