
Archive for the ‘Personally speaking’ Category

Holding you to ransom for fun and (f)rolik

Thursday, August 25th, 2011

Here at K7TCL, we noticed a spike in the number of samples arriving with the file name “porno-rolik[2 digit number].avi.exe”. Closer inspection of the files revealed that they were yet another variant of ransomware. On execution, this ransomware displays a fake error message like the one shown below:

The ransomware then reboots the computer and displays a sexually explicit image demanding that the user dial a premium rate number and enter a code which would then unlock the machine. This particular ransomware even goes to the extent of displaying a countdown message and threatening to delete the files on the computer if the unlock code is not provided within 24 hours.

Given below is a list of the URLs which were found distributing this ransomware last week:

  • http://pornovirtualxxx.ru/[Blocked]porno-rolik[Blocked].avi.exe
  • http://veryhotxxxporno.ru/[Blocked]porno-rolik[Blocked].avi.exe
  • http://bestvideopornoxxx.ru/[Blocked]porno-rolik[Blocked].avi.exe
  • http://lolkorussiangirlsporno.ru/[Blocked]porno-rolik[Blocked].avi.exe
  • http://megabytespornovideo.ru/[Blocked]porno-rolik[Blocked].avi.exe
  • http://pornovirtualxxx.ru/[Blocked]porno-rolik[Blocked].avi.exe
  • http://smotripornomnogoxxx.ru/[Blocked]porno-rolik[Blocked].avi.exe

Our blog readers might recall an earlier blog post in which we discussed how malware authors have gotten better at manipulating people’s behaviour to get their code executed, and this ransomware campaign is another example of such a scenario. The file name, the URLs which distribute it and the error message displayed on execution all suggest that this ransomware arrives as part of a fake codec scam, possibly when a user attempts to download a video promising to deliver explicit content.

Our usual sentiments about keeping one’s security solution up-to-date and avoiding downloads from unknown sites apply.

Lokesh Kumar
K7TCL

The Host that Overlooked the Parasite

Saturday, July 30th, 2011

The malware economy is always evolving and always looking for better ways to get the most out of minimal resources. Storing malicious files for later retrieval, for example, used to be done on already infected web servers. But that meant that the malware authors were at the mercy of the system administrator monitoring that server: the moment the infected files were identified, the server hosting the malicious files would go down and the malware life cycle would come to an end.

The successful businessmen that they are during these harsh economic times, the malware authors then decided to include file hosting services in their arsenal. A file hosting service, as you might know, provides online storage of files. Rapidshare, Megaupload, Filesonic etc. are all examples of such a service. This shift enabled the malware authors to pass on the bandwidth and disk storage cost to these sites. In addition, the reputation associated with these sites not only meant that the chances of the malicious files being identified and reported became low, but also that naive users were more likely to execute these malicious files, thereby increasing the malware’s time to live.

The file hosting services then brought in some checks whereby premium users of these sites could download files instantly at unrestricted download speeds, but regular users experienced delayed starts of downloads and restricted download speeds. Although unintentional, this served as a security feature in that a user was forced to look at the website before he/she could download the file. Given below is a screenshot of the countdown timer that is displayed to a regular user while downloading a file for free:

However, the opportunistic malware authors have managed to circumvent this check. This allows them to fetch the malicious files onto their victims’ machines without any user interaction whatsoever. Given below are examples of such malicious URLs, which when clicked will download the file without displaying the initial countdown screen:

  • http://dl.dropbox.com/u/12138956/java[Removed].exe
  • https://rs533l33.rapidshare.com/files/3874050200/facebook_[Removed]jpeg.exe
  • http://uppit.com/p19geeksdu4c/Premium[Removed].exe
  • http://filesonic.com/file/65464647/Profesor[Removed].exe

While most of these hosting services have a system in place through which unlawful content can be reported, design flaws such as these might go unnoticed. At K7TCL, we strongly urge these file hosting services to identify and fix such design flaws in their sites as soon as possible. We also suggest that they run an anti-virus solution to detect such malicious files, since their apparent laxness in this regard is helping the bad guys deliver their malware.
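Both of the posts above come down to patterns that a web proxy or gateway can flag on the defender's side: a media or picture "extension" immediately followed by an executable one (the porno-rolik[nn].avi.exe lures), and an executable fetched directly from a file-hosting domain. The following is an added example, not code from K7 or from the original posts. It scans constructed proxy-log lines of the form `<timestamp> <client> <url>`; the log format, the sample URLs and the list of hosting domains are assumptions for illustration only, not a vetted threat feed.

```python
import re
from typing import Dict, List
from urllib.parse import unquote, urlparse

# Extensions Windows will execute on a double-click.
EXECUTABLE_EXTS = ("exe", "scr", "com", "pif", "bat", "cmd")
# Media/document extensions that lures borrow to look like a video or picture.
LURE_EXTS = ("avi", "mpe?g", "mp4", "wmv", "mov", "flv", "jpe?g", "png", "gif", "pdf", "docx?")

# A lure token must be its own name component (after '.', '_', '-' or the start
# of the name) and be followed directly by an executable extension at the end.
_LURE_ALT = "|".join(LURE_EXTS)
_EXEC_ALT = "|".join(EXECUTABLE_EXTS)
DISGUISED_NAME = re.compile(rf"(?:^|[._-])(?:{_LURE_ALT})\.(?:{_EXEC_ALT})$", re.IGNORECASE)

# File-hosting domains mentioned in the posts above (assumption: illustrative list).
FILE_HOSTING_DOMAINS = ("dropbox.com", "rapidshare.com", "uppit.com",
                        "filesonic.com", "megaupload.com")

# Constructed log format: timestamp, client address, URL. Anything else is skipped.
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(https?://\S+)$")

# Constructed sample log; the paths and numeric ids are placeholders, not real samples.
SAMPLE_LOG = """\
2011-08-22T10:01:12Z 10.0.0.5 http://video-lure.example/dl/porno-rolik17.avi.exe
2011-08-22T10:02:44Z 10.0.0.9 http://dl.dropbox.com/u/0000000/constructed-update.exe
2011-08-22T10:03:01Z 10.0.0.9 https://rs533l33.rapidshare.com/files/0000000/facebook_photo_jpeg.exe
2011-08-22T10:03:30Z 10.0.0.7 http://www.example.org/docs/report.pdf
2011-08-22T10:04:02Z 10.0.0.7 http://filesonic.com/file/0000000/holiday.jpg
malformed line without url
2011-08-22T10:05:10Z 10.0.0.3 http://video-lure.example/dl/clip.AVI.EXE?id=3
"""


def filename_from_url(url: str) -> str:
    """Return the decoded last path segment of a URL, ignoring any query string."""
    path = urlparse(url).path
    return unquote(path.rsplit("/", 1)[-1])


def has_disguised_extension(filename: str) -> bool:
    """True for names such as 'porno-rolik17.avi.exe' or 'photo_jpeg.exe'."""
    return DISGUISED_NAME.search(filename) is not None


def is_hosting_direct_executable(url: str) -> bool:
    """True when an executable is fetched straight from a known file-hosting domain."""
    host = (urlparse(url).hostname or "").lower()
    on_hosting = any(host == d or host.endswith("." + d) for d in FILE_HOSTING_DOMAINS)
    ext = filename_from_url(url).rsplit(".", 1)[-1].lower()
    return on_hosting and ext in EXECUTABLE_EXTS


def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse '<timestamp> <client> <url>' lines and return the suspicious ones."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed or non-HTTP line: skip rather than crash
        ts, client, url = m.groups()
        reasons = []
        if has_disguised_extension(filename_from_url(url)):
            reasons.append("double_extension")
        if is_hosting_direct_executable(url):
            reasons.append("hosting_direct_executable")
        if reasons:
            findings.append({"time": ts, "client": client, "url": url, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["client"], ", ".join(f["reasons"]), f["url"])
```

The two checks are deliberately independent: a picture served from a hosting site is not flagged, and a double-extension name is flagged wherever it is hosted. Matching is case-insensitive and the query string is ignored, since both are trivially varied by whoever builds the lure.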

When in Rome Do as the Romans Do

Friday, July 15th, 2011

‘It has been said that arguing against globalization is like arguing against the Laws of Gravity’ – Kofi Annan (former UN Secretary General).

It appears malware writers have begun to take globalization to heart. You might recall an earlier blog post which highlighted the fact that malware authors were failing to tailor their malware to the OS locale. They seem to be learning and correcting their errors.

Here at K7TCL we came across a malware sample that upon execution looks like yet another example of ransomware (a Winlocker, to be specific). The malware displays a fake system crash message as shown below:

It is unlikely to matter to a layman, but FYI the memory address 0x3BC3 is in the range generally reserved for MS-DOS features rather than modern system process code, so from a technical viewpoint the message is clearly bogus.

In the above case access to the computer is denied until the victim enters a ‘deactivation key’, which needs to be requested from the attacker, by dialing telephone numbers that seem to originate from the African continent.

Interestingly, examining the strings inside the malware reveals that the above fake message is available in several languages. Playing around with the ‘Regional and Language Options’ in Control Panel and then executing the malware resulted in the following:

French:

German:

Indonesian:

From the above screenshots it is clear that malware authors are investing significant resources in creating the world’s local malware. By covering a few more languages, the malware authors have now managed to expand their potential targets across multiple continents, thereby probably increasing their revenue several-fold.

One can only speculate about the stage at which the victim loses his/her money, whether on entering the ‘deactivation key’ the malware would actually release the system, and whether the malware would return at a later stage to trouble the user some more.

This threat is detected as Password-Stealer (0028ee481) by K7 Total Security.

Kaarthik R.M
K7TCL

Disingenuous Ingenuity

Thursday, July 7th, 2011

Social engineering is the art of manipulating people’s behaviour. Some malware authors rely on social engineering to disguise their code and get it executed on a user’s machine. A key element of a successful malware campaign which relies on social engineering to lure its victims is the visual appeal of the attack. Under the right circumstances, malware which is strikingly similar to the file it is trying to impersonate is more likely to get executed by a naive user.

Fake Anti-Virus malware authors, for example, are known to put in considerable effort to make their scareware messages look more authentic. We had blogged about one such sample, which even goes to the lengths of copying malware descriptions from security vendors’ websites in order to trick the user into executing it.

Recently, we came across a website which takes this visual aspect of social engineering quite seriously. The site under discussion, www.vista.[Removed] claims to provide a number of [already freely available] applications for download. Here’s a brief list of the files that were distributed from this site over the last week:

  • Divx.exe
  • MySQL.exe
  • VideoLAN.exe
  • WinPcap.exe

To boost the chances of having the files downloaded and executed, each piece of software listed on the site has a brief description, screenshots, user reviews, comments etc. It appears that the author of the site has spared no expense, at least in terms of effort, in plagiarizing the content from other genuine software distribution sites, making the site appear as legitimate as possible, to lure people into downloading and executing the files.

Not all that glitters is gold though. Closer inspection reveals that all files downloaded from this site are around 2.5 MB in size and on execution, the files prompt the user to send an SMS to a premium rate number, from which a reply is sent back with a code to unlock and install the applications. While the files don’t do any damage to the user’s computer, the innocent user still ends up getting charged for the premium rate SMS that was probably sent. One can only assume that this site could be a landing page for a broader attack scheme.

Social engineering (not to be confused with social networking!) based on PEBCAK (Problem Exists Between Chair And Keyboard) is a very potent weapon for effecting malware execution on various operating systems, including those on mobile devices such as Android. It thrives on temptation, ignorance, and fear on the part of the victim. Even though descriptions of social engineering are ubiquitous and some may consider the topic to be mundane, we at K7TCL feel it our duty to keep the general public at large informed about the use and abuse of social engineering so that users are less likely to be seduced by malware authors. Do not invite the thief through your front door.

Image Courtesy of www.publicdomainpictures.net

Lokesh Kumar
K7TCL

Judge Not (harshly) Lest Ye Be Judged (harshly)

Thursday, June 30th, 2011

In the modern, professional threat landscape there is still room, albeit tiny, for malware which is written by the proverbial ‘script-kiddy’. As a case in point we do continue to very occasionally see autorun worms written in Visual Basic Script, and of course we ensure that they are detected.

The issue is that the allowance for malware written by novices can lead to consternation when a judgement call needs to be made on the status of a file. Recently we at K7TCL encountered a VBS file which removes a particular Anti-Virus vendor’s security product without requesting prior confirmation. This harked back to the old days of DOS BAT file Trojans which ran commands such as ‘DELTREE /Y’, ‘DEL *.* /Y’ and ‘FORMAT /Q’, to the, presumably, eternal amusement of the script-kiddy who arrogates kudos. However, the VBS file in question could also very well have been written quite legitimately by Technical Support personnel of a competing security company to avoid conflicts between Anti-Virus products, i.e. one product may need to be uninstalled before another can be installed. The decision-making process on the file was further complicated by the fact that several other security products classified it as a ‘kill AV’ Trojan. “Malware or not malware?”, that was the question.

Take it from us, proving that a clean file is actually clean is not always an easy task. On the contrary, it is generally far from straightforward. Many a time it depends on skill, wit and judgement. In the case of our candidate VBS file we decided against detecting it. This was primarily because we recognised that its functionality could not be considered inherently malicious. In addition, quite importantly, the coding style with variable names, etc, seemed to suggest that the script was not written by a trouble-maker, but rather by somebody who perhaps ought to have been a little more careful about requesting user interaction before deleting things. An additional comment explicitly stating the origin of the file and the purpose of the code would have been ideal. The concept of ‘perceived intent’ was the ultimate arbiter in the decision-making process.

Image courtesy of www.clker.com

Samir Mody
Senior Manager, K7TCL

When searches have been laden with malware

Saturday, May 14th, 2011

Miscreants are always geared up to start a new wave of spam and malware campaigns. When a sensational event occurs, users tend to go searching for news on the event, making it easy for the criminals to do what they do best.

Case in point: last week saw the Internet abuzz with news regarding Osama Bin Laden’s death. Some research into users’ search behaviour from Google Trends revealed that the maximum number of searches were for the keyword “Osama” and that the maximum number of searches came from the United States.

The second to top the list was India, with Tamil Nadu leading the way, closely followed by Karnataka.

The bad guys tried to capitalize on this news by poisoning search results and spreading malware and spam. They set up fake videos, Facebook wall posts and websites, all claiming to reveal “exclusive” information on the death of Al-Qaeda’s top man, thus enabling them to invite potential victims into their trap.

Out of approximately 1,00,000 videos uploaded to date on YouTube with the keyword “Osama”, around 23,000 were uploaded just in the past week.

Also, there were around 1,300 websites registered, in the first 3 days since the news emerged, relating to Osama’s death.

Out of these newly registered websites, the maximum number of registrations was made with the registrar “1 & 1 Internet AG”, followed by namecheap.com.

Queries on domain reputation sites like www.malwareurl.com indicate that both registrars had hosted sites that have spread exploits and spam before.

Lokesh Kumar
K7 TCL

A Tasty Morsel to Whet Your Appetite

Wednesday, January 12th, 2011

A belated happy new year to you all.

From this year, we within the K7 Threat Control Lab (usually abbreviated to K7TCL), have resolved to up the ante in sharing our views and advice on the security front.

We shall endeavour to cater to different palates in terms of technical and non-technical content, thereby ensuring that there is something interesting and relevant for all.

So please tune in for the latest information, opinions and advice from our anti-malware experts. Enjoy!

Samir Mody
Senior Manager TCL

Blog Relaunch!

Tuesday, August 24th, 2010

Dear readers,

As you may have noticed, there have been many changes around here in terms of the new K7 website and even some new products in the shape of K7SecureWeb.

All this activity and a few internal changes have meant that this blog has been a bit underused in recent weeks. The good news is that we’re now re-launching the blog, and while I’ll be the main writer here, keeping you updated with the goings-on here at K7 and on security issues in general, we will also be having contributions from other team members. This will include contributions from our Virus Lab experts, our development and technical teams and our cloud computing division.

Just to introduce myself, I’m the Chief Technology Officer here at K7 – and you can see a bit more about me here http://corp.k7computing.com/About-Us/K7-Management-Team.php. I can also be found blogging over at http://avien.net/blog and I’ll be speaking at various events including Virus Bulletin 2010 in Vancouver, Virus Bulletin’s new Seminar series in London, and the AVAR conference in Bali.

I hope to be posting regular and interesting content here, and would love to hear your feedback, which you can leave on the comments section. I’ll try to answer all genuine comments as I can, but please be aware that I won’t be answering any support questions here, so please direct those to our wonderful support staff, who will be only too happy to help out.

Andrew Lee
CTO K7 Computing

Online Transaction Security

Monday, July 5th, 2010

Over the past few years, malware and hacking have evolved from kids’ play to serious business on the web. Today they are focused on stealing the identities of unsuspecting victims and thereby gaining access to their financial resources.

How secure are your passwords?

Friday, February 19th, 2010

K7 Computing founder Jayaraman Kesavardhanan talks about how setting up secure passwords is still not quite as straightforward as it perhaps should be.