Archive for the ‘Security’ Category

Petya or NotPetya, We’re Gonna Get Ya

Thursday, July 6th, 2017

In our last blog we assured users of K7 Security products that they are protected against the destructive Petya ransomware. The good news is that we’ve just tightened the noose even further! Now, not only Petya but also other malware which may exhibit a similar modus operandi will be robustly and proactively blocked. This is an effort to safeguard our users from any such ransomware attacks in future.

Let’s have a gander through what we have done:

  • Blocking the Petya ransomware at the very early stages, even before it enters a computer, by including an IDS signature to block all currently known versions of EternalBlue-type packets attempting to exploit MS17-010.

  • In order to tackle a situation where a malware like Petya attempts to affect the boot area, we have reinforced a protection rule in our security products to block unauthorized writes to the Master Boot Record (MBR).

  • Last but not least, we tweaked our “Ransomware Protection” logic to block the encryption procedure peculiar to Petya.

As always, we at K7 Engineering focus on complete protection at multiple layers for our users so as to safeguard them from any (new) malware occurrences.

K7 Engineering

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed

Stop Lamenting About “WannaCry”

Tuesday, May 16th, 2017

WannaCry ransomware, a security disaster, has already infected thousands of computers all over the world, especially in Russia, India and China, and has hit emergency services in various countries, e.g. the UK. There have been images of infected ATMs, gigantic billboards, etc., making this attack a high-profile event.

This attack is a macabre reminder of the ill effects of

  • exploiting a critical vulnerability in the Windows OS
  • using a pirated version of an operating system
  • leaving a computer unpatched and connected to the internet, in other words highly vulnerable

In most of the attack scenarios tracked, WannaCry ransomware infects a computer by using the “EternalBlue” exploit (developed by the NSA and released to the public by Shadowbrokers in April 2017), which exploits a critical vulnerability in the Microsoft SMBv1 server (CVE-2017-0143 to CVE-2017-0148) by sending a specially-crafted packet. A Microsoft patch for this vulnerability, MS17-010, had been available since March 2017. It is also alleged, although without any concrete evidence, that this malware may enter a computer by the common email-borne route.

Please note that K7 security products contain heuristic anti-ransomware functionality which is capable of stopping WannaCry in its tracks without any signature updates (please read the Virus Bulletin blog which includes a video of K7’s talk from 2015 about fighting back against ransomware). However, to ensure that all variants of the ransomware are stopped before any encryption starts, we at K7 Threat Control Lab have taken the necessary steps to block it at all of its possible execution points. Users of K7 Security products are protected against this ransomware and the detection names at the time of writing are as follows:

Trojan (0050db011)

Trojan (0050d8371)

Trojan (0050d7201)

In addition, K7 blocks this multi-component malware with the behavioral detection as

Suspicious Program ( ID21236 )

Suspicious Program ( ID21237 )

Suspicious Program ( ID21238 )

Before we look at the technical details of this malware and explore how it works, we must urge users to apply the latest Windows patches, which Microsoft has made available even for the unsupported Windows XP, and which may be applicable on pirated versions of Windows too (note, using pirated software is an extremely bad idea). In order to better protect the computer against being exploited from an external source, blocking inbound connections on TCP ports 139 and 445 and UDP ports 137 and 138 might be an option to carefully consider. The client firewall in K7 Security Products can be configured to restrict traffic on the mentioned ports as described.

In addition, there has been some misinformation aggressively disseminated on social media and in the news that a certain password embedded in the code can be used to decrypt the encrypted data. This is far from the truth. WannaCry uses the embedded password to decrypt its internal embedded ZIP containing the ransomware components. Users are strongly advised to ignore any mention of this password and to avoid being influenced by the large amount of scaremongering junk information being released irresponsibly. There is currently no way to retrieve all the encrypted data barring use of the cyber criminals’ own decryption service at a cost of US$300-US$600.

WannaCry involves multiple executable files to infect an end user. The main dropper EXE accesses the URL shown in the images below.

This URL is now known as the “kill switch” since, if it is accessible, the dropper stops execution. Such a “kill switch” is unprecedented in the history of ubiquitous run-of-the-mill ransomware and raises interesting questions about the true purpose of the attack. Interestingly, the above domain has now been registered by researchers, thus stopping the attack at the dropper stage in many situations. There are a few recent samples which ignore whether or not the URL connection is successful.

MD5: d724d8cc6420f06e8a48752f0da11c66

MD5: E8089341EE0442A2ECF82E4B70829143

Anyway, let’s assume the executable proceeds with its malicious behavior. The dropper EXE starts itself as a service with the parameters “-m security”, the service name “mssecsvc2.0” and the display name “Microsoft Security Center (2.0) service”.

Then it tries to load the payload executable which it carries within itself under the resource named “R” in the sample which we analyzed (d5dcd28612f4d6ffca0cfeaefd606bcf).

Any PE parsing tool shows that the resource contains an embedded PE.

It extracts the file with the name “tasksche.exe” under the directory called “windows\<randomname>” as shown below. Note, we have also seen occurrences of this file being dropped under “ProgramData\<randomname>.”

The dropper then starts the payload “tasksche.exe” using CreateProcessA. The payload tasksche.exe (84C82835A5D21BBCF75A61706D8AB549) contains the functionality required for encrypting data on the computer, the files to display the ransom notes, etc. It carries within itself a password-protected ZIP in its resource section, as mentioned earlier. Interestingly, the password for the ZIP is plain text and not encrypted.

Upon further research we found that even though the password is in plain text, the password keeps changing. Sample 4da1f312a214c07143abeeafb695d904 uses the password “wcry@123”.

Unzipping the password-protected ZIP drops the following files in the desktop directory.

Folder “msg” contains the rtf files with extension .wnry for different languages.

Here are the details of the other files that are unzipped:

1. b.wnry – BMP image file (desktop background mentioning the decryptor tool @WanaDecryptor@.exe to receive ransom payment)

2. c.wnry – contains Tor browser download link

3. r.wnry – Text Message

4. s.wnry – ZIP file which has tor.exe along with its dependent DLLs

5. t.wnry – Encrypted data which then decrypts itself in memory (it’s a DLL file)

6. u.wnry

7. taskdl.exe

8. taskse.exe

It also unzips a batch file that writes a VBScript file m.vbs, which points to an LNK file to run “@WanaDecryptor@.exe” as shown below.

This @WanaDecryptor@.exe, once run, calls taskdl.exe and displays the below screen to the user,

It also copies itself to other locations like

C:\ProgramData\<randomfolder>\@WanaDecryptor@.exe

The following file extensions are susceptible to encryption:

.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .ott, .sxw, .stw, .uot, .3ds, .max, .3dm, .ods, .ots, .sxc, .stc, .dif, .slk, .wb2, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cpp, .pas, .asm, .cmd, .bat, .ps1, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .3gp, .mkv, .3g2, .flv, .wma, .mid, .m3u, .m4u, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .bz2, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .602, .hwp, .snt, .onetoc2, .dwg, .pdf, .wk1, .wks, .123, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc

Encrypted files have the extension .wncry appended to the user’s file name, e.g. if the file name is user_pic.jpg, after encryption it becomes user_pic.jpg.wncry. The first bytes of an encrypted file, at offset zero, are ‘0x57 0x41 0x4E 0x41 0x43 0x52 0x59 0x21’ (ASCII “WANACRY!”).

In every folder in which encryption occurs, two additional files are also dropped:
@WanaDecryptor@.exe.lnk, which points to @WanaDecryptor@.exe, and @Please_Read_Me@.txt, which contains the ransom note.
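The two file-level indicators described above (the appended .wncry suffix and the “WANACRY!” marker at offset zero) are enough to inventory what the ransomware touched on a disk image or a mounted share. The following script is an added example written for this page, not K7’s or the malware’s code: it classifies each file, recovers the original name from the suffix, and notes folders holding the ransom note. The sample directory it builds is constructed for the demonstration and contains no real ciphertext.

```python
# Added example (not K7's code): identify files encrypted by WannaCry using the
# two indicators from the analysis above -- the ".wncry" suffix appended to the
# original name and the 8-byte "WANACRY!" marker at offset zero -- and recover
# the original file name for an inventory of affected files.
import os
import tempfile
from typing import Dict, Optional

WANACRY_MAGIC = b"WANACRY!"          # 0x57 0x41 0x4E 0x41 0x43 0x52 0x59 0x21
WNCRY_SUFFIX = ".wncry"
RANSOM_NOTE_FILES = {"@Please_Read_Me@.txt", "@WanaDecryptor@.exe.lnk"}


def has_wannacry_header(data: bytes) -> bool:
    """True if the buffer starts with the WANACRY! marker."""
    return data[:len(WANACRY_MAGIC)] == WANACRY_MAGIC


def original_name(encrypted_name: str) -> Optional[str]:
    """Strip the appended .wncry suffix (user_pic.jpg.wncry -> user_pic.jpg)."""
    if encrypted_name.lower().endswith(WNCRY_SUFFIX):
        return encrypted_name[:-len(WNCRY_SUFFIX)]
    return None


def classify_file(path: str) -> str:
    """Return 'encrypted', 'suffix_only', 'ransom_note' or 'clean' for one file."""
    name = os.path.basename(path)
    if name in RANSOM_NOTE_FILES:
        return "ransom_note"
    with open(path, "rb") as fh:
        head = fh.read(len(WANACRY_MAGIC))
    if has_wannacry_header(head):
        return "encrypted"
    if original_name(name) is not None:
        return "suffix_only"   # renamed but no marker: worth a manual look
    return "clean"


def survey_directory(root: str) -> Dict:
    """Walk a tree and summarise what WannaCry touched."""
    report: Dict = {"encrypted": [], "suffix_only": [], "ransom_note_dirs": set(), "clean": 0}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            kind = classify_file(full)
            if kind == "encrypted":
                report["encrypted"].append((full, original_name(fn)))
            elif kind == "suffix_only":
                report["suffix_only"].append(full)
            elif kind == "ransom_note":
                report["ransom_note_dirs"].add(dirpath)
            else:
                report["clean"] += 1
    return report


def build_sample_tree() -> str:
    """Create a constructed directory with fake 'encrypted' files for a dry run."""
    root = tempfile.mkdtemp(prefix="wncry_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "user_pic.jpg.wncry"), "wb") as fh:
        fh.write(WANACRY_MAGIC + b"\x00" * 64)   # constructed, not real ciphertext
    with open(os.path.join(docs, "notes.txt"), "wb") as fh:
        fh.write(b"untouched plain text")
    with open(os.path.join(docs, "@Please_Read_Me@.txt"), "wb") as fh:
        fh.write(b"(constructed placeholder for the ransom note)")
    return root


if __name__ == "__main__":
    result = survey_directory(build_sample_tree())
    for path, orig in result["encrypted"]:
        print(f"encrypted: {path} (was {orig})")
    print("folders with ransom note:", sorted(result["ransom_note_dirs"]))
```

The marker check is deliberately separate from the suffix check: a file that carries the suffix but not the marker (or vice versa) is reported as its own category rather than silently counted either way, which is the kind of discrepancy an incident responder wants surfaced rather than hidden.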

As with all ransomware, and to guard against data loss in general, it is important to maintain regular backups of critical data to be able to retrieve it in the case of file or disk corruption.

What is in store for the world now with respect to WannaCry? Are we going to see a different infection strategy, will the binaries be custom-packed, will strings be encrypted? Or will the attack lie low for a while? We’ll be monitoring the twists and turns in the WannaCry saga over time, and will publish new information as and when required.

K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

Virus Alert!

Thursday, April 6th, 2017

We at K7 Threat Control Lab recently encountered an incident reiterating the power of social engineering to trick smartphone users into installing bad stuff.

The picture above is self-explanatory. It is clearly a fake message, but it is more convincing since it displays the device make and the current WiFi SSID of the victim, and even uses Google colours and identifiers.

This scareware message attempts to coerce the user into “downloading the latest Antivirus App”. Judging from the countdown “0 minutes and 00 seconds”, it is likely that upon clicking the link “REMOVE VIRUS NOW” the user would be redirected to download some dangerous app, either from a third-party market or even from the Google Play Store. The download was never attempted, but the app may well have been a deceptor which would claim to have discovered all manner of issues with the device, the fixing of which would require payment.

This fake message may well be generated from the Mi4i device itself (place of manufacture also plays a role in the device’s integrity) or from the WiFi router to which the device was connected at the time.

These kinds of specially crafted, user-specific messages exploit the user’s fear in order to force them to download the app recommended in the message, thus compromising their own devices.

To avoid any such unwanted circumstances we recommend that smartphone users:

  • Carefully analyse the messages or alerts which they receive before taking any action. Ignore irrelevant messages
  • Not install apps recommended by strangers
  • Use a top-rated mobile security product such as K7 Mobile Security to block any infection
  • Regularly update the mobile OS and security application installed to be free from mobile malware

K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

DoS Attack: Service Unavailable

Friday, September 30th, 2016

Continuing our series on Cyber Security, this blog post aims to shed some light on a security term that is casually thrown around these days, Denial-of-Service.

As the term conveys, a “Denial-of-Service” (DoS) attack aims to cut off the provision of a service. In computing terms this generally refers to an online, network-based service that is rendered inaccessible to legitimate users for the duration of the attack. A successful DoS attack typically requires a large number of requests to be sent to the network service at a specific point in time.

In general, for seamless network communication a “request-acknowledge” exchange is essential: when a user makes a request to a network service, the request is first acknowledged, then the data corresponding to the query is sent back along with a request for acknowledgement once the data is received. The user then sends an acknowledgement once the requested data has arrived. All of this happens in the order of milliseconds and is hence barely noticeable.

Every server that hosts a service would have a maximum request-handling capacity, and when that threshold is exceeded the server or the service becomes unavailable. It is this request limit which is exploited and abused by a DoS attack.
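One common way to defend the request-handling limit described above is to cap how many requests each client may make, so that a single flood cannot consume the whole capacity. The following is an added example written for this page, not K7’s code or a product feature: a per-client token-bucket limiter placed in front of a service, exercised with constructed traffic in which one client fires 200 requests at once while three others each send one.

```python
# Added example (not K7's code): a per-client token-bucket rate limiter, the
# kind of request cap that keeps one flood of requests from exhausting the
# service's request-handling capacity for everyone else.  Traffic below is
# constructed for the demonstration.
from collections import defaultdict
from typing import Dict


class TokenBucket:
    """A client may burst up to `capacity` requests, then earns `refill_per_sec` more per second."""

    def __init__(self, capacity: int, refill_per_sec: float, now: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.last = now

    def allow(self, now: float) -> bool:
        # Refill proportionally to elapsed time, never above capacity.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerClientLimiter:
    """Keeps one bucket per client identifier (e.g. source IP) in front of a service."""

    def __init__(self, capacity: int, refill_per_sec: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.buckets: Dict[str, TokenBucket] = {}

    def handle(self, client: str, now: float) -> str:
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = self.buckets[client] = TokenBucket(self.capacity, self.refill_per_sec, now)
        return "served" if bucket.allow(now) else "throttled"


def simulate_flood(limiter: PerClientLimiter) -> Dict[str, Dict[str, int]]:
    """Constructed traffic: one client fires 200 requests at t=0; three others send one each at t=0.5."""
    outcome: Dict[str, Dict[str, int]] = defaultdict(lambda: {"served": 0, "throttled": 0})
    for _ in range(200):
        outcome["10.0.0.99"][limiter.handle("10.0.0.99", now=0.0)] += 1
    for client in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        outcome[client][limiter.handle(client, now=0.5)] += 1
    return dict(outcome)


if __name__ == "__main__":
    for client, counts in simulate_flood(PerClientLimiter(capacity=5, refill_per_sec=1.0)).items():
        print(client, counts)
```

With a capacity of 5 the flooding client gets 5 requests served and 195 throttled, while the three legitimate clients are all served. The caveat is that this only helps against a single source: a botnet spreads the same volume across many clients, each staying under its own cap, which is why the botnet-driven attacks discussed next need defences beyond per-client limits.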

When speaking in terms of malware related DoS, malware authors employ their botnet (a collection of computers infected with silently-running backdoor Trojans) to perform this kind of attack. A botnet controller (aka “Bot Master”) can send out instructions to the entire botnet under his command to target a specific service, typically a web service, to effect a DoS on the target website.

Several DoS attacks have been orchestrated against organizations along with ransom demands to call off the attack. In the days of e-commerce and online services it is essential that business organizations keep their services up and running in order to retain their customer base.

In this series we shall have a look at various flavours of DoS attacks and how they are orchestrated.

Image Courtesy of:
tgm.org

K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

Quadrooter: Android Chipped but not Cracked

Thursday, August 11th, 2016

Shattering the period of calm after the discovery of the Android Stagefright exploit, Android Quadrooter has become the current hot topic in the mobile security industry. Quadrooter, as its name suggests, is a group of four vulnerabilities in the software drivers for Qualcomm chipsets within certain Android devices. These drivers are responsible for communication between chipset components in the Android packages developed by the manufacturer.

Exploiting any one of these four vulnerabilities in the drivers would provide a hacker with root access on the device. Unlike Stagefright, which was exploitable via remotely sent crafted messages, these Quadrooter vulnerabilities are apparently exploitable only through apps which must be explicitly downloaded and installed by the user. Although this may be considered another dangerous method that hackers can incorporate into their malware to attain root permissions, at the time of writing not a single actual sample has been found in the wild.

Patching the vulnerable software drivers with appropriate security updates would be the most suitable way to mitigate the risk posed by these vulnerabilities. However, it is a never-ending debate whether a security update from Google (or Qualcomm, etc.) can be customised for a handset manufacturer’s model within a reasonable time frame, and how quickly a manufacturer’s customised security update actually reaches its own users’ devices.

The good news is that Google claims that these exploits can be blocked by the “Verify Apps” feature in the Android OS from version 4.2 (Jelly Bean). Locate this feature at:

Settings>System>Security>Verify Apps

Here are a few steps to follow to help avoid dangerous security issues when downloading an application and other unwanted scenarios:

  • Always prefer to download an application from the official Google Play
  • Think twice before you download an application whether you really need it
  • Check any documented usage of the application to ensure that it does not perform any functionality separate from your expectations
  • Verify the reputation of the application by checking the reviews available
  • Avoid using free Wi-Fi hotspots, in particular those that are not password protected
  • Install a reputed and up-to-date mobile security product like “K7 Mobile Security”
  • Make use of application verification features like “Verify Apps” in recent Android OSs to identify malware before installation.

V.Dhanalakshmi
Senior Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

K7 “Ransomware Protection” is Fighting Fit and Ready

Wednesday, July 13th, 2016

Ransomware, a nasty and, unfortunately, common subclass of malware, is really bad news. The good news, however, is that K7’s heuristic, dynamic behaviour-based anti-ransomware feature, Ransomware Protection, was “productionised” and released some time ago. We strongly believe Ransomware Protection will provide users with robust safeguards against various strains of crypto ransomware, from the past (e.g. CryptoLocker), the present (e.g. Locky) and the future (???).

Ransomware Protection’s blocking logic is based on recognising and arresting fundamental changes that take place in targeted files when the ransomware’s industry-grade encryption algorithms are applied to them.

At the Virus Bulletin 2015 international security conference we demonstrated a PoC of the anti-ransomware technology in our presentation “Dead and Buried in Their Crypts: Defeating Modern Ransomware”, and explained how the technology works in some detail so that all of us in the security industry could implement an effective strategy against this highly-damaging type of malware.

Elevating a PoC to a full-blown production-level feature is a time-consuming process since many factors related to stability, false positives and performance need to be considered in an end user environment. We are delighted to have been able to develop and release an anti-ransomware jab which will boost end-user resistance to any ransomware attack. Your precious documents, images and videos should now be safe. Note, we still highly recommend that you back up your important files as the spectre of bad sectors developing on your hard drive continues to loom large.

Samir Mody, Senior Manager, K7 Threat Control Lab
Gregory Panakkal, Senior Software Architect, K7 Product Engineering Team

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed

Sharing Our Knowledge with VIT

Wednesday, June 29th, 2016

A few weeks ago we had announced our intention to spread our knowledge about low-level security. We would like to share a proud moment with the public to demonstrate our commitment to the cause of spreading technical awareness, borne from our decades of experience and expertise in malware research and anti-malware technology development.

We were recently invited by the well-known academic institution, VIT Vellore, to conduct a day-long workshop on the malware analysis techniques we carry out at K7 Threat Control Lab (K7TCL). The idea of the presentation was to enlighten VIT staff on analysis techniques for both Windows and Android malware.

We are happy to have had this opportunity to share our knowledge, and we hope that the interactive session we conducted has helped VIT staff to understand the modern malware threat landscape, and the malware themselves in a more effective way.

Kaarthik.R.M
Shiv Chand.K
V.Dhanalakshmi
K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

Interesting Persistence Technique

Thursday, June 16th, 2016

Here is an interesting persistence technique, which I have not seen before, used by a malware which I analyzed last week at K7 Threat Control Lab. It uses a simple RunOnce registry entry to maintain its persistence but in a unique way. I would like to post a complete analysis, albeit brief, of its functionality.

Functionality in a Nutshell

  • Push-Pop-Call
  • Misuse of Process Environment Block (PEB)
  • API Hashing Technique
  • Anti-Debug & Anti-Emulation Techniques
  • Strings Obfuscation Mechanism
  • Registry Abuse
  • Hidden DLL with multiple entrypoints (Export & DLL main) and its role
  • Multiple Injections into explorer.exe
  • Rootkit-like Behavior
  • Persistence Mechanism – RunOnce entry
  • Final Injection to IExplore.exe to act as downloader

Push-Pop-Call

This malware uses a Push-Pop-Call sequence at the Entrypoint to change the execution flow of the program as shown in Figure 1. This is not a clever technique since it can be used by Anti-Virus software to flag the malware immediately given that this sequence is unlikely to be found in clean programs.

Figure 1

Misuse of Process Environment Block (PEB)

Not an uncommon technique: this malware uses PEB_LDR_DATA, a member of the PEB structure, to locate the InMemoryOrderModuleList linked list, which is then used to retrieve the names of the loaded modules. It calculates a hash for each retrieved module name and compares it with the hardcoded hash of Kernel32.dll, extracting the base address of Kernel32.dll when the hashes match, as shown in Figure 2.

Figure 2

API Hashing Technique

Using the retrieved Kernel32.dll base address, it enumerates the export function names and calculates their hashes, which in turn are compared with predefined API hashes (in the data section) to identify the addresses of the APIs listed below. This common technique is used to avoid heuristic detection based on imported APIs.

  • ConvertThreadToFiber
  • CreateDirectoryA
  • CreateFiber
  • CreateFileA
  • CreateMutexA
  • CreateProcessA
  • CreateThread
  • DeleteFileA
  • GetFileSize
  • GetFileTime
  • GetModuleFileNameA
  • LoadLibraryA
  • MoveFileExA
  • ReadFile
  • ReleaseMutex
  • RemoveDirectoryA
  • SetFileAttributesA
  • SetFilePointer
  • SetFileTime
  • SwitchToFiber
  • WaitForMultipleObjects
  • WriteFile
  • WritePrivateProfileStringA

The hash calculation algorithm is shown in Figure 3 below.

Figure 3
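When a sample resolves APIs by hash, the analyst’s counterpart is a lookup table: run the sample’s hash routine over candidate export names and map each constant found in the data section back to a name. The script below is an added example written for this page, not the malware’s or K7’s code, and it covers the API list above. The page does not reproduce the routine from Figure 3, so a ROR-13 additive hash (a widely seen variant) is assumed as a stand-in; an analyst would replace `ror13_hash` with the routine recovered from the disassembly.

```python
# Added example (not the malware's code, not K7's): build a hash -> API-name
# lookup table for the APIs listed above so that hash constants found in the
# sample's data section can be resolved during analysis.  The page does not
# reproduce the routine from Figure 3, so a ROR-13 additive hash (a widely seen
# variant) is ASSUMED here as a stand-in; swap in the real routine once known.
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# The Kernel32 exports the analysis lists (spelling corrected to the real export names).
KERNEL32_APIS = [
    "ConvertThreadToFiber", "CreateDirectoryA", "CreateFiber", "CreateFileA",
    "CreateMutexA", "CreateProcessA", "CreateThread", "DeleteFileA",
    "GetFileSize", "GetFileTime", "GetModuleFileNameA", "LoadLibraryA",
    "MoveFileExA", "ReadFile", "ReleaseMutex", "RemoveDirectoryA",
    "SetFileAttributesA", "SetFilePointer", "SetFileTime", "SwitchToFiber",
    "WaitForMultipleObjects", "WriteFile", "WritePrivateProfileStringA",
]


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """Assumed hash: for each ASCII byte, h = ror32(h, 13) + byte, with 32-bit wrap."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & 0xFFFFFFFF
    return h


def build_hash_table(names: Iterable[str],
                     hash_fn: Callable[[str], int] = ror13_hash) -> Dict[int, str]:
    """Map each precomputed hash to its export name, refusing to hide collisions."""
    table: Dict[int, str] = {}
    for name in names:
        h = hash_fn(name)
        if h in table and table[h] != name:
            raise ValueError(f"collision: {name!r} and {table[h]!r} both hash to {h:#010x}")
        table[h] = name
    return table


def resolve_hash(constant: int, table: Dict[int, str]) -> Optional[str]:
    """Name for a hash constant seen in the sample, or None if it is not in the table."""
    return table.get(constant & 0xFFFFFFFF)


def resolve_all(constants: Iterable[int], table: Dict[int, str]) -> List[Tuple[int, Optional[str]]]:
    """Resolve a batch of constants, keeping unknown ones visible as None."""
    return [(c, resolve_hash(c, table)) for c in constants]


if __name__ == "__main__":
    table = build_hash_table(KERNEL32_APIS)
    for h, api in sorted(table.items(), key=lambda kv: kv[1]):
        print(f"{h:#010x}  {api}")
```

In practice the table is built from every export of the DLLs the sample walks (here Kernel32.dll, and ntdll.dll for the Zw* calls mentioned later), not just the names already known, so that unresolved constants in the data section point the analyst at APIs the report has not yet identified.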

Anti-Debug & Anti-Emulation Techniques

It implements Anti-Debug & Anti-Emulation techniques to prevent or misguide the reverse engineering process. This malware creates a thread which possesses an Anti-Debug technique of Memory Access Violation Exception (shown in Figure 4 below), thus complicating the analysis flow for researchers.

Figure 4

It also adds additional Exception Handlers in the existing SEH chain, which would be triggered by a memory access violation as shown in Figure 5.

Figure 5

It also uses undocumented ntdll.dll APIs which could act as an anti-emulation technique:

  • ZwCreateThread
  • ZwResumeThread

Strings Obfuscation Mechanism

It employs an uncomplicated obfuscation mechanism to hide strings and so conceal its presence from Anti-Virus products. Figure 6 shows how it decrypts a string to be used as its mutex.

Figure 6

Registry Abuse

It uses the registry to find the default path of “user\%AppData%” by querying the following registry key:

Subkey : “Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders”
Value    : “AppData”

It uses the registry to find the default browser path:

Subkey : “http\shell\open\command”

It also escalates its privilege under Internet Explorer by adding its path to the following registry key:

SubKey : “Software\Microsoft\Internet Explorer\LowRegistry”
Value    : “ms-ldr”
Data     : “%Malware Path%”

Hidden DLL with Multiple Entrypoints (Export & DLL Main) and its Role

It drops its main payload, ntuser.cpl (a DLL file), extracted and decrypted from its ‘data’ section, under a randomly named folder in the retrieved %APPDATA% directory as exemplified below:

USER/%APPDATA%/ {6JJ0C2I2-2W3D-2P70-7999-9N8KF3N5}/ntuser.cpl

The decryption logic used is shown below in Figure 7:

Figure 7

It tries harder to misguide analysis by executing the DLL with multiple entrypoints. Initially, with the help of rundll32, it executes the dropped ntuser.cpl using its export function “_4CDFA75B”. This export function “_4CDFA75B” then injects the entire ntuser.cpl into explorer.exe with “DLLMain” as its new entrypoint. Injection technique 1 uses the following APIs:

  • CreateProcessA
  • GetModuleFileNameA
  • CreateFileMappingA
  • MapViewOfFile
  • UnmapViewOfFile
  • ZwMapViewOfSection
  • CreateRemoteThread

Multiple Injections into Explorer.exe

Once ntuser.cpl is loaded into the memory space of explorer.exe, it uses the ‘ZwQuerySystemInformation’ API to get a snapshot of the currently running processes. ntuser.cpl then injects itself into the running processes that can be opened with ‘CREATE_THREAD & VM_OPERATION & VM_WRITE & QUERY_INFORMATION’ permissions, including explorer.exe, but this time with one of its own functions as the new entrypoint. Injection technique 2 uses the following APIs:

  • OpenProcess
  • VirtualFreeEx
  • VirtualAllocEx
  • VirtualQueryEx
  • VirtualProtectEx
  • WriteProcessMemory
  • VirtualQueryEx
  • CreateRemoteThread

The latest injected code in explorer.exe now injects code into IExplore.exe, again with a new entrypoint being one of its functions using a similar injection technique to that described above.

These multiple injections are done to halt the flow of analysis and to use system processes to download malicious content without triggering any alert from Anti-Virus software, including the firewall.

Rootkit Behavior

It injects into all system processes in an attempt to act as a rootkit, hooking the following APIs to maintain its stealth:

  • NtCreateThread
  • NtEnumerateValueKey
  • NtQueryDirectoryFile
  • NtResumeThread

Persistence Mechanism

The latest injected code in explorer.exe also has the task of maintaining its persistence. This is achieved by creating a thread which checks the availability of mutex (MSCTF.Shared.MUTEX.LDR) and if this fails, it adds the following RunOnce entry:

SubKey : “Software\Microsoft\Windows\CurrentVersion\RunOnce”
Data      : “rundll32 “%APPDATA%\{6JJ0C2I2-2W3D-2P70-7999-9N8KF3N5}\ntuser.cpl”,_4CDFA75B”

Hence, on reboot the mutex disappears and a RunOnce entry is immediately registered to maintain persistence.
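From the defender’s side, the RunOnce value described above has several features that stand out in an autostart audit: rundll32 is the launcher, the target sits under %APPDATA% in a GUID-like folder, it carries a .cpl rather than .dll extension, and the export name is a hex-like token rather than a function name. The script below is an added example written for this page, not K7’s code: it scores Run/RunOnce values against those traits. The sample entries are constructed; the “ms-ldr” entry mirrors the one reported in this analysis, and the live-registry reader only runs on Windows.

```python
# Added example (not K7's code): triage Run/RunOnce autostart values for the
# pattern described above -- rundll32 loading a DLL from %APPDATA% under a
# GUID-like folder, with an unusual extension (.cpl) and a hash-like export name.
# SAMPLE_RUNONCE is constructed for the demonstration.
import re
import sys
from typing import Dict, List, Optional, Tuple

# rundll32 "<path>",<export>   or   [dir\]rundll32.exe <path>,<export>
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:.*\\)?rundll32(?:\.exe)?"?\s+"?(?P<path>[^",]+)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)
# Brace-delimited, GUID-shaped folder names such as {6JJ0C2I2-2W3D-2P70-7999-9N8KF3N5}
GUID_FOLDER_RE = re.compile(r"\{[0-9A-Z]{8}-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{8,12}\}", re.IGNORECASE)
HASHLIKE_EXPORT_RE = re.compile(r"^_?[0-9A-F]{6,}$", re.IGNORECASE)
USER_WRITABLE_DIRS = ("%appdata%", "\\appdata\\", "%localappdata%", "%temp%", "\\temp\\", "\\programdata\\")


def parse_rundll32_command(command: str) -> Optional[Tuple[str, str]]:
    """Split a rundll32 command line into (dll path, export); None if it is not rundll32."""
    m = RUNDLL32_RE.match(command)
    if not m:
        return None
    return m.group("path"), m.group("export")


def assess_autostart_value(name: str, command: str) -> List[str]:
    """Return the reasons an autostart value looks suspicious (empty list if none)."""
    reasons: List[str] = []
    parsed = parse_rundll32_command(command)
    if parsed is None:
        return reasons
    path, export = parsed
    lowered = path.lower()
    if any(marker in lowered for marker in USER_WRITABLE_DIRS):
        reasons.append(f"{name}: rundll32 target lives in a user-writable directory")
    if GUID_FOLDER_RE.search(path):
        reasons.append(f"{name}: target sits in a GUID-like folder")
    if not lowered.endswith(".dll"):
        reasons.append(f"{name}: target has non-DLL extension '{lowered.rsplit('.', 1)[-1]}'")
    if HASHLIKE_EXPORT_RE.match(export):
        reasons.append(f"{name}: export '{export}' looks like a hash, not a function name")
    return reasons


def triage(entries: Dict[str, str]) -> Dict[str, List[str]]:
    """Keep only the values that raised at least one reason."""
    flagged = {}
    for value_name, command in entries.items():
        reasons = assess_autostart_value(value_name, command)
        if reasons:
            flagged[value_name] = reasons
    return flagged


def read_live_runonce() -> Dict[str, str]:
    """On Windows, read HKCU ...\\RunOnce values; elsewhere return {} so the demo stays offline."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module
    values: Dict[str, str] = {}
    try:
        key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                             r"Software\Microsoft\Windows\CurrentVersion\RunOnce")
    except FileNotFoundError:
        return values
    with key:
        index = 0
        while True:
            try:
                value_name, data, _ = winreg.EnumValue(key, index)
            except OSError:          # EnumValue signals "no more values" with OSError
                break
            values[value_name] = str(data)
            index += 1
    return values


SAMPLE_RUNONCE = {  # constructed; first entry mirrors the one in the analysis
    "ms-ldr": 'rundll32 "%APPDATA%\\{6JJ0C2I2-2W3D-2P70-7999-9N8KF3N5}\\ntuser.cpl",_4CDFA75B',
    "ControlPanel": 'C:\\Windows\\System32\\rundll32.exe shell32.dll,Control_RunDLL',
    "Updater": '"C:\\Program Files\\Vendor\\updater.exe" /silent',
}

if __name__ == "__main__":
    for value_name, reasons in triage({**SAMPLE_RUNONCE, **read_live_runonce()}).items():
        print(value_name, *reasons, sep="\n  ")
```

Each trait alone is weak (legitimate software does use rundll32, and some control-panel applets are .cpl files), so the value is in the combination: the constructed “ms-ldr” entry trips all four checks while the system rundll32 entry trips none.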

Final Injection into IExplore.exe to Act as Downloader

Using the code injected into IExplore.exe, it checks for internet connectivity every 5 minutes and, if it has access to the internet, uses ‘URLDownloadToFileA’ to download malicious content from the following URL:

“hxxp: / /business-links-today.org/ldr/admin/feed.php?i=6JJ0C2I2-2W3D-2P70-7999-9N8KF3N5&o=2&v=1.0.8”

After downloading, it executes the downloaded content using CreateProcessA.

On final analysis this turns out to be just a downloader, albeit one with a high level of obfuscation, injection techniques, and Anti-Debugging/Anti-Emulation tricks along with rootkit behavior.

Sample analyzed:

MD5: 6F14315A8875B1CF04E9FDB963E12966
SHA256: B129D92F6C62B7C81B5EF69FA38194AB3886BA7F18230581BC2D241C997F7FA6

Shiv Chand.K
Senior Threat Researcher

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

K7 @ CARO 2016

Thursday, May 26th, 2016

The CARO Workshop 2016, held in Bucharest, Romania, between May 19-20 featured presentations from notable security vendors and researchers, with a focus on the application of machine learning to security. The keynote speech was by Dr. Ashkan Fardost, who, among other things, talked about connecting reindeer to the internet.

K7’s Gregory Panakkal and Georgelin Manuel participated in the CARO workshop with their presentation titled “A High-Performance, Low-Cost Approach to Large-Scale Malware Clustering”. Their popular talk suggested a technique to cluster huge numbers of malware files on commodity hardware. The presentation demonstrated clustering 2 million files on a machine with a modest configuration in under 3 minutes. The ideas exhibited were well received, and attracted considerable attention from researchers who are thirsting for alternatives to distributed computing, which is currently the standard solution for handling large numbers of files.

Image courtesy of 2016.caro.org

Product Engineering Team

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

The Pen is Deadlier than … You Might Think

Thursday, May 19th, 2016

This blog intends to educate the general public about the security risks pertaining to pen drives (aka USB sticks/drives, thumb/removable drives), data storage devices that can store text, images, music, videos, etc., and ways of mitigating the risks.

These devices come in handy when the user wants to transfer data between computers. They’re small in size but can hold large amounts of data. However, the utility and ubiquity of pen drives introduce significant security risks.

Pen drives pose a major security challenge to IT administrators. Some surveys indicate that 70% of businesses have reported loss of data through USB. Being small, pen drives can easily be misplaced or stolen and, if data is not backed up, it can mean loss of hours of hard work.  An even bigger challenge is to prevent infection through already infected USB drives.

The Autoplay feature in Windows is the key route by which PCs are automatically infected as soon as an infected pen drive is plugged in. This feature causes removable media such as pen drives, CDs, etc. to open automatically when they are inserted into a computer.

Hackers and autorun worms use the autoplay feature to run malicious executables from removable drives. USB as an infection vector is not new; many older but infamous families of malware, notably Conficker, Sality and Gamarue use USB as part of their infection vector.

It is to be noted that many computers still have Windows XP installed, for which Microsoft withdrew support in April 2014. Windows XP is popular among PC users, especially in India, and has the autoplay feature enabled by default. Thus such users are at greater risk of an autorun infection on their system than users who have updated their computer’s OS to recent versions of Windows such as Windows 7. It is interesting to mention that most of these autorun worms originated in Asia.

Pen drives also provide an opportunity for malware to spread to stand-alone computers that are not connected to any network. The person carrying the infected pen drive, knowingly or unknowingly, bridges the air gap between the stand-alone computer and the network. It is highly probable that a pen drive used on an infected system (provided the infection on the system is capable of spreading itself) becomes infected itself, thus spreading the infection to healthy computers when simply inserted into them.

Hence we advise users to practice one or more of the following recommendations to overcome the risks associated with using pen drives:

  1. Scan the pen drives for malware after sharing with your friends or family as a precaution against infections. Even if you have an up-to-date, reputable Anti-Virus Security product installed on your computer, your friends and family might not on theirs.
  2. Avoid using pen drives on public computers, e.g. at Internet cafes.
  3. If you have not already done so, install a world-class, up-to-date antivirus product like K7 Total Security.
  4. Use the autoscan feature, if any, in your Anti-Virus product to automatically scan all USB drives as they are connected to the system. Also schedule frequent, automatic scans on your PC to keep it infection-free.
  5. To prevent loss or theft of data, you may block USB devices from being used on your system. K7 Total Security has features to block pen drives and restrict read-write access to USB drives.
  6. Vaccinate your pen drive to ensure that it does not get infected by an Autorun worm even if it is used on an infected machine.

Images courtesy of:
Com.net
Technologymess.com

Rathna Kamakshi
Manager – K7 Support

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/