These are quick first looks and trend and threats


Read More >>
Written by the security and AV professionals from team K7, meant for the general audience
Read More >>
These are usually articles that go into internals of a virus or deal with security issues
Read More >>
Senior managers speak on areas of interest to them, inside and outside the industry
Read More >>

Archive for the ‘Security news’ Category

Invite Trouble!!

Friday, November 21st, 2014

Nowadays, major web players employ invite-only strategy, the hot trend to promote their new web services and apps. The invite-only buzz resonates exclusivity, thus making the forbidden more attractive to young users. Google Inbox, the new email app is currently channeling this fad, getting users excited about invites.

However, we observe some security concerns with this trend, as we notice suspicious campaigns doing the rounds. Few of the users, with or without invite shares, are seen to post hostile links that redirects to unsafe websites or demanding email id’s to distribute invites.

Here is an imaginary scenario that describes what could happen with an excited user who responds to an anonymous link that claims to send an invite. Consider, Sara wants an invite to the new email service “INBOX” and John tweets that he has “INBOX” invites to share as in the pictures below,

Now, Sara looks at the tweet, clicks on the link, shares her personal details with John as instructed. Possibility is that the link itself could be malicious.

Supposing the link is not malicious, it’s uncertain, if Sara would receive a link which redirects to a malicious link or would receive an invite mail from John after giving her personal information.

Wear your safety goggles; don’t share personal data on public platforms and be suspicious of links to invite-only emails and messages from unknown sources.

Priyal Viroja & Archana Sangili, K7 Team

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed/

Editor of World-Renowned Security Magazine Appreciates K7 Speakers!!

Friday, November 7th, 2014

In a nice gesture, the editor of the acclaimed Virus Bulletin magazine has blogged about the presentation of our reserve speaker duo who were meant to present a paper and a short demo, in the event of an absent speaker at the 2014 Virus Bulletin International Conference held recently in Seattle, USA. VB2014 has already been discussed, highlighting the presentation by K7’s Gregory Panakkal. Nevertheless, this post is dedicated to the reserve speakers from K7 Threat Control Lab, Samir Mody, Senior Manager and V.Dhanalakshmi, Senior Threat Researcher.

Their paper, “Early launch Android malware: your phone is 0wned”, demonstrates the difficulties in
removing an active Android ransomware, “’Koler/Simple Locker”, infection that prevents a user from
uninstalling it. It also proposes a new framework which Google could induct to help mobile security vendors defeat Android malware strategies.

View the full presentation and demo at our official YouTube channel.

Archana Sangili
Content Writer

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed/

Android to Cross Lollies with Malware Authors this Diwali!

Tuesday, October 21st, 2014

The next sweet to taste after Kitkat, “Lollipop” (Android 5.0), loaded on Nexus devices, is expected to hit the market next month, as announced by Google on October 15, 2014.

The much awaited Lollipop carries many improved and new ingredients, but we’ll concentrate on the security implications of the new OS:

  • The “Factory Reset Protection” (opt-in Kill Switch) requires the user to enable and enter the Google login and a pass code to factory reset his/her device.
  • “Automatic Data Encryption” shields the user data when the device is lost or stolen.
  • Enforced SELinux” for all applications to defend against exploits and malware.
  • “Smart Lock Feature” allows only trusted devices for device pairing (user’s phone can be unlocked through the paired bluetooth device).

In addition to these “features”, we are eager to know if the experimental DM-Verity introduced in Kitkat (4.4) to protect the integrity of the device’s boot process is still imposed by default in Lollipop.

Another new feature, “Device sharing”, allows users to share the device among family members or friends under “Guest user” accounts. “Screen Pinning” restricts the guest to view only the pinned screens of the user. However, going further, Lollipop permits the user to login to another Android device remotely to access synced data contents. As one would know, Android malware utilizes every possible way to infiltrate the user’s device, and therefore the above said remote login raises eyebrows about the security implications in authenticating and controlling remote sessions.

The notable news for the corporate IT admins is that, with Lollipop, users can partition work and personal spaces within the device. However, the implications as far as the BYOD concept is concerned have yet to be spelled out.

Android Lollipop’s new security enhancements and features have raised a few questions. We are anticipating the answers!

Happy Diwali!!!

Images courtesy of:
november2013calendar.org

V.Dhanalakshmi
Senior Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed/

K7 Security Expert Presents at VB2014

Friday, October 17th, 2014

The annual Virus Bulletin International Conference was held this year on 24-26 September, in Seattle, USA. As usual, VB2014 featured presentations from several notable vendors in the anti-threat sphere, describing their recent research and development in the field of IT security. Anti-Malware tools and techniques, botnets, mobile security, network security, spam and hacking were some of the highlighted topics that were contemplated upon.

Every year, K7 Computing shares the knowledge and technical advances made by our R&D teams. This year, Gregory Panakkal, a Senior Software Architect at K7 Computing, who extensively develops the handling  of anti-malware components in the K7 security suite, presented on the topic, Leaving our ZIP undone: how to abuse ZIP to deliver malware apps. His paper deals with the ZIP format which is employed in Android applications and the possible crafted malformations of the ZIP format that can be used to bypass AV detection, without breaking trust for the Android OS. It discusses the challenges for AV components in handling such scenarios, as well as introducing the concept of the “Chameleon ZIP” which complicates the contextual handling of a crafted amalgamated ZIP package which can be interpreted differently based on the application which opens it.

Gregory’s presentation can be found on the VB website.

Archana Sangili, Content Writer

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed/

Gmail Passwords Leaked

Friday, September 12th, 2014

A list of millions of Gmail user names and passwords were recently posted in a Russian bit-coin site. While details on how exactly the passwords got leaked remain murky, the popular email service provider has confirmed that none of their servers were breached to ex-filtrate the data. Users of these compromised accounts are now being re-directed to Google’s password reset page to regain access.

To be on the safe side, users should consider implementing two factor authentication for Gmail accounts.

If history has taught us anything, sensational news like this is likely candidate for social engineering based abuse. Web sites purporting to allow people to check if their Google accounts have been compromised are already cropping up and it could be only a matter of time before we start seeing phishing campaigns on this subject. Users are advised to be vigilant and avoid such emails at all costs.

Lokesh Kumar
K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed/

Drive by and you’ll be taken for a ride

Tuesday, September 9th, 2014

Recently we came across a commercial website catering to cycling enthusiasts that appears to be compromised.

The site’s java-scripts are all injected with a malicious iframe strategically placed between blocks of seemingly innocent HTML content. This is an age old technique meant to trick web masters who tend to look for malicious code either at the beginning or at the end of an HTML file.

On visiting the site, your browser loads all the java-scripts for the page which then redirects you to a malicious URL displayed in the screen shot above. This redirected site has just a few lines of HTML  like below:

You’ll immediately be redirected to another URL that looks to be generated using a Domain Generation Algorithm (DGA). This third level of redirection will then lead you to the actual exploit code, which on successful exploitation will drop a malicious payload named “wiupdat.exe” thus completing the cycle of the classic drive-by download attack.

On further analysis of the executable, we realized that the malware pretends to be from K7 Computing by imitating our version strings like below:

This is done to gain the user’s trust who may choose to ignore the executable thinking that it belongs to a reputed security vendor. K7 users will be protected from this malicious file, the compromised website, and the intermediary URLs.

Imitations are flattering!!!

Melhin Ahammad
K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed/

BackOff, from the Point of Sale – But not too much

Saturday, September 6th, 2014

BackOff – a lot has been discussed by the Anti-Virus security community and the non-AV community alike, about this malware and other families of PoS RAM scrapers. In conjunction with the mentioned article, we thought it would be nice to shed some light on this topic, however we’ll try and take a more ‘desi’ angle.

First, some insight on how this brand of malware works. Though generally targeted at PoS (Point of Sale) systems, the malware isn’t restricted only to those systems. It just requires a Windows-based operating system. Once executed it would copy itself into one of those usual Windows directories and with the usual registry entry to ensure auto-initiation between reboots. The dropped copy (mostly faking a legitimate 3rd party Windows software’s name) then goes on to scan the system processes for specific strings that would resemble your common credit and debit card details. It even goes a step further to ‘whitelist’ known processes (like csrss.exe, winlogon.exe, etc.,) and skips scanning those processes. So when an unsuspecting billing clerk at your retailer swipes your card at an infected PoS system your card details would be read by the system and processed in its memory. This data would now be easily accessible for this malware, since it just keeps scraping the memory for exactly such details. Apart from this, the malware also has functionality to log your keystrokes, i.e. whatever you type. While actively collecting all this information it also keeps posting it onto a remote C&C (Command and Control) server. Despite its ‘swiss army knife’-esque functionality this malware has little persistence; it has an injected process and an encrypted copy to achieve this. In case the malware process has been killed or has crashed, the injected process would then decrypt the encrypted copy and re-execute it. But these are techniques that are easily overcome by most Anti-Virus products today.

Getting back to the article, it says this Trojan is “spreading”, whilst in reality Trojans do not really spread themselves; only worms and viruses do. This malware family is almost a targeted type, hence it needs to be strategically ‘placed’ in a proper location to work; in short the distribution vector is of low activity, well, at least in India. A PoS system in a retailer chain would be sitting in one of the most secure network rings of the store, but as always an attacker is going to use various infiltration techniques to obtain access. This might range from a simple SQL injection to a well-crafted, target-specific, exploit-containing spam email to a vulnerable employee. The attackers in this case are targeting ‘remote desktop applications’ enabled systems and try to brute force them to obtain access. The article however describes this to be a functionality of the malware, which is not so. It cannot scan for remote desktop systems and propagate through them.

People in India might recall that the RBI made it mandatory to enter your card’s PIN for using debit cards at the PoS. Though the RBI has averted a huge risk by thwarting a fraudster who doesn’t know a stolen/lost debit card’s PIN from using it, there might now be a new risk of handing the PIN to schemers who control this PoS malware network. However the RBI has also enforced upon banks a policy to limit the scope of MagStripe cards to domestic usage only, and in case a card should have international transaction capability it must be EMV (EuroPay, MasterCard and Visa) Chip and PIN enabled, i.e. very difficult to duplicate.

As always it is advisable for individuals to keep track of their banking transactions, via SMS or email to identify any fraudulent transactions initiated from your cards ASAP.

As for K7 users, though, in case this malware does manage to find its way onto your system it would be stopped dead as we detect all its variants.

Images courtesy of:
outright.com
officeclipart.com

Kaarthik RM
K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed/

“Now You See Me, Now You … Errr … See Me”

Wednesday, August 6th, 2014

Much has already been written about Win32/Poweliks, the touted fileless persistent malware.

The malware uses an embedded NUL within the key under the following registry path:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

This non-standard use of NUL as part of the key name is not new. A similar trick was likely used by variants of more advanced malware such as ZeroAccess, when creating helper files on disk. Regedit, a usermode process, is unable to read this keyname, but it doesn’t mean the entry is invisible. In fact K7′s rootkit scanner reveals the key with ease:

The other important point is that the infection chain involves a malicious Microsoft Office document containing a dropper Windows executable file, both of which must exist on disk as normal files, albeit ephemerally, and executed before the above-mentioned registry entry can be created. This provides a fleeting opportunity to detect these vital components easily, and detect them we do as

Trojan ( 0001140e1 )

and

Trojan ( 0049882d1 )

respectively.

The techniques used by the malware to execute a JS-decoded DLL via a registry entry are indeed interesting, but there are still quite a few opportunities to flag the infection at various stages of the infection chain, including at the entry spam email stage itself. It remains to be seen if the malware evolves to employ more sophisticated techniques in future.

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed

Tax Deducted @ Spam?

Tuesday, August 5th, 2014

‘tis the season for filing Income Tax Returns in India! Fa la la la la la la la!  To make the task easier, nowadays there are agencies that help people file their IT returns online. On 1st August 2014 one of the researchers in our lab received an email in his spam folder from an agency with the subject stating, Today is the last day for filing your Income Tax return, i.e. well after the deadline of 31st of July, IST, for filing returns.

The actual message received is shown in the image below:

What caught our attention is that, on hovering over the button “File your Income-tax return Today!” the website in the hyper link was different from the website address the email was claiming to come from. The resulting website when you click on this button asks for sensitive information like PAN card and bank account details.

Further investigation helped to identify the websites as clean. However, it has been constantly advised by the Government of India not to carry out these kinds of sensitive activities through any unauthorized third-party websites, to avoid any unhappy situations, as explained in the following popup image from incometaxindiaefiling.gov.in, the bona fide portal through which ITRs ought to be filed:

The websites involved in such ITR-filing activities seem to be  unaware of the future consequences of their ill-thought-out email campaigns to promote their businesses.

It’s a known issue that hackers are always in search of new ways to harvest private/critical information from users for their own gain. The strategies used here by the third-party agency to redirect to its own tax filing page might also be used by hackers in phishing activities to exploit GOOD RETURNS!

Let’s now look at other facets of the above email which increase suspicion levels:

  1. The email is not addressed to the receiver but rather to a generic “Hello [NAME]”
  2. Questions are to be emailed to an email domain name which appears, at first glance, to originate from outside India

No wonder this email, which by the way was received TWICE within a short span of time, ended up automatically in the spam folder.

Vivek Das
Automation Developer, K7Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed/

URL “Falls” Positive

Thursday, July 24th, 2014

Occasionally, we at K7 Threat Control Lab receive reports from our clients that the website they visited is being blocked by our product, claiming it as a URL false detection. In a lot of such cases, our investigations have proved that the reported URL turns out to be injected with malicious scripts.

Recently, we came across one such incident from a client regarding an Indian government site being blocked.

When analyzed, many of the pages on that website were found to be injected with a JavaScript pointing to a randomly named PHP file “QwYygBKV.php” as shown in the image below.

It is likely that the web server has been compromised by remote hackers via exploitation of some vulnerability. Here is the code which writes the script tag in HTML files:

Inspite of the random name, the above said PHP file was found in many other domains as well. Even though the web page to which the URL redirects is not alive and gives “404” error, the reported website is still detected because its pages hold the link to malicious content. Interestingly, the malicious PHP was hosted on the reported domain itself, usually the link is a redirection to another malicious website.

In this case, the administrator possibly would have removed the aforementioned PHP file. Unfortunately the infection is not cleaned completely -the web pages still carry the link to the currently unavailable malicious content.

We have informed the concerned authority of the reported website about the scenario and the recommended course of action.

One would hope that such incidents would remind administrators that when weeding websites of infections, identifying the vulnerabilities that were exploited and patching them in the first place and ensuring the integrity of the website content, are as important as removing the malware component itself.

As for K7 users, this website shall remain blocked since the loophole that the attacker exploited to host this file on the site might still be at large.

V.Dhanalakshmi
Malware Analyst, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed/