These are quick first looks and trend and threats


Read More >>
Written by the security and AV professionals from team K7, meant for the general audience
Read More >>
These are usually articles that go into internals of a virus or deal with security issues
Read More >>
Senior managers speak on areas of interest to them, inside and outside the industry
Read More >>

Archive for the ‘Security news’ Category

“Now You See Me, Now You … Errr … See Me”

Wednesday, August 6th, 2014

Much has already been written about Win32/Poweliks, the touted fileless persistent malware.

The malware uses an embedded NUL within the key under the following registry path:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

This non-standard use of NUL as part of the key name is not new. A similar trick was likely used by variants of more advanced malware such as ZeroAccess, when creating helper files on disk. Regedit, a usermode process, is unable to read this keyname, but it doesn’t mean the entry is invisible. In fact K7′s rootkit scanner reveals the key with ease:

The other important point is that the infection chain involves a malicious Microsoft Office document containing a dropper Windows executable file, both of which must exist on disk as normal files, albeit ephemerally, and executed before the above-mentioned registry entry can be created. This provides a fleeting opportunity to detect these vital components easily, and detect them we do as

Trojan ( 0001140e1 )

and

Trojan ( 0049882d1 )

respectively.

The techniques used by the malware to execute a JS-decoded DLL via a registry entry are indeed interesting, but there are still quite a few opportunities to flag the infection at various stages of the infection chain, including at the entry spam email stage itself. It remains to be seen if the malware evolves to employ more sophisticated techniques in future.

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed

Tax Deducted @ Spam?

Tuesday, August 5th, 2014

‘tis the season for filing Income Tax Returns in India! Fa la la la la la la la!  To make the task easier, nowadays there are agencies that help people file their IT returns online. On 1st August 2014 one of the researchers in our lab received an email in his spam folder from an agency with the subject stating, Today is the last day for filing your Income Tax return, i.e. well after the deadline of 31st of July, IST, for filing returns.

The actual message received is shown in the image below:

What caught our attention is that, on hovering over the button “File your Income-tax return Today!” the website in the hyper link was different from the website address the email was claiming to come from. The resulting website when you click on this button asks for sensitive information like PAN card and bank account details.

Further investigation helped to identify the websites as clean. However, it has been constantly advised by the Government of India not to carry out these kinds of sensitive activities through any unauthorized third-party websites, to avoid any unhappy situations, as explained in the following popup image from incometaxindiaefiling.gov.in, the bona fide portal through which ITRs ought to be filed:

The websites involved in such ITR-filing activities seem to be  unaware of the future consequences of their ill-thought-out email campaigns to promote their businesses.

It’s a known issue that hackers are always in search of new ways to harvest private/critical information from users for their own gain. The strategies used here by the third-party agency to redirect to its own tax filing page might also be used by hackers in phishing activities to exploit GOOD RETURNS!

Let’s now look at other facets of the above email which increase suspicion levels:

  1. The email is not addressed to the receiver but rather to a generic “Hello [NAME]”
  2. Questions are to be emailed to an email domain name which appears, at first glance, to originate from outside India

No wonder this email, which by the way was received TWICE within a short span of time, ended up automatically in the spam folder.

Vivek Das
Automation Developer, K7Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed/

URL “Falls” Positive

Thursday, July 24th, 2014

Occasionally, we at K7 Threat Control Lab receive reports from our clients that the website they visited is being blocked by our product, claiming it as a URL false detection. In a lot of such cases, our investigations have proved that the reported URL turns out to be injected with malicious scripts.

Recently, we came across one such incident from a client regarding an Indian government site being blocked.

When analyzed, many of the pages on that website were found to be injected with a JavaScript pointing to a randomly named PHP file “QwYygBKV.php” as shown in the image below.

It is likely that the web server has been compromised by remote hackers via exploitation of some vulnerability. Here is the code which writes the script tag in HTML files:

Inspite of the random name, the above said PHP file was found in many other domains as well. Even though the web page to which the URL redirects is not alive and gives “404” error, the reported website is still detected because its pages hold the link to malicious content. Interestingly, the malicious PHP was hosted on the reported domain itself, usually the link is a redirection to another malicious website.

In this case, the administrator possibly would have removed the aforementioned PHP file. Unfortunately the infection is not cleaned completely -the web pages still carry the link to the currently unavailable malicious content.

We have informed the concerned authority of the reported website about the scenario and the recommended course of action.

One would hope that such incidents would remind administrators that when weeding websites of infections, identifying the vulnerabilities that were exploited and patching them in the first place and ensuring the integrity of the website content, are as important as removing the malware component itself.

As for K7 users, this website shall remain blocked since the loophole that the attacker exploited to host this file on the site might still be at large.

V.Dhanalakshmi
Malware Analyst, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed/

https://icann-deal.with.it (Part 1)

Tuesday, July 22nd, 2014

This is the first part of a three-part blog based on my paper for AVAR 2012 that discusses the security challenges involved in adopting two relatively new technologies, namely, Internet Protocol Version 6 and Internationalized Domain Names.

The Internet landscape is about to witness profound changes with the mass adoption of Internet Protocol Version 6 (IPv6) and Internationalised Domain Names (IDNs) in the near future. While these developments have the potential to be immensely beneficial, they also present certain challenges to the security industry which need to be addressed. These changes not only increase the attack surface for malware authors and spammers, but also render traditional methods of URL and spam blocking obsolete.

The exhaustion of the 32 bit IPv4 addresses assigned by the Internet Assigned Numbers Authority (IANA) has led to the roll-out of its 128 bit successor, IPv6. This provides a significant increase in the address pool available to assign unique IP addresses, not only to computers, but also to other Internet-connected devices. Spammers and malware authors would now have a larger address space to infect and cycle through, vitiating existing methods of detecting spam/malware URLs.

The Internet Corporation for Assigned Names and Numbers (ICANN) has expanded domain names to include non-ASCII based IDNs in a user’s native language script. While these transitions have the potential to localise the global Internet, they also provide cyber criminals (spammers/phishers/malware distributors) enhanced opportunities for exploitation, especially via social engineering.

These cyber criminals will now have the ability to redirect a user to a URL with a character set unfamiliar to him/her. Given the exponential increase in the number of URLs shared among users in our socially inter-networked world, validation of these URLs by the user prima facie now becomes much more complicated, leading to a higher compromise success rate for cyber criminals.

This paper describes the imminent major changes to the Internet networking infrastructure. It attempts to explore the security challenges involved in these milestone developments and presents potential solutions to address them.

The IPv4 Clock is Ticking

The expansion of the Internet from an esoteric academic project to a publicly accessible resource, coupled with the surge of Internet enabled devices over the last decade have contributed to the shrinking pool of available IPv4 addresses.

Fig.1 depicts the number of expected Internet enabled devices and Internet users by 2016, and how they measure up with the number of IPv4 addresses available.

Fig.1: Number of connected devices & Internet users by 2016 [1]

Conservation efforts like Network Address Translation (NAT), Classless Inter Domain Routing (CIDR), reclaiming unused addresses etc., only prolonged what was unavoidable – the depletion, and eventual exhaustion, of IPv4 addresses.

Given that ICANN, which is responsible for distributing IP addresses, gave away the last block of IPv4 addresses to the five Regional Internet Registries (RIR) in early 2011 [2], the need for change is rather pressing.

IPv6 to the Rescue

This IPv4 address crunch has been anticipated for many years, and the Internet Engineering Task Force (IETF) has been working on refining IPv6, the successor to IPv4, since the early 1990s [3]. This version of the Internet Protocol can support up to 300 undecillion addresses compared to the relatively miniscule 4 billion, a number smaller than the current world population, offered by its predecessor. Apart from this massive increase in the address space, the IETF also embedded other features to IPv6 such as support for IPSec, auto-configuration of devices, etc. [4]

These benefits, along with the availability of IPv6 from ISPs, increased end-user device support & IPv6 content, will ensure the adoption of IPv6 in the years to come, eventually making it the dominant Internet Protocol.

Fig.2 shows that, as expected, the percentage of users accessing Google over a native IPv6 connection has seen a steep rise over recent times.

Fig.2: Percentage of IPv6 users accessing Google [5]

What’s in a Domain Name

The demand for Internationalised Domain Names (IDNs) has always existed in view of the fact that 60% of the countries around the world have an official language other than English [6]. ICANN, which has domain names within its remit, has recently started allowing IDNs to satisfy this unmet demand.

The introduction of IDNs allows non-ASCII character sets like Arabic, Cyrillic, Tamil, Hindi, Chinese, etc, to be included in a domain name, potentially paving the way for a truly globalised Internet.

These IDNs are converted into ASCII using Puny Code, an encoding syntax invisible to the user, which allows for standard domain name resolutions.

Fig.3 shows a domain name in English, its nonexistent IDN equivalent in the Tamil script, and the Puny Code representation of the IDN which is used for a domain name resolution.

Fig3: Domain Name, IDN, Puny Code representation

The current demand for IDNs, combined with registrars throwing them away at a price cheaper than the regular domains, could see a surge in the number of non-English sites registering domain names in their local language.

To be continued…

References:
[1] http://www.google.com/intl/en/ipv6/images/graph.png
[2] http://en.wikipedia.org/wiki/IPv6#Exhaustion_of_IPv4_addresses
[3] http://en.wikipedia.org/wiki/IPv6#Working-group_proposal
[4] Information on http://en.wikipedia.org/wiki/IPv6
[5] http://www.google.com/intl/en/ipv6/statistics.html
[6] http://en.wikipedia.org/wiki/List_of_countries_where_English_is_an_official_language

Images courtesy of icann.org & worldipv6launch.org

Lokesh Kumar
Manager, K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed/

Don’t Let Heartbleed Give You Nosebleed

Thursday, April 24th, 2014

Much has already been written about the infamous Heartbleed vulnerability (CVE-2014-0160), the best technical piece being on Cloudflare’s blog. Unfortunately, as always in such cases, there has also been a lot of junk spewed out causing undue panic amongst the masses. A glaring example of this was a recent article in a well-known Indian daily newspaper reprehensibly titled the “Heartbleed Virus”, at which point one ought to stop reading the article.

Heartbleed is NOT a virus! It cannot spread from machine to machine, from device to device, and it cannot directly damage your computer. That is not to say that Heartbleed is not a serious issue. It is! Rather, the gravity of the situation very much depends on who you are. If you are an average individual surfing the internet on your home computer, one could argue that Heartbleed is unlikely to affect you very much. We must perforce qualify this opinion.

Heartbleed is a vulnerability in the OpenSSL library, which is used to encrypt vast amounts of internet traffic to protect it from being snooped upon, unless the NSA is involved that is. The SSL/TLS protocols use Public Key Infrastructure (PKI) which is a proven technology for achieving Pretty Good Privacy, and hence is ubiquitous on the internet. Heartbleed, by potentially allowing the exposure of private keys on a secure webserver to a remote attacker, threatens the integrity of PKI-protected communication over a network. One could picture a heavily-reinforced steel vault, with the master key visible under the door mat outside.

It would be entities such as corporates, governments, etc, that have webservers using a vulnerable version of OpenSSL that are most at risk of potentially revealing critical confidential data, especially private keys. If you are such an entity we urge you to upgrade your version of OpenSSL immediately, and make a call on revoking and reissuing your private keys. Unfortunately attempted exploitation of Heartbleed does not necessarily leave evidence behind, and the nature of the vulnerability is such that it may be virtually impossible to tell what, if any, data has been leaked. Note, the vulnerability itself has been around for a couple of years before its discovery.

Let us now address the risk posed to the individual surfer. Although there is indeed some risk of your password and other data being leaked from some website you have logged into if the server hosting the site was being targeted, the chances are rather slim. This is because successful Heartbleed exploitation tends to reveal only ephemeral data, and on a webserver hosting a popular site with several concurrent logged-in sessions, especially one where the average individual logs out after visiting the page (assuming this frees up the session resources on the server for the next user), the probability of leaking confidential data, and that too data specifically pertaining to you, is low. Notwithstanding, to be on the safe side, you may yet wish to change your passwords if the site in question has admitted to being vulnerable earlier and has since patched the flaw. After all, based on GitHub’s advice, we in the Taggant Library Maintenance Committee (part of the IEEE Anti-Malware Support Service) did change our passwords for the following repository:

https://github.com/IEEEICSG/IEEE_Taggant_System

In addition client-side devices, including those running certain versions of Android (reportedly 4.1.0 and 4.1.1), could also be vulnerable to Heartbleed-based data leakage, and ought to be patched ASAP, even though exploitation on the client side is an even more remote possibility.

Images courtesy of:

heartbleed.com
forums.warpportal.com/index.php?/topic/131907-ragnarok-roll-cosplay

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed

Cryptolocker – A New Wave of Ransomware

Wednesday, October 16th, 2013

The infamous ransomware malware works by restricting access to the computer or files that it infects. The malware on behalf of the malware author then demands a ransom to be paid by the victim, in order for the restriction to be removed.

At K7′s Threat Control Lab, we recently noticed a new wave of this ransomware malware. This notorious variant called CryptoLocker, by most security vendors, installs itself into the victims “Documents and Settings” folder. The malware then adds itself to the Windows auto start location in the registry to ensure that it loads automatically every time the user logs on.

Cryptolocker then makes an HTTP POST request to a pre-determined set of domain names to download a unique password file, using which it then encrypts the victim’s documents. The documents targetted include images, spreadsheets, presentations, text files among others.

Once encrypted, the ransomware then pops up a ransom page like the one displayed below:

The malware gives the victim a limited amount of time, to buy the password file to unlock the user’s data.

Protection for this threat is provided at multiple layers by K7′s Threat Control Lab. We proactively detect both the spam emails and malicious URLs, used to spread this ransomware, which seem to be the current infection vector. In case the malicious content does get through this layer of protection, we detect the malicious files themselves by our on-access-scanner as Trojan ( 0000c3521 ) and Trojan ( 0040f66a1 ). We have also provided detection for the this ransomware based on its run time malicious behaviour.

Our usual sentiments about keeping one’s security solutions & Windows patches up-to-date and being vary of downloading files from unknown sites apply.

Lokesh Kumar
Malware Collections Manager, K7 TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed

Java C00l Blend

Friday, January 11th, 2013

Over the New Year period 0-day exploits have been rampaging around. In our threat control lab we have looked into hits for the recently discovered 0-day that exploits a vulnerability (CVE-2013-0422) in the latest version of JAVA (1.7 update 10).

Our records imply that an exploit, from cool exploit kit, has been on the hunt from January 8th this year, if not before. Example filenames seen so far are 2233.jar, 2332.jar and some randomised ones, downloaded from different domains that serve the exploit and other malware.

The 0-day under discussion, on successful execution on a victim’s machine, exploits the vulnerability in the java environment and downloads a Windows executable file, which currently happens to be a Ransomware Trojan in most of the occurrences.

Fortunately, K7 users are proactively shielded from this 0-day attack by the Carnivore technology embedded in K7 security products. Here is a screenshot that depicts K7 security products blocking an attempt to exploit the vulnerability.

V.Dhanalakshmi
Malware Analyst, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed/

From Domain Name Servers to Dead Name Servers

Saturday, July 7th, 2012

A few months back we had blogged about how the FBI had extended the deadline for turning off the rogue DNS servers it had taken control of. Lo and behold! that dead line has finally arrived.

Given the amount of grace period that was provided before putting these servers down, one would assume that the infected PCs would have been cleaned up by now. However, according to the DNS Changer Working Group, a worrying number of PCs still have their DNS entries pointing to the malicious servers.

Our customers need not worry though, for K7 products already have the functionality to diagnose these rogue DNS IP addresses, and replace them with known good ones.

Lokesh Kumar
K7TCL

Image Courtesy: http://www.dns-ok.us

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed

Z-Rated

Thursday, June 28th, 2012

Zero-Access is one of the more prevalent and sophisticated pieces of malware observed in recent times. Similar to other malware in its class, it is able to infect both 32-bit and 64-bit Windows operating systems with kernel mode root-kit components.

Recently it has become apparent that Zero-Access evolved, some would call it ‘regressed’, from a kernel mode root-kit into a user mode patcher. Closer inspection reveals that this latest version infects Microsoft’s Service Control Manager (services.exe) on 64-bit systems. Strangely, the original host bytes don’t appear to be stored in the patched executable, making disinfection non-trivial. Given the importance of the OS application affected, it is advisable to replace the infected binary with an exact copy of the original file. Please note that restoration of the file is best left to the experts.

Distribution methods for Zero-Access include both social engineering tactics & drive-by-downloads. It pretends to be software updates using file names like [Removed]_update_for_Win.exe or pornographic material using file names like animal_[Removed].avi.exe, to lure its potential victims.

K7 security products not only prevents access to the malicious URLs involved in spreading this malware, but also pro-actively detects components of this malware in real time.

Lokesh Kumar/Samir Mody
K7 TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed

-… .-.. .- -.-. -.- …. — .-.. .

Wednesday, May 2nd, 2012

“Dhina Thanthi”, “Daily Telegraph” in English, is a popular Tamil newspaper that has its online service on the domain dailythanthi.com. This site has been compromised.

A page hosting model/practice question papers, to aid the students who are to take up their board examinations in the state of Tamil Nadu, has been infected with a JavaScript that in turn loads a BlackHole Exploit. This exploits a cocktail of vulnerabilities across Windows, Java and some Adobe products, etc.

The page contains a JavaScript that in turn contacts the exploit server.

Above are network captures of dailythanthi site connecting to exploit server.

The script was unpacked, thanks to JSUnpack, and we are able to see the iframe that leads to the exploit server.

These servers haven’t been updated as of late, hence there wasn’t any infection to be acquired. But the daily thanthi site still remains compromised.

There are several such domain names hosted on a single IP.

Note the “robots.txt” in the above screenshot of the exploit server’s domain directory. This is to bypass any search bots that might stumble upon this domain from indexing it.

As for K7 users keeping your site blocker up to date would keep you at bay from threats such as this.

When the administrator of the domain from the WhoIs records was contacted we received a mailer-daemon. We then contacted the administrators of the company (interpressindia.com) that maintains the dailythanthi.com site, again it was a mailer-daemon.

As a foot note, if you were wondering what the blog title meant, it is BlackHole written in Morse code.

Kaarthik
K7 TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed