
Archive for the ‘Security news’ Category

Cryptolocker – A New Wave of Ransomware

Wednesday, October 16th, 2013

Ransomware, as the infamous name suggests, works by restricting access to the computer or files that it infects. The malware, on behalf of its author, then demands that the victim pay a ransom in order for the restriction to be removed.

At K7's Threat Control Lab, we recently noticed a new wave of this ransomware. This notorious variant, called CryptoLocker by most security vendors, installs itself into the victim's "Documents and Settings" folder. The malware then adds itself to the Windows auto-start location in the registry to ensure that it loads automatically every time the user logs on.

Cryptolocker then makes an HTTP POST request to a pre-determined set of domain names to download a unique password file, which it uses to encrypt the victim's documents. The documents targeted include images, spreadsheets, presentations and text files, among others.

Once the files are encrypted, the ransomware pops up a ransom page like the one displayed below:

The malware gives the victim a limited amount of time to buy the password file that unlocks the user's data.

Protection for this threat is provided at multiple layers by K7's Threat Control Lab. We proactively detect both the spam emails and the malicious URLs used to spread this ransomware, which appear to be the current infection vector. In case the malicious content does get through this layer of protection, our on-access scanner detects the malicious files themselves as Trojan ( 0000c3521 ) and Trojan ( 0040f66a1 ). We have also provided detection for this ransomware based on its run-time malicious behaviour.

Our usual advice about keeping one's security solutions and Windows patches up to date, and being wary of downloading files from unknown sites, applies.
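The run-time behaviour described above (a registry auto-start entry followed by a burst of writes to many document types) can be turned into a simple host-side heuristic. The following is an added example written for this page, not K7's detection logic; the event format, extension set and thresholds are assumptions, and the event stream is constructed.

```python
import os
from collections import defaultdict

# Document types the post says Cryptolocker targets; the exact extension set is an assumption.
DOCUMENT_EXTS = {".jpg", ".png", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".doc", ".docx"}
# Heuristic thresholds; assumptions a defender would tune for their environment.
MIN_FILES_REWRITTEN = 10   # distinct documents rewritten by one process
MIN_DISTINCT_EXTS = 3      # spanning at least this many document types
WINDOW_SECONDS = 60        # within this many seconds

def parse_event(line):
    """Parse one constructed event line of the form '<ts> <pid> <op> <path>'."""
    ts, pid, op, path = line.split(maxsplit=3)
    return int(ts), int(pid), op, path

def suspicious_processes(lines):
    """Return pids showing the Cryptolocker pattern: a registry Run-key write
    (auto-start persistence) plus a burst of writes to many documents of
    several types within a short window."""
    writes = defaultdict(list)   # pid -> [(ts, path)] for document writes only
    autostart = set()
    for line in lines:
        ts, pid, op, path = parse_event(line)
        if op == "REGSET" and "\\CurrentVersion\\Run\\" in path:
            autostart.add(pid)
        elif op == "WRITE" and os.path.splitext(path)[1].lower() in DOCUMENT_EXTS:
            writes[pid].append((ts, path))
    flagged = set()
    for pid in autostart & set(writes):
        events = sorted(writes[pid])
        for i, (t0, _) in enumerate(events):
            window = {p for t, p in events[i:] if t - t0 <= WINDOW_SECONDS}
            exts = {os.path.splitext(p)[1].lower() for p in window}
            if len(window) >= MIN_FILES_REWRITTEN and len(exts) >= MIN_DISTINCT_EXTS:
                flagged.add(pid)
                break
    return flagged

# Constructed sample event stream: pid 4242 behaves like the ransomware,
# pid 1000 is an ordinary editor saving two documents.
SAMPLE_EVENTS = (
    ["1000 4242 REGSET HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"]
    + [f"{1001 + i} 4242 WRITE C:\\Users\\victim\\Pictures\\file{i}{ext}"
       for i, ext in enumerate([".jpg", ".xlsx", ".pptx", ".txt"] * 3)]
    + ["1010 1000 WRITE C:\\Users\\victim\\Documents\\report.docx",
       "1020 1000 WRITE C:\\Users\\victim\\Documents\\notes.txt"]
)
```

Requiring both signals together keeps an ordinary batch image converter, which rewrites many files but never touches the Run key, from being flagged.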

Lokesh Kumar
Malware Collections Manager, K7 TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed

From Domain Name Servers to Dead Name Servers

Saturday, July 7th, 2012

A few months back we blogged about how the FBI had extended the deadline for turning off the rogue DNS servers it had taken control of. Lo and behold, that deadline has finally arrived.

Given the grace period that was provided before these servers were taken down, one would assume that the infected PCs would have been cleaned up by now. However, according to the DNS Changer Working Group, a worrying number of PCs still have their DNS entries pointing to the malicious servers.

Our customers need not worry though, for K7 products already have the functionality to diagnose these rogue DNS IP addresses and replace them with known good ones.

Lokesh Kumar
K7TCL

Image Courtesy: http://www.dns-ok.us

Z-Rated

Thursday, June 28th, 2012

Zero-Access is one of the more prevalent and sophisticated pieces of malware observed in recent times. Like other malware in its class, it is able to infect both 32-bit and 64-bit Windows operating systems with kernel-mode rootkit components.

Recently it has become apparent that Zero-Access has evolved, some would say 'regressed', from a kernel-mode rootkit into a user-mode patcher. Closer inspection reveals that this latest version infects Microsoft's Service Control Manager (services.exe) on 64-bit systems. Strangely, the original host bytes don't appear to be stored in the patched executable, making disinfection non-trivial. Given the importance of the OS application affected, it is advisable to replace the infected binary with an exact copy of the original file. Please note that restoration of the file is best left to the experts.

Distribution methods for Zero-Access include both social engineering and drive-by downloads. It masquerades as a software update, using file names like [Removed]_update_for_Win.exe, or as pornographic material, using file names like animal_[Removed].avi.exe, to lure potential victims.

K7 security products not only prevent access to the malicious URLs involved in spreading this malware, but also proactively detect its components in real time.

Lokesh Kumar/Samir Mody
K7 TCL

-... .-.. .- -.-. -.- .... --- .-.. .

Wednesday, May 2nd, 2012

“Dhina Thanthi”, “Daily Telegraph” in English, is a popular Tamil newspaper that has its online service on the domain dailythanthi.com. This site has been compromised.

A page hosting model/practice question papers, meant to aid students about to take their board examinations in the state of Tamil Nadu, has been infected with JavaScript that in turn loads the BlackHole exploit kit. This kit exploits a cocktail of vulnerabilities across Windows, Java and some Adobe products, among others.

The page contains a JavaScript that in turn contacts the exploit server.

Above are network captures of dailythanthi site connecting to exploit server.

The script was unpacked with JSUnpack, and we can see the iframe that leads to the exploit server.

These servers haven't been updated of late, hence there was no infection to be acquired. But the Daily Thanthi site still remains compromised.

There are several such domain names hosted on a single IP.

Note the "robots.txt" in the above screenshot of the exploit server's domain directory. This is there to stop any search bots that might stumble upon this domain from indexing it.

For K7 users, keeping your site blocker up to date will keep threats such as this at bay.

When we contacted the administrator of the domain listed in the WhoIs records, we received a mailer-daemon bounce. We then contacted the administrators of the company (interpressindia.com) that maintains the dailythanthi.com site; again, a mailer-daemon bounce.

As a footnote, if you were wondering what the blog title means, it is BlackHole written in Morse code.

Kaarthik
K7 TCL

K7 URL scanner now in VirusTotal

Friday, April 20th, 2012

K7TCL is proud to announce that our partnership with VirusTotal has just become stronger. Our file scanner has been on VT for ages, but we have just recently included our URL-scanning capabilities on the VirusTotal site.

We would like to take this opportunity to commend the guys at VT for their diligent work, and we very much look forward to continuing to foster our relationship with them.

Samir Mody/Lokesh Kumar
K7TCL

These Are Not The DOIDs You Are Looking For

Saturday, March 10th, 2012

In tales of yore, circa 2007, DNSChanger malware, which modifies certain network settings to point to a rogue server, was as prevalent as the Stegosaurus. Fast forward almost four years to the present day, and its legacy still remains. They say the FBI, having discovered the rogue DNS servers, decided to clean them up and allow them to serve the public good. That is, only until the 8th of March, 2012.

According to much hyped reports in recent weeks, the 8th of March was to be the day the internet died, as the FBI would have been forced to lay to rest those servants of the public weal. If you are still reading this post then your computer didn’t fall victim to the supposed blackout. There are at least two possible reasons for this:

  • The FBI has obtained an extension on the deadline. Apparently the dreaded Death Of Internet Day (DOID) has been postponed to the 9th of July, 2012
  • Lo and behold, you are not infected with DNSChanger malware and never have been

If you have been a K7 customer for a while, point 2 applies to you. Just to be on the safe side, K7 Security products sniff for the erstwhile rogue DNS entries and snuff them out if found, thereby ensuring that our brand new customers too are free from DOID.
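The check described here, and again in the July 2012 post above (diagnose resolver entries that point into the rogue DNSChanger netblocks and replace them with known good ones), looks like this as an added example written for this page, not K7's own code. The rogue netblocks are not listed on this page, so RFC 5737 documentation addresses stand in as placeholders, and the known-good resolvers and sample hosts are likewise constructed.

```python
import ipaddress

# Placeholder netblocks standing in for the rogue DNSChanger resolver ranges;
# the real list is not on this page, so RFC 5737 documentation space is used.
ROGUE_DNS_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/25")]

# Known-good resolvers to substitute (assumption: the defender picks these).
KNOWN_GOOD_DNS = ["192.0.2.53", "192.0.2.54"]

def is_rogue(server):
    """True if the resolver address falls inside any listed rogue netblock."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:        # hostnames or garbage are not inside any IP range
        return False
    return any(addr in net for net in ROGUE_DNS_RANGES)

def audit_resolvers(configured):
    """Split a host's configured resolver list into (clean, rogue)."""
    clean, rogue = [], []
    for server in configured:
        (rogue if is_rogue(server) else clean).append(server)
    return clean, rogue

def remediate(configured):
    """Return the resolver list the host should use after cleanup.

    Rogue entries are dropped; if nothing usable remains, known-good resolvers
    are substituted so the host does not lose name resolution entirely, which
    is exactly what happens once the rogue servers are switched off.
    """
    clean, _rogue = audit_resolvers(configured)
    return clean if clean else list(KNOWN_GOOD_DNS)

# Constructed sample: one host fully redirected, one with a single rogue entry, one clean.
SAMPLE_HOSTS = {
    "infected-pc": ["198.51.100.7", "203.0.113.9"],
    "partly-fixed-pc": ["198.51.100.7", "192.0.2.1"],
    "clean-pc": ["192.0.2.1"],
}

def remediation_report(hosts):
    """Map each host name to (rogue entries found, resolvers to configure)."""
    return {name: (audit_resolvers(servers)[1], remediate(servers))
            for name, servers in hosts.items()}
```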

Samir Mody/Lokesh Kumar
K7TCL

Sumptus tabularii de india scriptor website infecta

Friday, February 10th, 2012

For the Latin challenged, the title reads "Cost Accountants of India's website is Infected". Users of a site which belongs to the "Institute of Cost Accountants of India" need to be on the lookout. The site appears to have been injected with a malicious script, which may redirect users to other potentially malicious sites. Here's a snippet of the malicious source code:

The malware authors have commented their part of the code in Latin. The malicious code uses a Twitter API to get the trending topics of the day and generates malicious domain names on the fly, to which users are finally redirected.

K7 Computing has informed the party in charge about the attack. K7 security products prevent access to this malicious URL.

Lokesh Kumar
K7 TCL

Malware Authors and Multiple Scanners

Friday, January 27th, 2012

One of the items on a malware author's checklist when distributing malicious code is to make sure that the malware remains undetected for as long as possible. Scanning their creation with a multiple anti-virus scanning system is one of the many techniques in their arsenal that ensures just that.

Although time-consuming and resource-intensive, the malware author installs various anti-virus products and keeps them updated. The malicious files are scanned on this system before they are distributed to victims.

For malware authors and script kiddies who can't afford to build such a system, there are underground sites that mimic genuine online file/URL scanning services. The significant difference is that these underground sites, in exchange for money, promise not to distribute the scanned files to anti-virus vendors. Given below are screenshots of two such sites:

Then there are tools that incorporate multiple scanners and are distributed for free. Given below is a screenshot of one such tool:

If their malicious code is detected by the Anti-Virus vendors during the initial stage of the attack, the malware authors are quick to change their binary.

While traditional checksum-based detections alone may be ineffective against such files, a combination of several detection methods, including a behaviour-based approach, proves far more effective.

R.V Shyam Charan
K7 TCL

Beware Who Hosts Your Holiday

Friday, December 23rd, 2011

We recently came across an Indian holiday booking site which appears to be serving up a copy of an old piece of malware. Shown below is a screenshot of the site in question:

A quick look at the source code for the page shows an encoded binary file embedded in a VBScript:

Visiting this site with a poorly configured Internet Explorer browser leads to the above script being rendered. The encoded file is decoded, and a malicious file named svchost.exe is dropped onto the user's computer and executed.

The malicious executable is an infamous file infector named Win32.Ramnet, and detection for this executable has been around for more than a year now. This suggests that the machine hosting the website has little or no security solution in place.

With the holiday season in full swing, online shoppers are requested not to let their guard down. While you may be on holiday, the miscreants aren’t.

K7 Security products don’t just detect and delete the malicious file, but also prevent access to the hacked site:

Lokesh Kumar
K7 TCL

Mmmm … AVARicious!

Thursday, November 3rd, 2011

The 14th AVAR conference is due to take place next week (9th to 11th November) in Hong Kong, and the K7TCL team will be represented in force.

V Dhanalakshmi will be presenting on the increasing threat of Android malware, and how to protect oneself from these threats, in her talk titled "Paranoid Android?" on the 10th of November at 10am. Samuel Jebamani, Saravanan Mohankumar and I have reserve presentations prepared on the topics of MBR threats, malicious VB P-Code detection, and Asian malware respectively. All four papers will be available in the conference proceedings.

We hope to see you all there.

Samir Mody
Senior Manager, K7TCL