
Archive for the ‘Personally speaking’ Category

“Now You See Me, Now You … Errr … See Me”

Wednesday, August 6th, 2014

Much has already been written about Win32/Poweliks, the much-touted "fileless" persistent malware.

The malware uses an embedded NUL within the key under the following registry path:


This non-standard use of NUL as part of the key name is not new. A similar trick was likely used by variants of more advanced malware such as ZeroAccess, when creating helper files on disk. It works because the Win32 registry API treats key names as NUL-terminated strings, whereas the native NT API (and the kernel beneath it) uses counted UNICODE_STRING buffers, so a name can be created through the native API that the Win32 layer cannot reproduce. Regedit, a usermode process built on the Win32 API, is therefore unable to read this key name, but that does not mean the entry is invisible. In fact K7's rootkit scanner reveals the key with ease:
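For readers who want to see the difference for themselves, the following Python script (an added example, not K7's scanner code) walks a key's subkeys through the native NtEnumerateKey call, which hands back counted UNICODE_STRING names, and reports any name containing a NUL alongside the truncated name a Win32 caller would see. The NT-style path to inspect is supplied on the command line; the API prototypes are the documented native ones, and the enumeration itself only runs on Windows.

```python
"""Enumerate registry subkeys via the native NT API and flag names with an
embedded NUL, which Win32 callers such as Regedit see only up to the NUL.
Added example; not K7's scanner code."""
import ctypes
import struct
import sys

KEY_READ = 0x20019
OBJ_CASE_INSENSITIVE = 0x40
KEY_BASIC_INFORMATION = 0              # KEY_INFORMATION_CLASS value
STATUS_NO_MORE_ENTRIES = 0x8000001A
# KEY_BASIC_INFORMATION layout: LastWriteTime(8) TitleIndex(4) NameLength(4) Name[]
NAME_LENGTH_OFFSET, NAME_OFFSET = 12, 16


class UNICODE_STRING(ctypes.Structure):
    # Counted string: a NUL inside Buffer is just another character here.
    _fields_ = [("Length", ctypes.c_ushort),
                ("MaximumLength", ctypes.c_ushort),
                ("Buffer", ctypes.c_void_p)]


class OBJECT_ATTRIBUTES(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_ulong),
                ("RootDirectory", ctypes.c_void_p),
                ("ObjectName", ctypes.POINTER(UNICODE_STRING)),
                ("Attributes", ctypes.c_ulong),
                ("SecurityDescriptor", ctypes.c_void_p),
                ("SecurityQualityOfService", ctypes.c_void_p)]


def hidden_from_win32(name):
    """True if a Win32 caller, treating the name as NUL-terminated, would stop
    at an embedded NUL and so never address the real key."""
    return "\x00" in name


def suspicious_subkeys(names):
    """(index, name_as_win32_sees_it, escaped_true_name) for each subkey name
    that a NUL-terminated API would mishandle."""
    found = []
    for i, n in enumerate(names):
        if hidden_from_win32(n):
            found.append((i, n.split("\x00", 1)[0], n.replace("\x00", "\\0")))
    return found


def _ntdll():
    if sys.platform != "win32":
        raise OSError("native registry enumeration requires Windows ntdll")
    nt = ctypes.WinDLL("ntdll")
    nt.NtOpenKey.restype = ctypes.c_long
    nt.NtOpenKey.argtypes = [ctypes.POINTER(ctypes.c_void_p), ctypes.c_ulong,
                             ctypes.POINTER(OBJECT_ATTRIBUTES)]
    nt.NtEnumerateKey.restype = ctypes.c_long
    nt.NtEnumerateKey.argtypes = [ctypes.c_void_p, ctypes.c_ulong, ctypes.c_ulong,
                                  ctypes.c_void_p, ctypes.c_ulong,
                                  ctypes.POINTER(ctypes.c_ulong)]
    nt.NtClose.restype = ctypes.c_long
    nt.NtClose.argtypes = [ctypes.c_void_p]
    return nt


def native_subkey_names(nt_path):
    """Subkey names of an NT-style path, e.g.
    r"\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\Run",
    returned exactly as stored, embedded NULs included."""
    nt = _ntdll()
    path_buf = ctypes.create_unicode_buffer(nt_path)
    uname = UNICODE_STRING(len(nt_path) * 2, (len(nt_path) + 1) * 2,
                           ctypes.addressof(path_buf))
    attrs = OBJECT_ATTRIBUTES(ctypes.sizeof(OBJECT_ATTRIBUTES), None,
                              ctypes.pointer(uname), OBJ_CASE_INSENSITIVE, None, None)
    handle = ctypes.c_void_p()
    status = nt.NtOpenKey(ctypes.byref(handle), KEY_READ, ctypes.byref(attrs))
    if status < 0:
        raise OSError("NtOpenKey failed: 0x%08X" % (status & 0xFFFFFFFF))
    names, index = [], 0
    try:
        while True:
            info = ctypes.create_string_buffer(4096)   # ample for a 255-char name
            needed = ctypes.c_ulong()
            status = nt.NtEnumerateKey(handle, index, KEY_BASIC_INFORMATION,
                                       info, len(info), ctypes.byref(needed))
            if status & 0xFFFFFFFF == STATUS_NO_MORE_ENTRIES:
                break
            if status < 0:
                raise OSError("NtEnumerateKey failed: 0x%08X" % (status & 0xFFFFFFFF))
            name_len = struct.unpack_from("<I", info.raw, NAME_LENGTH_OFFSET)[0]
            raw = info.raw[NAME_OFFSET:NAME_OFFSET + name_len]
            names.append(raw.decode("utf-16-le"))    # keeps any U+0000 in the name
            index += 1
    finally:
        nt.NtClose(handle)
    return names


if __name__ == "__main__":
    for idx, shown, real in suspicious_subkeys(native_subkey_names(sys.argv[1])):
        print("subkey #%d: Win32 sees %r, kernel name is %s" % (idx, shown, real))
```

Run it as an administrator with the NT path of the key you want to inspect; a clean Run key prints nothing, while a key hiding behind an embedded NUL is listed with both the truncated and the real name.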

The other important point is that the infection chain involves a malicious Microsoft Office document containing a dropper Windows executable file, both of which must exist on disk as normal files, albeit ephemerally, and be executed before the above-mentioned registry entry can be created. This provides a fleeting opportunity to detect these vital components easily, and detect them we do as

Trojan ( 0001140e1 )


Trojan ( 0049882d1 )


The techniques used by the malware to execute a JS-decoded DLL via a registry entry are indeed interesting, but there are still quite a few opportunities to flag the infection at various stages of the infection chain, including at the entry spam email stage itself. It remains to be seen if the malware evolves to employ more sophisticated techniques in future.

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

(Part 1)

Tuesday, July 22nd, 2014

This is the first part of a three-part blog based on my paper for AVAR 2012 that discusses the security challenges involved in adopting two relatively new technologies, namely, Internet Protocol Version 6 and Internationalized Domain Names.

The Internet landscape is about to witness profound changes with the mass adoption of Internet Protocol Version 6 (IPv6) and Internationalised Domain Names (IDNs) in the near future. While these developments have the potential to be immensely beneficial, they also present certain challenges to the security industry which need to be addressed. These changes not only increase the attack surface for malware authors and spammers, but also render traditional methods of URL and spam blocking obsolete.

The exhaustion of the 32-bit IPv4 addresses assigned by the Internet Assigned Numbers Authority (IANA) has led to the roll-out of its 128-bit successor, IPv6. This provides a significant increase in the address pool available to assign unique IP addresses, not only to computers, but also to other Internet-connected devices. Spammers and malware authors would now have a far larger address space to infect and cycle through, vitiating existing methods of detecting spam/malware URLs by their source address.

The Internet Corporation for Assigned Names and Numbers (ICANN) has expanded domain names to include non-ASCII based IDNs in a user’s native language script. While these transitions have the potential to localise the global Internet, they also provide cyber criminals (spammers/phishers/malware distributors) enhanced opportunities for exploitation, especially via social engineering.

These cyber criminals will now have the ability to redirect a user to a URL with a character set unfamiliar to him/her. Given the exponential increase in the number of URLs shared among users in our socially inter-networked world, validation of these URLs by the user prima facie now becomes much more complicated, leading to a higher compromise success rate for cyber criminals.

This paper describes the imminent major changes to the Internet networking infrastructure. It attempts to explore the security challenges involved in these milestone developments and presents potential solutions to address them.

The IPv4 Clock is Ticking

The expansion of the Internet from an esoteric academic project to a publicly accessible resource, coupled with the surge of Internet enabled devices over the last decade have contributed to the shrinking pool of available IPv4 addresses.

Fig.1 depicts the number of expected Internet enabled devices and Internet users by 2016, and how they measure up with the number of IPv4 addresses available.

Fig.1: Number of connected devices & Internet users by 2016 [1]

Conservation efforts like Network Address Translation (NAT), Classless Inter-Domain Routing (CIDR), reclaiming unused addresses etc., only prolonged what was unavoidable: the depletion, and eventual exhaustion, of IPv4 addresses.

Given that IANA, the ICANN function responsible for distributing IP address blocks, allocated the last five /8 blocks of IPv4 addresses to the five Regional Internet Registries (RIRs) in February 2011 [2], the need for change is rather pressing.

IPv6 to the Rescue

This IPv4 address crunch has been anticipated for many years, and the Internet Engineering Task Force (IETF) has been working on refining IPv6, the successor to IPv4, since the early 1990s [3]. This version of the Internet Protocol supports 2^128, roughly 340 undecillion (3.4 × 10^38), addresses, compared to the relatively minuscule 4.3 billion, a number smaller than the current world population, offered by its predecessor. Apart from this massive increase in the address space, the IETF also built other features into IPv6, such as support for IPsec and stateless auto-configuration of devices [4].

These benefits, along with the availability of IPv6 from ISPs, increased end-user device support & IPv6 content, will ensure the adoption of IPv6 in the years to come, eventually making it the dominant Internet Protocol.

Fig.2 shows that, as expected, the percentage of users accessing Google over a native IPv6 connection has seen a steep rise over recent times.

Fig.2: Percentage of IPv6 users accessing Google [5]

What’s in a Domain Name

The demand for Internationalised Domain Names (IDNs) has always existed in view of the fact that 60% of the countries around the world have an official language other than English [6]. ICANN, which has domain names within its remit, has recently started allowing IDNs to satisfy this unmet demand.

The introduction of IDNs allows non-ASCII character sets like Arabic, Cyrillic, Tamil, Hindi, Chinese, etc, to be included in a domain name, potentially paving the way for a truly globalised Internet.

These IDNs are converted into ASCII using Punycode (RFC 3492), each encoded label carrying the "xn--" prefix. The encoding is invisible to the user and allows standard domain name resolution to proceed unchanged.

Fig.3 shows a domain name in English, its nonexistent IDN equivalent in the Tamil script, and the Punycode representation of the IDN which is used for domain name resolution.

Fig.3: Domain Name, IDN, Punycode representation
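To make the encoding concrete, here is an added Python example (not part of the original post) that converts a domain name to and from its Punycode wire form with Python's built-in idna codec, and adds the kind of mixed-script check a client could use to warn about the social-engineering case described above: a single label that mixes, say, Latin letters with a Cyrillic lookalike. The script-detection rule, which reads the script off Unicode character names, is a heuristic of my own and not part of any standard; the domain names used are constructed.

```python
"""IDNA round trip plus a mixed-script homograph heuristic for domain labels.
Added example, not from the original post. Uses Python's built-in "idna"
codec (IDNA2003, Punycode per RFC 3492)."""
import unicodedata


def to_ascii(domain):
    """Unicode domain name -> DNS wire form: every non-ASCII label becomes
    "xn--" followed by its Punycode."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain):
    """Inverse of to_ascii: "xn--" labels are decoded back to native script."""
    return domain.encode("ascii").decode("idna")


def scripts_in(label):
    """Scripts used by the letters of one label, read off the Unicode
    character names ("CYRILLIC SMALL LETTER A" -> "CYRILLIC").
    Heuristic, not a standard property lookup."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def is_mixed_script(label):
    """A single label mixing scripts (Latin letters plus one Cyrillic
    lookalike, say) is the classic homograph pattern and warrants a warning."""
    return len(scripts_in(label)) > 1


def check_host(host):
    """Accept a host in either form and return, per label,
    (unicode_label, wire_label, warn)."""
    is_wire = all(ord(ch) < 128 for ch in host)
    native = to_unicode(host) if is_wire else host
    return [(label, to_ascii(label), is_mixed_script(label))
            for label in native.split(".")]


if __name__ == "__main__":
    # Constructed samples: a genuine German label, its wire form, and a
    # Latin label with a Cyrillic "a" (U+0430) substituted in.
    for sample in ("b\u00fccher.example", "xn--bcher-kva.example", "p\u0430ypal.example"):
        for label, wire, warn in check_host(sample):
            print("%-12s -> %-20s %s" % (label, wire, "MIXED SCRIPT" if warn else "ok"))
```

Note that the wire form is what the resolver, and any URL blocklist, actually sees: a blocklist keyed on the Unicode spelling will miss the "xn--" label and vice versa, so both forms need to be normalised before comparison.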

The current demand for IDNs, combined with registrars offering them at a lower price than regular domains, could see a surge in the number of non-English sites registering domain names in their local language.

To be continued…

[4] Information on


Lokesh Kumar
Manager, K7 Threat Control Lab


Don’t Let Heartbleed Give You Nosebleed

Thursday, April 24th, 2014

Much has already been written about the infamous Heartbleed vulnerability (CVE-2014-0160), the best technical piece being on Cloudflare’s blog. Unfortunately, as always in such cases, there has also been a lot of junk spewed out causing undue panic amongst the masses. A glaring example of this was a recent article in a well-known Indian daily newspaper reprehensibly titled the “Heartbleed Virus”, at which point one ought to stop reading the article.

Heartbleed is NOT a virus! It cannot spread from machine to machine, from device to device, and it cannot directly damage your computer. That is not to say that Heartbleed is not a serious issue. It is! Rather, the gravity of the situation very much depends on who you are. If you are an average individual surfing the internet on your home computer, one could argue that Heartbleed is unlikely to affect you very much. We must perforce qualify this opinion.

Heartbleed is a vulnerability in the OpenSSL library, which is used to encrypt vast amounts of internet traffic to protect it from being snooped upon, unless the NSA is involved that is. The SSL/TLS protocols rely on a Public Key Infrastructure (PKI), a proven technology for authenticating servers and establishing private sessions, and hence are ubiquitous on the internet. Heartbleed, by potentially exposing a secure webserver's private key to a remote attacker, threatens the confidentiality and authenticity of PKI-protected communication over a network: whoever holds the key can impersonate the server and, where forward secrecy is not in use, decrypt captured traffic. One could picture a heavily-reinforced steel vault, with the master key visible under the door mat outside.
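For the technically inclined, the following Python model (an added example; neither OpenSSL's code nor part of the original post) reproduces the defect behind CVE-2014-0160 on a constructed buffer: the heartbeat responder copies as many bytes as the request's payload_length field claims, not as many as the record actually contains, so a request that lies about its length is answered with whatever memory sits after it. The fixed variant applies the bounds check the patch introduced. The "process memory" and the private-key text placed after the record are constructed inputs.

```python
"""Model of the CVE-2014-0160 defect: a TLS heartbeat responder that trusts
the request's payload_length instead of the received record length.
Added example; not OpenSSL's code. 'memory' is a constructed bytes object:
the request record followed by whatever happened to sit after it."""
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16                      # RFC 6520: at least 16 bytes of padding


def build_heartbeat(payload, claimed_length=None):
    """Construct a heartbeat request. claimed_length lets a caller lie about
    the payload size in the header, which is exactly what the attack does."""
    if claimed_length is None:
        claimed_length = len(payload)
    return struct.pack(">BH", HEARTBEAT_REQUEST, claimed_length) + payload + b"\x00" * PADDING_LEN


def _response(payload_length, payload):
    return struct.pack(">BH", HEARTBEAT_RESPONSE, payload_length) + payload + b"\x00" * PADDING_LEN


def vulnerable_respond(memory, record_length):
    """Pre-patch logic: record_length is never consulted, so payload_length
    bytes are copied from wherever the request sits, running past its end."""
    hb_type, payload_length = struct.unpack_from(">BH", memory, 0)
    if hb_type != HEARTBEAT_REQUEST:
        return None
    return _response(payload_length, memory[3:3 + payload_length])


def fixed_respond(memory, record_length):
    """Patched logic: silently discard any request whose header, declared
    payload and padding do not fit inside the record actually received."""
    if record_length < 1 + 2 + PADDING_LEN:
        return None
    hb_type, payload_length = struct.unpack_from(">BH", memory, 0)
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + payload_length + PADDING_LEN > record_length:
        return None
    return _response(payload_length, memory[3:3 + payload_length])


def leaked_bytes(response, record_length):
    """Bytes of a response payload that were read from beyond the request."""
    if response is None:
        return b""
    payload_length = struct.unpack_from(">BH", response, 0)[1]
    payload = response[3:3 + payload_length]
    return payload[max(record_length - 3, 0):]


def demo():
    """Constructed scenario: a 2-byte 'hi' request that claims 49 bytes, with
    a fake key fragment sitting in memory immediately after the record."""
    neighbour = b"-----BEGIN RSA PRIVATE KEY-----"
    record = build_heartbeat(b"hi", claimed_length=2 + PADDING_LEN + len(neighbour))
    memory = record + neighbour
    leaked = leaked_bytes(vulnerable_respond(memory, len(record)), len(record))
    return leaked, fixed_respond(memory, len(record))


if __name__ == "__main__":
    leaked, patched = demo()
    print("vulnerable responder leaked:", leaked)
    print("patched responder answered:", patched)
```

The check in fixed_respond is the whole fix: one comparison between the declared length and the record length. Its absence is also why exploitation leaves no trace in the server's logs; a malformed heartbeat is answered like any other.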

It would be entities such as corporates, governments, etc, that have webservers using a vulnerable version of OpenSSL that are most at risk of potentially revealing critical confidential data, especially private keys. If you are such an entity we urge you to upgrade your version of OpenSSL immediately, and only then to revoke your certificates and reissue them with newly generated private keys (reissuing before patching merely hands the new key to the same hole). Unfortunately attempted exploitation of Heartbleed does not necessarily leave evidence behind, and the nature of the vulnerability is such that it may be virtually impossible to tell what, if any, data has been leaked. Note, the vulnerable code had been present for around two years before its discovery: it shipped with OpenSSL 1.0.1 in March 2012, and versions 1.0.1 through 1.0.1f are affected.

Let us now address the risk posed to the individual surfer. Although there is indeed some risk of your password and other data being leaked from some website you have logged into if the server hosting the site was being targeted, the chances are rather slim. This is because successful Heartbleed exploitation tends to reveal only ephemeral data, and on a webserver hosting a popular site with several concurrent logged-in sessions, especially one where the average individual logs out after visiting the page (assuming this frees up the session resources on the server for the next user), the probability of leaking confidential data, and that too data specifically pertaining to you, is low. Notwithstanding, to be on the safe side, you may yet wish to change your passwords if the site in question has admitted to being vulnerable earlier and has since patched the flaw. After all, based on GitHub’s advice, we in the Taggant Library Maintenance Committee (part of the IEEE Anti-Malware Support Service) did change our passwords for the following repository:

In addition client-side devices, including those running certain versions of Android (reportedly 4.1.0 and 4.1.1), could also be vulnerable to Heartbleed-based data leakage, and ought to be patched ASAP, even though exploitation on the client side is an even more remote possibility.


Samir Mody
Senior Manager, K7TCL


VAIN Vote for Industrial Action

Tuesday, April 1st, 2014

Virus Authors’ International Network (VAIN), the body looking after the interests of malware authors around the world, has unanimously voted for strike action with immediate effect. The number of malware written today, the 1st of April 2014, could be badly affected.

Otto Runn Würm, General Secretary of and spokesperson for VAIN, said

“It’s about job security, pensions, … and, of course, about better conditions in jail. Our members seek comfort at all times.”

Unfortunately malware writing services are expected to return to normal by tomorrow, if they haven’t done so already.

Samir Mody
Senior Manager, K7TCL


Click Without a Trace

Friday, March 2nd, 2012

The recent outbreak of the Xpaj virus in India due to the mass distribution of certain infected software provided me with an incentive to look at the virus code in a bit more detail.

Xpaj is not a new virus. It is at least a couple of years old and it has already been written about by my security industry colleagues. However there may be some space for me to provide my views on some of the technical aspects of this virus.

Xpaj is a mid-infecting, polymorphic virus with a difference. Most viruses, including common ones like Virut and Sality, leave behind clear tell-tale signs, sometimes infection markers, in the infected host to indicate that something is amiss. For example, an entry point modified to point to the last section, which has rwx attributes, smells somewhat rotten. Xpaj, however, is very clever in making all its modifications to the host whilst remaining extremely well camouflaged.

Changes to the code and data sections have been managed so that all looks normal:

  1. The original EP remains unchanged. Xpaj is a mid-infector which patches certain relative calls in the host file's code.
  2. No changes are made to the attributes of any section. The required page permission changes are invoked dynamically via a call to ZwProtectVirtualMemory.
  3. Sections after the one containing the bulk of the virus are shifted down with ease, and corrections are made in the metadata areas, including relocating the resources, if any.
  4. Xpaj has no problems infecting DLLs with relocations, and can infect SYS files which run in kernel mode.
  5. Even the clusters of polymorphic virus code in the host file's code section look like bona fide High-Level Language (HLL) code.
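As an added illustration (not K7's detection code), the Python below implements the tell-tale check mentioned above: parse the section table, find the section containing AddressOfEntryPoint, and flag an entry point that sits in a last section which is both writable and executable. It builds two minimal, non-runnable PE32 header images (an ordinary layout, and the appended rwx section pattern) so the check can be exercised without real samples; the section name ".vir" is hypothetical. An Xpaj-infected host, with its EP and section flags untouched, passes this check, which is the point of the list above.

```python
"""Header-only PE check for the classic file-infector marker: entry point in
the last section, which is also writable and executable. Added example, not
K7's engine. build_pe constructs minimal PE32 header images for testing."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(image):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    size_of_optional = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    entry_point = struct.unpack_from("<I", image, e_lfanew + 24 + 16)[0]
    table = e_lfanew + 24 + size_of_optional          # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name, vsize, va, raw_size = struct.unpack_from("<8sIII", image, off)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "size": vsize or raw_size, "chars": chars})
    return entry_point, sections


def entrypoint_check(image):
    """Locate the section holding the entry point and report the markers a
    crude appending infector leaves behind."""
    entry_point, sections = parse_pe(image)
    for idx, s in enumerate(sections):
        if s["va"] <= entry_point < s["va"] + s["size"]:
            writable = bool(s["chars"] & IMAGE_SCN_MEM_WRITE)
            executable = bool(s["chars"] & IMAGE_SCN_MEM_EXECUTE)
            is_last = idx == len(sections) - 1
            return {"section": s["name"], "is_last": is_last,
                    "writable": writable, "executable": executable,
                    "suspicious": is_last and writable and executable}
    # EP outside every section is suspicious in its own right.
    return {"section": None, "is_last": False, "writable": False,
            "executable": False, "suspicious": True}


def build_pe(sections, entry_point):
    """Construct minimal PE32 headers: sections = [(name, va, size, chars)]."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)              # e_lfanew = 64
    file_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    optional = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_point)
    optional += b"\0" * (224 - len(optional))                    # rest of PE32 optional header
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode("ascii"), size, va,
                                 size, 0, 0, 0, 0, 0, chars)
                     for n, va, size, chars in sections)
    return dos + b"PE\0\0" + file_header + optional + table


TEXT = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE

# Constructed images: a normal layout, and the appended rwx-section pattern.
CLEAN = build_pe([(".text", 0x1000, 0x1000, TEXT), (".data", 0x2000, 0x1000, DATA)], 0x1200)
APPENDED = build_pe([(".text", 0x1000, 0x1000, TEXT), (".data", 0x2000, 0x1000, DATA),
                     (".vir", 0x3000, 0x800, RWX)], 0x3010)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("appended", APPENDED)):
        print(label, entrypoint_check(image))
```

Because Xpaj keeps the original EP and section flags, spotting it needs a different angle, such as following the patched relative calls from the host code into the HLL-looking virus code described next.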

Here is an example of some of the Xpaj code pointed to after judicious host-call-patching:

The above snippet conforms to HLL patterns in certain files compiled with Microsoft Visual C++ 8.

The virus code goes on to execute a mini virtual machine which performs the decryption and makes the call to ZwProtectVirtualMemory before transferring control to the bulk of the virus code.

The Xpaj virus authors went through a lot of trouble, including a fair amount of QA, to develop their “product”. Xpaj is indeed a sophisticated virus. Of that there is no doubt. It demonstrates the lengths to which malware authors are prepared to go to spread obfuscated malicious code. Interestingly, a denuded Xpaj, divested of its obfuscatory vestments, is nothing more than a clicker.

Well before the outbreak, K7 customers who had their real-time scanner active would, of course, have already been protected. K7 products detect and clean Xpaj-infected files as “Virus ( 700000051 )”.

Samir Mody
Senior Manager, K7TCL


Malware Authors and Multiple Scanners

Friday, January 27th, 2012

One of the items on a malware author's checklist while distributing malicious code is to make sure that the malware remains undetected for as long as possible. Scanning their creation with a multiple anti-virus scanning system is one among the many techniques in their arsenal which ensures just that.

Although time consuming and resource intensive, the malware author installs various Anti-Virus software and keeps them updated. The malicious files are scanned on this system before they are distributed to the victim.

For malware authors/script kiddies who can't afford to build such a system, there are underground sites which mimic genuine online file/URL scanning services. The significant difference is that these underground sites, in exchange for money, promise not to distribute the scanned files to the anti-virus vendors. Given below are screen shots of two such sites:

Then there are tools which incorporate multiple scanners & are distributed for free. Given below is a screen shot of one such tool:

If their malicious code is detected by the Anti-Virus vendors during the initial stage of the attack, the malware authors are quick to change their binary.

While traditional checksum-based detections alone might be ineffective against such files, a combination of several detection methods, including a behaviour-based approach, will prove far more effective.

R.V Shyam Charan


MalwAsia: In Operation Since 1986 (Part 3)

Friday, December 9th, 2011

This is the final instalment of a 3-part series representing my paper for AVAR 2011, investigating malware which have emanated from Asia, charting the likely reasons for these, and attempting to predict future trends.

Continuing from the second instalment on last week’s blog…

In the Name of Mammon

The volume of malware samples up to 2006 and the 20 years prior to that could not have totalled more than a quarter of a million. Post 2006, however, the number of malware samples discovered year-on-year has multiplied manifold, with the current number of daily samples being in the order of tens of thousands. An estimate of the gross volume of malware samples since 2007 stands at well over 52.6 million.

The modern threat landscape is heavily dominated by malware written for financial gain, and since 2007 much of this malware is believed to originate in China and Russia (and the erstwhile republics of the Soviet Union), with those in South Korea and Brazil being smaller but significant players. It must be borne in mind that tracing malware back to its true origins is a difficult exercise since it is extremely straightforward for malware to pretend to come from another country, whether based on malware hosting URL or locales within the binary samples, etc.  However, a crude analysis of recent malware samples suggests that 20% come from China, 10% come from Russia, 3% may be attributed to Brazil, and 2% are Korean. These numbers are almost certainly gross underestimates. Suffice to state that the perception that the bulk of malware, much of it with a financial motive, comes from a handful of countries is a reasonable one. However, one ought to go further in an attempt to understand the potential reasons for this geographical bias in malware origin. Let us first digress briefly to explore the nature of some of the modern threats that have emanated from Asia.

Lineage of Modern Asian Malware

The spate of Autorun worms has already been described earlier. Many of these Autorun worm families did not have an obvious link to financial gain. The motive was to morph soon enough.

During the mid-to-late 2000s Asian malware was dominated by families of High Level Language Prepender file infectors and password stealers (PWS/PSW Trojans) which are believed to originate primarily in China. These PWS Trojans targeted online games such as Lineage and World of Warcraft, supposedly popular amongst Chinese gamers. Stolen game passwords and artefacts appear to have been sufficiently in demand to warrant a black market involving the exchange of hard currency.

In more recent years the Asian malware focus has expanded to encompass mundane Distributed Denial of Service and other hacker tools, Browser Helper Objects and browser hijackers, botnets with remote Command & Control, and rootkits. Interestingly, the increase in mobile threats, e.g. for the Android platform, is believed to be fuelled by authors in Russia and China.

Dave the Malware Author

Despite the Terminator series and other sci-fi films from Hollywood, code which controls machines, whether it is good or nasty, is well and truly written by humans rather than by automatons or some abstract force of evil. This fact raises interesting and important questions about malware authorship and the reasons for it. There is general agreement and plenty of statistics about the volume and sources of burgeoning malware, but perhaps an insufficiently clear understanding of and explanation for the phenomenon. Of course much of the malware is written for monetary gain; why, then, are the contributions to the threat landscape so heavily influenced by geography?

Dotcom Boom

Since 2007 the number of internet users in China and Russia has more than doubled to over 420 million (>31% of the population) and 59 million (>42% of the population) users respectively. This dramatic increase in a short timeframe implies a massive investment in internet infrastructure, both network connectivity and PC hardware, and a phenomenal increase in computer literacy.

Of course, these infrastructure improvements provide the means and viability for malware production since it is now increasingly possible to create and distribute malware globally, and reap the profits. Importantly, the increasing number of internet users also provides a growing local “market” for malware, i.e. there are now many more potential victims to exploit.

Internet penetration is increasing in other parts of Asia such as India and the “Tiger Cub” nations of Indonesia, Malaysia, Philippines and Thailand. It remains to be seen if the increase in the number of internet users in these countries leads to a concomitant rise in the number of malware emanating from them.

Legal Aid

Writing and distributing malware, essentially a form of common thievery in the modern day and potentially very damaging, is or ought to be against the law. Therefore there are likely to be legal aspects, with local flavours, to the geographical trend in malware.

The cyber crime laws in the so-called "malware hubs" are considered relatively lax or poorly enforced, due to various technical and administrative reasons. The process of strengthening cyber crime laws is certainly progressing, albeit at a viscous pace according to some. It is indeed surprising that even Japan, with its government departments dedicated to monitoring and fighting cyber crime [e.g. Office of IT Security Policy, Ministry of Economy, Trade and Industry], has supposedly only just recently made malware writing illegal.

It is possible that many of the victims of modern malware have been in countries other than the alleged malware hubs. This leads to issues of international jurisdiction. Local law enforcement agencies in victim countries would struggle to prosecute overseas perpetrators, and the law enforcement agencies in possible malware hub countries may not have sufficient incentive to investigate cyber crime and prosecute offenders when the victims are outside their remit.

Reports on the arrests of cyber criminals in China and elsewhere in Asia have made the press and blogs. There have also been coordinated international law enforcement efforts to arrest and prosecute cyber criminals which have shown positive, albeit probably ephemeral, results. No doubt, there are still too many loopholes for malware writers to function with impunity, and a course correction, replete with international treaties, is warranted.

SOD’s Law?

Iniquitous growth, inadequate job and education opportunities and denial of basic human freedoms are leading to growing radicalization of the youth, intolerance and extremism.

We have no choice but to meet these challenges head-on.
-    Shree Manmohan Singh, Honourable Prime Minister of India, in his address to the UN General Assembly, 24th September 2011

Human greed has no nationality. However, the sheer scale of the migration towards following a dubious path in the malware hubs suggests possible institutional concerns. Inadequate overall legislation notwithstanding, one would assume there are other core reasons to forsake Confucian values. These core reasons constitute a “Seeds of Discontent” hypothesis.

Money, the universal means of exchange in economics, forms the rationale for malware creation and distribution, and, perforce, economics deals with the fundamentals of social welfare. Deficiencies in social welfare sow the seeds of discontent, sometimes tending to result in undesirable activities, including malware authorship, as there is a scramble to satisfy Maslow’s hierarchy of needs when resources are scarce. If indeed the core issues derive from economic indicators, then we ought to spend some time investigating them in laymen’s terms.

A few of the global malware hubs went through periods of extreme economic restructuring based on Friedmanesque rather than Keynesian principles throughout the 1990s [Naomi Klein, "The Shock Doctrine"]. The extent of the economic volte-face in a couple of cases was from chalk to cheese, or vice-versa depending on one's perspective. It is alleged that one of the eventual key consequences of these economic restructuring programmes was the loss of jobs and livelihoods for large swathes of people.

Since the 1990s several instances of downturns in the globalised economy, including the “credit crunch” which began in 2008, could have piqued the general sense of consternation and despair. A marked increase in criminal activity, including the establishment of mafia gangs, may well have been a reaction to these unfortunate scenarios. High-tech criminal activity, in the form of cyber crime, comes to the fore when the perpetrators happen to be adept university graduates who are unable to find suitable employment in the legitimate IT sector.

Let us consider Russia, a Eurasian country, as a simple case study since candid information is freely available. Russia's unemployment rate has averaged around 8.4% with a high of 14.6% in February, 1999. Unemployment, and possibly other social welfare, benefits are reportedly far better on paper than they are in reality, and Russia's inflation rate, double-digit on average over recent years, can be considered high. Mr. Putin, Russia's former president and a firm candidate to return to the Kremlin, envisages an increase of average wages and salaries by 50% to US $1,000 by 2014. An ambitious $1,000 in three years' time fades, nay wilts, in comparison to a guaranteed monthly salary of $5,000 currently offered to write custom packers to wrap malware. Therefore the incentive for many young Russian graduates, especially those with an IT background, to contribute to the "malware industry" appears particularly strong.

It is a reasonable assumption that most people who are able to comfortably satisfy Maslow’s pyramid through legitimate means are unlikely to be tempted by malware writing, given the moral and legal implications. The corollary of this, however, would be that once a person has been “turned”, he/she might have crossed “the point of no return”, i.e. succumbed to the malaise. Nevertheless the emphasis ought to be on dissuading the next generations of youth from partaking in the malware industry. This will be no easy task given the economic policy changes that might be required under difficult globalised economic conditions.

One would wager an educated guess, indeed a lot more, that the current trend of financially motivated malware, in increasing numbers, out of Asia and elsewhere will continue unabated. The role of the IT security industry is to continue to protect customers against malware attacks, and the law enforcement agencies are expected to prosecute the perpetrators. However, for the longer term, it could be the global policy-makers who hold the key to attempt to resolve the underlying issues to stem the gushing flow of malware.

The End


Samir Mody
Senior Manager, K7TCL


MalwAsia: In Operation Since 1986 (Part 2)

Friday, December 2nd, 2011

This is the second instalment of a 3-part series representing my paper for AVAR 2011, investigating malware which have emanated from Asia, charting the likely reasons for these, and attempting to predict future trends.

Continuing from the first instalment on last week’s blog…

The Art of Cyber War

Nation-specific Attacks

Stuxnet, a worm with a particularly venomous, damaging payload, was almost certainly targeting the Iranian nuclear establishment. Given the means and the end, if one were to consider the motive, one would have no alternative but to attribute the creation of Stuxnet to powerful nations inimical to Iran’s nuclear programme, a couple of which are in West Asia.

The use of malware as an instrument of state policy may have already been in effect for a couple of decades [Rainer Fahs, keynote address, EICAR 2011]. In modern times nation-to-nation attacks, alleged or otherwise, have been given considerable publicity with much finger wagging and pointing. Many of these instances of cyber warfare appear to originate in Asia, which is hardly surprising given the frosty relationships that exist between several neighbouring countries in Asia, e.g. North Korea-South Korea, India-Pakistan, etc. Indeed, avoiding the mention of China's alleged contribution to cyber warfare would be like ignoring the elephant in the room, and the apparent involvement of Israeli personnel most certainly deserves an explicit mention.

There have been several documented cases of nation-specific cyber attacks, some of which are potentially ongoing. These cases may be summarised as follows:

The strategic advantage offered to powerful and resourceful nations via targeted cyber attacking is highly significant. As described in Table 2, the scope of these attacks could be anything from the stealing of state secrets to the targeted damage of both government hardware and software. Critical modern infrastructure is controlled by computer systems which presents an irresistible target for cyber attacks.

The stakes and incentives involved in cyber warfare are high, and cyber attacks are unlikely to diminish in the years to come. On the contrary, cyber warfare is likely to increase manifold with an eastward shift in the balance of power in the global hegemony suggesting an increasing involvement of Asian states.

There can be little doubt that the military and intelligence establishments of various nations have wings dedicated to cyber warfare. Sun Tzu would have been proud. Given the enormous resources involved and the high-profile, targeted nature of cyber attacks, it is difficult to predict the security responses of commercial Anti-Virus companies and the general public at large. It is likely that standard civilian bodies would be largely bystanders in these events. Indeed, for every attack that is reported and documented in the public domain, there may well be several others which are kept very firmly under wraps.

However, perhaps there are some mitigating circumstances:

  1. As a diplomatic preventative measure, it is possible that there could be an international convention, perhaps UN-brokered, on cyber warfare. The US government has already been contemplating diplomatic talks with certain countries. The main issue herein could well be the difficulty in proving state versus non-state actors, a challenge even in conventional warfare where proxy militant groups have been used with impunity to perpetrate attacks across international boundaries.
  2. Standard technical measures to secure systems, including instituting prescribed system configurations and policies, may be sufficient to prevent “80 percent of commonly known cyber attacks”.

Notwithstanding, it will be interesting to track how events transpire in the future. The average citizen of the world may well have to wait for the future offerings from Hollywood or Bollywood, with their vivid imaginations, to gauge the extent of the issues dealt with by sedentary agents code named ‘0000 0000 0111’, ‘JS0N B0URN3’, etc.

Corporate Insecurities

The attacks on large, well-known corporate entities over the recent past have been much publicised. The alleged origin of some of these high-profile, ongoing, attacks lie in Asia. It is worth summarising some of these attacks, described as “Advanced Persistent Threats”, as follows:

The origin of some of the attacks mentioned in Table 3 is up for heated debate as the parties concerned accuse each other of skulduggery and conspiratorial activity. In many cases, hard evidence pointing the finger at a specific culprit is rather difficult to gather which provides a level of immunity from risk for the perpetrators.

Targeted attacks on large corporate entities could, no doubt, yield valuable information which can eventually be used for significant financial gain, whether through a transfer of intellectual property, sabotage of competitor infrastructure, or a straightforward theft of classified financial data. The perceived or real benefits from such attacks for the perpetrators provide a clear incentive to invest resources.

Under these circumstances of high reward versus relatively low risk, and given the recent record of security breaches, the trend of targeted cyber attacks against corporations looks set to continue, and probably at an increasing rate.

Malware in Societal Conflicts

Terrorism may be defined as the systematic use of coercive tactics to instil fear in a targeted group as a means to the end of a perceived political gain.

Conflicts between different groups, whether within the bounds of the same sovereign territory or across international frontiers, have existed since the dawn of mankind. Some of the high-profile modern day conflicts involve actors, “state” or “non-state”, based in Asia who resort to forms of terrorism, whose definition and application to any given scenario is highly subjective, in an attempt to seek political mileage or redress against perceived grievances.

Given the advance of technology and the ubiquity of computer systems, many in critical infrastructure, acts of terror have included or are likely to include, at an increasing rate, attacks via binary media, i.e. code, software, etc. These attacks may be described as “Cyber Terrorism”.

Groups involved in international terrorist activities, many based in Pakistan and Afghanistan, include individuals familiar with modern computer systems and communication channels. Groups such as “al-Qaeda” allegedly have a dedicated R&D wing with ‘digital specialists’ successfully exploiting smartphone platforms for the theft of sensitive data. Given the impact it would likely have in spreading anxiety, there is a possibility, nay probability, that attempts will be made to cause the targeted destruction of systems in the future, via the mass deployment of malware, in addition to data theft.

Sometimes civilian bodies have been targeted by groups which are unlikely to be described as “militant”. Rather, it is possible that the civilian bodies themselves may conform to the definition of “militant”, yet another subjective and emotive term. For example, there have been numerous, but intermittent, malware attacks on pro-Tibet groups in recent years, the ones in 2008 just before the Beijing Olympics being widely reported by the media and in various IT security blogs. Many of these attacks involve the use of documents such as PPT and PDF files containing crafted exploit code (some attacks have involved browser exploits), mailed to known individuals or posted to various fora. Attacks such as these have been alleged to originate in China, but some or all of them could have involved a financially motivated social engineering angle, exploiting the media attention attributed to societal conflicts in areas such as Palestine or Tibet. Once again, it is difficult to garner specific evidence to arraign any one party. It remains to be seen how malware might be used in the future against such groups, as the number of documented incidents appears to be waning.

The security industry has played, and will continue to play, a role in mitigating and remediating many of these attacks since the victims tend to be ordinary civilians, even if specifically targeted on occasion, and visibility of such attacks is relatively high.

To final instalment…

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

MalwAsia: In Operation Since 1986 (Part 1)

Thursday, November 24th, 2011

This is the first instalment of a 3-part series representing my paper for AVAR 2011, investigating malware which have emanated from Asia, charting the likely reasons for these, and attempting to predict future trends.

In a Nutshell

Conventionally, the very first known PC virus, Brain, was created in Asia (Pakistan) in 1986. No doubt this fact would come as a surprise to the vast majority of the general public of computer users worldwide. Asia has a certain history of malware creation; however, over the years, the profile of malware emanating from Asia has changed considerably in terms of, inter alia, the volume, scope, purpose and geographic hub.

It is now common knowledge that most modern malware in general is written with a financial motive, whilst older malware was written primarily for kudos. The history of Asian malware follows a similar trend. There were a few high-profile global malware epidemics which originated in Asia, and there were several examples of script-kiddy autorun worms from South-East Asia and the Indian sub-continent which contain attention-seeking messages. These have not died away completely; however, nowadays much of the malware is professionally written for revenue generation or, increasingly, for cyber warfare, and the geographic location has shifted to major nations in East Asia.

The evolution of malware originating in Asia is worth investigating in order to attempt to predict its future course, whilst perhaps also beginning to find solutions to the issues to stem the flow. Let us explore the history of Asian malware, focussing on the recent past, with a look at the core issues at hand. Note, many of the sentiments expressed in this piece are my own.

The Year was 1986

A fateful year, 1986 was a watershed in the field of computer security, the very concept of which was perhaps merely embryonic at the time. Computers were not globally ubiquitous and interconnected as they are today, and negative thoughts about the ability to compromise systems were unlikely to be at the forefront of people’s minds.

However, the Brain virus, oft-quoted as the earliest PC virus, must perforce have somewhat changed the mindset about computer security. This virus, incidentally of the boot sector variety, was created in Pakistan by brothers Basit and Amjad Farooq Alvi. The creators of the virus asseverate that their intent was to protect their own medical software from piracy rather than to cause any damage. Notwithstanding, the Brain virus did spread to several computers around the world, and reportedly was the cause of more than a little irritation.

There are a couple of salient points which ought to be highlighted explicitly. Firstly, the incipient PC malware trend had its roots in Asia, and secondly, the misguided raison d’être for the first known virus was the protection of intellectual property. The vital characteristics of the global malware trend were to change markedly over the next quarter of a century.

From Asia … With (Some) Love

The specifically Asian slice of the malware creation pie over the course of the ‘90s and the early 2000s may not be substantial in terms of raw volumes; however, there have been a few high-profile examples of malware which appear to have originated in Asia and which are worthy of note:

The examples of malware in Table 1 were likely to have been written for kudos more than anything else.

The Autorun Worm Factory

Microsoft released the first version of Windows XP in August, 2001, and a couple of years thereafter events conspired to create a scourge of “Autorun worms”. Autorun worms, a modern ersatz avatar of the retro boot sector viruses in terms of basic intent, tend to spread from computer to computer via removable devices such as USB memory sticks. The global spread of Autorun worms has been aided greatly by the following:

  • Introduction of the AutoPlay feature in Windows XP
  • Windows XP being the most common operating system for PCs between 2005 and 2010
  • The ubiquity of removable devices and nonchalant sharing of the same
  • Increasing popularity and support for Visual Basic (VB) and Visual Basic Script (VBS)
  • A proliferation of narcissistic Asian script-kiddies seeking attention

Many of the samples of Autorun worms released during the mid-2000s originated in Asia, e.g. Indonesia, Malaysia, Philippines, and the Indian sub-continent. The main motive for writing these worms could only have been kudos since many of them had references to alleged love interests or other juvenile string content, some of it in the vernacular, embedded in the files. One family of Autorun worms from India even had resource strings calling themselves “Khatra” which means “danger” in Hindi.

Examples of Autorun worms still abound; however, the origin, scope and intent of these worms are different in the more recent context. Many families of recent malware, including the notorious Conficker (aka Downadup or Kido) and Sality, do use removable devices as part of their spreading mechanisms; however, the point of note is that these recent malware are written with a financial motive rather than for kudos. The infamous Stuxnet worm from 2010, which also used the Autorun feature, had a sinister, albeit non-financial, motive. Interestingly, Stuxnet almost certainly originated in Asia.
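As an added illustration (not K7's scanner and not code from this post), the following Python heuristic parses an autorun.inf of the kind these worms drop on removable media and flags the directives that would launch a payload when the drive is inserted or opened. The sample file content, the recycler\khatra.exe path and the list of risky extensions are constructed assumptions for the example.

```python
"""Heuristic triage of autorun.inf files as dropped by Autorun worms (added illustration)."""
import re

# Directives that launch a program when the drive is inserted or double-clicked.
EXEC_KEYS = {"open", "shellexecute"}
# Payload extensions worth flagging (assumption: typical dropper file types).
RISKY_EXT = re.compile(r"\.(exe|com|bat|cmd|vbs|vbe|js|scr|pif)\b", re.IGNORECASE)

# Constructed sample in the style of the mid-2000s worms described above.
SAMPLE_AUTORUN_INF = """[autorun]
open=recycler\\khatra.exe
shell\\open\\Command=recycler\\khatra.exe
shell\\explore\\command=recycler\\khatra.exe
useautoplay=1
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

def parse_autorun(text):
    """Return the [autorun] section as {lowercase key: value}, parsed leniently:
    worms pad the file with NUL/control bytes and junk lines that strict INI parsers reject."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = "".join(ch for ch in raw if ord(ch) >= 32).strip()  # drop NUL/control padding
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries.setdefault(key.strip().lower(), value.strip())  # keep the first occurrence
    return entries

def assess_autorun(text):
    """Return human-readable findings; an empty list means nothing suspicious was found."""
    findings = []
    for key, value in parse_autorun(text).items():
        if key in EXEC_KEYS and RISKY_EXT.search(value):
            findings.append(f"{key}= launches {value}")
        # shell\<verb>\command= hijacks Explorer's Open/Explore context-menu verbs for the drive
        elif key.startswith("shell\\") and key.endswith("\\command") and RISKY_EXT.search(value):
            findings.append(f"{key}= hijacks context menu with {value}")
        elif key == "useautoplay" and value == "1":
            findings.append("useautoplay=1 requests AutoPlay on drive types where it is off by default")
    return findings

if __name__ == "__main__":
    for finding in assess_autorun(SAMPLE_AUTORUN_INF):
        print(finding)
```

A clean autorun.inf that only sets a label and icon produces no findings, so the check is suitable for triaging every removable drive root rather than only known-bad files.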

To Second instalment …

Samir Mody
Senior Manager, K7TCL

shutdown

Saturday, October 22nd, 2011

Readers of this blog may recall an earlier post regarding the abuse of the free file hosting service – by malware authors to host their malicious code. Given below is a list of the number of files our web crawler managed to download from this file host over the last 5 months: was probably well on its way to becoming the preferred free file hosting service for malware authors. However, the site’s ISP, “Hurricane Electric, Inc.”, finally decided to shut down this site and its associated

We can breathe a temporary sigh of relief, for it’s only a matter of time before the malware authors find a new site to host their parasites.

Lokesh Kumar