Archive for the ‘Security Tips’ Category

Global Apps and Native Data

Monday, May 7th, 2018
This blog discusses the exploitation of user data as a risk to national security.

User data has become a point of contention between countries: apps developed in one country are widely used by the citizens of another, and covert agencies have become increasingly aware of the strategic value of ‘foreign user’ data. This has been an issue for many years, but it is being discussed in the mainstream only now, triggered by the recent Cambridge Analytica controversy and its ramifications.

Smartphone users’ data is richer than desktop users’ data: it records far more of a user’s day-to-day activity, from status updates and selfies to geotagged locations. All of it is of interest for market analysis, including to entities beyond a country’s borders.

With some countries openly accusing foreign apps of espionage, and many others discreetly suspicious of them, the Indian government has asked its military personnel to uninstall a list of Chinese apps. This is not the first time the Indian government has asked its defence community to be wary of Chinese hardware and software. Some of the apps named in the recent blacklist are:

  • Weibo
  • WeChat
  • SHAREit
  • UC Browser
  • Mi Community
  • Mi Store
  • 360 Security

A look at the geolocation of the servers that many of these apps connect to showed the following (package name and MD5 of the sample analysed):

SHAREit (com.lenovo.anyshare.gps) ( MD5: CB2C0A445B571035CE38CEAB91E01EBC )

WeChat (com.tencent.mm) ( MD5: CF237D05AB4782081AC70CBD2210EE3E )

UC Browser (com.UCMobile.intl) ( MD5: CA56AB59D7E6CE87A0B690DBF083487B )

The advantage of having an app’s servers in one’s own country is that data storage and protection are subject to the regulations and policies of the land. Looking at the permissions these apps request at installation, some are questionable:
  • android.permission.USE_CREDENTIALS
  • android.permission.MANAGE_ACCOUNTS
  • android.permission.AUTHENTICATE_ACCOUNTS
  • android.permission.READ_CONTACTS
  • android.permission.GET_ACCOUNTS
  • android.permission.ACCESS_FINE_LOCATION
  • android.permission.ACCESS_COARSE_LOCATION

When installing an app, users should always carefully go through the list of access permissions requested by the app and should not just mechanically tap the “Accept” button.

We examined a few of the apps blacklisted by the Indian government to check what information is sent to the parent server. We did not find anything malicious, but as the two screenshots below show, potentially sensitive information such as the device ID, build model and Android version is sent to parent servers located in China. The device ID (on GSM handsets, the IMEI returned by Android’s TelephonyManager.getDeviceId()) is a common artefact collected by many apps for legitimate purposes. From a privacy point of view, however, it is a far better identifier than an IP address: it is unique to the handset and stable across networks, so it allows an individual user’s habits on that device to be tracked over time. This helps marketing agencies target the individual with tailored ads, and equally serves nations engaged in (psychological) cyberwarfare against each other.

The screenshots below show the data enumerated by two of the apps we analysed.
Figure 1: Snapshot of data enumerated by an app

Figure 2: Snapshot of data enumerated by another app

The image below shows one of the apps sending the data to its server.

Figure 3: Data being sent to the parent server in China

Today, as users are getting used to intrusions on their privacy and beginning to consider them part of normal modern life, it is getting difficult to draw a clear line between good and bad app behaviour with respect to PII (Personally Identifiable Information).

However, the onus of gauging and enforcing data privacy standards and security should not be placed on the user, buried deep inside some EULA (End User License Agreement) full of legalese in small print that most people would not understand even if they read it. Instead it must be a moral and legal requisite of the app owners to maintain minimum standards enforced by government regulatory bodies. This is one of the prominent issues addressed by the European Union’s GDPR, whose imminent implementation should benefit users both in the European Union and, by proxy, elsewhere.

Users are advised to install apps only from the official Google Play Store. But given that for any popular app on the Play Store there are many fake apps and malicious clones on the Play Store itself, an average user has to be all the more careful in selecting the correct app.

Baran Kumar.S & Sunil
Threat Research Team

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed

EXtOrtion Banking bOT – EXOBOT!

Friday, February 23rd, 2018

This blog describes a few new techniques used by the latest versions of Exobot, an Android banking Trojan. These techniques have been introduced to complicate reverse engineering and to evade detection by security products.

It is only natural that, with the huge increase in the number of Android smartphone users and the availability of mobile banking services, cybercriminals have focused on malware targeting banking apps and other apps that enable financial transactions, in order to embezzle funds from victims’ accounts. Users of infected devices are exposed to the following (non-exhaustive):

• Financial loss
• Loss of Personally Identifiable Information (PII)
• Loss of privacy

Typically, banking Trojans await instructions from remote Command-and-Control (C&C) servers, allowing the attacker(s) to turn compromised devices into involuntary bots. The bad guys also keep changing their distribution mechanisms and infection routines (without reducing the severity of the intended damage) to evade detection by security products. Unsurprisingly, Android banking Trojans are no exception.

Exobot is an Android banking Trojan like any other: as described in our previous blog, it steals users’ banking credentials from infected devices so that the attacker(s) can siphon off their funds.

Here is how this piece of malware differs. Our analysis revealed some interesting implementation techniques employed in recent versions for detection evasion, summarised in the following picture:

In case the picture above is not self-explanatory, read on for a more detailed explanation of the differences between the older (Exobot V1) and newer (Exobot V2) versions.

Technique 1:

Exobot V1’s AndroidManifest.xml declares all the broadcast receivers, permissions and other privileges it needs to perform its malicious activities: all its eggs in one basket.

Exobot V1 Permissions

Exobot V2, on the other hand, spreads its requirements out. Basic installation and device admin registration are requested by the primary component (formerly available on the Google Play Store, but thankfully no longer), which then downloads a secondary bot component whose requirements are declared in its own AndroidManifest.xml.

Exobot V2 Permissions split between parent and dropped components

The secondary component, downloaded from the URL shown in the following picture, then tries to connect to different C&C servers to receive commands from remote attacker(s).

It is noteworthy that the primary component retries the download of the secondary component several times (up to 5 in the variant we analysed) at regular intervals when the connection to the URL fails. If every attempt fails, it then tries the other C&C servers in a predefined list.

Technique 2:

Exobot V1 is very trusting: it starts its malicious activities without checking the configuration of the device it is running on. Exobot V2 is more cautious, deploying multiple verification mechanisms before behaving badly. Here are the most interesting of the checks it carries out before proceeding with its infection routine.

Checks if a debugger is attached to the process



The call is assembled from obfuscated string fragments, where:
n.df + n.fv + n.eF resolves to android.os.Debug
n.es + n.eG + n.fu resolves to isDebuggerConnected

Verifies that the device configuration does not match any of the criteria below

  • Is the malware running in a test environment, such as an emulator? Does any of the default emulator values below match the values read from the device?
    • Build.MODEL is “google_sdk”, “Emulator” or “Android SDK built for x86”
    • Build.MANUFACTURER is “Genymotion” (Genymotion is an emulator frequently used for QA and testing)
    • Build.PRODUCT is “google_sdk”, “sdk”, “sdk_x86” or “vbox86p”
    • DeviceId is “000000000000000”, “012345678912345” or “004999010640000”
    • VERSION.RELEASE is “0”
  • Is the compromised device connected to a test network?
    • SIM operator name is “android”, “emergency calls only” or “fake carrier”
If any of the above match, execution stops.



Checks and sets the malicious app as the default SMS package



The Android OS lets an app ask to be made the default SMS handler programmatically (on Android 4.4 and later the user has to confirm the change in a system dialog). Exobot V2 uses this to be the first to see incoming SMS and to hide them from other installed apps: on older Android versions it aborts the “SMS_RECEIVED” broadcast, and on 4.4 and later, where that broadcast can no longer be aborted, only the default SMS app receives the SMS_DELIVER broadcast that carries the message.

Verifies that “MAIN_VERSION_REQUIRED” is below a specific threshold value, to ensure that the bot can run on the device, i.e. on that particular version of Android


Where n.aT maps to “Bot is not able to run that command” and n.aU maps to “Command execution system error”.

Technique 3:

Exobot V2 also borrows an anti-reversing technique from its Windows-based counterparts: every string in the malware’s code is obfuscated, though with very simple logic, by inserting junk characters between the real ones. For example:

a(“start”) becomes something like a(“s**EJz**t**EJz**a**EJz**r**EJz**t**EJz**”)

In the above example, “**EJz**” is the junk sequence inserted after each character.
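The following is an added example, not code from this post or from the malware: a small deobfuscator for strings padded in the way just described. Rather than hard-coding “**EJz**”, which may differ between builds, it infers the junk token from the longest obfuscated literal in a sample (one real character, then the token, repeated) and strips it positionally from every a("...") call. The a("...") call-site pattern and the sample source lines are constructed for the example.

```python
"""Recover plaintext from strings padded with a junk token, as in Exobot V2's a("...") calls.

Added example, not code from the K7 post or from the malware. The call-site
pattern a("...") and SAMPLE_SRC are constructed; the token is inferred, not assumed.
"""
import re

CALL = re.compile(r'a\("([^"]*)"\)')


def has_layout(obf, token):
    """True if OBF is c0 T c1 T ... with T == token after every character (or every one but the last)."""
    step, n = len(token) + 1, len(obf)
    if n % step and (n - 1) % step:
        return False
    return all(obf[i + 1:i + 1 + len(token)] == token for i in range(0, n - len(token), step))


def infer_junk(obf):
    """Shortest token T such that OBF has the c T c T ... layout; "" if there is none.

    Very short strings can be ambiguous (e.g. "abab"), which is why the caller
    infers the token from the longest literal in the sample and applies it to the rest.
    """
    for tlen in range(1, len(obf) // 2 + 1):
        token = obf[1:1 + tlen]
        if has_layout(obf, token):
            return token
    return ""


def strip_junk(obf, token):
    """Keep every (len(token)+1)-th character; strings that do not fit the layout are left untouched."""
    return obf[::len(token) + 1] if token and has_layout(obf, token) else obf


def deobfuscate_source(src):
    """Rewrite each a("...") literal in decompiled source with its recovered plaintext."""
    literals = CALL.findall(src)
    if not literals:
        return src
    token = infer_junk(max(literals, key=len))   # the longest literal pins the token down best
    return CALL.sub(lambda m: 'a("%s")' % strip_junk(m.group(1), token), src)


# Constructed decompiled lines using the token shown in the post.
SAMPLE_SRC = (
    'String cmd = a("s**EJz**t**EJz**a**EJz**r**EJz**t**EJz**");\n'
    'String pkg = a("c**EJz**o**EJz**m**EJz**");\n'
    'String ok = a("ok");\n'
)

if __name__ == "__main__":
    print(deobfuscate_source(SAMPLE_SRC))
```

Literals that do not fit the inferred layout (such as the plain "ok" above) are passed through unchanged, so the rewrite can be run over a whole decompiled tree without damaging strings the malware never obfuscated.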

Our lab researchers regularly track Android banking Trojans, especially for their behavioral and technical differences, in order to ensure we are able to block the malware at the earliest with new and updated detection methodologies. K7 Mobile Security users are protected against both the older and newer versions of this malware.

Exobot V1 (example sample hash: b4064f4bca2ac0780a5e557b551a3755) is detected as “Spyware ( 004fdfc01 )”.

Exobot V2: The primary component (example sample hash: 6924d51242386e3c20c84f017f1838b9) is detected as “Trojan-Downloader ( 004f07451 )”, and the secondary component (example sample hash: f66e30974435e5ef092aeb7c9e5cad7a) is detected as “Trojan ( 005243d11 )”.

As always K7 Threat Control Lab makes the following recommendations:
  • Use a highly-reputable mobile security product such as K7 Mobile Security to block any infection
  • Regularly update the mobile OS and security applications installed to be free of mobile malware
  • Refrain from installing apps recommended by strangers
  • Review the reputation of any app before downloading and installing it
  • Choose to download and install apps only from the official Google Play Store, where immediate and regular security action is taken in emergency situations
  • Do not enable “Download from Unknown Sources”

V.Dhanalakshmi
Senior Threat Researcher


How Safe is Android Mobile Banking?

Monday, January 8th, 2018
There has been some recent media interest in one variant of the Android banking Trojans also known as ‘Bankbots’. Bankbots have been around for a long time, so this is nothing new, and the variant of unusual interest was already blocked by K7 Mobile Security as Trojan ( 0051c57a1 ).

As the name suggests, banking Trojans help hackers steal money from a user’s account without his or her knowledge. This particular Android banking Trojan scans the list of running apps for package names of popular banking apps from all over the world, intercepts incoming bank-related SMS messages, hides them from the user and forwards them to a remote hacker. It also accepts commands from a C&C server.

This banking Trojan disguises itself as a Flash Player app hosted on third-party markets. To carry out its malicious behaviour silently, it asks the user for device administrator privileges.

To start its malicious behaviour the Trojan registers receivers for the following actions on the device:

  • android.provider.Telephony.SMS_DELIVER
  • android.provider.Telephony.WAP_PUSH_DELIVER
  • android.intent.action.BOOT_COMPLETED
  • android.intent.action.QUICKBOOT_POWERON
  • android.intent.action.USER_PRESENT
  • android.intent.action.PACKAGE_ADDED
  • android.intent.action.PACKAGE_REMOVED
  • android.provider.Telephony.SMS_RECEIVED
  • android.intent.action.SCREEN_ON
  • android.intent.action.EXTERNAL_APPLICATIONS_AVAILABLE
  • android.intent.category.HOME
  • android.net.conn.CONNECTIVITY_CHANGE
  • android.net.wifi.WIFI_STATE_CHANGED
  • android.intent.action.DREAMING_STOPPED
  • android.app.action.DEVICE_ADMIN_DISABLED
  • android.app.action.ACTION_DEVICE_ADMIN_DISABLE_REQUESTED
  • android.app.action.DEVICE_ADMIN_ENABLED

One of the receivers, “yqyJqWdtdf.UOaOrquyRDgLFgGueha.resiverboot”, registered for the SMS_RECEIVED broadcast, is shown below:

The Trojan also requests the following permissions:

  • android.permission.READ_CONTACTS
  • android.permission.INTERNET
  • android.permission.WAKE_LOCK
  • android.permission.GET_TASKS
  • android.permission.READ_PHONE_STATE
  • android.permission.RECEIVE_SMS
  • android.permission.READ_SMS
  • android.permission.WRITE_SMS
  • android.permission.ACCESS_NETWORK_STATE
  • android.permission.CALL_PHONE
  • android.permission.SEND_SMS
  • android.permission.ACCESS_FINE_LOCATION
  • android.permission.PACKAGE_USAGE_STATS
  • android.permission.SYSTEM_ALERT_WINDOW

Interestingly, upon launching this malware, i.e. upon tapping the Flash Player icon in the app list, the icon hides itself so that the user is not aware of the malicious activity happening in the background.

The main activity class decodes a base64-encoded dex file, budda2.dex, which is embedded in the class as follows:

The decoded dex file contains the code responsible for incoming SMS interception, sending SMS and other malicious behavior.
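The following is an added example, not code from this post or from the malware: a carver that pulls long base64 literals out of decompiled Java, decodes them and keeps only those whose DEX header is internally consistent, so that a decoy string is not mistaken for a payload. SAMPLE_CLASS is a constructed stand-in for the decompiled main activity; the header checks use the documented DEX layout (magic at offset 0, Adler-32 at offset 8 over everything from offset 12, SHA-1 at offset 12 over everything from offset 32, file_size at offset 32).

```python
"""Carve a base64-embedded DEX out of decompiled Java and verify it really is a DEX.

Added example, not code from the K7 post or from the malware. SAMPLE_CLASS and
the fake_dex() test image are constructed; only the header layout is the real format.
"""
import base64
import hashlib
import re
import struct
import zlib

DEX_MAGIC = b"dex\n035\0"
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")   # long base64 literals only
JAVA_CONCAT = re.compile(r'"\s*\+\s*"')              # "abc" + "def" -> "abcdef"


def fake_dex(body):
    """Build a constructed DEX image with a consistent header around BODY (test data only)."""
    rest = struct.pack("<I", 36 + len(body)) + body    # file_size + body: offset 32 onwards
    sig = hashlib.sha1(rest).digest()                  # signature covers offset 32..end
    checksum = zlib.adler32(sig + rest) & 0xFFFFFFFF   # checksum covers offset 12..end
    return DEX_MAGIC + struct.pack("<I", checksum) + sig + rest


def looks_like_dex(blob):
    """True if magic, checksum, signature and file_size are all consistent."""
    if len(blob) < 36 or blob[:8] != DEX_MAGIC:
        return False
    (checksum,) = struct.unpack_from("<I", blob, 8)
    (file_size,) = struct.unpack_from("<I", blob, 32)
    return ((zlib.adler32(blob[12:]) & 0xFFFFFFFF) == checksum
            and hashlib.sha1(blob[32:]).digest() == blob[12:32]
            and file_size == len(blob))


def carve_dex(java_source):
    """Decode every long base64 literal in decompiled source; return those that verify as DEX."""
    joined = JAVA_CONCAT.sub("", java_source)          # undo the decompiler's string splitting
    found = []
    for m in B64_RUN.finditer(joined):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except ValueError:                             # binascii.Error: not base64 after all
            continue
        if looks_like_dex(blob):
            found.append(blob)
    return found


# Constructed decompiled class: one fake DEX split across a concatenation, one decoy literal.
PAYLOAD_B64 = base64.b64encode(fake_dex(b"constructed dex body " * 4)).decode()
DECOY_B64 = base64.b64encode(b"A" * 64).decode()
SAMPLE_CLASS = (
    "public class MainActivity {\n"
    '  static final String BUDDA = "' + PAYLOAD_B64[:60] + '" +\n'
    '      "' + PAYLOAD_B64[60:] + '";\n'
    '  static final String BANNER = "' + DECOY_B64 + '";\n'
    "  void run() { byte[] dex = Base64.decode(BUDDA, 0); /* written to a file, then loaded */ }\n"
    "}\n"
)

if __name__ == "__main__":
    for blob in carve_dex(SAMPLE_CLASS):
        print("embedded DEX: %d bytes, magic %r" % (len(blob), blob[:8]))
```

The checksum and signature checks matter because decompilers split long string constants across several concatenated literals; joining them first and then verifying the header tells apart a genuine, loadable DEX from a partial or decoy blob.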

Following one of the receivers, resiverboot for android.provider.Telephony.SMS_RECEIVED, budda2.dex is invoked internally as shown in the image below:

RiciverSMS in budda2.dex contains the code that intercepts incoming SMS messages, as shown below:

As highlighted above, the StopSound function sets the ringer mode to 0 (RINGER_MODE_SILENT) so that the user is not alerted to incoming messages.

DelIndox and DelSent delete the messages from a particular originating address from the Inbox and Sent items respectively, as shown below:

It then sends these messages to the hacker as instructed by the command shown below:

This malware turns the compromised device into a bot: the installed malware keeps listening for commands from the C&C server and carries out its orders. The C&C can even instruct the malware to kill itself, as shown below:

All the collected information, including whether the bot is active or not, is sent to the hacker, whose infection-status dashboard is shown below:

This malware checks whether any of the banking apps, or other apps dealing with financial transactions, listed below is installed on the device. The list includes popular banking apps from around the world:

International:
com.amazon.mShop.android.shopping
com.ebay.mobile
com.westernunion.android.mtapp
com.htsu.hsbcpersonalbanking
io.coinmarketapp.app

India:
hdfcbank.hdfcquickbank
com.csam.icici.bank.imobile
com.axis.mobile
sbi.SBIFreedomPlus
snapwork.IDBI
idbibank.abhay_card
co.bankofbaroda.mpassbook
unionbank.ecommerce.mobile.android

USA:
com.wf.wellsfargomobile
com.westernunion.android.mtapp
com.usbank.mobilebanking
com.usaa.mobile.android.usaa
com.unionbank.ecommerce.mobile.android
com.thunkable.android.avenue_mitm.Polonix

Germany:
de.schildbach.wallet
de.postbank.finanzassistent
de.leowandersleb.bitcoinsw
de.langerhans.wallet
de.fiducia.smartphone.android.banking.vr
de.dkb.portalapp
de.consorsbank
de.commerzbanking.mobil
de.comdirect.android
mobile.santander.de

Australia:
org.stgeorge.bank
org.bom.bank
org.banksa.bank

Russia:
ru.yandex.money
ru.vtb24.mobilebanking.android
ru.simpls.mbrd.ui
ru.simpls.brs2.mobbank
ru.sberbankmobile
ru.rosbank.android
ru.raiffeisennews
ru.mw
ru.alfabank.mobile.android
com.webmoney.my

UK:
uk.co.bankofscotland.businessbank
com.barclays.android.barclaysmobilebanking
com.rbs.mobile.investisir
com.rbs.mobile.android.ubr
com.rbs.mobile.android.natwestoffshore

France:
net.bnpparibas.mescomptes
mobi.societegenerale.mobile.lappli
fr.lcl.android.customerarea
fr.laposte.lapostemobile
fr.creditagricole.androidapp
fr.banquepopulaire.cyberplus
fr.axa.monaxa

Turkey:
dk.ozgur.btcprice
com.vakifbank.mobile
com.pozitron.iscep
com.ziraat.ziraatmobil
com.ykb.android

Please note that apps such as document readers and Flash Players:

  1. Do NOT require device administrator privileges.
  2. Should not normally request permission to send, write or receive SMS.

Avoid installing applications that ask for these.
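The following is an added example, not code from the K7 posts or from any app: a manifest triage script that applies two points made on this page, the questionable permissions listed in the “Global Apps and Native Data” post above, and the rule just stated that a document reader or Flash Player has no business holding device-admin rights or SMS permissions. The manifest text is constructed (modelled on the permissions and receivers listed for this Trojan); on a real APK, feed it the AndroidManifest.xml that `apktool d app.apk` decodes. The permission grouping, the role table and the priority threshold are this example’s own assumptions.

```python
"""Triage an Android app's AndroidManifest.xml for the red flags discussed on this page.

Added example, not code from the K7 posts or from any app. SAMPLE_MANIFEST is
constructed; SENSITIVE, NO_SMS_NO_ADMIN and the priority threshold are assumptions.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # prefix of every android: attribute

# Permissions grouped by the kind of data they expose (this example's grouping, not an Android API).
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.GET_ACCOUNTS": "accounts",
    "android.permission.USE_CREDENTIALS": "accounts",
    "android.permission.MANAGE_ACCOUNTS": "accounts",
    "android.permission.AUTHENTICATE_ACCOUNTS": "accounts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_PHONE_STATE": "device identity",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.WRITE_SMS": "sms",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
}
SMS_ACTIONS = {"android.provider.Telephony.SMS_RECEIVED", "android.provider.Telephony.SMS_DELIVER"}
# Roles that never need SMS access or device-admin rights (the rule stated in the post).
NO_SMS_NO_ADMIN = {"flash player", "document reader", "media player"}

# Constructed manifest for a fake "Flash Player" with the traits described in the post.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Flash Player">
    <receiver android:name=".resiverboot">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def sensitive_groups(root):
    """Map each flagged data category to the declared permissions that grant it."""
    groups = {}
    for perm in sorted(e.get(A + "name") for e in root.iter("uses-permission")):
        if perm in SENSITIVE:
            groups.setdefault(SENSITIVE[perm], []).append(perm)
    return groups


def sms_receivers(root):
    """(receiver name, intent-filter priority) for every receiver listening for SMS broadcasts."""
    found = []
    for rcv in root.iter("receiver"):
        for flt in rcv.iter("intent-filter"):
            actions = {a.get(A + "name") for a in flt.iter("action")}
            if actions & SMS_ACTIONS:
                found.append((rcv.get(A + "name"), int(flt.get(A + "priority", "0"))))
    return found


def device_admin(root):
    """True if a receiver is guarded by BIND_DEVICE_ADMIN, i.e. the app registers as a device admin."""
    return any(r.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN" for r in root.iter("receiver"))


def triage(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return {"sensitive": sensitive_groups(root), "sms_receivers": sms_receivers(root),
            "device_admin": device_admin(root)}


def red_flags(report, claimed_role):
    """Reasons not to install an app that claims CLAIMED_ROLE, given its triage report."""
    flags = []
    if claimed_role in NO_SMS_NO_ADMIN:
        if report["device_admin"]:
            flags.append(f"a {claimed_role} does not need device administrator rights")
        if "sms" in report["sensitive"] or report["sms_receivers"]:
            flags.append(f"a {claimed_role} does not need to send, read or receive SMS")
    for name, prio in report["sms_receivers"]:
        if prio >= 1000:   # threshold is an assumption; malware typically asks for the maximum
            flags.append(f"receiver {name} sets priority {prio} to see SMS before the messaging app")
    if "overlay" in report["sensitive"]:
        flags.append("SYSTEM_ALERT_WINDOW lets the app draw over other apps (phishing overlays)")
    return flags


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    for group, perms in report["sensitive"].items():
        print(f"{group}: {', '.join(perms)}")
    for flag in red_flags(report, "flash player"):
        print("FLAG:", flag)
```

The intent-filter priority matters on Android versions before 4.4, where a high-priority receiver sees an SMS before the messaging app and can abort the broadcast; on 4.4 and later only the default SMS app receives SMS_DELIVER, which is why later banking Trojans also try to become the default SMS handler.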

As always we at K7 Threat Control lab make the following recommendations:
  • Use a top-rated mobile security product such as K7 Mobile Security to block any infection
  • Regularly update the mobile OS and security applications installed to be free of mobile malware
  • Carefully analyze the messages or alerts which apps display before taking any action
  • Refrain from installing apps recommended by strangers
  • Review the reputation of any app before downloading and installing it
  • Choose to download and install apps only from the official Google Play store
  • Do not enable “Download from Unknown Sources”

C&C server Image courtesy:
github.com/jacobsoo/J-Hunter/tree/master/Android

Dhanalakshmi.V & Baran Kumar.S

K7 Threat Control Lab


Virus Alert!

Thursday, April 6th, 2017

We at K7 Threat Control Lab recently encountered an incident that reiterates the power of social engineering in tricking smartphone users into installing bad stuff.

The picture above is self-explanatory. It is clearly a fake message, but it is made more convincing by displaying the device make and the current WiFi SSID of the victim, and by using Google’s colours and branding.

This scareware message attempts to coerce the user into downloading “the latest Antivirus App”. Judging by the countdown, “0 minutes and 00 seconds”, clicking the link “REMOVE VIRUS NOW” would have redirected the user to download some dangerous app, either from a third-party market or even from the Google Play Store. We never attempted the download, but the app may well have been a deceptor which claims to have found all manner of issues with the device, the fixing of which requires payment.

This fake message may have been generated on the Mi4i device itself (the place of manufacture also plays a role in a device’s integrity) or by the WiFi router to which the device was connected at the time.

Such specially crafted, user-specific messages exploit the user’s fear to push them into downloading the recommended app, thereby compromising their own device.

To avoid such unwanted circumstances we recommend that smartphone users:

  • Carefully analyse the messages or alerts which they receive before taking any action. Ignore irrelevant messages
  • Not install apps recommended by strangers
  • Use a top-rated mobile security product such as K7 Mobile Security to block any infection
  • Regularly update the mobile OS and security application installed to be free from mobile malware

K7 Threat Control Lab


Private Data Potentially Made Public Voluntarily

Friday, July 8th, 2016

Even an unintended person can view the personal information you post online, whether from a PC or from a mobile device. Sadly, there is a high probability of women being targeted, bullied or harassed. In a recent shameful incident reported in the news, a man in Delhi was arrested for harassing women in the region with unsavoury messages and phone calls after viewing their WhatsApp profile pictures.

Enhancements in social networking sites and their applications have attracted a huge user base, especially among youngsters. As we recommended in our previous blog, online users, women in particular, should be vigilant when posting personal information such as photos, contact details and addresses in any social networking forum, even applications that simply connect people nearby.

Women should also be aware that information shared online stays there forever and is open to public viewing. To reiterate, here are a few tips to avoid falling prey to such incidents.

  • Tweak privacy settings in applications carefully to prevent strangers from contacting you
    • WhatsApp > Menu Button > Settings > Account > Privacy
  • Avoid posting your personal pictures online such that anybody can view them
  • Never accept strangers to your contact list
  • Avoid sharing your personal information, especially photos, phone numbers, address, etc., online

Image courtesy:
stonehousedesigns.com

V.Dhanalakshmi
Senior Threat Researcher, K7TCL


K7 @ CARO 2016

Thursday, May 26th, 2016

The CARO Workshop 2016, held in Bucharest, Romania, between May 19-20 featured presentations from notable security vendors and researchers, with a focus on the application of machine learning to security. The keynote speech was by Dr. Ashkan Fardost, who, among other things, talked about connecting reindeer to the internet.

K7’s Gregory Panakkal and Georgelin Manuel participated in the CARO workshop with their presentation titled “A High-Performance, Low-Cost Approach to Large-Scale Malware Clustering”. Their popular talk suggested a technique to cluster huge numbers of malware files on commodity hardware. This presentation demonstrated clustering 2 million files on a machine with a modest configuration in under 3 minutes. The ideas exhibited were well-received, and attracted considerable attention from researchers who are thirsting for alternatives to distributed computing, which is currently the standard solution for handling large numbers of files.

Image courtesy of 2016.caro.org

Product Engineering Team


The Pen is Deadlier than … You Might Think

Thursday, May 19th, 2016

This blog intends to educate the general public about the security risks pertaining to pen drives (aka USB sticks/drives, thumb/removable drives), data storage devices that can store text, images, music, videos, etc., and ways of mitigating the risks.

These devices come in handy when the user wants to transfer data between computers. They’re small in size but can hold large amounts of data. However, the utility and ubiquity of pen drives introduce significant security risks.

Pen drives pose a major security challenge to IT administrators. Some surveys indicate that 70% of businesses have reported loss of data through USB devices. Being small, pen drives are easily misplaced or stolen and, if the data is not backed up, that can mean the loss of hours of hard work. An even bigger challenge is preventing infection from already-infected USB drives.

The AutoPlay feature in Windows is the key route by which PCs get infected automatically as soon as an infected pen drive is plugged in. AutoPlay causes removable media such as pen drives and CDs to open automatically when inserted; its companion, AutoRun, reads an autorun.inf file from the root of the drive and can launch the program named there without any further user action.

Hackers and autorun worms use this feature to run malicious executables from removable drives. USB as an infection vector is not new; many older but infamous malware families, notably Conficker, Sality and Gamarue, use USB as part of their infection vector.

It is to be noted that many computers still run Windows XP, for which Microsoft withdrew support in April 2014. Windows XP is popular among PC users, especially in India, and has AutoRun enabled by default for removable drives, so its users are at greater risk of an autorun infection than users who have updated to a recent version of Windows such as Windows 7, which ignores autorun.inf on USB drives by default. It is interesting to note that most of these autorun worms originated in Asia.

Pen drives also give malware a way to reach stand-alone computers that are not connected to any network: the person carrying the infected pen drive, knowingly or unknowingly, bridges the air gap between the stand-alone computer and the network. A pen drive used on an infected system (provided the infection is capable of spreading itself) is very likely to get infected in turn, and then spreads the infection to healthy computers simply by being inserted into them.
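The following is an added example, not code from this post: a small inspector for the autorun.inf file that AutoRun reads from a removable drive. The sample file is constructed; its binary junk lines imitate the padding autorun worms put between the real entries, which is why the parser skips anything it cannot read as key=value instead of relying on a strict INI parser. The recognised keys (open, shellexecute, shell\<verb>\command, action, icon) are the documented Windows AutoRun keys; the heuristics that turn them into findings are this example’s own.

```python
"""Examine an autorun.inf from a removable drive for entries that launch a program.

Added example, not code from the K7 post. SAMPLE_AUTORUN is constructed; the
findings in assess() are this example's heuristics, not a product's detection logic.
"""
import re

LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)   # shell\<verb>\command

SAMPLE_AUTORUN = (
    "[autorun]\r\n"
    "; constructed sample; the two binary lines imitate worm-style padding\r\n"
    "\x8f\x00\x12\xfeqz\x01\xff\r\n"
    "open=RECYCLER\\update.exe\r\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
    "\x7f\x02\x03kk\x00\r\n"
    "action=Open folder to view files\r\n"
    "shell\\open\\command=RECYCLER\\update.exe\r\n"
    "shell\\explore\\command=RECYCLER\\update.exe\r\n"
    "UseAutoPlay=1\r\n"
)


def parse_autorun(text):
    """Return the key=value entries of the [autorun] section; junk and comment lines are skipped."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue                                    # padding, or a line outside [autorun]
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()    # keys are case-insensitive on Windows
    return entries


def launch_targets(entries):
    """(key, command) pairs that AutoRun or the drive's context menu would execute."""
    return [(k, v) for k, v in entries.items() if k in LAUNCH_KEYS or SHELL_COMMAND.match(k)]


def assess(text):
    """Human-readable findings for an autorun.inf; an empty list means nothing suspicious."""
    entries = parse_autorun(text)
    findings = []
    targets = launch_targets(entries)
    if targets:
        findings.append("runs a program: " + "; ".join(f"{k}={v}" for k, v in targets))
    if "open folder" in entries.get("action", "").lower():
        findings.append("action= imitates Explorer's own 'Open folder to view files' entry")
    if "shell32.dll" in entries.get("icon", "").lower():
        findings.append("icon= borrows a system icon so the drive looks like a plain folder")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_AUTORUN):
        print("-", finding)
```

The action= and icon= tricks are what make the AutoPlay prompt look like the ordinary “Open folder to view files” choice, so a user who picks it runs the worm; the shell\<verb>\command entries do the same for the drive’s right-click menu.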

Hence we advise users to practise one or more of the following recommendations to overcome the risks associated with pen drives:

  1. Scan the pen drives for malware after sharing with your friends or family as a precaution against infections. Even if you have an up-to-date, reputable Anti-Virus Security product installed on your computer, your friends and family might not on theirs.
  2. Avoid using pen drives on public computers, e.g. at Internet cafes.
  3. If you have not already done so, install a world-class, up-to-date antivirus product like K7 Total Security.
  4. Use the autoscan feature, if any, in your Anti-Virus product to automatically scan all USB drives as they are connected to the system. Also schedule frequent, automatic scans on your PC to keep it infection-free.
  5. To prevent loss or theft of data, you may block USB devices from being used on your system. K7 Total Security has features to block pen drives and restrict read-write access to USB drives.
  6. Vaccinate your pen drive so that an autorun worm cannot infect it even when it is used on an infected machine. The usual vaccination creates a folder named autorun.inf in the root of the drive, which stops a worm from dropping its own autorun.inf file there; a worm that deletes the folder first can still get through, so treat this as one layer alongside the steps above.

Images courtesy of:
Com.net
Technologymess.com

Rathna Kamakshi
Manager – K7 Support


Caution: Free WiFi Ahead

Thursday, May 12th, 2016

Continuing our series on cyber security, following the two-part blog on digital signing, this eighth post aims to enlighten users on how to safely tread the open WiFi zones in public areas.

Free WiFi hotspots, a luxury in India not so long ago, have become the norm. With the Indian government aiming to take the Internet to last-tier cities, towns and villages, it is only a matter of time before we are enveloped in WiFi zones everywhere. This is aimed at bringing the wealth of information on the Internet to the masses. However, the omnipresence of WiFi could attract a great deal of sniffing and eavesdropping.

Open WiFi hotspots, though meant for the greater good, could become the medium for information security mishaps. Any data sent over an unprotected network can easily be monitored by a hacker with malicious intent using packet or network sniffing applications.

On an open WiFi hotspot the network traffic between your device and the access point is not encrypted, unlike a home WiFi connection, which should be secured by a WPA2 passphrase that encrypts the traffic over the air and shields it from eavesdroppers. Hence on an open WiFi connection, anything you send that is not itself protected at the application layer (for example by HTTPS) travels in the clear and can be captured with a packet sniffer. Imagine someone filling out an online form over plain HTTP; the submitted data flies across as plain text and can easily be grabbed off the air.

It is advisable to avoid internet banking, online shopping portals and communication apps when connected to open WiFi. It is also advisable to turn off network sharing on laptops, since shared resources are reachable by anyone on the same network, and a share without authentication is an easy target for intruders.

A user need not explicitly open an app with a security loophole on his or her mobile device to expose it. Most apps today keep looking for an active internet connection, either to push or retrieve notifications, and thereby expose any weakness in their network handling on an open WiFi connection. It is therefore advisable to restrict background data when on an open WiFi network.

Of course one cannot totally dismiss open WiFi as inherently unsafe; it is user practice that makes it safe or unsafe. Those who depend on open WiFi can use a VPN application, which carries their traffic to the network inside an encrypted tunnel, and should submit content only to websites that serve HTTPS with a valid certificate.

Images were courtesy of:
muraldecal.com
toonclips.com

K7 Threat Control Lab

IoT: What the Future Holds

Thursday, March 17th, 2016

Here is part six of the blog series on the Internet of Things, following on from IoT: How are We Going to Protect Ourselves?, which concludes the series with a brief idea of how we, as a security company, foresee the future of IoT security.

The problems that an IoT consumer might face apply to enterprises as well, on a larger scale. The risks could be even higher for enterprises because devices in industry, e.g. in a nuclear power facility or water plant, cameras in data centres, medical devices in hospitals, etc., could very well also be part of the IoT.

Data from millions of credit cards stolen…, hackers stealing the passwords of billions of customers…, cyber-criminals stealing intellectual property from world-famous XYZ company… these have been the subjects of breaking security news over the last couple of years.

In the future it would be awful to hear news like “Hackers stole billions of IoT data records”, “Cyber-criminals got access to a trillion IoT devices”, “Almost all the household appliances from XYZ country stopped working after a reported attack from ABC group”, etc. As a security company we consider such scenarios possible, but we would hate to see them materialise.

The next generation of spam messages will not be based on assumptions but precisely on the user’s IoT device usage and data, as is already happening with web search terms.

There could be a possibility of a new era of cyber war and cyber terrorism, but at the same time, we would like to welcome you all to the new world of cyber security protection!

Remember, the objective of this blog series was not to make users paranoid about IoT or to spread panic, but to create and spread awareness of how to stay secure in the more challenging world of IoT. By following simple but important protection steps, we should be able to protect ourselves better from IoT security dangers.

Here at K7 we have been protecting our customers and their information systems for more than two decades, and we intend to protect even their IoT devices, at home and elsewhere! We would like to witness the ‘Internet of Things’ turning into the ‘Internet of Secure Things’.

Image credits:
devicebar.com

Senthil Velan
Manager, Vulnerability Research


Don’t Read That Ransomware Spam Script! Seriously Bad Story.

Wednesday, March 9th, 2016

Beware of two aggressive ransomware spam campaigns which have been active for the past few weeks.

The screenshot above, of my own spam folder, exemplifies the typical theme used by the new ransomware kid on the block, “Locky”, and the latest version of an established ransomware, “TeslaCrypt”.

Although both spam runs pretend to be an “Invoice”, the next stage of the infection vector differs significantly between Locky and TeslaCrypt. Locky spam mails carry an attachment such as ‘scan_<number>.doc’, whereas the current TeslaCrypt spam carries a ZIP archive wrapping a JavaScript file, e.g. ‘invoice_<random alphanumeric>.js’.

The Locky DOC file contains a password-protected VBA macro. Note that, since macros can contain malicious code, they are disabled by default in Microsoft Word and should remain so. The objective of the Locky macro, as of the TeslaCrypt JavaScript, is to download and execute the respective ransomware payload EXE.

Typical malicious spam campaigns deliver the payload directly, as an EXE inside a ZIP attachment. Such attachments are easy to block at the email gateway, since they are considered high risk. It is harder to block non-EXE files at the gateway as a matter of policy, so the Locky and TeslaCrypt attachments are more likely to get past gateway filters onto the local computer. Thereafter, because the downloader runs as a script inside a standard, trusted interpreter (Word for the macro, the Windows Script Host for the JavaScript), the download and execution of the ransomware payload is less likely to be blocked by behavioural protection mechanisms such as HIPS and the firewall.

K7 has robust protection at multiple levels against both campaigns; however, as always, prevention is much better than cure. In the case of spam, it is best to avoid emails from unknown sources altogether, especially those that expect you to open an attachment or click on a link.
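The following is an added example, not code from this post: the kind of attachment check a mail gateway can apply to a ZIP wrapper of the sort described above, so that a script inside an archive is treated like the EXE it will fetch. The ZIP it inspects is constructed in memory to mirror the TeslaCrypt lure (invoice_<random>.js inside a ZIP) plus a nested archive; the extension list is this example’s own policy, not K7’s.

```python
"""Flag e-mail attachments whose ZIP wrapper hides a script or executable.

Added example, not code from the K7 post. build_sample() constructs the test
archive in memory; RUNNABLE is this example's own policy list.
"""
import io
import posixpath
import zipfile

# Extensions Windows will run (or hand to a macro-capable app) on double-click.
RUNNABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs",
            ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".jar", ".lnk", ".docm", ".xlsm"}
MAX_NESTING = 3   # stop descending into ZIPs inside ZIPs at this depth


def runnable_members(zip_bytes, prefix="", depth=0):
    """Paths (inside the archive) of every member whose extension is in RUNNABLE, nested ZIPs included."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = prefix + info.filename
            ext = posixpath.splitext(info.filename)[1].lower()   # last extension wins: invoice.pdf.js -> .js
            if ext in RUNNABLE:
                hits.append(name)
            elif ext == ".zip" and depth < MAX_NESTING:
                try:
                    hits.extend(runnable_members(zf.read(info), name + "/", depth + 1))
                except zipfile.BadZipFile:
                    hits.append(name + " (unreadable nested zip)")   # cannot inspect, so do not trust
    return hits


def build_sample():
    """Constructed lure: a ZIP holding invoice_7f3a9c.js, a harmless text file and a nested ZIP with an EXE."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("update.exe", b"MZ constructed, not a real executable")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice_7f3a9c.js", "// constructed downloader stub, does nothing\n")
        z.writestr("readme.txt", "plain text is fine\n")
        z.writestr("attachments.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path in runnable_members(build_sample()):
        print("block:", path)
```

Matching on the last extension is deliberate: a lure named invoice.pdf.js is still a script to Windows, and a nested archive is opened rather than waved through, which is the gap the ZIP-wrapped JavaScript above exploits.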

Samir Mody
Senior Manager, K7TCL
