These are quick first looks and trend and threats


Read More >>
Written by the security and AV professionals from team K7, meant for the general audience
Read More >>
These are usually articles that go into internals of a virus or deal with security issues
Read More >>
Senior managers speak on areas of interest to them, inside and outside the industry
Read More >>

Archive for the ‘Ransomware’ Category

Stop Lamenting About “WannaCry”

Tuesday, May 16th, 2017

WannaCry ransomware, a security disaster has already infected thousands of computers all over the world, especially in Russia, India and China, and has hit emergency services in various countries, e.g. the UK. There have been images of infected ATMs, gigantic billboards, etc., making this attack a high-profile event.

This attack is a macabre reminder of the ill effects of

  • exploiting a critical vulnerability in the Windows OS
  • using a pirated version of an operating system
  • leaving computer unpatched and connected to the internet, in other words highly vulnerable

In most of the attack scenarios tracked, WannaCry ransomware infects a computer by using the “EternalBlue” exploit (developed by the NSA and released to the public by Shadowbrokers in April 2017), which exploits a critical vulnerability in Microsoft SMBv1 server (CVE-2017-0143 to CVE-2017-0148) by sending a specially-crafted packet. There was a Microsoft patch MS17-010 available to fix this vulnerability released in March 2017. It is also alleged, although without any concrete evidence, that this malware may enter a computer by the common email-borne route.

Please note that K7 security products contains heuristic anti-ransomware functionality which is capable of stopping WannaCry in its tracks without any signatures updates (please read the Virus Bulletin blog which includes a video of K7’s talk from 2015 about fighting back against ransomware). However to ensure stopping all variants of the ransomware before any encryption starts, we at K7 Threat Control Lab have taken the necessary steps to block it at all of its possible execution points. Users of K7 Security products are protected against this ransomware and the detection names at the time of writing are as follows:

Trojan (0050db011)

Trojan (0050d8371)

Trojan (0050d7201)

In addition, K7 blocks this multi-component malware with the behavioral detection as

Suspicious Program ( ID21236 )

Suspicious Program ( ID21237 )

Suspicious Program ( ID21238 )

Before we look at the technical details of this malware and explore how it works we must urge users to apply the latest Windows patches which Microsoft has made available even for the unsupported Windows XP, and may be applicable on pirated versions of Windows too (note, using pirated software is an extremely bad idea). In order to better protect the computer against being exploited from an external source, blocking in-bound connections on TCP ports 139 and 445 and UDP ports 137 and 138 might be an option to carefully consider. The client firewall in K7 Security Products can be configured to restrict traffic as described on the mentioned ports.

In addition there has been some misinformation aggressively disseminated on social media and the news that using a certain password which is embedded in the code can be used to decrypt the encrypted data. This is far from the truth. WannaCry uses the embedded password to decrypt its internal embedded ZIP containing ransomware components. Users are strongly advised to ignore any mention about this password and avoid being influenced by a whole lot of scaremongering junk information being released irresponsibly. There is currently no way to retrieve all the encrypted data barring use of the cyber criminals’ own decryption service at a cost of US$300-US$600.

WannaCry involves multiple executable files to infect an end user.  The main dropper EXE accesses the URL as shown in the images below,

This URL is now known as the “kill switch” since if it is accessible the dropper stops execution. Such a “kill switch” is unprecedented in the history of ubiquitous run-of-the-mill ransomware and raises interesting questions about the true purpose of the attack. Interestingly the above domain has now been registered by researchers, thus stopping the attack at the dropper stage in many situations. There are few recent samples which ignores whether or not the URL connection is successful.

MD5: d724d8cc6420f06e8a48752f0da11c66

MD5: E8089341EE0442A2ECF82E4B70829143

Anyway, let’s assume the executable proceeds with its malicious behavior. The dropper EXE starts itself as a service with the security parameters as “-m security”, service name “mssecsvc2.0” and display name as “Microsoft Security Center (2.0) service”

Then it tries to load the payload executable which it carries within itself under the resource named “R” in the sample which we analyzed (d5dcd28612f4d6ffca0cfeaefd606bcf).

In any PE parsing tool, it shows that the resource contains an embedded PE

It extracts the file with the name “tasksche.exe” under the directory called “windows\<randomname>” as shown below. Note, we have also seen occurrences of this file being dropped under “ProgramData\<randomname>.”

After which the dropper starts the payload “tasksche.exe” using CreateProcessA. The payload tasksche.exe (84C82835A5D21BBCF75A61706D8AB549) contains the required functionality for encrypting data on the computer, and the files to display the ransom notes, etc. It carries within itself a password-protected ZIP in .resource section, as mentioned earlier. Interestingly, the password for the ZIP is plain text and not encrypted.

Upon further research we found that even though the password is in plain text, the password keeps changing. Sample 4da1f312a214c07143abeeafb695d904 uses the password “wcry@123”.

Unzipping the password-protected ZIP drops the following files in the desktop directory,

Folder “msg” contains the rtf files with extension .wnry for different languages.

Here are the details of the other files that are unzipped:

1. b.wnry – BMP image file (desktop background mentioning the decryptor tool @WanaDecryptor@.exe to receive ransom payment)

2. c.wnry – contains Tor browser download link

3. r.wnry – Text Message

4. s.wnry – ZIP file with has tor.exe along with its dependent DLLs

5. t.wnry – Encrypted data which then decrypts itself in memory (it’s a DLL file)

6. u.wnry

7. taskdl.exe

8. taskse.exe

It also unzips a batch file that writes a VBScript file m.vbs, that points to an LNK file to run “@WanaDecryptor@.exe” a shown below,

This @WanaDecryptor@.exe, once run, calls taskdl.exe and displays the below screen to the user,

It also copies itself to other locations like

C:\ProgramData\<randomfolder>\@WanaDecryptor@.exe

The following file extensions are susceptible to encryption:

.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .ott, .sxw, .stw, .uot, .3ds, .max, .3dm, .ods, .ots, .sxc, .stc, .dif, .slk, .wb2, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cpp, .pas, .asm, .cmd, .bat, .ps1, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .3gp, .mkv, .3g2, .flv, .wma, .mid, .m3u, .m4u, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .bz2, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .602, .hwp, .snt, .onetoc2, .dwg, .pdf, .wk1, .wks, .123, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc

Encrypted files would have extension .wncry  appended to the user file name, e.g. if the file name is user_pic.jpg, after encryption it would be user_pic.jpg.wncry.  The bytes of encrypted file at offset zero would be ‘0×57 0×41 0x4E 0×41 0×43 0×52 0×59 0×21’ (ASCII “WANACRY!”)

In all the folder locations in which encryption occurs there also two additional files dropped:
@WanaDecryptor@.exe.lnk which points to @WanaDecryptor@.exe and @Please_Read_Me@.txt, which contains the ransom note.

As with all ransomware, and to guard against data loss in general, it is important to maintain regular backups of critical data to be able to retrieve it in the case of file or disk corruption.

What is in store for the world now with respect to WannaCry? Are we going to see a different infection strategy, will the binaries be custom-packed, will strings be encrypted? Or will the attack lie low for a while? We’ll be monitoring the twists and turns in the WannaCry saga over time, and will publish new information as and when required.

K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

K7 “Ransomware Protection” is Fighting Fit and Ready

Wednesday, July 13th, 2016

Ransomware, a nasty and, unfortunately, common subclass of malware, are really bad news. The good news, however, is that K7′s heuristic, dynamic behaviour-based anti-ransomware feature, Ransomware Protection, was “productionised” and released some time ago. We strongly believe Ransomware Protection will provide users with robust safeguards against various strains of crypto ransomware, from the past (e.g. CryptoLocker), the present (e.g. Locky) and the future (???).

Ransomware Protection_cropped.png

Ransomware Protection’s blocking logic is based on recognising and arresting fundamental changes that take place in targeted files when the ransomware’s industry-grade encryption algorithms are applied to them.

At the Virus Bulletin 2015 international security conference we demonstrated a PoC of the anti-ransomware technology in our presentation “Dead and Buried in Their Crypts: Defeating Modern Ransomware”, and explained how the technology works in some detail so that all of us in the security industry could implement an effective strategy against this highly-damaging type of malware.

Elevating a PoC to a full-blown production-level feature is a time-consuming process since many factors related to stability, false positives and performance need to be considered in an end user environment. We are delighted to have been able to develop and release an anti-ransomware jab which will boost end-user resistance to any ransomware attack. Your precious documents, images and videos should now be safe. Note, we still highly recommend that you backup your important files as the spectre of bad sectors developing on your hard drive continues to loom large.

Samir Mody, Senior Manager, K7 Threat Control Lab
Gregory Panakkal, Senior Software Architect, K7 Product Engineering Team

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed

Don’t Read That Ransomware Spam Script! Seriously Bad Story.

Wednesday, March 9th, 2016

Beware of two aggressive ransomware spam campaigns which have been active for the past few weeks.

The above screenshot of my own spam folder exemplifies the typical theme used by the new ransomware kid on the block, “Locky”, and the latest version of an established ransomware called “TeslaCrypt“.

Although both ransomware spam runs pretend to be an “Invoice”, the next stage of the infection vector for Locky and TeslaCrypt differ significantly from each other. Locky spam mails contain an attachment such as ‘scan_<number>.doc’, whereas the current TeslaCrypt spam contains a ZIP archive wrapping a JavaScript file, e.g. ‘invoice_<random alphanumeric>.js’.

The Locky DOC file contains a password-protected macro VBA script. Please note, since macros can contain malicious code they are disabled by default in Microsoft Word, and should remain so. The objective of the Locky macro script as well as the TeslaCrypt JavaScript is to download and execute the respective ransomware payload EXE.

Typical malicious spam campaigns deliver the payload directly in a ZIP attachment containing an EXE. However such attachments are easier to block at the email gateway level since they are considered “high risk”. It is more difficult to block non-EXE files at the gateway as a matter of policy, hence the Locky and TeslaCrypt attachments are more likely to get past gateway filters onto the local computer. Thereafter, given their script context rendered by standard interpreting applications, the download and execution of the ransomware payload is less likely to be blocked by behavioural protection mechanisms such as HIPS and the firewall.

K7 has robust protection at multiple levels against both ransomware campaigns, however, as always, prevention is much better than cure. In the case of spam, it is best to completely avoid emails from unknown sources, especially those which expect one to open an attachment or click on a link.

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed

Scareware, Rogue AV & Ransomware

Thursday, December 31st, 2015

This is the third part of the blog series on cyber security, continuing from its second part on mobile security, focussing on the malware type that utilizes a user’s fear of data loss to extort monetary benefits, and a few precautionary steps to follow to avoid being a victim of this type of malware.

Scareware


In the modern day most malware are written for monetary gain. Scareware is a generic term to describe a category of malware which use the strong emotion of fear to force alarmed victims of an attack to pay an amount of money, typically tens to hundreds of US Dollars, to the attacker to restore normality on their computer/device.

Examples of scareware include malware which:

  1. display fake messages to the user about virus infections or system errors on the computer for which the fixing solution requires payment of a sum of money
  2. lock-down or claim to have locked-down access to some aspects of computer functionality such as use of the screen or personal documents, for which regaining access involves payment of a sum of money

Scareware typically infect users’ computers through downloading malicious attachments or clicking links in spam, or through accidentally visiting hacked websites.

As always it is important to ensure that you:

  1. Do not open emails from strangers, including fake messages from well-known companies such as FedEx or DHL
  2. Keep your operating system and third-party software, e.g. browsers and document readers, completely up-to-date with security updates. Avoid pirated software
  3. Use top-rate, genuine, up-to-date Anti-Virus software such as K7 Internet Security with strong Internet Security features such as malicious spam blocking, malicious website-blocking and browser-exploit protection

Scareware can affect both PCs (typically with a Windows operating system) as well as mobile devices (typically with an Android operating system which can be protected by K7 Mobile Security).

Rogue AV

Rogue AV or Fake AV is a subset of the scareware category of malware. Rogue AV pretends to be a legitimate Anti-Virus program which proceeds to display fake warnings of numerous virus infections on the computer.The fake warning window may steal the computer’s focus and then remain persistent with the malware preventing attempts to close it. Users are made to believe that only if they fork out a sizeable sum of money would the virus infections be cleaned up and the computer restored to a good state.

Historically Rogue AV has been associated with the use of Search Engine Optimization (SEO) poisoning which ensured that hacked websites controlled by the attackers ranked highly when trending topics were searched for in a web search engine such as Google. When the user clicked on one of these attacker-controlled links the user’s computer would get infected. Rogue AV is most commonly found on Windows PCs, but has also been known to infect MacOS computers.

Ransomware

Ransomware is a type of malware, becoming more common by the day, which denies access to your computer resources until a hefty sum is paid to the criminal gang which caused the infection.

The typical resources held to ransom are as follows:

  1. Personal documents, images, and other files – In this case the files are encrypted so that they become unusable. After the files are encrypted the ransomware displays a splash screen informing the victim of this action and demanding a ransom payment to restore the files. Recovering these files requires obtaining the decryption key from the malware syndicates for a fee amounting to hundreds of US Dollars. Payment is made through guaranteed anonymous channels such as the BitCoin network. The first major ransomware family of this type was called Cryptolocker.
  2. Device screen – In this case the screen is frozen by the malware with a ransom demand visible. The user is allowed to make the payment to unlock the screen. One prevalent family of ransomware which locks the screen is called Reveton.

Users are advised to avoid paying this type of ransom demand for the following reasons:

  1. Generating income for cyber crooks would only serve to incentivise their criminal activities, and would fuel their future attacks
  2. There is absolutely no guarantee that paying up the ransom of potentially hundreds of dollars would actually restore your files or unlock your screen

In addition to the recommendations above, to guard against Scareware in general, it is also important to ensure that you back up your important files in a disciplined fashion on external media and/or on online repositories. If you are not in the habit of backing up your files, this practice is highly recommended since data loss from a failed hard disk at a future date is a probable event, far likely than a ransomware infection.

Happy New Year!

…to part4: Passwords – Hashes to Ashes

Images courtesy of:

Adeevee.com
Huffingtonpost.com
Cloudave.com

K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

K7 Computing’s Security Alpha Geeks Introduce Generic Anti-Ransomware Prototype at VB Conference 2015

Friday, October 9th, 2015

So last week, Samir Mody and Gregory Panakkal, security experts from K7 Computing, showcased a generic anti-ransomware framework at this year’s Virus Bulletin International Conference. It garnered quite an excited bunch of fellow security enthusiasts at Prague, Czech Republic, where the conference was held, to listen to the duo talk about this prototype.

This presentation addressed majorly on file encrypting ransomware variants. A demo followed to display the capability of this generic anti-ransomware prototype in defending ransomware through samples obtained from valid sources.

K7 Computing is extremely proud of the team behind the idea to develop a simple solution to thwart complex ransomware menace. This generic framework is on the process of being incorporated into our products, and we are super excited. We also would take this opportunity to thank our readers, for sending ransomware samples requested by them to test our prototype.

For curious souls who want extensive information on this, please find the complete slides here.

Archana Sangili, Content Writer

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed/

Tearing Down the Wall

Thursday, October 1st, 2015


In all likelihood, the ransom note above is possibly what an already overworked IT technician of a corporate network is staring at at this moment. In addition to their woes, IT administrators are now burdened with the task of dealing with Cryptowall; a troublesome breed of malware which until now restricted itself to infecting mostly home users.

With gigabytes of confidential data available on network storage devices & tormented users willing to do whatever it takes to retrieve the company’s data back, life has never been easier for Cryptowall authors. Needless to say, it is only a matter of time before things take a turn for the worse.

To enlighten our users, we have already dissected the infection vector of this category of malware, discussed the possibility of retrieving the original files, advocated that paying the ransom is a bad idea and advised that prevention is better than cure, through blog entries available here and here.

To assist our customers, researchers at K7 Threat Control Lab have come up with reinforcements in this fight against Cryptowall. We have developed a heuristic anti-ransomware prototype which will allow monitoring, identifying and eliminating this menacing enemy based on run-time behaviour.

Samir Mody and Gregory Panakkal from K7 TCL will be discussing this prototype & presenting their paper titled “Dead and buried in their crypts: defeating modern ransom-ware“ tomorrow, the 2nd of October 2015 at the Virus Bulletin International security conference held at Prague.

We hope to see you all there !!

Lokesh Kumar
K7 TCL Systems Manager

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed