These are quick first looks and trend and threats

Written by the security and AV professionals from team K7, meant for the general audience
These are usually articles that go into internals of a virus or deal with security issues
Senior managers speak on areas of interest to them, inside and outside the industry

Archive for the ‘Scams’ Category

Why You Should Not Pay That Ransom Demand

Wednesday, June 10th, 2015

Ransomware attacks appear to be ubiquitous. Ransomware is a type of malware which denies access to your computer resources, say by encrypting your personal documents, until a hefty sum is paid to the criminal gang which caused the infection. We recently blogged about two examples of ransomware, namely CTB Locker and TeslaCrypt.

We constantly advise against paying anything to the malware syndicates for two primary reasons:

  1. Generating income for these cyber crooks would only serve to incentivise their criminal activities, and would fuel their future attacks.
  2. There is absolutely no guarantee that paying up the ransom of potentially hundreds of dollars would actually restore your files.

In this blog we will focus on the latter point, drawing on a real-life case study involving a friend of mine.

A few weeks ago my friend (not a K7 user at the time) was, unfortunately, struck hard by a ransomware pretending to be the mother of modern ransomware, the infamous CryptoLocker. The above image is a screenshot of the ransom demand which was splashed on his screen. The ransomware was not, of course, CryptoLocker, but yet it was lethal enough, encrypting my friend’s personal files with advanced algorithms. The sample was packed with a custom NSIS SFX wrapper which has been used by CTB Locker in the recent past, suggesting a potential link between the two strains of ransomware.

My friend did not care too much about his local files which were hit. However, as (mis)fortune would have it, his plugged-in external drive containing the early photos of his kids was ravaged. Ransomware tend to enumerate and modify as many target files on as many drives as possible. By targeting personal or confidential files such as images, Microsoft Office documents, etc., the criminal elements increase the pressure to pay up. Even police departments have occasionally felt compelled to part with funds.

Given the importance of the images on his external drive, my friend was prepared to satisfy the ransom demand to the tune of US$ 237; no piddling amount. I had urged him against paying up, arguing the case based on the points made above. However he felt that if there were any chance of getting his kids’ pictures back he would have to give it a try.

A couple of days later, after having secured the requisite bitcoin, the ransomware kicked into action displaying a status bar and claiming it was in the process of decrypting all the files it had encrypted earlier. Many hours later, having left the “decryption tool” to do its business overnight, my friend assumed his files had been restored. However he was unable to open most of the images and the documents he attempted to view. I offered to look at the files at the binary level to determine whether any data could be recovered.

He sent me several example files which were failing to open. My analysis showed that for many files absolutely no attempt had been made to decrypt them since they had no visible headers. In other cases some headers were visible but large chunks of the files remained garbled junk. Such was the extent of the damage to the image files that even clever image-fixing-software was not able to recover anything.

To cut a long story short, despite coughing up more than US$ 237, my friend was yet unable to recover his kids’ photos. The moral of the story is: refrain from paying these nasty criminals in any way, shape or form. They are hardened thieves without any sense of compunction or honour, so please do not be fooled by apparent largesse.

As always we highly recommend taking regular backups of your important files on media which are not constantly connected to your computer (external media and/or on online repositories), thus, in the event of a ransomware attack, you could still have your files without paying the bad guys a single paisa.

Samir Mody

Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

Shell Team Six:Zero Day After-Party (Part I)

Wednesday, January 21st, 2015

This is the first part of a six-part blog based on the paper submitted by my colleague Gregory and myself on Advanced Persistent Threats (APT), for AVAR 2014. This first part introduces the reader to the different phases of an APT and discusses the methodology, prevention and detection techniques of the initial phase of an attack in detail.

The IT security industry is faced with the challenge of dealing with old invasion tactics that have been reborn in new avatars as Advanced Persistent Threats (APTs). APT attacks are tenacious at pursuing their targets and are played out in stages, possibly over a long period of time. With financial backing from state actors and criminal rings, APTs tend to be compound, sophisticated and difficult to detect. Each facet of the intrusion, in an idealist scenario, may be refined to such an extent that the end goal is achieved without a trace before, during or after the event.

Despite the complexity of these types of attacks, certain parameters always need to be satisfied to deliver the payload and retrieve the expected results, leading to the emergence of an attack pattern which may be placed under the microscope and flagged. These parameters include executing arbitrary code by invoking zero-day exploits for popular software, defeating security measures such as DEP & ASLR, e.g. via heap spray and ROP/JOP chains, exploiting EoP vulnerabilities, establishing remote C&C communication channels to issue commands or to exfiltrate stolen data in encrypted form, etc.

Drawing on evidence from documented real-world case studies, this paper details techniques that assist an assailant during the different phases of an APT, bypassing protection mechanisms like application-sandboxing, EMET, IDS, etc. thus attempting to fly under the defense radar at all times. Equipped with this information, we hope to explore methods of discovering each part of the life-cycle of a targeted attack as it is in progress or in the post mortem, thus reducing their efficacy and impact.


“If you know your enemies and know yourself, you will not be imperiled in a hundred battles… if you do not know your enemies nor yourself, you will be imperiled in every single battle.” Sun Tzu

As technologies implemented in organizations are becoming advanced, the threats are rapidly evolving too. Through tenacious and coordinated attacks on one’s infrastructure, APTs are able to infiltrate and overwhelm the organization.

The threat landscape has changed. But the general principles of war remain the same.  Knowing the modus-operandi of your faceless attackers helps one evaluate, and harden one’s security measures, and gear up towards facing the attackers head on.  This paper aims to help you do just that.

APT Life-Cycle

The stages of an APT can broadly be classified as follows:

•   Target reconnaissance
•   Initial compromise
•   Expanding access and strengthening foothold
•   Data exfiltration and cleanup


 Target Reconnaissance

The reconnaissance phase of a targeted attack sets the stage for the rest of the threat campaign and therefore involves a high degree of planning. The perpetrators spend significant amounts of time learning about their target, collecting as much information as possible about the human, physical and virtual resources of the organization. The intelligence garnered during this stage not only helps the assailants determine key points of entry into the target network but also empowers them to navigate the victim’s network once inside more effectively & efficiently.

Reconnaissance Methodology

The target’s virtual network is plotted using publicly available resources. These resources include:

•   DNS records
•   WHOIS information
•   Email messages
•   Inadequately protected network logs
•   Misconfigured servers, etc.

The organizational structure is also studied to determine employees and their organizational access levels, using social media, search engines and the target’s own website. Profile intelligence gathered could include potential passwords, personal and official email addresses, whether the user is a regular employee, a SOHO user, or a contractor.

Based on this harvested intelligence the infrastructure needed for the attack will be acquired, the course of action to successfully execute the campaign will be determined & evasion techniques that could be followed during the attack will be planned. New domains may be registered, command and control servers set up, exploits crafted, vulnerable employees identified, custom social engineering schemes plotted for these target employees, malicious files created, etc.
Recently, US airport workers from over 75 airports were targeted via malicious emails based on information such as their names, titles, and email addresses that were harvested via publicly-available documents [1].

Fig.1 shows how a simple search engine query can divulge information like emails exchanged between personnel in public forums which may seem innocuous, but can be used to launch a spear phishing attack. Popular mailing lists mask this sensitive information to avoid it from being scraped and abused by bots. Valid users on the other hand are allowed access after solving a simple CAPTCHA.

Fig.1: Search result revealing email addresses and other information about employees of an organization.


Most of the intelligence collected by the assailants during this stage is publicly available and in general doesn’t involve the attackers touching any of the internal systems. Information that was gathered from previous APT campaigns but applicable to the current one could also be reused. This makes detecting an APT during these early stages of the attack challenging.

Usual best security practices such as conducting periodic penetration tests, hardening the applications & the operating systems, etc. are still relevant, but these measures by themselves don’t stand a chance against this adversary.

Organizations should take care to both restrict the amount of information that is flowing outside and be aware of publicly available sensitive information which could potentially be used against them.

Profile Scraper

Automated bots can be used to collect publicly available information on the company, the employees, etc. from popular social networking sites and search engines, etc. The data collected can automatically be analyzed for potential sensitive leaks.

Honey Profiles

Fake profiles at different organizational levels meant to be trip wires can be set up on popular social networking sites and connection attempts and profile hits can be analyzed. This could allow organizations to both recognize if they are being targeted and predict which individual or group of individuals are being targeted.

Click here to read the second part of this blog.


Images courtesy of

Lokesh Kumar
Manager, K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

Keep e-Phishing at Bay

Friday, September 19th, 2014

A thus far undisclosed, potentially serious security flaw has been discovered on eBay according to BBC News. Hackers were apparently successful in exploiting a weakness on eBay’s website that enabled them to multi-redirect customers, via a landing page listing iPhones, to phishing pages purporting to be those of eBay so as to steal their login credentials.

Unfortunately is it likely that several users would have been duped into surrendering their credentials, thus handing over control of their accounts to the bad guys. However, K7 users would have been protected since one of the redirector URLs was blocked by the malicious URL-blocking feature which has the overall effect of nullifying the multi-step redirector chain and protecting users.

From the user’s side it’s difficult to differentiate between legit redirection and non-legit redirection so this is best left to the site blockers in internet security products such as K7 Total Security.

In addition to that we also found directory listing and outdated plugins (such as JWplayer) on the destination website to which users were being redirected. Based on website fingerprinting, it seems websites hosting the phishing pages were almost certainly compromised by the attackers to hide their tracks.

The phishing pages have now been removed, but the domains are still live and we aren’t sure whether the core vulnerability which allowed the hackers in in the first place has been patched. In other words the webserver may be vulnerable to being hacked once more.

At the time of writing this blog we are unsure whether the cross-site scripting (XSS) flaw exists in other eBay item listings which may or may not be currently in the process of being maliciously exploited. Given the popularity of a site such as eBay, the impact of such an attack can be far reaching and varied; it is possible to leverage redirections to deliver malware via drive-by-download attacks.

The question which pops up is, “Was this just a phishing attack ??” It could have been much much more damaging.

Image courtesy of

Priyal Viroja, Vulnerability Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

Gmail Passwords Leaked

Friday, September 12th, 2014

A list of millions of Gmail user names and passwords were recently posted in a Russian bit-coin site. While details on how exactly the passwords got leaked remain murky, the popular email service provider has confirmed that none of their servers were breached to ex-filtrate the data. Users of these compromised accounts are now being re-directed to Google’s password reset page to regain access.

To be on the safe side, users should consider implementing two factor authentication for Gmail accounts.

If history has taught us anything, sensational news like this is likely candidate for social engineering based abuse. Web sites purporting to allow people to check if their Google accounts have been compromised are already cropping up and it could be only a matter of time before we start seeing phishing campaigns on this subject. Users are advised to be vigilant and avoid such emails at all costs.

Lokesh Kumar
K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

Drive by and you’ll be taken for a ride

Tuesday, September 9th, 2014

Recently we came across a commercial website catering to cycling enthusiasts that appears to be compromised.

The site’s java-scripts are all injected with a malicious iframe strategically placed between blocks of seemingly innocent HTML content. This is an age old technique meant to trick web masters who tend to look for malicious code either at the beginning or at the end of an HTML file.

On visiting the site, your browser loads all the java-scripts for the page which then redirects you to a malicious URL displayed in the screen shot above. This redirected site has just a few lines of HTML  like below:

You’ll immediately be redirected to another URL that looks to be generated using a Domain Generation Algorithm (DGA). This third level of redirection will then lead you to the actual exploit code, which on successful exploitation will drop a malicious payload named “wiupdat.exe” thus completing the cycle of the classic drive-by download attack.

On further analysis of the executable, we realized that the malware pretends to be from K7 Computing by imitating our version strings like below:

This is done to gain the user’s trust who may choose to ignore the executable thinking that it belongs to a reputed security vendor. K7 users will be protected from this malicious file, the compromised website, and the intermediary URLs.

Imitations are flattering!!!

Melhin Ahammad
K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

Cryptolocker – A New Wave of Ransomware

Wednesday, October 16th, 2013

The infamous ransomware malware works by restricting access to the computer or files that it infects. The malware on behalf of the malware author then demands a ransom to be paid by the victim, in order for the restriction to be removed.

At K7′s Threat Control Lab, we recently noticed a new wave of this ransomware malware. This notorious variant called CryptoLocker, by most security vendors, installs itself into the victims “Documents and Settings” folder. The malware then adds itself to the Windows auto start location in the registry to ensure that it loads automatically every time the user logs on.

Cryptolocker then makes an HTTP POST request to a pre-determined set of domain names to download a unique password file, using which it then encrypts the victim’s documents. The documents targetted include images, spreadsheets, presentations, text files among others.

Once encrypted, the ransomware then pops up a ransom page like the one displayed below:

The malware gives the victim a limited amount of time, to buy the password file to unlock the user’s data.

Protection for this threat is provided at multiple layers by K7′s Threat Control Lab. We proactively detect both the spam emails and malicious URLs, used to spread this ransomware, which seem to be the current infection vector. In case the malicious content does get through this layer of protection, we detect the malicious files themselves by our on-access-scanner as Trojan ( 0000c3521 ) and Trojan ( 0040f66a1 ). We have also provided detection for the this ransomware based on its run time malicious behaviour.

Our usual sentiments about keeping one’s security solutions & Windows patches up-to-date and being vary of downloading files from unknown sites apply.

Lokesh Kumar
Malware Collections Manager, K7 TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

-… .-.. .- -.-. -.- …. — .-.. .

Wednesday, May 2nd, 2012

“Dhina Thanthi”, “Daily Telegraph” in English, is a popular Tamil newspaper that has its online service on the domain This site has been compromised.

A page hosting model/practice question papers, to aid the students who are to take up their board examinations in the state of Tamil Nadu, has been infected with a JavaScript that in turn loads a BlackHole Exploit. This exploits a cocktail of vulnerabilities across Windows, Java and some Adobe products, etc.

The page contains a JavaScript that in turn contacts the exploit server.

Above are network captures of dailythanthi site connecting to exploit server.

The script was unpacked, thanks to JSUnpack, and we are able to see the iframe that leads to the exploit server.

These servers haven’t been updated as of late, hence there wasn’t any infection to be acquired. But the daily thanthi site still remains compromised.

There are several such domain names hosted on a single IP.

Note the “robots.txt” in the above screenshot of the exploit server’s domain directory. This is to bypass any search bots that might stumble upon this domain from indexing it.

As for K7 users keeping your site blocker up to date would keep you at bay from threats such as this.

When the administrator of the domain from the WhoIs records was contacted we received a mailer-daemon. We then contacted the administrators of the company ( that maintains the site, again it was a mailer-daemon.

As a foot note, if you were wondering what the blog title meant, it is BlackHole written in Morse code.


If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

These Are Not The DOIDs You Are Looking For

Saturday, March 10th, 2012

In tales of yore, circa 2007, DNSChanger malware, which modify certain network settings to point to a rogue server, were as prevalent as the Stegosaurus. Fast forward almost four years, to the present day, their legacy still remains. They say the FBI, having discovered the rogue DNS servers, decided to clean them up and allow them to serve the public good. That is, only until the 8th of March, 2012.

According to much hyped reports in recent weeks, the 8th of March was to be the day the internet died, as the FBI would have been forced to lay to rest those servants of the public weal. If you are still reading this post then your computer didn’t fall victim to the supposed blackout. There are at least two possible reasons for this:

  • The FBI has an extension on the deadline. Apparently the dreaded Death Of Internet Day (DOID) has been postponed to the 9th of July, 2012
  • Lo and behold, you are not infected with DNSChanger malware and never have been

If you have been a K7 customer for a while, point 2 applies to you. Just to be on the safe side, K7 Security products sniffs for the erstwhile rogue DNS entries and snuffs them out if found, thereby ensuring that our brand new customers too are free from DOID.

Samir Mody/Lokesh Kumar

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

Sumptus tabularii de india scriptor website infecta

Friday, February 10th, 2012

For the Latin challenged, the title reads “Cost Accountants of India‘s website is Infected”. Users of a site which belongs to the “Institute of Cost Accountants of India” need to be on the lookout. The site appears to be injected with a malicious script, which may redirect the users to other potentially malicious sites. Here’s a snippet of the malicious source code:

The malware authors have commented their part of the code in Latin. The malicious code uses a twitter API to get the trending topics of the day, and generates malicious domain names on the fly to which users will be finally redirected.

K7 Computing has informed the party in charge about the attack. K7 security products prevent access to this malicious URL.

Lokesh Kumar

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

Beware Who Hosts Your Holiday

Friday, December 23rd, 2011

We recently came across an Indian holiday booking site which appears to be serving up a copy of an old malware. Shown below is the screen shot of the site in discussion:

A quick look at the source code for the page shows an encoded binary file embedded in a VBScript:

Visiting this site with a poorly configured Internet Explorer browser will lead to the above script being rendered. The encoded file in turn is decoded and a malicious file named svchost.exe is dropped onto the user’s computer and is executed.

The malicious executable is an infamous file infector named Win32.Ramnet and detection for this executable has been around for more than a year now. This seems to suggest that the machine hosting the website has either little or no security solution in place.

With the holiday season in full swing, online shoppers are requested not to let their guard down. While you may be on holiday, the miscreants aren’t.

K7 Security products don’t just detect and delete the malicious file, but also prevent access to the hacked site:

Lokesh Kumar

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: