These are quick first looks and trend and threats

Written by the security and AV professionals from team K7, meant for the general audience
These are usually articles that go into internals of a virus or deal with security issues
Senior managers speak on areas of interest to them, inside and outside the industry

Archive for the ‘Security news’ Category

Shell Team Six:Zero Day After-Party (Part III)

Monday, February 23rd, 2015

This is the third part of a six-part blog based on the paper submitted by my colleague Gregory and myself on Advanced Persistent Threats (APT), for AVAR 2014.

Continuing from the second part of our paper…

Exploiting Popular Applications

Popular applications such as web browsers, word processors, etc. in an attempt to provide rich functionality, at times fail to handle untrusted data properly. The attackers probe these applications with a variety of mechanisms such as fuzzing, reverse-engineering, study of any stolen code, etc. in order to discover bugs that allow them to execute malicious code without any user interaction.

Lack of buffer boundary checks in the application’s code is exploited, critical memory area is over written to hijack the control flow of the program and  execute the attacker’s shell code.

Likewise, bugs in handling multiple references to the same object have lead to Use-After-Free class of vulnerabilities which after seeding memory areas with malicious code can be exploited to execute the attacker’s shell code.

Data Execution Prevention (DEP) Bypass

DEP is a security feature provided by the operating system to thwart buffer overflow attacks that store and execute malicious code from a non-executable memory location. The OS leverages the No-eXecute technology in modern day CPUs to enforce hardware assisted DEP that prevents memory areas without explicit execute-privilege from executing. Attempts to transfer control to an instruction in a memory page without execute-privilege will generate an access fault, thereby rendering the attack ineffective.

Bypassing the DEP feature in a process involves locating already existing pieces of executable code from process memory space and manipulating them to use attacker controlled data to achieve arbitrary code execution. This is accomplished using one of the following techniques:

  •  Return-to-libc
  •  Branch Oriented Programming (BOP)
    •  Return Oriented Programming (ROP)
    •  Jump Oriented Programming (JOP)


This evasion technique involves replacing the return address on the call stack with that of an existing routine in a loaded binary. The parameters/arguments that are passed to such routines are controlled by the exploit data strategically placed on the stack.  A system function like WinExec() can be invoked to load and run a malicious component without running non-executable exploit data.

Fig.6: The stack layout when using return-to-libc attack to invoke system() in GNU Linux (32-bit).

Branch Oriented Programming

This bypassing method involves an attacker gaining control of the call stack and executing carefully stitched pieces of executable code called “gadgets”. These gadgets contain one or two instructions which typically end in a return instruction (ROP) or a jump instruction (JOP) and are located in a subroutine within an existing program or a shared library. Chained together, these gadgets allow an attacker to perform arbitrary operations on a machine.

Fig.7: ROP gadget execution sequence based on exploit controlled stack layout

Address Space Layout Randomization (ASLR) Bypass

In order to thwart BOP attacks, the concept of randomizing executable code locations, by randomizing the base address of the loaded binary, on every system reboot was introduced. This security measure known as ASLR made it difficult for the attacker to predict where the required gadget sequence resides in memory. However, APTs have been observed bypassing this protection using the following techniques:

Loading Non-ASLR modules

Dynamic-Link Libraries compiled without the dynamic-base option cannot take advantage of the protection offered by ASLR and as a result, are usually loaded at a fixed memory space. For example, Microsoft’s MSVCR71.DLL shipped with Java Runtime Environment 1.6 is usually loaded at a fixed address in the context of Internet Explorer making it easy to construct the required gadget chain in memory.

 Fig.8: An ASLR incompatible version of MSVCR71.dll

DLL Base Address calculation via Memory Address Leakage

This technique involves determining the base address of any loaded ASLR-compatible DLL based on any leaked address of a memory variable or API within that DLL. Based on the address of this known entity, the relative addresses of all the required gadgets can be calculated and a ROP attack constructed.

Attack techniques such as modifying the BSTR length or null termination allows access to memory areas outside the original boundaries, leading to the memory address of known items being revealed to the exploit code. This can then be used to pinpoint the DLL’s location to use ROP gadgets within it. Array() object also has a length component that can be overwritten to leak memory addresses beyond its bounds.

Browser Security Bypass

Leveraging the operating system’s security, popular web browsers run certain parts of their code, JavaScript execution and HTML rendering for example, as a sandboxed background process. This process runs with limited privileges and has restricted access to the file system, network, etc.  A master controller acting as an intermediary interacts with the user and manages these sandboxed processes. By using this master-slave architecture and providing a controlled environment, users are protected from exploit attempts by limiting a shell code’s capability to access host system resources and confining its damage to within the sandbox.

Since these browsers rely on the operating system’s security model, exploiting unpatched kernel vulnerabilities will result in the malicious code escaping its confined environment. The infamous Duqu malware relied on vulnerability (CVE-2011-3402) in the Win32k.sys driver that improperly handles specially crafted True Type Font (TTF) files. This allowed the malware to escape a user-mode sandboxed environment implemented by the Microsoft Word process and compromise the host.


Fig.9: Vulnerable code snippet from win32k.sys that lead to the Duqu TTF exploit

Enhanced Mitigation Experience Toolkit (EMET) Bypass

EMET is a Microsoft tool that provides additional security to commonly-exploited third-party applications such as web browsers, word processors, etc. It extends the operating system’s protection mechanisms to these vulnerable applications and makes exploitation attempts extremely difficult.

The following table lists the protections offered by EMET and known bypassing techniques [4]:


Lokesh Kumar
K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

Ladies, Savor Social Networking Safely

Tuesday, February 17th, 2015

As women, we believe it is important to share a blog series, focusing specifically on women’s cyber safety while they use the internet for social and commercial activities, highlighting the dangers of using this medium and providing tips to ensure online safety. This is the first part of the three-part blog series guiding women on social networking and the possible risks associated, providing a few precautionary steps to follow, though not exhaustive.

The internet to the modern women is akin to the purse she carries, indispensable. She uses the internet to interact with friends and family, shop and bank, in that order. A recent survey by comScore revealed that women dominate the usage of social networking sites and wield the social networking portals as an empowering tool to connect across boundaries and to successfully build e-commerce businesses.

Unfortunately the freedom of the internet also helps cyber criminals and online miscreants to connect with you quite easily. Social networking users should be vigilant about the kind of information they share online and the crowd with which they interact. Often women overlook the potential dangers of social networking sites. A simple socially engineered chat message with a malicious URL or a wall post of a “video link” especially of a cute baby/shopping offer could attract many victims to silently seed malware into their computer, as witnessed in the case of the Microsoft Windows worm Koobface.  This allows hackers to either gather the user’s personal information or infect the computer.

With the stolen valuable information, miscreants can potentially cause distress to a user, especially to women and children.

One should also be keenly aware that photos shared on these social networking portals are viewable by even unintended audiences and can be morphed and redistributed without one’s consent. Young women tend to be the most likely targets of online harassment such as cyberbullying, trolling, stalking and death threats. This harassment gets even more dangerous if it manifests itself in real life. Even in the virtual world, targeted online harassment has the potential to cause severe mental trauma.

In order to curb such online threat issues, the Computer Emergency Response Team (CERT) educates internet users about safe surfing, helps the public report online abuse, and offers recovery procedures.

Here are some simple tips to make women more social networking wise:

  • Never disclose sensitive information such as date of birth, location, phone number, address, etc.,
  • Incorporate privacy and security settings offered on social networking sites
  • Beware of clicking on links and opening messages from unknown sources
  • Think twice about accepting requests to connect from strangers
  • Secure your computer with a good antivirus solution

to be continued…

Image courtesy of:

Archana Sangili, Content Writer
V.Dhanalakshmi, Senior Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

Shell Team Six:Zero Day After-Party (Part II)

Wednesday, February 11th, 2015

This is the second part of a six-part blog based on the paper submitted by my colleague Gregory and myself on Advanced Persistent Threats (APT), for AVAR 2014.

Continuing from the first part of our paper

Initial Compromise

Armed with information obtained from the previous stage, the perpetrators may adopt several techniques to sneak into the organization. Traditional attacks involve actively targeting vulnerable applications and exploiting Internet facing resources like webservers, SQL servers, FTP servers, etc. As log analysis and security around these external resources have caught on, the attackers have had to evolve their tactics in order to be successful.

Infiltration Methodology

The attackers now target the most vulnerable element of any organization – the human. Social engineering tactics are used to entice an individual or a group of users into running code, which will allow the attackers to introduce their malware into the organization’s network. The most commonly used attack techniques are:

  • Spear Phishing
  • Watering Hole

Spear Phishing

Spear phishing involves the attacker compromising a machine by sending a well-crafted email to a targeted user and convincing him/her to:

  • Open an embedded link that points to a website loaded with zero-day exploits, or
  • Open a malicious attachment (EXE, PDF, DOCX etc.)

both of which exploit the rendering application to drop or download, and execute a payload with backdoor capabilities

Watering Hole


Watering hole attack involves the attacker placing exploits, possibly zero-day in nature, on a trusted website which is frequented by the users of the organization.  When a targeted user visits the site, the exploit code is automatically invoked and the malware installed on his/her machine.

Case Study

The U.S. Veterans of Foreign Wars’ website was recently compromised to serve a zero-day exploit (CVE-2014-0322). A similar watering hole attack exploiting zero-day vulnerabilities has occurred in the past targeting a specific group of people by compromising the website of the Council for Foreign Relations.

Fig.2 shows publicly available website access logs of users along with their non-routable IP addresses. This information can be used to evaluate the browsing habits of individuals in the company and eventually to execute a watering hole attack.

Fig.2: Publicly available map of internal IP addresses and their website logs

Security Bypassing

Email attachments, file downloads, HTTP requests, etc. originating from users undergo rigorous checks at various layers that include:

  • Network/Gateway layer scanners
    • Email/File/URL scanners
    • Sandboxed file analysis
  • Endpoint/Desktop layer scanner
    • Anti-Virus/HIPS/firewall
    • Application security features
    • Operating system security features

Once the human element falls prey to social engineering, and is coaxed into downloading a file/email or visiting an exploit site, the attackers are faced with challenge of defeating a series of network and end point security solutions before conquering the victim’s machine. Listed below are some of the tactics used by the perpetrators to bypass these layers of security.

Attachment Archive File Format Abuse

Discrepancies in the way in which a security product handles a compressed file versus that of an un-archiving application has led to abuse of the popular ZIP file format.  Un-archiving apps identify ZIP file types by scanning the last 64KB of the file for a special magic marker. Security scanners on the other hand, with a need for speed, identify the file type by inspecting only the first few bytes from the beginning of the file.

An attacker abuses this disparity by creating a malicious ZIP file and manipulating its headers by adding junk data at the beginning of the ZIP file. This specially crafted file deceives security scanners into thinking that it is of an unknown type and escapes detection, but un-archiving applications are able to successfully extract the malicious code at the end point.

Fig.3 shows a Proof-of-Concept [2] archive file that is capable of evading security scanners

Fig.3: Crafted ZIP file with NULL data prefixed.

Gateway Sandboxing Bypass

Suspicious files that match certain criteria are typically executed within a sandboxed environment for a short period of time. Depending on their behavior, the files are either blocked from the user or released to him/her.

Attackers can craft malicious files which detect such controlled settings by looking for specific registry keys, in-memory code changes, mouse pointer movement, etc.

For example if the malicious file identifies that it is being executed in a sandboxed environment, it stays idle without performing any activity thereby bypassing this check. The Up-Clicker Trojan [3] attempts to evade sandbox analysis by staying idle and waiting for a mouse click before activating itself.

Fig.4: Code showing Up-Clicker Trojan set to activate on mouse click

Browser Multi-Purpose Internet Mail Extensions (MIME) Sniffing

This attack exploits differences in the way in which security scanners and web browsers identify the content returned by an HTTP server.

Security scanners parse the magic headers available at the beginning of a file returned by the web server, to identify the file type. This means that a specially crafted malicious HTML file containing the magic marker commonly found in a GIF image will be identified by the scanner as an image file, exempted from scanning and let through into the network.

Web browsers on the other hand, depend on the MIME type in the HTTP response header returned by the web server to identify the file type. When this information is absent as is the case of a response from an attacker controlled web server, the web browser resorts to content sniffing to determine the MIME type. So, the same malicious HTML containing the GIF magic marker will now be identified as HTML content by the user’s browser and rendered accurately to execute the exploit code.

Fig.5: Malicious script containing bogus RAR and GIF magic markers.

Click here to read the third part of this blog


Lokesh Kumar
K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

Exorcising CTB Locker from your Computer: What you Need to Know

Friday, January 30th, 2015

Ransomware, a type of malware which holds your files to ransom by encrypting them and then demanding a ransom for their “release”, i.e. by decryption, is nothing new. Cyber criminals make a lot of money by extorting funds from victims all over the world.

The latest family of widely distributed ransomware is called CTB Locker. In this blog we have decided to provide information about CTB Locker in the form of an FAQ so that our customers and the general public globally may be well-informed about the dangers of this malware family, learn how to avoid it, and be reassured about our robust response to it.


  • How do you prevent your computer from becoming infected by CTB Locker?

Let’s begin with this question as it is the most important one to keep your computer safe. Prevention is always better than cure.

The initial spreading vector for CTB Locker is a spam email with enticing content which uses social engineering techniques to convince the potential victim to unzip a ZIP archive attachment (extension ‘.zip’) and execute its embedded file.

This embedded file, which is currently around 40KB in size, may have misleading extensions such as ‘.scr’ in order to masquerade as a screensaver application. This file is the downloader component for CTB Locker’s main payload, which then does the actual file encryption and makes ransom demands. We urge you to be vigilant against such spam emails as it is very first line of defence against CTB Locker as well as a host of other malware families which also use the same old time-tested technique to spread.

If an email comes from an unknown or unexpected source containing an attachment or a website link requesting you to open the attachment or click on the link, please exercise extreme caution. We would suggest simply deleting such emails if they are not already quarantined by your spam filter.

The spam emails tend to be targeted at English-speaking countries and at least 3 European countries given that the malware payload provides its ransom messages in German, Dutch and Italian.

This ransomware is not targeted at Indian users per se but given the ubiquitous nature of spam there will be “collateral damage” resulting in not just Indian victims but also many other hapless victims in other non-target countries.

  • What should you do when you discover your computer is infected with CTB Locker?

If you have seen messages demanding a ransom as shown above, it is likely that many, if not all, of your personal files such as Microsoft Office documents, PDF, TXT, ZIP and even ‘C’ source code files will be in an encrypted state, i.e. appear to contain random binary junk. Files encrypted by CTB Locker will have filenames such as yourfile.ext.<7 random lowercase letters>, e.g. 253667.PDF.iryrzpi

Executable files, e.g. EXE, DLL, OCX, etc, and files with extensions unknown to the malware will not be touched.

First and foremost, we would request that you do not attempt to pay the ransom to get your files back. Even if the cyber criminals do actually decrypt your files, the money they get from you will only serve to encourage them to continue their nefarious practices, investing R&D in enhancing their capabilities and global reach. Cyber criminals must be stripped of their Return on Investment incentive to create malware.

Once you have decided not to pay the ransom we would recommend removing the malware immediately. This can be done most easily by:

  1. updating your product
  2. rebooting into Safemode
  3. performing an on-demand scan on your computer
  4. removing the detected components. Note, the main CTB Locker payload is detected as ‘Trojan ( 0049d83b1 )’ and its downloader component is detected as ‘Trojan-Downloader ( 00499db21 )’

  • Is it possible to decrypt files encrypted by CTB Locker?

The malware itself demonstrates that files can be decrypted by randomly choosing 5 samples to decrypt.

However, the malware uses a high-grade encryption algorithm with a key which is unique to your computer, rendering it effectively impossible to force a decryption en masse.

  • How to restore files encrypted by CTB Locker?

It may not be possible to restore all files encrypted by CTB Locker. However, if your Windows operating system supports System Restore it is possible to recover the contents of many of your folders to a recent restore point before the infection took place.

The most reliable solution, though, is to restore your critical files from regular backups. If you don’t backup your important files regularly then we urge you to start doing so ASAP. Apart from a CTB Locker infection, there are numerous other factors which could render your files irrecoverable in the future, including a hard disk failure. Note, it may also be possible to use deep forensics tools to recover some critical files if they still exist on sectors on the hard disk, but this is not an alternative to regular backups.

  • Will paying the ransom actually decrypt your files?

We refuse to pay any ransom so we are unable to confirm whether payment will actually result in your files being released. Once again, we would request you to not attempt to pay the ransom for the reasons mentioned earlier.

  • Why did K7 not detect and remove CTB Locker?

At K7 Threat Control Lab we are constantly monitoring and acting against CTB Locker infections, including coding robust generic detection for all components of CTB Locker. However, the cyber criminals behind the CTB Locker family have been investing considerable resources in morphing, i.e. changing the appearance of, all their components and spam emails such that they may sometimes be able to get past security scanners, not just K7’s, albeit for a very short period of time. We at K7, and our colleagues at other security companies, are working hard to stay ahead of CTB Locker in order to protect all our customers across the planet.

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

Hacked Websites: Consequences and Mitigation

Wednesday, January 28th, 2015

This is the final chapter of my blog series on “Hacked Websites” describing the consequences faced by users of visiting a hacked website, along with a few mitigation guidelines for the developers and webmasters, following on from the previous chapter covering the vulnerabilities and exploits involved in a website compromise.

Back in the old days, hackers used to hack to try to solve problems, to improve internet security and experience, and to boost their own self-esteem. Over time, hackers’ intentions changed and they began to hack for many more troublesome reasons such as to deface a website and convey a specific message, to steal confidential data or services, to host illicit material, for malicious redirects, to utilize a server’s resources for malicious intent, DDos, etc; by and large for money, theft of intellectual property, curiosity, prestige and as a publicity stunt.

Consequences for a user in visiting such a compromised website are that a user may

  • become a victim of a socially engineered phishing attack and give away his/her banking credentials, personal information and credit/debit card data on fraudulent sites.
  • become a victim of unintentional malicious downloads and installs (aka ‘drive-by download’), including becoming part of zombie botnet armies.
  • To ensure a safe and secure visit for a user to their website, webmasters must periodically verify their websites’ integrity. Below are a few of the mitigation guidelines for both developers and webmasters.

    For developers :

    ●     Implementation of effective input/output validation and sanitization approach.
    ●     Implementation of effective account management, authentication and authorization practices.
    ●     Encrypting users’ secret session values and sensitive data.
    ●     Securely handling exceptions, errors and logs.
    ●     Following the standards described in OWASP, CERT guidelines.

    For webmasters :

    ● Do not entertain cloaking, link farming, content autogeneration and other SEO tactics that may welcome SEO Poisoning attacks.
    ● Carefully deliver content from open, restricted and forbidden areas.
    ● Serve sensitive content over secure pipelines such as HTTPS.
    ● Encrypt data (using industry grade encryption algorithms) before storing into database.
    ● Update and patch servers within regular scheduled time intervals.
    ● Perform web application security audits and penetration testing on a regular basis.

    As one would expect, in the event of any compromise of their website, webmasters should carry out the process of clean up and recovery of the hacked website at the earliest with a custom recovery process or by following the guidelines available online.

    I hope this blog series helps people, both laymen as well as webmasters and web developers, in understanding what a hacked website is, the vulnerabilities and exploits involved, and the consequences to a user of visiting a hacked website, and finally the mitigation guidelines for developers and webmasters to reduce the risk of their websites getting hacked.

    Image courtesy of:

    Priyal Viroja, Vulnerability Researcher, K7TCL

    If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

    Are Offline Devices Vulnerable to Spying?

    Tuesday, January 20th, 2015

    Cyber criminals can spy on your PC or mobile phone even when there is no internet connectivity on your device, claim researchers from Georgia Institute of Technology. Apparently, low-power electronic signal emissions, called “side-channel” signals, from laptops and mobile phones can allow hackers to intercept user activities and Android smart phones are particularly prone to these kinds of attacks. Through these signals, hackers may be able to tell when you edit a document, look at photos and when you enter a password, with the help of an antenna and a microphone.

    The difference in the signal emission by the processors is said to help deduce the operation that is being performed on the device. The GIT researchers asseverate that there exists a design flaw in devices that makes them vulnerable to hackers, who are able to eavesdrop on user activities from a few feet away. The victim on the other hand, will be denied even the benefit of doubt since there is no way to tell that signals from your devices are being tapped. Despite speculation about this kind of exploitation there is no evidence of any attack so far.

    Cyber criminals are always on the lookout for ways to infiltrate the user’s device to steal information. Even if it were possible to gather information through side-channel emissions, we believe that cyber criminals would not opt for this route on a large scale. The nature of professional cybercrime is such that the distance between victim and attacker is generally several thousand kilometers, i.e. over a network of interconnected devices. It is hardly likely that a cybercriminal would tune into emissions from the user’s device from just a few feet away. The probability that a hacker can match a password to the corresponding website when you type in a password on your device or decide which emission comes from which particular individual’s device seems pretty low. In any case let us await independent verification of the alleged design flaw.

    Image courtesy of:

    Archana Sangili, Content Writer

    If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

    Hacked Websites: Vulnerabilities and Exploits

    Monday, January 12th, 2015

    This is the second chapter of my blog series focusing on the vulnerabilities and exploits involved in a website compromise following on from the previous chapter covering the reasons for which website access can be blocked.

    New age Internet, a web of images, videos and user-friendly interactive content, is delivered by tools like image/video gallery, sliders, gadgets, CMS, etc., for quick design and implementation.

    Because of the complexity of these evolving web technologies, there is a high possibility that security vulnerabilities in web applications might be overlooked by both the developers and the quality assurance process. Such vulnerable web applications are susceptible to hackers and bots to break into a victim’s computer and to infect websites to spread malicious files or send spam messages.

    The most common web application vulnerabilities are described below.

    Code Injection

    A huge number of data breaches happen via code injection attacks, i.e. the injection of malicious code specific to a vulnerable application either on the victim’s computer or on the website host server into a web application in order to carry out silent execution of the injected malicious code. This kind of attack includes Cross-Site Scripting (XSS), SQL Injection, XML injection, RCI, Header Injection, Log Injection and Full Path Disclosure. To have a clearer picture of code injection, let us look at the XML injection example shown below.

    Let us consider the following form and actual inputs:

    Name: test
    Password: test123

    Data is sent to the web host as follows:

    Expected XML result at the server side is:



    A valid user id 101 is created for the user “test”.

    Now, let us suppose a hacker submits an XML code as input in one of the aforesaid form fields to control a user account.

    Name: test
    Password: test123</password><id>0</id><!–
    Mail: –><mail>

    Now, the data sent would be in the format,</password><id>0</id><!–&mail=–></mail>

    Modified XML result is:



    In the above example, as the hacker has entered the XML code “</password><id>0</id><!–” along with the password “test123” in the password field and “–><mail>” along with the mail “”, the website server generated id “101” is commented out and a possibly pre-existing id “0” is assigned to the user “test” via password and mail parameters provided by the attacker. Now the hacker can avail the privileges or the functionality associated with the id “0”, thus severely violating the security objective of access control.

    Broken Authentication and Session Management

    Many developers prefer relying on their own, custom authentication and session management schemes than using the standard authentication and session management methods. As seen in cases earlier, custom schemes regularly fail in functionalities such as password management, sign in, logout, timeouts, secret question, account update, etc.

    Some common flaws attributed to the failure cases are listed below:

    ●     Storing credentials in plain text, i.e. without hashing or encrypting them.

    ●     Weak account management modules (e.g. account creation, account deletion, change/update password, recover password, etc)

    ●     Session IDs

    1. exposed in a URL
    2. that do not properly timeout or are not validated during logout
    3. that are not updated after a specific time period once logged in.

    ●     Confidential data transfer over unencrypted connections.

    In the example below, a movie-booking application exposes the session ID in the final URL as shown below,,6,9 &sessionid=2QZABDJ3NDXYXK5CJ8N290

    Now, if an authenticated user shares the above link with others, the allotted sessionid will also be visible to the receiver. When the receiver accesses the shared link, he/she will have the privileges associate with that session ID and can therefore hijack the session. These scenarios can cause adverse effects in case of gift vouchers, saved credit card details, etc associated with the authenticated user.

    Security Misconfiguration

    Secure configuration of an application stack including operating system platform, web server, application server, database, framework and code is one of the primary goals for  developers and system administrators. Security misconfiguration can occur at any level of an application stack. Exploiting such misconfigurations, ranging from failure to apply appropriate patches, use of default accounts, failure to set useful security headers on a web server, use of unnecessary services and disabling platform functionality could grant unauthorised access to an attacker.

    For example, consider the scenario where the server XYZ has a few java class files (compiled Java source code files) hosted, but unfortunately has directory listing is enabled, unknown to the administrator. If an attacker manages to discover that the server XYZ’s directory listing is enabled, the attacker would be able to collect the compiled code and reverse engineer it to get source code.

    Format String

    Exploitation of Format String occurs when the submitted input string is misinterpreted as a command by which the attacker can trick the concerned application to read values off the stack, induce a segmentation fault, or execute a user supplied string as a code, to cause an unexpected behavior that could compromise the stability and security of an application, thus potentially allowing execution of malicious code by a remote attacker.

    Intelligent fuzzers are used to automate fuzzy input supply to the application, with the intention of crashing the application and generating errors that can disclose sensitive information. The most common C runtime functions printf(), fprintf(), sprintf(), snprintf(), scanf(), etc., process data based on a format string and %x, %s, %n, %%, %p, %d, %c, %u  are some of the most common parameters used in this attack.

    For example,

    Let us discuss the following C code,

    int main(int argc, char** argv)
    char buffer[100];
    strncpy(buffer, argv[1], 100);

    return 0;

    In the above C code, the printf() function takes one argument “buffer” instead of the usual two arguments, format specifier and the associated variables. An attacker can trick the printf() function in the above code by passing an input string “%p %p %p %p %p”  to the buffer where %p is the format specifier of a pointer. During execution, printf() will look at the argument as  “%p %p %p %p %p”, consider that it has 5 arguments and will print the next 5 addresses on the stack (for 32-bit architecture) from the current position. Possible output could be:

    => ./output.out “%p %p %p %p %p”
    0xffffdddd 0xf7ec 0×1279 0xffffdbdf 0xffffdbde

    Thus, a format string vulnerability gives the attacker the ability to read an arbitrary value from an arbitrary address and potentially perform malicious activity.

    Apart from exploiting web application vulnerabilities, hackers may also avail of weak password policies, insecure FTP/HTTP connections, outdated third party add-ons and server vulnerabilities to compromise access to a website host. To accomplish an attack successfully, attackers may combine two or more vulnerabilities together on the target webserver.

    In the next chapter of my blog series, I will describe the consequences faced by users  visiting a hacked website, along with a few mitigation guidelines for the webmaster.

    Images Courtesy:

    Priyal Viroja, Vulnerability Researcher, K7TCL

    If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

    Cyber Crime in India Rises by 40%

    Wednesday, December 31st, 2014

    India is rapidly becoming internet-enabled, thereby increasing her exposure to cyber-attacks. Every day new users are getting introduced to the internet, susceptible to the danger of becoming victims of cyber abuse.

    Recently, the Indian home ministry disclosed that India had experienced a 40% rise in cyber crimes over the past two years. Data theft, credit card fraud, unauthorized wiring of money, exposure of confidential information and illegal hacking topped the list of reported crimes.

    The picture below shows the Indian regions that are affected with different malware types in December 2014 (courtesy of our own instrumentation data plotted on our internal Google maps interface).

    Microsoft’s last survey also reveals that India was the most hit region by malware over the last quarter. Malware categories like worms, Trojans, adware and other malicious exploits had predominantly affected India compared to most other developed and developing parts of the world. This unpleasant fact is alarming as India had started employing the Internet increasingly in her e-Governance infrastructure to aid the citizenry in education, health and consumer services, etc.

    The mass spread of most of these threats can be attributed to the facts that much of the population is ignorant of such types of assault and inattentive to protect their computers and smart devices that connect to the internet.

    Malware engages diversified ways to creep in and cause havoc, most commonly:

    1. Pirated Software – There are a lot of users who install unlicensed versions of the Windows operating system to avoid payment. Cracked versions of the OS, games or other software are readily available online for “free” download. However, pirated versions do not receive critical security updates making them impotent to fight back against malware threats.

    2. USB Devices – Liberally sharing USB devices, of which a high proportion are infected, among friends and colleagues easily spreads worms. Incidentally 28% of malware encountered in India were autorun worms that spread through removable devices.

    3. Free Downloads – Games, screen savers, tools and any “free” software download may travel bundled with Trojans or adware that may lead to user’s personal information leaking out, cause computer slowdown or cause a change to computer settings.

    A notable number of laptops and smart phones are believed to be infected by malware on a daily basis. Moreover, Microsoft claims that the computers and devices that have no anti-virus installed or expired anti-virus are four times more likely to encounter malware attacks. To defend against security threats and to cope with the growing social networking habits, users (especially from India) must gradually start understanding the importance of cyber security, good internet practices and install a reliable anti-virus product to stay secure.

    Wish you all a Happy New Year and Safe Computing in 2015 … and what’s left of 2014 too!!

    Archana Sangili, Content Writer
    If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

    Hacked Websites: When Access is Denied

    Tuesday, December 23rd, 2014

    Are you excited about the new social networking platforms, games, mobile apps and the Internet of Things? Yes? Great, but BEWARE, hackers too are excited! With the K7 product installed, while visiting a website have you ever hit upon the message, “Access denied! The access to this page has been denied by K7Total Security Safe Search”? If you have, good, you’re safe.

    We at K7TCL process a huge number of suspicious website URLs everyday and identify many  malicious ones, some of which are hosted at compromised or hacked websites (websites which are owned by legitimate entities but have been forcibly taken over by hackers without the owners’ knowledge). To provide better protection to the user, URLs identified as malicious, including phishing, fraudulent and malware-payload links are blacklisted and the product denies access to them. We have stringent quality assurance processes to ensure that we don’t block access to clean websites.

    As we blogged earlier, we occasionally receive URL false positive reports from our clients for the websites that are indeed compromised. So we thought it would be a good idea to educate the public with a blog series covering:

    1. How a website is typically hacked
    2. Factors to identify a hacked website
    3. Role of software vulnerabilities (defects in software that can be exploited by hackers) involved
    4. Consequences to the user in visiting a hacked website, along with a few mitigation guidelines for the webmaster

    This is the first chapter of my blog series that briefly describes hacked websites and the reasons for a website to be blacklisted.

    Usually hackers and their automated bots, which are malware designed to infect a user’s computer and connect back to a central command and control (C&C) server, break into targeted website hosting by exploiting a web application vulnerability on the target. Targeting a massive user base, hackers often prefer to hack renowned legitimate sites that own heavy network traffic to propagate the hosted malware and infect a large number of users, or fraudulently suck information from them, even before it is identified that the website is hacked, as in the case of the recent Ebay hack. Compromised websites are either injected with a malicious script that downloads another malware on to a user’s computer or ends up redirecting to another malicious site. Such a hacked website remains infected until the webmaster identifies, assesses, and remediates threats to his/her systems.

    In response to the aforesaid incidents, we duly inform the concerned authority, i.e. the webmasters, of such infected websites about the scenario and the recommended course of action. Therefore we recommend that webmasters provide accurate, up-to-date contact details on their domain registrations and DNS records so that we know whom to contact when the need arises.

    To an end user visiting a compromised website with a vulnerable browser or browser plug-in may leave the user’s computer infected with a malware without his/her knowledge. So, it is advisable that users regularly apply update patches for their operating system and the other software they use.

    A blacklisted website/URL satisfies one or more of the following criteria:

    1) It redirects to a malicious link or points to a malicious payload
    2) It is used in spam or phishing campaigns
    3) It is hosted on a compromised web server
    4) It contains malicious JavaScript code

    Alexa, a well-known provider of web traffic information, ranks 1 million domains and sub-domains on a daily basis according to their popularity. To get an idea of the number of compromised and popular websites used in malicious attacks, we looked at how many malicious URLs are hosted on websites listed on Alexa’s top 1 million. From our latest lab data and instrumentation, we observe that currently approximately 7500 popular domains are compromised and 10791 exploit-related URLs are blocked by our product’s site blocker. Furthermore, out of these,16 sub-domains and 16 blocked URLs have domains ranked within Alexa’s top 100.

    In the next chapter of my blog series, I will describe how websites get hacked in the first place, focussing on the vulnerabilities and exploits involved.

    Priyal Viroja, Vulnerability Researcher, K7TCL

    If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

    “I’m not a robot”, Google to reCAPTCHA the Flag

    Friday, December 12th, 2014

    Over the years, online users have had to identify obscure images, typically worn-out text from old newspapers or street addresses, and type the contents into a box to prove their humanness. CAPTCHA (an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”), as this process is called, helped prevent robots gain illegal access to websites, in order to propagate spam (unsolicited messages), for example.

    However, these days advanced Artificial Intelligence technology with image recognition can solve CAPTCHA puzzles with astonishing accuracy, a whopping 99.8% according to Google. In an attempt to beat these more advanced bots, Google has recently launched a new API (Application Program Interface) called CAPTCHA reCAPTCHA.

    With CAPTCHA reCAPTCHA , users are now directly asked to check a box as shown above. If this step is still insufficient to confirm the user’s humanness, a CAPTCHA is thrown. This CAPTCHA asks the users to match a given image with a set of images, usually animals or birds. Though this approach appears simple, Google claims that advanced risk analysis runs on the backend which monitors the user’s interaction with the CAPTCHA till the very end. This is a welcome change, especially for mobile users who face mild inconvenience in resolving the distorted images.

    We hope CAPTCHA reCAPTCHA will be more effective in the fight against the bots created by cyber criminals.

    Images courtesy of:

    Archana, Content Writer

    If you wish to subscribe to our blog, please add the URL provided below to your blog reader: