These are quick first looks and trend and threats

Written by the security and AV professionals from team K7, meant for the general audience
These are usually articles that go into internals of a virus or deal with security issues
Senior managers speak on areas of interest to them, inside and outside the industry

Archive for the ‘Scams’ Category

Depths Phishermen Go To Catch a Phish

Monday, October 3rd, 2011

It is common knowledge that phishers [Authors of a phish] attempt to steal sensitive information such as passwords, credit card details etc. by masquerading as a trustworthy entity. Some key elements of a phish are:

  • A fake website created by simply ripping content off the original site and pasting them on the spurious one

  • A bait which engages potentially attractive terms like “Watch nude girls now”, “You’ve won a million dollars”, “Find what your neighbor is up to “, etc. to attract victims

  • Scare mongering by using words like “Account has been suspended”, “Computer found to be infected”, “Severe action will taken” etc.

  • Create a YouTube video

Yes, you read that right!! Phishers now go to the depths of creating videos explaining to the potential victim how to execute the phish. Call it a “how-to-guide” to give your secrets away, if you’d like.

The site under discussion http://fbshirts.[Blocked], apart from having all the usual elements of a phish also has a video on YouTube instructing users how to give away their Facebook “mobile email address”. This is a personalized email address used to post status updates straight to your profile.

Users who’ve fallen victim to this scam will have a spam message posted on their facebook wall like the one below:

One would like to think that no one would fall victim for such a scam. But the number of hits that this video has received, (80,432 and counting) paints a bleak picture. See image below:

Our usual sentiments about keeping one’s security solutions up-to-date and being vary of giving one’s personal information to unknown sites apply.

Lokesh Kumar

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

A Malware Musical!

Friday, September 23rd, 2011

We at K7 TCL came across an interesting source for a malware file to be hosted on. The site hosting the malware was the official fan site of the famous Indian playback singer Sonu Nigam.

This file has been up in the server for almost a month now. Users must exercise caution when they happen to download an executable file from a fan site that has remotely no purpose of distributing executable files to its visitors.

The malware file upon execution has capabilities to read saved passwords from a user’s internet browser, Mozilla Firefox, to be specific. It tries to read data from ‘signons[number].txt’ file found in the Firefox directory.

This text file holds the user’s logon information for websites for which the user has set ‘Remember Password’ in Firefox. Now imagine the scale of damage this could cause if the infected machine was a public computer at an internet café.
Following simple practices whenever you use a public computer would save you from such threats:

  • Never save your logon information on public computers
  • Always clear the history and cache before leaving the computer, or you could use the private browsing session option available in most modern browsers
  • If possible use portable applications, these are applications that run out of a pen drive
  • Avoid entering any kind of sensitive information on a public computer

For our customers though, it’s just a one step process: keep your antivirus definitions up to date. K7TotalSecurity detects this file, as Trojan ( 001987931 )

The server hosting the fan site has been clearly compromised. The administrators of the compromised domain have been intimated about the impending damage they might be causing to unsuspecting fans.

Kaarthik .R.M

File-AVE IT!

Friday, September 16th, 2011 is a one click hosting site which provides free file hosting for its users. When compared to other similar one click hosts, the 50MB of free disk space provided by may sound minuscule, but the fact that there’s no “wait” restrictions or CAPTCHAs to solve before downloading a file seems to make it a favourite among malware authors to host their malicious code.

The graph above displays the number of unique URLs hosting malicious files from which were collected by our automated systems.

Closer inspection revealed that the sudden spike from ~100 URLs in the month of July to ~550 in the month of August was due to a mass compromise using the “Black-hole” exploit kit with the final payload hosted on The malware author responsible for this mass compromise had registered a total of ~400 unique URLs in just 1 month in the following format:

  • “http://clickme[2 Random characters]”

Discounting these URLs, the graph still shows a worrying trend:

The number of malware authors using to host their malicious payload is on the rise. Our blog readers might recall that we had recently blogged about how malware authors abuse file hosting services with minimal security checks. The fact that has none of these measures in place is bound to be exploited even more by malware authors in the days to come.

Lokesh Kumar

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

Return of the Prodigal Companion (Virus)!

Wednesday, September 7th, 2011

Last week at K7TCL we received a malware sample that had an interesting infection mechanism, harking back to the days of DOS companion viruses. Apart from the regular modern behaviour of dropping a self-copy and a registry entry that would initiate it on every reboot, the malware targets every program in the system that was not part of the Windows installation. It creates a copy of the respective program’s main executable and prefixes its filename with a ‘v’. So ‘abc.exe’ would become ‘vabc.exe’. Once this is done the malware then overwrites the original program executable.

The interesting malware functionality here is that it retrieves the icon from the original executable and embeds it within itself so as to masquerade as the original file.

Of course, if the original file has a shortcut and you happen to open the shortcut then this would initiate the malware file instead, since the target filename that has now been replaced by a malware.

Importantly, when the malware gets executed, it in turn initiates the original file in the folder, thereby camouflaging itself on the victim’s computer. It even sets the original program’s attribute as hidden so that the victim would be none the wiser.

In the above screenshot of process explorer it can be seen that malware file gets initiated first and it in turn calls the associated safe file.

The malware’s functionality is merely that of a companion virus, but in a modern context, GUI and all. In the DOS days, companion viruses used to exploit the fact that a file with a COM extension (the virus) always runs before a file with the same stub name but with an EXE extension (the original host). Thus running a filename from the command line without specifying the extension explicitly would result in the virus file running instead of the companion EXE host.

As in the DOS days, the modern companion virus described above can also spread from computer to computer. Consider the scenario where an unsuspecting victim shares his applications with another user. This malware would appear legitimate with its borrowed icon and filename. The sample that arrived at K7TCL had a legitimate program  icon and was not detected by any other AV at the time. Under these circumstances it would be the actual malware file and not the original program being shared, and the virus has the opportunity to do its business on a fresh computer.

K7Total Security detects this malware as Virus ( 002c651a1 )

Disclaimer: No safe files were harmed in the making of this blog post.

Kaarthik R.M

Holding you to ransom for fun and (f)rolik

Thursday, August 25th, 2011

Here at K7TCL, we noticed a spike in the number of samples arriving with the file name “porno-rolik[2 digit number].avi.exe”. Closer inspection of the files revealed that it was yet another variant of a Ransomware. On execution, this ransomware displays a fake error message like the one shown below:

The ransomware then reboots the computer and a sexually explicit image is displayed to the user demanding him/her to dial a premium rate number and enter a code which would then unlock the machine. This particular ransomware even goes to the extent of displaying a countdown message and threatening to delete the files on the computer if the unlock code is not provided within a period of 24 hours.

Given below is a list of the URLs which were found distributing this ransomware last week:


Our blog readers might recall an earlier blog post where we had discussed about how malware authors have gotten better at manipulating peoples behaviour to execute their code & this ransomware campaign is another example of such a scenario. Looking at the file name, the URLs which distribute them and the error message that is displayed on the malware execution suggests that this ransomware arrives as a part of a fake codec scam, possibly when a user attempts to download a video promising to deliver explicit content.

Our usual sentiments about keeping one’s security solution up-to-date & avoiding downloads from unknown sites apply.

Lokesh Kumar

Personal (In)Security Pro

Friday, August 12th, 2011

Over the past week we came across several client submissions of ‘Personal Security Pro’, one of those highly ambitious FakeAV families that are currently prevalent.

This FakeAV, upon installation and execution, terminates almost every executable running in your system, which includes even security products. The FakeAV copies itself to a randomly named folder as “%AppData%\<randomnamefolder>\<randomnamefile>.exe” and drops a RunOnce registry trace that has a value that is equally random as the filename and folder name.

This FakeAV has an unusual behavior insofar as it drops a RunOnce entry rather than the standard Run flavour. A registry RunOnce entry is a method provided by Windows to initiate any executable for one time only upon system reboot, the RunOnce entry being deleted thereafter. Hence the life of this registry entry is just one reboot. Thus when you boot back the system and search for any malicious traces in the registry you wouldn’t find any, however the FakeAV would have got initiated. This FakeAV, on getting executed, terminates most processes that are not core system processes. One of the executables it allows us to run is ‘Explorer.exe’. After terminating the processes it drops the RunOnce registry entry again. The cycle is repeated on the next reboot.

The functionality to terminate running processes and prevent new ones from starting up is done in an attempt to circumvent the clutches of security software. In fact, the RunOnce key is added in a strategically temporal manner to avoid it being flagged by HIPS (Host Intrusion Prevention System) rules, ubiquitous in Anti-Virus products these days. HIPS is a method of blocking dynamic malware activity. In the case of the K7 TS11 product, with its robust self-protection, the FakeAV’s attempts at termination are futile, and the malware file gets flagged and quarantined without a problem.

Kaarthik R.M

The Host that Overlooked the Parasite

Saturday, July 30th, 2011

The malware economy is always evolving and always looking out for better ways to make maximum utilization of minimal resources. Storing malicious files for retrieval at a later period, for example, was done on already infected web servers. But that meant that the malware authors were at the mercy of the system administrator monitoring that server. The moment the infected files were identified, the server hosting the malicious files would go down and the malware life cycle would thus come to an end.

The successful businessmen that they are during these harsh economic times, the malware authors then decided to include file hosting services in their arsenal. A file hosting service, as you might know, provides online storage of files. Radpishare, Megaupload, Filesonic etc. are all examples of such a service. This shift enabled the malware authors to pass on the bandwidth and disk storage cost to these sites. In addition, the reputation associated with these sites not only meant that the chances of the malicious files now being identified & reported became low, but also that the naive users were more likely to execute these malicious files, thereby increasing the malware’s time to live.

The file hosting services then brought in some checks, whereby, premium users of these sites could download files instantly at unrestricted download speeds, but regular users experienced delayed starts of downloads and restricted downloads speeds. Although unintentional, this served as a security feature in that the users were forced to look at the website before he/she could download the file. Given below is a screenshot of the countdown timer that is displayed to a regular user while downloading a file for free:

However, the opportunistic malware authors have managed to circumvent this check. This allows them to fetch the malicious files onto their victim’s machine without any user interaction whatsoever. Given below is an example of such malicious URLs which when clicked will download the file without displaying the initial countdown screen:


While most of these hosting services have a system in place where unlawful contents can be reported, design flaws such as these might go unnoticed. At K7TCL, we strongly urge these file hosting services to identify and fix such design flaws in their site as soon as possible. We also suggest that they run an anti-virus solution to detect such malicious files, since their apparent laxness in this regard is helping the bad guys deliver their malware.

Don’t Take Candy from Strangers …

Friday, July 22nd, 2011

… they are used to stealing candy from a baby!

Security Alert: Calls announcing lottery/other prizes & demanding processing fees via TV recharge coupons/other modes are fraudulent. Please ignore such calls.

The above warning was issued recently by my mobile phone service provider. It came a few days after I received a couple of text messages related to winning a gigantic monetary prize in the UK similar to the ones described several months ago.

Given that the mobile service provider felt the need to send out a mass warning suggests that several people have already been duped into parting with financial resources (err … “TV recharge coupons” … wow .. I think!?), and have complained bitterly to the powers that be.

If people, especially those in India, have been duped it is a cause for concern since the level of social engineering involved in these fraudulent campaigns is far from sophisticated. As mentioned in the previous blog, the reference to all things British in a message sent to an Indian mobile ought to raise more than a few eyebrows, rather than raise funds for the bad guys.

As the mobile service provider suggests, these types of messages purporting to provide prize money without any effort on your part, ought to be treated with the scorn they deserve, and simply ignored. Please remember, if something sounds too good to be true, it usually is.

    Image courtesy of

Samir Mody

Senior Manager, K7TCL

When in Rome Do as the Romans Do

Friday, July 15th, 2011

‘It has been said that arguing against globalization is like arguing against the Laws of Gravity’ – Kofi Annan (former UN Secretary General).

It appears malware writers have begun to take globalization to heart. You might recall an earlier blog post which highlighted the fact that malware authors were failing to tailor their malware to the OS locale. They seem to be learning and correcting their errors.

Here at K7TCL we came across a malware sample that upon execution seems like yet another example of ransom-ware (Winlocker to be specific). The malware displays a fake system crash message as shown below:

It is unlikely to matter to a layman but FYI the memory address 0x3BC3 is in the range generally reserved for MS-DOS features rather than modern system process code so, from a technical viewpoint, the message is clearly bogus.

In the above case access to the computer is denied until the victim enters a ‘deactivation key’, which needs to be requested from the attacker, by dialing telephone numbers that seem to originate from the African continent.

Interestingly, examining the strings inside the malware reveals that the above fake message is available in several languages. Playing around with the ‘Regional and Language Options’ in control panel and then executing the malware resulted in the following:




From the above screen shots it is clear that malware authors are investing significant resources in creating the world’s local malware. By covering a few more languages, the malware authors have now managed to expand their potential targets across multiple continents, thereby probably increasing their revenue by several folds.

One can only speculate about the stage at which the victim loses his/her money, whether on entering the ‘deactivation key’ the malware would actually release the system, and whether the malware would return at a later stage to trouble the user some more.

This threat is detected as Password-Stealer (0028ee481) by K7 Total Security.

Kaarthik R.M

Disingenuous Ingenuity

Thursday, July 7th, 2011

Social engineering is the art of manipulating people’s behaviour. Some malware authors rely on social engineering to disguise their code and get it executed on a user’s machine. A key element of a successful malware campaign, which relies on social engineering to lure its victims, is the visual appeal of the attack. Under the right circumstances, a malware which is strikingly similar to a file it is trying to impersonate, is more likely to get executed by a naive user.

Fake Anti-Virus malware authors, for example, are known to put in considerable effort to make their scare ware messages look more authentic. We had blogged about one such sample, which even goes to the lengths of copying malware descriptions from security vendors’ websites, in order to get the user into executing it.

Recently, we came across a website which takes this visual aspect of social engineering quite seriously. The site under discussion,[Removed] claims to provide a number of [already freely available] applications for download. Here’s a brief list of the files that were distributed from this site over the last week:

  • Divx.exe
  • MySQL.exe
  • VideoLAN.exe
  • WinPcap.exe

To boost the chances of having the files downloaded and executed, each software listed in the site has a brief description of itself, screen shots, user reviews, comments etc. It appears that the author of the site has spared no expense, at least in terms of effort, in plagiarizing the content from other genuine software distribution sites, making the site appear as legitimate as possible, to lure people into downloading and executing the files.

Not all that glitters is gold though. Closer inspection reveals that all files downloaded from this site are around 2.5 MB in size and on execution, the files prompt the user to send an SMS to a premium rate number, from which a reply is sent back with a code to unlock and install the applications. While the files don’t do any damage to the user’s computer, the innocent user still ends up getting charged for the premium rate SMS that was probably sent. One can only assume that this site could be a landing page for a broader attack scheme.

Social engineering (not to be confused with social networking!) based on PEBCAK (Problem Exists Between Chair And Keyboard) is a very potent weapon for effecting malware execution on various operating systems, including those on mobile devices such as Android. It thrives on temptation, ignorance, and fear on the part of the victim. Even though descriptions of social engineering are ubiquitous and some may consider the topic to be mundane, we at K7TCL feel it our duty to keep the general public at large informed about the use and abuse of social engineering so that users are less likely to be seduced by malware authors. Do not invite the thief through your front door.

Image Courtesy of

Lokesh Kumar