
Archive for the ‘Security’ Category

“Now You See Me, Now You … Errr … See Me”

Wednesday, August 6th, 2014

Much has already been written about Win32/Poweliks, the touted fileless persistent malware.

The malware uses an embedded NUL within the key under the following registry path:


This non-standard use of NUL as part of the key name is not new. A similar trick was likely used by variants of more advanced malware such as ZeroAccess when creating helper files on disk. Regedit, a usermode process, is unable to read this key name, but that doesn’t mean the entry is invisible. In fact, K7’s rootkit scanner reveals the key with ease:

The other important point is that the infection chain involves a malicious Microsoft Office document containing a dropper Windows executable file, both of which must exist on disk as normal files, albeit ephemerally, and be executed before the above-mentioned registry entry can be created. This provides a fleeting opportunity to detect these vital components easily, and detect them we do as:

Trojan ( 0001140e1 )


Trojan ( 0049882d1 )


The techniques used by the malware to execute a JS-decoded DLL via a registry entry are indeed interesting, but there are still quite a few opportunities to flag the infection at various stages of the infection chain, including at the entry spam email stage itself. It remains to be seen if the malware evolves to employ more sophisticated techniques in future.

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

Tax Deducted @ Spam?

Tuesday, August 5th, 2014

‘tis the season for filing Income Tax Returns in India! Fa la la la la la la la!  To make the task easier, nowadays there are agencies that help people file their IT returns online. On 1st August 2014 one of the researchers in our lab received an email in his spam folder from an agency with the subject stating, Today is the last day for filing your Income Tax return, i.e. well after the deadline of 31st of July, IST, for filing returns.

The actual message received is shown in the image below:

What caught our attention is that, on hovering over the button “File your Income-tax return Today!”, the website in the hyperlink was different from the website address the email claimed to come from. The resulting website, when you click on this button, asks for sensitive information like PAN card and bank account details.

Further investigation identified the websites as clean. However, the Government of India has consistently advised against carrying out these kinds of sensitive activities through unauthorized third-party websites, to avoid any unhappy situations, as explained in the following popup image from, the bona fide portal through which ITRs ought to be filed:

The websites involved in such ITR-filing activities seem to be unaware of the future consequences of their ill-thought-out email campaigns to promote their businesses.

It’s a known issue that hackers are always in search of new ways to harvest private/critical information from users for their own gain. The strategy used here by the third-party agency, redirecting to its own tax-filing page, might also be used by hackers in phishing activities to exploit GOOD RETURNS!

Let’s now look at other facets of the above email which increase suspicion levels:

  1. The email is not addressed to the receiver but rather to a generic “Hello [NAME]”
  2. Questions are to be emailed to an email domain name which appears, at first glance, to originate from outside India

No wonder this email, which by the way was received TWICE within a short span of time, ended up automatically in the spam folder.

Vivek Das
Automation Developer, K7Lab


URL “Falls” Positive

Thursday, July 24th, 2014

Occasionally, we at K7 Threat Control Lab receive reports from our clients that a website they visited is being blocked by our product, claiming it as a URL false detection. In many such cases, our investigations have shown that the reported URL has in fact been injected with malicious scripts.

Recently, we came across one such incident from a client regarding an Indian government site being blocked.

When analyzed, many of the pages on that website were found to be injected with a JavaScript pointing to a randomly named PHP file “QwYygBKV.php” as shown in the image below.

It is likely that the web server was compromised by remote hackers via exploitation of some vulnerability. Here is the code which writes the script tag into the HTML files:

In spite of the random name, the above-mentioned PHP file was found on many other domains as well. Even though the web page to which the URL redirects is no longer alive and returns a “404” error, the reported website is still detected because its pages hold the link to malicious content. Interestingly, the malicious PHP was hosted on the reported domain itself; usually the link is a redirection to another malicious website.

In this case, the administrator has possibly removed the aforementioned PHP file. Unfortunately, the infection is not cleaned completely: the web pages still carry the link to the currently unavailable malicious content.
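As an added example (not K7’s code), the following Python script performs the content-integrity check a site administrator could run over their own pages: it lists every script source on a page and flags references to PHP endpoints, random-looking file names like the one above, and hosts outside an allowlist. The sample page, the site host name and the threshold values are constructed for the example.

```python
"""Scan HTML pages for injected <script src=...> references of the kind
described in the post: a script tag pointing at a randomly named PHP file.
Added example, not K7's code; the sample page below is constructed."""
import math
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def shannon_entropy(s):
    """Bits per character; random 8-char names sit near 3.0, dictionary words lower."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_random(filename):
    """Heuristic (thresholds are assumptions): mixed case, few vowels and high
    entropy, which is what a generated name like 'QwYygBKV' looks like."""
    stem = filename.rsplit(".", 1)[0]
    if len(stem) < 6:
        return False
    mixed_case = any(c.islower() for c in stem) and any(c.isupper() for c in stem)
    vowel_ratio = sum(c.lower() in "aeiou" for c in stem) / len(stem)
    return mixed_case and vowel_ratio < 0.3 and shannon_entropy(stem) > 2.5


def classify_script_src(src, site_host, trusted_hosts=()):
    """Return a reason string when the script reference is suspicious, else None."""
    parsed = urlparse(src)
    basename = parsed.path.rsplit("/", 1)[-1]
    host = parsed.netloc.lower()
    if host and host != site_host.lower() and host not in trusted_hosts:
        return f"external script host {host}"
    if basename.lower().endswith(".php"):
        # Script code served by a PHP endpoint is the pattern seen in the post.
        return f"script served by a PHP endpoint ({basename})"
    if looks_random(basename):
        return f"random-looking script name ({basename})"
    return None


def scan_page(html, site_host, trusted_hosts=()):
    """Return [(src, reason)] for every suspicious script reference in the page."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        reason = classify_script_src(src, site_host, trusted_hosts)
        if reason:
            findings.append((src, reason))
    return findings


# Constructed sample page: two legitimate includes and one injected tag.
SAMPLE_PAGE = """<html><head>
<script src="/js/jquery.min.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
</head><body>
<p>Welcome</p>
<script src="/QwYygBKV.php"></script>
</body></html>"""

if __name__ == "__main__":
    for src, reason in scan_page(SAMPLE_PAGE, "www.example.gov.in",
                                 trusted_hosts={"www.google-analytics.com"}):
        print(f"{src}: {reason}")
```

Run over a crawl of the whole site rather than a single page, since the post notes that many pages carried the injected tag after the PHP file itself was gone.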

We have informed the concerned authority of the reported website about the scenario and the recommended course of action.

One would hope that such incidents remind administrators that, when weeding websites of infections, identifying and patching the vulnerabilities that were exploited in the first place, and ensuring the integrity of the website content, are as important as removing the malware component itself.

As for K7 users, this website shall remain blocked since the loophole that the attacker exploited to host this file on the site might still be at large.

Malware Analyst, K7TCL

(Part 1)

Tuesday, July 22nd, 2014

This is the first part of a three-part blog based on my paper for AVAR 2012 that discusses the security challenges involved in adopting two relatively new technologies, namely, Internet Protocol Version 6 and Internationalized Domain Names.

The Internet landscape is about to witness profound changes with the mass adoption of Internet Protocol Version 6 (IPv6) and Internationalised Domain Names (IDNs) in the near future. While these developments have the potential to be immensely beneficial, they also present certain challenges to the security industry which need to be addressed. These changes not only increase the attack surface for malware authors and spammers, but also render traditional methods of URL and spam blocking obsolete.

The exhaustion of the 32-bit IPv4 addresses assigned by the Internet Assigned Numbers Authority (IANA) has led to the roll-out of its 128-bit successor, IPv6. This provides a significant increase in the address pool available for assigning unique IP addresses, not only to computers but also to other Internet-connected devices. Spammers and malware authors now have a far larger address space to infect and cycle through, vitiating existing methods of detecting spam/malware URLs.

The Internet Corporation for Assigned Names and Numbers (ICANN) has expanded domain names to include non-ASCII based IDNs in a user’s native language script. While these transitions have the potential to localise the global Internet, they also provide cyber criminals (spammers/phishers/malware distributors) enhanced opportunities for exploitation, especially via social engineering.

These cyber criminals will now have the ability to redirect a user to a URL with a character set unfamiliar to him/her. Given the exponential increase in the number of URLs shared among users in our socially inter-networked world, validation of these URLs by the user prima facie now becomes much more complicated, leading to a higher compromise success rate for cyber criminals.

This paper describes the imminent major changes to the Internet networking infrastructure. It attempts to explore the security challenges involved in these milestone developments and presents potential solutions to address them.

The IPv4 Clock is Ticking

The expansion of the Internet from an esoteric academic project to a publicly accessible resource, coupled with the surge of Internet-enabled devices over the last decade, has contributed to the shrinking pool of available IPv4 addresses.

Fig.1 depicts the number of expected Internet enabled devices and Internet users by 2016, and how they measure up with the number of IPv4 addresses available.

Fig.1: Number of connected devices & Internet users by 2016 [1]

Conservation efforts like Network Address Translation (NAT), Classless Inter-Domain Routing (CIDR), reclaiming unused addresses, etc., only prolonged what was unavoidable: the depletion, and eventual exhaustion, of IPv4 addresses.

Given that ICANN, which is responsible for distributing IP addresses, gave away the last block of IPv4 addresses to the five Regional Internet Registries (RIR) in early 2011 [2], the need for change is rather pressing.

IPv6 to the Rescue

This IPv4 address crunch has been anticipated for many years, and the Internet Engineering Task Force (IETF) has been working on refining IPv6, the successor to IPv4, since the early 1990s [3]. This version of the Internet Protocol can support up to 300 undecillion addresses, compared to the relatively minuscule 4 billion, a number smaller than the current world population, offered by its predecessor. Apart from this massive increase in address space, the IETF also built other features into IPv6, such as support for IPsec, auto-configuration of devices, etc. [4]

These benefits, along with the availability of IPv6 from ISPs and increased end-user device support and IPv6 content, will ensure the adoption of IPv6 in the years to come, eventually making it the dominant Internet Protocol.

Fig.2 shows that, as expected, the percentage of users accessing Google over a native IPv6 connection has seen a steep rise over recent times.

Fig.2: Percentage of IPv6 users accessing Google [5]
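The point made above, that a sender can cycle through an address space too large for address-by-address blocking, can be seen with a small experiment. The following Python is an added example, not the paper’s own proposal: it compares an exact-address blocklist with one keyed on the /64 prefix (the usual end-site allocation), using constructed addresses from the RFC 3849 documentation range.

```python
"""Why exact-address blocklists degrade under IPv6: once listed, a sender can
hop to any of the 2**64 other addresses in its /64, while a prefix-keyed list
still matches. Added example, not the paper's code; all addresses are
constructed from the 2001:db8::/32 documentation range."""
import ipaddress


class ExactBlocklist:
    """IPv4-era approach: one entry per offending address."""

    def __init__(self):
        self.addrs = set()

    def add(self, addr):
        self.addrs.add(ipaddress.ip_address(addr))

    def is_blocked(self, addr):
        return ipaddress.ip_address(addr) in self.addrs


class PrefixBlocklist:
    """Key entries on the customer-sized prefix instead: /64 for IPv6 (assumed
    end-site size) and /32 for IPv4, so the two families share one structure."""

    def __init__(self, v6_prefix=64, v4_prefix=32):
        self.nets = set()
        self.v6_prefix = v6_prefix
        self.v4_prefix = v4_prefix

    def _net(self, addr):
        ip = ipaddress.ip_address(addr)
        plen = self.v6_prefix if ip.version == 6 else self.v4_prefix
        # strict=False masks the host bits so any address maps to its prefix
        return ipaddress.ip_network(f"{ip}/{plen}", strict=False)

    def add(self, addr):
        self.nets.add(self._net(addr))

    def is_blocked(self, addr):
        return self._net(addr) in self.nets


# Constructed sample: the sender is listed once, then cycles through its /64.
SPAM_SOURCE_SEEN = "2001:db8:4242:1::10"
LATER_SENDERS = [
    "2001:db8:4242:1::10",
    "2001:db8:4242:1::11",
    "2001:db8:4242:1:8a3f:1c00:9b2e:7d01",
    "2001:db8:4242:1:ffff:ffff:ffff:fffe",
    "2001:db8:4242:2::10",  # a different /64: blocked by neither list
]


def count_blocked(blocklist, senders):
    return sum(1 for s in senders if blocklist.is_blocked(s))


def compare():
    """Return (hits with exact matching, hits with /64 matching) for the sample."""
    exact, prefix = ExactBlocklist(), PrefixBlocklist()
    exact.add(SPAM_SOURCE_SEEN)
    prefix.add(SPAM_SOURCE_SEEN)
    return count_blocked(exact, LATER_SENDERS), count_blocked(prefix, LATER_SENDERS)


if __name__ == "__main__":
    exact_hits, prefix_hits = compare()
    print(f"exact-address list caught {exact_hits} of {len(LATER_SENDERS)} senders")
    print(f"/64-prefix list caught {prefix_hits} of {len(LATER_SENDERS)} senders")
```

Prefix-keyed blocking trades precision for coverage: a /64 shared by many customers (as with some hosting providers) will produce collateral blocking, so the prefix length should follow the allocation policy of the network in question.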

What’s in a Domain Name

The demand for Internationalised Domain Names (IDNs) has always existed, given that 60% of the countries around the world have an official language other than English [6]. ICANN, which has domain names within its remit, has recently started allowing IDNs to satisfy this unmet demand.

The introduction of IDNs allows non-ASCII character sets like Arabic, Cyrillic, Tamil, Hindi, Chinese, etc, to be included in a domain name, potentially paving the way for a truly globalised Internet.

These IDNs are converted into ASCII using Punycode, an encoding syntax invisible to the user, which allows for standard domain name resolution.

Fig.3 shows a domain name in English, its (nonexistent) IDN equivalent in the Tamil script, and the Punycode representation of the IDN which is used for domain name resolution.

Fig.3: Domain Name, IDN, Punycode representation

The current demand for IDNs, combined with registrars offering them at a cheaper price than regular domains, could see a surge in the number of non-English sites registering domain names in their local language.
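The Punycode conversion of Fig.3 and the validation problem raised earlier (a URL in a script unfamiliar to the user) can both be worked through in a few lines. This is an added example, not the paper’s code: it converts between the Unicode and “xn--” forms with Python’s standard IDNA codec and flags labels that mix scripts, the pattern behind look-alike domains; the domain names used are constructed samples.

```python
"""Convert IDNs to and from their Punycode ("xn--") form and flag labels that
mix Unicode scripts, which is how a Latin-looking name can hide a character
from another script. Added example, not the paper's code; the domains in the
__main__ block are constructed samples."""
import unicodedata


def to_punycode(domain: str) -> str:
    """Python's 'idna' codec applies nameprep and Punycode label by label
    (RFC 3490/3492); ASCII labels such as 'com' pass through unchanged."""
    return domain.encode("idna").decode("ascii")


def from_punycode(domain: str) -> str:
    """Reverse direction: the form a resolver sees back to what the user sees."""
    return domain.encode("ascii").decode("idna")


def scripts_in_label(label: str) -> set:
    """Return the set of scripts used by the letters of one label, taken from
    the first word of each character's Unicode name (e.g. 'CYRILLIC', 'TAMIL').
    Digits, hyphens and combining marks carry no script of their own."""
    scripts = set()
    for ch in label:
        if ch.isascii():
            if ch.isalpha():
                scripts.add("LATIN")
            continue
        if unicodedata.category(ch).startswith("M"):
            continue  # vowel signs, virama etc. belong to the base letter's script
        name = unicodedata.name(ch, "")
        if name:
            scripts.add(name.split(" ", 1)[0])
    return scripts


def mixed_script_labels(domain: str) -> list:
    """Labels that combine more than one script, e.g. Latin 'p' next to
    Cyrillic 'а' (U+0430). A single-script IDN such as 'пример' is not flagged."""
    return [lbl for lbl in domain.split(".") if len(scripts_in_label(lbl)) > 1]


def describe(domain: str) -> dict:
    """What a URL checker could show the user before they click."""
    return {
        "unicode": domain,
        "punycode": to_punycode(domain),
        "mixed_script_labels": mixed_script_labels(domain),
    }


if __name__ == "__main__":
    # Constructed samples: a genuine Cyrillic IDN and a Latin/Cyrillic look-alike.
    for sample in ("пример.рф", "p\u0430ypal.com"):
        print(describe(sample))
```

Mixed-script detection is one signal, not a verdict: whole-label look-alikes in a single script (every letter Cyrillic) pass this check, which is why browsers also consult per-TLD policies and confusable tables before rendering an IDN in Unicode form.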

To be continued…

[4] Information on

Images courtesy of &

Lokesh Kumar
Manager, K7 Threat Control Lab


Paranoid Android? (Part 2)

Thursday, June 26th, 2014

This is the second part of a two-part blog based on my paper for AVAR 2011 that discusses the Android Threat Landscape and the ways of mitigating the risk.

Continuing from the first part of my paper…

Threat Store

Similar to the change in the malware trend for PCs, the trend in Android threats has also changed. During the early stages, most Android threats were of low severity: compromised devices were used to send out SMSs or make calls to premium-rate numbers without the user’s knowledge, e.g. Trojan-SMS.AndroidOS.FakePlayer.a [Kaspersky].

Towards the end of 2010, Android malware took a different shape, with botnet behaviour that works on a Command & Control (C&C) model, awaiting remote commands from the malware author. Depending on the commands received, most such malicious applications either download other applications or send out confidential data, unique device identifiers and the SIM card number to the malware author. Trojan.AndroidOS.Geinimi is one such malware, which takes pride in behaving like a bot.

Some malware avail of certain vulnerabilities to gain root access to the device and perform their desired actions. The infamous TrojanSpy:AndroidOS/DroidDream.A (aka Backdoor.AndroidOS.Rooter.a [Kaspersky]) is of the kind that acquires root access to the victim’s device. DroidDream is often found bundled with legitimate applications, such as games, and gets installed along with the original application. The first time round it requires user intervention to start. Once the infected application is started, it uses the PoC exploit called Exploid to gain root access; if this fails, it tries another PoC exploit, RageAgainstTheCage. Once root access has been secured, DroidDream checks whether the DownloadsManager package is installed on the device and, if not, installs the application that it carries within itself into the system/apps directory. This time the user is not asked for the permissions needed to install the application. The malicious DownloadsManager application installs silently in the background and starts the specified service. This application can now act on the commands from the C&C server.

The recent Android malware trend has advanced further. Android threats can now even make new outgoing calls, record the conversation on calls without the user’s knowledge, monitor and log the activities of the user in the device, and pass on all of this information to the malware controller. Trojan.AndroidOS.NickiSpy, mentioned earlier, functions as described.

Let us have a quick look at the behavior of some of the known Android malware, which were found since August 2010. The threats are listed in chronological order:

Threat Name | Behavior
Trojan-SMS.AndroidOS.FakePlayer.a, Trojan-SMS.AndroidOS.FakePlayer.b, Trojan-SMS.AndroidOS.FakePlayer.c | Manual install, distributed via SMS, sends out SMS to premium rate numbers, third party market
AndroidOS_Droisnake.A | Manual install, sends out GPS information to a server, downloads an application and gains user data, Android Marketplace
Trojan-Spy.AndroidOS.Geinimi.a | Both manual and automatic install, botnet, works on C&C method, third party Chinese market
Trojan-Spy.AndroidOS.Adrd.a | Less severe version of Trojan-Spy.AndroidOS.Geinimi.a, manual install only, botnet, works on C&C method, third party Chinese market
Trojan-Spy.AndroidOS.Adrd.c | Manual install, works on C&C method, third party Android Marketplace
Backdoor.AndroidOS.Rooter.a (well-known as DroidDream) | Manual install, first to exploit Exploid and RageAgainstTheCage code, gains root access, Android Marketplace
Backdoor.AndroidOS.SerBG.c | Manual install, Android Marketplace, gains root access, bundled with a security tool released as a DroidDream cure
Android.Zeahache | Manual install, gains root access, first found in a Chinese application downloaded from a Chinese application market
Trojan.AndroidOS.Pirater.a | Manual install, both Android and third party markets, sends out SMS or makes calls to premium rate numbers, gathers information like phone status and network status, accesses the address book, also capable of malfunctions like switching the phone on or off
Backdoor.AndroidOS.Adsms.a | Distributed via SMS, targets Chinese users, installs a configuration file that sends out SMS to premium rate numbers, Android Marketplace
Trojan-SMS.AndroidOS.Raden.b | Manual install, Android Marketplace, targets Chinese users to send out SMS to premium rate numbers
Trojan-Downloader.AndroidOS.DorDrae.b (well-known as DroidDreamLight) | New version of DroidDreamLight, manual install, works on C&C method, Android Marketplace
Backdoor.AndroidOS.KungFu.b | Both manual and automatic install, gains root access, works on C&C method
Android.Basebridge | Manual install, third party market, gains root privileges, sends out SMS to premium rate numbers, capable of malicious functions like making calls, deleting all inbox messages, etc.
Trojan.AndroidOS.Plangton.b | Both manual and automatic install, Android Marketplace, sends out the device information to a remote server, downloads a file from the remote server that monitors all activities and sends back the information to the remote server, works in C&C fashion
Backdoor.AndroidOS.Xsider.b | Both manual and automatic install, third party market, targets Chinese users and those who use custom ROMs
Android.Golddream | Both manual and automatic install, third party and Android Marketplace, works on C&C method
Trojan-Spy.AndroidOS.Smser.a, Trojan-SMS.AndroidOS.Hispo.a | Manual install, third party market, sends out all the SMS from the compromised device to a remote location
Android/Sndapps.A | Manual install, Android Marketplace, works on C&C, sends out personal information like email addresses and numbers in the contact list to a remote server
Android.NickiSpy | Manual install, third party market, first to spy on user conversations, records and sends them to a remote server, works on C&C method
Trojan-Spy.AndroidOS.Cosha.a (well-known as Android.LuvTrap) | Manual install, Chinese third party market, downloads premium rate numbers from a website and sends out SMS to those numbers while masking the confirmation alerts from users
Android.Premiumtext | Manual install, third party market, sends out premium rate SMS
Android.Nickibot | Manual install, third party market, newer version of NickiSpy, but controlled by SMS messages instead of C&C messages
Android.Dogowar | Manual install, third party market, sends out SMS to all of the contact numbers

Table 1: Android Malware from August 2010 to September 2011

The list in Table 1 is extensive but does not include malware seen after the period mentioned. Some of the malware were found bundled with Chinese applications when first spotted, and most Android malware is believed to originate in Russia or China.

With the advancement in technology, smartphones play a vital role in managing business communications. There is a huge risk that sensitive data stored on smartphones may get stolen. Mobile security reports reveal the immense growth of Android malware since 2010, as exemplified in Table 1. All Android users should be aware of the risks of infection, and the possible ways of safeguarding themselves.


Most of the time, users downloading applications for their PC or mobile device are impatient when reading through the licence agreement or any alerts that pop up during installation. They tend to simply click ‘OK’ to proceed. Hackers find that gaining the user’s own permission is the easiest way of compromising a mobile device. This process is called “social engineering”, a classic exploitation of “PEBCAK”, i.e. “Problem Exists Between Chair And Keyboard”, when applied to PCs. In the case of mobile devices, a more appropriate acronym could be …“SUPER”, i.e. Smart User Prevents Error Root.

Social networking plays a major role in the modern world and is a widely used global communication medium. Hackers take advantage of smartphone users who use social networking, often via applications that trick the user into granting the permissions needed to access the contacts list or email address book. Once these permissions are granted, it may be possible to send out unwanted SMS or spam mails from the compromised device. Users have the responsibility to pay close attention to the permission levels they grant to the applications they install, deciding whether each application really needs the requested Capabilities to perform its activities. Of course, this is no easy task, given that many users may be technically unable to gauge the specific permissions required per application. More information and education in this respect might be helpful.

Additionally, users need to be aware of how the applications they download are used and where they are downloaded from. Users are strongly recommended to download applications from the established and dedicated online Android application market (now the Play Store), rather than from a new or unknown source. This reduces the risk of becoming a malware victim to an extent, since the well-known markets are scrutinized on a regular basis and infected or malicious applications are cleared off. It also helps that applications from the Android Marketplace (now the Play Store) come with review comments and a reputation level. This may guide the user in validating applications prior to install.

Users, as always, should have updated security software installed to protect their devices from being hijacked. Security software will block known malware, whilst also monitoring the runtime behavior of applications such that any malpractice identified would be blocked. Security software could also block access to unwanted or blacklisted websites, in addition to blocking suspicious network activity without explicit user consent.

Some Android security software products include Parental Control in their feature lists, which helps users either blacklist or whitelist a contact number; this holds good even for SMS services. Users would then be able to add contact information to a whitelist database, restricting the numbers to which SMS can be sent.

As Android malware aim at obtaining root access, a few security products go a step further and identify whether the device is ‘rooted’, warning the user accordingly. This feature also explicitly alerts the user if any application requests root access.

In the event that a phone is lost or stolen, in which case all the information stored on the phone is exposed to the outside world, some security software gives users the ability to remotely wipe the data from the stolen device and block the device itself, with an online data backup to recover the lost data.

With Freedom Comes Great Responsibility

Google’s target to spread Android in Asia is being achieved with great success, as exemplified by the Android sales graph, which shows a persistent upward trend. Cost-effective Android phones have already conquered much of the smartphone-user and gadget-lover market. However, the popularity of Android makes it a viable and tempting target for hackers, and therefore the increasing spread of Android-specific malware is to be expected.

Current Android malware functionality ranges from sending SMS (to premium rate numbers) to stealing confidential data and being controlled via remote Command & Control servers. Hackers use online Android application markets as a pathway onto the victim’s device. It’s a must that users make themselves well aware of the online stores, which must be of good repute, from which they download applications.

The Android OS strives to fulfil the user’s demand for security features within its current security model. The concept of permissions via application ‘Capabilities’ holds good, to an extent, in protecting the device from abuse. However, hackers use clever social engineering techniques to entice users into granting the requisite permissions to their malware programs. Users should be wary of attempts to trick them into granting permissions which are inconsistent with the advertised functionality of the application in question.

It goes without saying that each device should have security software installed to detect and block any untoward activity. However, as the proverb goes, “Prevention is better than Cure”. User education and vigilance would go a long way in mitigating the spread of Android malware, and users have a role to play in this respect.

Images courtesy of:

Malware Analyst, K7TCL


Paranoid Android? (Part 1)

Wednesday, June 18th, 2014

Since we recently added K7 Mobile Security to our portfolio of security products, we thought it would be apt to revisit one of my research papers that discusses the Android Security Model and the Android Threat Landscape. Here is the first part of a two-part blog based on my paper submitted for AVAR 2011. The Threat Landscape is still relevant today.

Evidently there has been a large and sustained growth of Android use in Asia in recent times. With the increasing popularity of Android comes the danger of malware attacks. Studies on Android mobile security reveal that the growth rate of Android threats is at a faster pace than that for computer malware at the development stage.

Given that the Android business model allows users to download new applications from the internet, social engineering will no doubt play a major role in propagating malware. Thus far, most of the identified Android threats avail of this simple route to reach a victim’s device, then obtain the user’s permission to get installed, and finally make use of potential flaws in the Android security model to send out confidential data. The consistent increase in the number of threats suggests it is high time users are made aware of the possible ways in which their device could be compromised, so that they can safeguard against attacks. In addition, users need to be made aware of the current Android threat landscape to help identify and isolate the applications that could contain malicious code.

This paper will discuss the Android Security Model, and hopes to present a detailed account of the nature of the Android threat landscape so that users in Asia and elsewhere are made aware of the dangers involved in the use of Android, whilst also focussing on the ways and means of mitigating the risk.

Nurturing a Behemoth

The year is 2008. Android, the mobile operating system developed by Google, gains in popularity amidst other leading mobile platforms like iPhone OS, Symbian or Windows Mobile, because of its open source status. The success of Android mobiles will be a chain reaction, feeding on its own popularity, since people would prefer cost-effective devices with smartphone-like features rather than costly mobiles with a load of gimmicks.

Unlike Windows Mobile, iOS and BlackBerry, which have a limited number of applications and strict copyright policies, Android users have a choice of many applications. In other words, the openness of the Android application development environment allows application developers and handset manufacturers to develop customized applications which suit customer requirements. This also paves the way for new business opportunities for Android application developers.

The Android operating system incorporates the Dalvik VM, mainly so that applications can run even on low-end mobile models with minimal memory usage. This stands as yet another advantageous feature of the Android platform, as it overcomes the complaint of high memory usage, which results in application slow-down, reported by users of other high-end mobile platforms.

Given the above characteristics, Asian users are migrating to Android phones at a phenomenal pace, and Google’s plans to capture the smartphone market in Asia are succeeding. However, this increasing popularity provides hackers and malware authors an irresistible opportunity for exploitation and financial gain, and the number of Android mobile malware in the wild has grown at a very high rate, despite Android’s seemingly adequate security features.

Hark! Who Goes There?

Android was developed with the idea of delivering a cost-effective smartphone with almost all of the features of a ‘real computer’. This idea is greatly facilitated by allowing users to install applications of their choice. Unlike Apple or other smartphone markets, Android users are not restricted to downloading applications solely from one dedicated, proprietary site, i.e. Google’s Android Marketplace, but are free to obtain programs from different marketplaces. This idea of an open market exposes the user to a higher security risk; however, Google has incorporated certain security features to protect users from malware attacks, with a negligible compromise on performance or flexibility.

With security as the target, Android isolates applications installed on the device from each other at the system level by assigning each application, and its dedicated process, a unique user identity that is visible only to the system. Whenever an installed Android application or one of its components is called to perform an action, the Linux kernel identifies the application by its assigned user ID and starts the corresponding process in its own sandbox. No two processes generally run with the same user ID, i.e. within the same process space. This helps protect applications from intrusion by other applications. If the same user ID needs to be shared by two applications, this can be arranged at install time, provided both applications are signed with the same certificate. Note that Google allows application developers to upload self-signed applications to the marketplace, i.e. the programs do not necessarily have to be signed by an independent certificate authority. The point of the certificate concept is to distinguish the application author, and a formal registration process is in place.

The security enforcement of the Android OS is further strengthened by the concept of Capabilities of components. Applications have a manifest file which defines the API levels they need and, most importantly, the Capabilities, in other words the access permissions over and above the default level for the Dalvik VM, that each of the application’s components needs to access device data. An application’s or component’s Capabilities to access another application’s components or the device data are declared statically at install time, perhaps requiring explicit user consent, and cannot be changed dynamically. Inter-application communication happens only if the requesting application, the caller, has the authorized Capabilities with respect to the callee application.

In the above figure, Application 1 with Capabilities X is authorized to access a component of Application 2, and Application 2 with Capability Y is authorized to access a component of Application 3. Application 3 does not have the Capabilities to access the components of Application 1 or Application 2. All 3 applications run within their own Dalvik VMs and their access permissions are enforced by the Android OS.

Please Sir, Can I have MORE?

Since inter-component communication is really based on the Capabilities of the applications, and these Capabilities may require explicit user consent, malware applications can pretend to be legitimate and entice users into granting permissions to access sensitive areas such as device or user data, the network, etc. Access permissions have to be requested and granted at install time itself. These malicious applications therefore rely on social engineering techniques to receive the Capabilities they need to accomplish their tasks.

Hackers are able to enter the Android Marketplace by exploiting the fact that applications can be self-signed, as mentioned earlier. Hackers upload self-signed malicious applications to the market bundled with legitimate applications. For instance, the Android malware NickiSpy is supposedly part of an alarm receiver, but it gains access from the user to make or cancel calls, send out SMS to the numbers in the contacts list, and perform other actions, by requesting permissions through its manifest file. Let us have a look at NickiSpy’s manifest file:

Nickispy, supposedly a simple Alarm Receiver application, requests the permissions listed in the figure below from the user:

In fact Nickispy sends out data without the user’s knowledge.

…To second part


Malware Analyst, K7TCL


Volume III: Who aM I? Confessions of an Obfuscated JS Worm

Friday, March 28th, 2014

This is volume III (…a lengthy one…) of a three part series based on our (Kaarthik RM and Rajababu A) paper for AVAR 2013, discussing the prevalence of autorun malware in the Asian region and taking it further by analyzing an example of such malware.

Carrying on from where we left off earlier…

How Do I Do It?: Obfuscation and Encryption, Immediate-Invocation Techniques

This JavaScript worm employs heavy obfuscation, encryption and immediate-invocation techniques to protect itself from prying eyes, which reduces readability to a large extent.

Figure 1: Image Showing a Single Line of Script with Around 40K Characters

From the screenshot above it is evident that the script contains just one line of forty four thousand and odd characters.

The script makes heavy use of random strings as variable names. At 7-9 characters each they look uniform, but they are not. In the function expression, the four parameters are unique: their first three characters and last two characters are the same, with random characters filled in between.

Formatting the above script (as shown in Figure 1) using tools like Malzilla [1] introduces some readability into the script. Note that the function expression is enclosed within parentheses, and once the expression ends another set of parentheses encloses a large string (an encrypted string in our case). This form of invoking a function without explicitly calling it is widely known as a ‘self-executing anonymous function’ [3] or ‘Immediately-Invoked Function Expression’ [2].

Below is the first level of obfuscation in the script:

Figure 2: Obfuscated Script with Simple Formatting Applied

This worm deploys its script as a ‘self-executing anonymous function’ / ‘Immediately-Invoked Function Expression.’ To understand this better consider the below example:

Figure 3: Normal Function

The above shows a normal function expression and how it is invoked.

Now consider this:

Figure 4: Immediately-Invoked Function Expression

Here the expression and the invocation happen together: the function expression is immediately invoked by supplying the argument along with the expression, as shown below:

Figure 5: Expression and Argument

The expression is highlighted in red and the argument in green. The underlying point here is that this function doesn’t need an explicit invocation to get started. The code shown in Figure 2 has just a single function expression with four parameters. The actual arguments are however found within the last pair of parentheses; the function decrypts these encrypted strings into another script, as shown in Figure 6:

Figure 6: Second Level of Decryption

This first level of decrypted code is again an immediately invoked function. It in turn decrypts into another script and an array of strings.

Figure 7: Screenshot Showing Array Values Being Referenced

This second level of decrypted script refers to array values at indexes 0 to 380; these values are looked up from the array shown in Figure 8.

Figure 8: Array of Strings Showing What Will be Referenced in the Script

Applying the appropriate array values in the script made it more readable. One can conclude that the indirection was done to hinder readability.

Figure 9: Final Script with Array Values Replaced

The script in Figure 7 turns into the script shown above (Figure 9) once we substitute the array values. From the screenshot it is clear that the worm is trying to extract several pieces of sensitive system and user information via the “Winmgmts” object.

Apart from the above, the script also uses a lot of size optimization techniques. For instance, it uses exponent form to reference large numbers, and “!0” for true and “!1” for false. This can be seen in the code snippet shown in Figure 10.

Figure 10: Optimization Used in Code

How I Own You?: Command and Control Module

For a script based malware, ProsLikeFan boasts quite complex C&C functionality. Once the script is deployed it keeps checking the C&C server regularly for commands. Below is a screenshot containing the C&C commands found in the malicious script:

Figure 11: Command and Control Module

The commands include: “u”, “d”, “b”, “redu”, “fbl”, “fbc”, “hp”, “fbf”, “e”, “r” and “dns.”

The command “u” updates the worm itself or updates the C&C with any new changes on the victim’s computer. Command “d” downloads a file from a specified URL, while the command “r” runs any executable on the victim’s computer. Used in conjunction, these commands can download a file and run it on the victim’s computer, which could pull in other malware from any location.

The next set of commands, “fbl”, “fbf” and “fbc”, target the popular social networking site Facebook: they can be used to like a Facebook page, become a fan of a Facebook page and send out a message on Facebook chat respectively.

Apart from these there are commands to perform other activities, like setting the Internet Explorer homepage, modifying the DNS settings of the victim’s computer, etc.

A botnet of such infected machines would provide a perfect framework for other perpetrators who wish to infect the victims with their own malware. The administrator of the ProsLikeFan botnet can offer it as a service to anyone who wishes to attack unsuspecting victims. Most cases of infection that were reported back to the lab also had other malware present on the victim’s machine.

This Is Me!: Conclusion

Though the worm’s activity may seem nothing out of the ordinary, it is worth analyzing why the worm achieves this using unconventional methods, such as using a JavaScript based worm to infect a victim and make him part of a botnet. This may be because the non-PE format gives the attacker a degree of freedom when a specific module in the script needs to be modified. It can be freely spammed out via email, unlike an executable, which would get filtered out. Initial versions of this worm had just one level of encryption, and it then went on to become a multi-level obfuscated script. Text files, unlike PE binaries, do not have a fixed structure, making detection a bit more complex. Even then they are detectable.

[4] “Fans Like Pro, Too”, Peter Ferrie, Virus Bulletin, Sep’13

Kaarthik RM & Raja Babu A


Volume II: Who aM I? Confessions of an Obfuscated JS Worm

Friday, March 21st, 2014

This is volume II of a three part series based on our (Kaarthik RM and Rajababu A) paper for AVAR 2013, discussing the prevalence of autorun malware in the Asian region and taking it further by analyzing an example of such malware.

Carrying on from where we left off earlier…

Who aM I?: What is ProsLikeFan?

While the typical autorun malware is usually a Microsoft Portable Executable (PE) file, ProsLikeFan is JavaScript based. Unlike PE malware, malware written in a scripting language has its limitations, like exposing its malicious intent in plain text. To overcome this, the malware author needs to employ various encryption and obfuscation techniques.

ProsLikeFan uses the WMI (Windows Management Instrumentation) query language to retrieve sensitive system information and posts this information to a remote host. It also exploits the autorun mechanism to propagate to other computers, lowers the system security level by modifying certain registry entries, infects pen drives, sends out Facebook chat messages, ‘likes’ a Facebook page, downloads and runs an executable, changes IE homepage settings, etc., all the while actively listening for commands from its C&C server. It does all of the above without giving away much about what it intends to do, to a large extent. This is achieved by keeping its code encrypted at multiple levels, thereby hindering readability.

What I Can Do?: Overview of What the Worm Can Do

To begin with, this worm is VM aware, i.e., it can detect if it is being run in a virtual environment like VMware, Bochs, VirtualBox, etc. It achieves this by retrieving system information through the Windows Management Instrumentation interface and checking it against known virtualization systems. It looks at the BIOS manufacturer, processor name, SCSI controller manufacturer name, disk drive model, computer system manufacturer name, etc. for matches.

The worm hides itself from the victim by using standard registry modification techniques that are widely employed by most malicious software. It disables notifications from the ‘Windows Security Center’, turns off the Windows firewall, blocks the use of proxy servers, prevents access to the user’s homepage settings and disables System Restore.

The worm then copies itself to a location under %appdata% and %program files% with a random filename of 5-6 characters. It also places a copy of itself in the startup folder. Once executed, it can retrieve a trove of information from the user’s machine. It looks in specific locations for stored FTP passwords and user names. It then uploads the stolen data (computer name, anti-virus software, current user name, etc.), extracted through WMI and other means, to a remote server. It keeps enumerating all running processes at regular intervals and tries to terminate any process related to security software.

To spread to other computers, the worm uses the autorun technique. It waits for a removable drive to be connected to the infected computer. Once one is connected, the worm creates a directory on the removable device holding a copy of the main JavaScript file. It then proceeds to hide all folders and creates shortcuts to these folders with a folder icon. Such a shortcut executes the main ‘.js’ file before opening the corresponding folder.

Apart from removable devices, the worm also uses file-sharing networks to spread. It places a copy of the main script in a zip file in the shared folders of well-known P2P applications like Ares, Bearshare, etc.

…To Volume III


Kaarthik RM & Raja Babu A


Volume I: Who aM I? Confessions of an Obfuscated JS Worm

Friday, March 14th, 2014

This is volume I of a three part series based on our (Kaarthik RM and Rajababu A) paper for AVAR 2013, discussing the prevalence of autorun malware in the Asian region and taking it further by analyzing an example of such malware.

To Brief it Out…

The Autorun Worm: an infection that uses an antiquated mechanism to make itself prevalent, especially in the Asian region. Even though the Autorun or Autoplay feature was deprecated by Microsoft quite some time ago, it is still actively exploited in the wild. For instance, an autorun worm widely known as ProsLikeFan has been spreading like wildfire. Most interestingly, this isn’t your traditional Win32 PE binary, but a highly obfuscated JavaScript. This worm is certainly not the handiwork of a script kiddie.

Beneath several layers of obfuscation lies a WMI-based malware which can retrieve users’ system information and post it to a C&C server, and which invites other malware onto the host machine at the behest of the remote attacker.

This paper will discuss the reasons why autorun-related malware is very prevalent in the Asian region, the Indian sub-continent in particular. We will also focus on a technical dissection of the afore-mentioned JavaScript malware, cover its lifecycle and its geographical prominence, and include a brief take on its C&C network.

Autorun & Its Prevalence

An autorun worm uses the now deprecated Autoplay feature to launch malicious executables from removable drives. This exploit’s target vector has wide coverage, owing to the fact that removable drives or pen drives have become the most popular method for quick data transfer by physical media.

Autorun worms have had a higher success ratio in the Asian region. A closer look at the infection ratio of worms in the Asian region gives a better insight into the above mentioned fact. Figure 1 below shows worm infections as a percentage of the total infections in the Asian region.

Figure 1: Worm Infection Rate

The worldwide average for worm infections is 17.5%, as shown in the above graph. This is with respect to data from Microsoft’s Security Intelligence Report [1]. It is evident from the graph that in India almost 40% of infections seem to be worm related.

Figure 1.1 below provides the breakup of worm-related malware.

Figure 1.1: Breakup of Worms Based on K7 Threat Control Lab’s internal Telemetry

From the chart above, it is clear that autorun malware dominates the infection ratio of the worm category. One must consider that families like Vobfus, Gamarue, etc. also employ the autorun technique to improve their infection vector. Though most of the above mentioned worm families are Win32 PE types, it is interesting to note that there is an increase in the non-PE category of worms. For instance ProsLikeFan, as it is commonly known, is a JavaScript malware that is on the rise.

Figure 1.2: Software Piracy Rates According to BSA Global [2]

The reason autorun malware thrives in India (according to Figure 1.2) is that software piracy is still at large, which rules out timely security updates. Also, a very small percentage of computer users in India are broadband internet users, which again widens the target. It is evident that only a very small percentage of computer users would have the update from Microsoft that deprecated the autorun mechanism for removable drives.

To Volume II…


Kaarthik RM & Raja Babu A


Cryptolocker – A New Wave of Ransomware

Wednesday, October 16th, 2013

The infamous ransomware class of malware works by restricting access to the computer or files that it infects. The malware, on behalf of the malware author, then demands a ransom to be paid by the victim in order for the restriction to be removed.

At K7’s Threat Control Lab, we recently noticed a new wave of this ransomware. This notorious variant, called CryptoLocker by most security vendors, installs itself into the victim’s “Documents and Settings” folder. The malware then adds itself to the Windows auto-start location in the registry to ensure that it loads automatically every time the user logs on.

Cryptolocker then makes an HTTP POST request to a pre-determined set of domain names to download a unique password file, using which it then encrypts the victim’s documents. The documents targeted include images, spreadsheets, presentations and text files, among others.

Once encryption is complete, the ransomware pops up a ransom page like the one displayed below:

The malware gives the victim a limited amount of time to buy the password file to unlock the user’s data.

Protection against this threat is provided at multiple layers by K7’s Threat Control Lab. We proactively detect both the spam emails and the malicious URLs used to spread this ransomware, which seem to be the current infection vector. In case the malicious content does get through this layer of protection, our on-access scanner detects the malicious files themselves as Trojan ( 0000c3521 ) and Trojan ( 0040f66a1 ). We have also provided detection for this ransomware based on its run-time malicious behaviour.

Our usual sentiments about keeping one’s security solutions & Windows patches up-to-date and being wary of downloading files from unknown sites apply.

Lokesh Kumar
Malware Collections Manager, K7 TCL
