Although time consuming and resource intensive, the malware author installs various Anti-Virus software and keeps them updated. The malicious files are scanned on this system before they are distributed to the victim.

For malware authors/script kiddies who can’t afford to build such a system, there are underground sites which mimic genuine online file/URL scanning services. A significant difference being, these underground sites in exchange for money, promise not to distribute the scanned files to the Anti-Virus vendors. Given below are screen shots of two such sites:

Then there are tools which incorporate multiple scanners & are distributed for free. Given below is a screen shot of one such tool:

If their malicious code is detected by the Anti-Virus vendors during the initial stage of the attack, the malware authors are quick to change their binary.

While traditional checksum based detections alone might be ineffective against such files, a combination of several detection methods, which include a behaviour based approach will prove far more effective.

R.V Shyam Charan
K7 TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed/

A quick look at the source code for the page shows an encoded binary file embedded in a VBScript:

Visiting this site with a poorly configured Internet Explorer browser will lead to the above script being rendered. The encoded file in turn is decoded and a malicious file named svchost.exe is dropped onto the user’s computer and is executed.

The malicious executable is an infamous file infector named Win32.Ramnet and detection for this executable has been around for more than a year now. This seems to suggest that the machine hosting the website has either little or no security solution in place.

With the holiday season in full swing, online shoppers are requested not to let their guard down. While you may be on holiday, the miscreants aren’t.

K7 Security products don’t just detect and delete the malicious file, but also prevent access to the hacked site:

Lokesh Kumar
K7 TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed

V Dhanalakshmi will be presenting on the increasing threat of Android malware and how to protect oneself from these threats in her talk titled “Paranoid Android?” on the 10th of November at 10am. Samuel Jebamani, Saravanan Mohankumar and myself have reserve presentations prepared on the topics of MBR threats, malicious VB P-Code detection, and Asian malware respectively. All four papers will be available in the conference proceedings.

We hope to see you all there.

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed/

Fileave.com was probably well on its way to becoming the preferred free file hosting service for the malware authors. However, the site’s ISP “Hurrican Electric, Inc.” finally decided to shutdown this site and its associated ripway.com.

We can breath a temporary sigh of relief, for its only a matter of time before the malware authors find a new site to host their parasite.

Lokesh Kumar
K7 TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed/

As an increasingly influential global player, India has many belligerent foes, both external and internal. At the recent Combined Commanders Conference of the Armed Forces, the Prime Minister, Dr Manmohan Singh, referred to the need for India to stand on its own two feet in formulating a robust response to threats facing the nation. The context of the PM’s reference was related to the development of indigenous defence technologies, which is considered a “national security objective”. Indeed, mention was made of the involvement of private industry in achieving these goals.

National security requirements have major implications for the IT industry, especially indigenous technological entities. The PM made the following statement:

“Cyber threats are emerging as a major source of worry. Cyber and information warfare could qualitatively change the concept of a battlefield.”

There is a recognition of the requirement for a close and productive relationship between the Ministry of Defence and private industry, the IT security industry included, in the development of the nation’s defences in all forms of warfare.

A presentation on cyber warfare at the recently concluded Virus Bulletin 2011 security conference suggests that India’s response to and defence against cyber attacks can be considered sub-optimal at this point in time. There is clearly a recognition of this vulnerability in the higher echelons of government and the Ministry of Defence. It remains to be seen how defence policy incorporates the knowledge and skills of the IT security sector in formulating strategies for combating cyber warfare. We must all, of course, do our bit to safeguard the nation’s security.

* Image courtesy of cyberlawsinindia.blogspot.com

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed/

• A fake website created by simply ripping content off the original site and pasting them on the spurious one

• A bait which engages potentially attractive terms like “Watch nude girls now”, “You’ve won a million dollars”, “Find what your neighbor is up to “, etc. to attract victims

• Scare mongering by using words like “Account has been suspended”, “Computer found to be infected”, “Severe action will taken” etc.

• Create a YouTube video

Yes, you read that right!! Phishers now go to the depths of creating videos explaining to the potential victim how to execute the phish. Call it a “how-to-guide” to give your secrets away, if you’d like.

The site under discussion http://fbshirts.[Blocked], apart from having all the usual elements of a phish also has a video on YouTube instructing users how to give away their Facebook “mobile email address”. This is a personalized email address used to post status updates straight to your profile.

Users who’ve fallen victim to this scam will have a spam message posted on their facebook wall like the one below:

One would like to think that no one would fall victim for such a scam. But the number of hits that this video has received, (80,432 and counting) paints a bleak picture. See image below:

Our usual sentiments about keeping one’s security solutions up-to-date and being vary of giving one’s personal information to unknown sites apply.

Lokesh Kumar
K7 TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed/

This file has been up in the server for almost a month now. Users must exercise caution when they happen to download an executable file from a fan site that has remotely no purpose of distributing executable files to its visitors.

The malware file upon execution has capabilities to read saved passwords from a user’s internet browser, Mozilla Firefox, to be specific. It tries to read data from ‘signons[number].txt’ file found in the Firefox directory.

This text file holds the user’s logon information for websites for which the user has set ‘Remember Password’ in Firefox. Now imagine the scale of damage this could cause if the infected machine was a public computer at an internet café.
Following simple practices whenever you use a public computer would save you from such threats:

• Never save your logon information on public computers
• Always clear the history and cache before leaving the computer, or you could use the private browsing session option available in most modern browsers
• If possible use portable applications, these are applications that run out of a pen drive
• Avoid entering any kind of sensitive information on a public computer

For our customers though, it’s just a one step process: keep your antivirus definitions up to date. K7TotalSecurity detects this file, as Trojan ( 001987931 )

The server hosting the fan site has been clearly compromised. The administrators of the compromised domain have been intimated about the impending damage they might be causing to unsuspecting fans.

Kaarthik .R.M
K7 TCL

The graph above displays the number of unique URLs hosting malicious files from fileave.com which were collected by our automated systems.

Closer inspection revealed that the sudden spike from ~100 URLs in the month of July to ~550 in the month of August was due to a mass compromise using the “Black-hole” exploit kit with the final payload hosted on fileave.com. The malware author responsible for this mass compromise had registered a total of ~400 unique URLs in just 1 month in the following format:

• “http://clickme[2 Random characters].fileave.com”

Discounting these URLs, the graph still shows a worrying trend:

The number of malware authors using fileave.com to host their malicious payload is on the rise. Our blog readers might recall that we had recently blogged about how malware authors abuse file hosting services with minimal security checks. The fact that fileave.com has none of these measures in place is bound to be exploited even more by malware authors in the days to come.

Lokesh Kumar
K7 TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed/

The interesting malware functionality here is that it retrieves the icon from the original executable and embeds it within itself so as to masquerade as the original file.

Of course, if the original file has a shortcut and you happen to open the shortcut then this would initiate the malware file instead, since the target filename that has now been replaced by a malware.

Importantly, when the malware gets executed, it in turn initiates the original file in the folder, thereby camouflaging itself on the victim’s computer. It even sets the original program’s attribute as hidden so that the victim would be none the wiser.

In the above screenshot of process explorer it can be seen that malware file gets initiated first and it in turn calls the associated safe file.

The malware’s functionality is merely that of a companion virus, but in a modern context, GUI and all. In the DOS days, companion viruses used to exploit the fact that a file with a COM extension (the virus) always runs before a file with the same stub name but with an EXE extension (the original host). Thus running a filename from the command line without specifying the extension explicitly would result in the virus file running instead of the companion EXE host.

As in the DOS days, the modern companion virus described above can also spread from computer to computer. Consider the scenario where an unsuspecting victim shares his applications with another user. This malware would appear legitimate with its borrowed icon and filename. The sample that arrived at K7TCL had a legitimate program  icon and was not detected by any other AV at the time. Under these circumstances it would be the actual malware file and not the original program being shared, and the virus has the opportunity to do its business on a fresh computer.

K7Total Security detects this malware as Virus ( 002c651a1 )

Disclaimer: No safe files were harmed in the making of this blog post.

Kaarthik R.M
K7TCL

The ransomware then reboots the computer and a sexually explicit image is displayed to the user demanding him/her to dial a premium rate number and enter a code which would then unlock the machine. This particular ransomware even goes to the extent of displaying a countdown message and threatening to delete the files on the computer if the unlock code is not provided within a period of 24 hours.

Given below is a list of the URLs which were found distributing this ransomware last week:

• http://pornovirtualxxx.ru/[Blocked]porno-rolik[Blocked].avi.exe
• http://veryhotxxxporno.ru/[Blocked]porno-rolik[Blocked].avi.exe
• http://bestvideopornoxxx.ru/[Blocked]porno-rolik[Blocked].avi.exe
• http://lolkorussiangirlsporno.ru/[Blocked]porno-rolik[Blocked].avi.exe
• http://megabytespornovideo.ru/[Blocked]porno-rolik[Blocked].avi.exe
• http://pornovirtualxxx.ru/[Blocked]porno-rolik[Blocked].avi.exe
• http://smotripornomnogoxxx.ru/[Blocked]porno-rolik[Blocked].avi.exe

Our blog readers might recall an earlier blog post where we had discussed about how malware authors have gotten better at manipulating peoples behaviour to execute their code & this ransomware campaign is another example of such a scenario. Looking at the file name, the URLs which distribute them and the error message that is displayed on the malware execution suggests that this ransomware arrives as a part of a fake codec scam, possibly when a user attempts to download a video promising to deliver explicit content.

Our usual sentiments about keeping one’s security solution up-to-date & avoiding downloads from unknown sites apply.

Lokesh Kumar
K7TCL