
Archive for the ‘Security’ Category

Dealing with Spam

Thursday, November 26th, 2015

In the interest of educating the general public about secure computing, we would like to share a blog series that intends to explain the various types of security threats over the Internet and a few precautionary steps to avoid falling prey to these security threats. This is the first part of the blog series that talks about the basic concepts of spam emails, their dangers and a few preventive measures to adopt to deal with them.

Any message or email that we receive over the Internet without having asked for it is called spam. Such messages are mostly sent from unknown email addresses, in bulk to large numbers of users, by computer programs called spambots, in order to market a product or to cheat the recipient, typically for financial gain. Spam relies on social engineering to trick victims into performing an action specified in the message.

In recent years the number of spam messages has increased so considerably that one can no longer easily tell them apart from the legitimate messages in one’s inbox.

Spam includes unwanted messages using varied themes like:

  • a person requesting help
  • being told that we have become the lucky winner of a prize, or the victim of blackmail
  • a newsletter that was never subscribed to
  • fake job offers
  • malware
  • obscene material
  • a huge bounty promised out of the blue by an individual from another country
  • someone offering a business partnership
  • a claim that we need to prove our identity by logging in to, or resetting the password of, our bank account, email account, etc. This dangerous attack is called “phishing”
  • stirring up a social issue with fake news
  • offers on weight-loss products, medicines, drugs, etc.

Spam consumes a lot of storage space, Internet bandwidth and other resources on a user’s computer or device. It can defame a brand, and the products it advertises are mostly illegal or banned. Some spam messages also try to steal the victim’s personal information, as in the case of phishing attacks. Together with the time it wastes and the malware it spreads, the points listed above are reason enough to consider spam dangerous. Filtering spam out of our inbox lets us use email services with ease.

How do we deal with spam? When we suspect an email to be spam, we can:

  • Mark it as spam using the feature available in most email services
  • Create filters that move such emails to a spam folder, preventing them from polluting one’s inbox. Filters can also be based on adding specific email addresses to an ignore list, matching specific content in the subject line of the email, etc.
  • Report such messages to the various spam control authorities
  • Use anti-spam software, which can block a spam email based on previously recorded spam activity, suspicious titles or content, a spam score and various other factors. K7 products contain built-in anti-spam features and also block malware which harvests email addresses from the computer
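As an added example (not part of the original post), here is the kind of rule-based filtering described above, a sender ignore list, subject-line matching and a cumulative spam score with a threshold, applied to a small constructed mailbox; every address, phrase, weight and message is an assumption made for the example.

```python
"""Rule-based spam scoring over a small constructed mailbox.

Added example, not K7's code.  It models the filtering the post
describes: a sender ignore list, subject-line keyword matches and
a cumulative spam score with a threshold, as anti-spam software does.
Every address, keyword, weight and message below is constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed ignore list: senders that are always treated as spam.
IGNORE_LIST = {"winner@prize-claims.example", "offers@cheap-meds.example"}

# Assumed subject-line phrases with weights, mirroring the themes listed
# in the post (prize wins, phishing, business partnerships, weight loss).
SUBJECT_RULES = {
    "lucky winner": 3,
    "you have won": 3,
    "verify your account": 4,
    "reset your password": 3,
    "business partnership": 2,
    "weight-loss": 2,
}

# Assumed body phrases with weights; "click here to login" is the
# classic phishing lure, and a spam "unsubscribe" link is itself a cue.
BODY_RULES = {
    "click here to login": 4,
    "wire transfer": 2,
    "million": 1,
    "unsubscribe": 1,
}

IGNORED_SENDER_WEIGHT = 5
SPAM_THRESHOLD = 4  # assumed: score >= threshold goes to the spam folder


def spam_score(raw_message):
    """Parse one RFC 822 message and return (score, reasons)."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "").lower()
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode("utf-8", errors="replace").lower()

    score, reasons = 0, []
    if sender.lower() in IGNORE_LIST:
        score += IGNORED_SENDER_WEIGHT
        reasons.append("sender on ignore list: " + sender)
    for phrase, weight in SUBJECT_RULES.items():
        if phrase in subject:
            score += weight
            reasons.append("subject matches '%s'" % phrase)
    for phrase, weight in BODY_RULES.items():
        if phrase in body:
            score += weight
            reasons.append("body matches '%s'" % phrase)
    return score, reasons


def classify(raw_message):
    """Return a verdict dict: score, reasons and whether it is spam."""
    score, reasons = spam_score(raw_message)
    return {"score": score, "reasons": reasons, "spam": score >= SPAM_THRESHOLD}


def sort_mailbox(raw_messages):
    """Split messages into (inbox, spam_folder) lists of subjects."""
    inbox, spam_folder = [], []
    for raw in raw_messages:
        subject = message_from_string(raw).get("Subject", "")
        (spam_folder if classify(raw)["spam"] else inbox).append(subject)
    return inbox, spam_folder


# Constructed sample mailbox: two spam messages, one legitimate mail and
# one newsletter that should stay in the inbox despite a weak cue.
SAMPLE_MAILBOX = [
    "From: \"Prize Desk\" <winner@prize-claims.example>\n"
    "Subject: Congratulations lucky winner!\n\n"
    "You have won $1 million. Click here to login and claim your prize.\n",
    "From: alice@colleague.example\n"
    "Subject: Minutes from Thursday's meeting\n\n"
    "Attached are the minutes. Let me know if I missed anything.\n",
    "From: \"Bank Support\" <support@secure-bank-login.example>\n"
    "Subject: Please verify your account\n\n"
    "Your account is suspended. Click here to login to restore access.\n",
    "From: news@weekly-digest.example\n"
    "Subject: Weekly digest\n\n"
    "This week's articles. To stop receiving this, unsubscribe here.\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_MAILBOX:
        verdict = classify(raw)
        print(verdict["spam"], verdict["score"], verdict["reasons"])
    print(sort_mailbox(SAMPLE_MAILBOX))
```

The newsletter scores below the threshold on its lone "unsubscribe" cue and stays in the inbox, while the ignored sender and the phishing lure each cross it on several cues at once.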

Additionally, the following safety guidelines are recommended when dealing with spam:

  • Do not open emails that you were not expecting or that you suspect to have come from an unknown sender. Most certainly do not respond to such emails
  • Avoid using the “unsubscribe” option that sometimes appears in spam emails, as this would signal to the spammers that your email address is a valid one
  • Do not forward chain emails or suspected spam emails
  • Do not publish your email address in public forums or comment sections. Using temporary email addresses can help to some extent in these cases

We need to realise that changing our email address is not a long-term solution to the spam problem, as email harvesters can obtain one’s address in various ways. Unless and until we adopt better Internet habits, we cannot safeguard ourselves from spam.

K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

Preinstalled: Clean or Malware System App?

Tuesday, November 17th, 2015

This blog intends to educate the general public about the privilege levels at which Android malware can be installed and the difficulty of removing malware that is installed as a system application.

The trend of malware or adware preinstalled as system apps is an increasingly worrying one, albeit not a completely new phenomenon.

With security in mind, Android system applications are hosted in the system partition with high privileges unlike user-installed applications, and cannot be uninstalled or modified easily by an end user. Therefore the installation of malware as a system app complicates the removal process.

The privilege levels under which a malware can be installed on a victim’s device are as follows:

  • User level – location on the device: /data/app
  • System level – location on the device: /system/app

Unlike a user-level app installation, installing an application in the high-privilege (system) area is possible only if the device has been rooted by the user. There are two primary ways in which malicious applications end up on a phone’s system partition:

  • An already installed malware:
    • roots the victim’s device either by availing of an exploit or by running another application that requires root (administrative) permissions
    • downloads and installs another malware on to the system partition
  • Devices come equipped with malware as preinstalled system applications
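Added example, not K7's code, that goes slightly beyond the post: it sorts a `pm list packages -f` listing into the two install locations above (and also /system/priv-app, which the post does not mention) and flags system-level packages missing from an assumed stock-ROM baseline, which is how a defender would spot a preinstalled app that cannot be removed without root. The listing, package names and baseline are constructed for the example.

```python
"""Classify an Android package listing by install location.

Added example, not K7's code.  It parses the `package:<apk path>=<name>`
lines that `pm list packages -f` prints and maps each package to the
privilege split the post describes: /data/app (user level, removable by
the user) versus /system/app (system level, not removable without root).
It also treats /system/priv-app, which the post does not mention, as
system level.  System-level packages missing from a stock-ROM baseline
are flagged, since that is where preinstalled adware/malware turns up.
The listing, package names and baseline below are constructed.
"""
import re

LINE_RE = re.compile(r"^package:(?P<path>/\S+?)=(?P<name>[\w.]+)$")

# Prefixes from the post plus /system/priv-app, mapped to privilege level.
LEVEL_BY_PREFIX = (
    ("/data/app/", "user"),
    ("/system/app/", "system"),
    ("/system/priv-app/", "system"),
)


def install_level(apk_path):
    """Return 'user', 'system' or 'other' for an APK path."""
    for prefix, level in LEVEL_BY_PREFIX:
        if apk_path.startswith(prefix):
            return level
    return "other"


def parse_listing(listing_text):
    """Parse pm-style lines into dicts; malformed lines are skipped."""
    packages = []
    for line in listing_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        path, name = match.group("path"), match.group("name")
        packages.append({"name": name, "path": path,
                         "level": install_level(path)})
    return packages


def user_removable(pkg):
    """An end user can uninstall it only if it lives in the user area."""
    return pkg["level"] == "user"


def unexpected_system_apps(packages, baseline):
    """System-level packages absent from the stock-ROM baseline."""
    return sorted(p["name"] for p in packages
                  if p["level"] == "system" and p["name"] not in baseline)


def summarize(packages, baseline):
    """Counts per level plus the flagged names, for a quick triage report."""
    counts = {}
    for pkg in packages:
        counts[pkg["level"]] = counts.get(pkg["level"], 0) + 1
    return {"counts": counts,
            "flagged": unexpected_system_apps(packages, baseline)}


# Constructed listing in the `pm list packages -f` format.
SAMPLE_LISTING = """\
package:/system/priv-app/OemSettings/OemSettings.apk=com.example.oem.settings
package:/system/app/OemCalendar/OemCalendar.apk=com.example.oem.calendar
package:/system/app/HotOffers/HotOffers.apk=com.example.adnet.hotoffers
package:/data/app/com.example.taxi-1/base.apk=com.example.taxi
package:/data/app/com.example.game-2/base.apk=com.example.game
garbage line that should be skipped
"""

# Constructed stock-ROM baseline, e.g. taken from the manufacturer's image.
STOCK_BASELINE = {"com.example.oem.settings", "com.example.oem.calendar"}

if __name__ == "__main__":
    pkgs = parse_listing(SAMPLE_LISTING)
    for pkg in pkgs:
        print(pkg["level"].ljust(6),
              "removable" if user_removable(pkg) else "needs root",
              pkg["name"])
    print(summarize(pkgs, STOCK_BASELINE))
```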

Now, the obvious question is: “Does the handset manufacturer preinstall malware or adware as part of its manufacturing process?” The answer appears to be that there are middle-men who are paid by malware writers and adware developers to install their malware and adware applications into a custom ROM, which replaces the stock ROM on new devices before the handsets reach retailers or end users via distributors. The notable rise in mobile shopping increases the concern about preinstalled malware even further.

Removing a malware application installed in the user area is no different from uninstalling any other user-downloaded application. However, deleting a system application, malicious or not, is not an easy task for an end user, since it would require the device to be rooted, which would typically void the device’s warranty.

Under the Android architecture, mobile security products have the same privileges as any other user application and therefore cannot, by default, modify or delete a system application. Mobile security products protect their users from being compromised by such preinstalled malware by blocking the application from executing.

Just to re-iterate, with an enhancement to the Android boot framework that loads security products or their processes at a very early stage of the boot process, even before the system applications are loaded, it would be possible to stop and remove such malware/adware system apps.

Users are recommended to:

  • Purchase the handset only from reputed vendors and distributors.
  • Verify the handset package’s state to determine if the package is tampered with before purchasing or using it.
  • Verify the unique id of the device or the ROM on the handset manufacturer’s website, if possible.

Senior Threat Researcher, K7TCL

Assemble to Witness the Fight Against Ransomware at AVAR 2015!

Friday, November 6th, 2015

Samir Mody and Gregory Panakkal, our lead innovators in matters of proactive security, will be showcasing a generic anti-ransomware model at the 2015 AVAR Conference at Danang, Vietnam. Their talk is to be held on Dec 4th at 10:00AM.

The duo had recently demonstrated the concept at the VB International Conference held earlier this year in Prague, Czech Republic. They will follow it up with “Fighting Back Against and Defeating Destructive Ransomware”. The overall objective of this proof-of-concept is to demonstrate a solution to generically detect a multitude of ransomware patterns, including samples later contributed by attendees at the VB 2015 conference.

The presentation at AVAR 2015 hopes to exhibit post-R&D enhancements to the prototype based on the audience feedback from the launch at the VB 2015 conference.

So, be there at the city of Danang, Vietnam on 4th Dec 2015 for the AVAR 2015 Conference, and witness the fight against ransomware.

Archana Sangili, Content Writer

Safe Shopping On the Go!

Friday, October 23rd, 2015

This blog is to inform the general public about the existence of vulnerabilities in mobile shopping applications and a few safety tips to improve data security.

Trendy “SHOPPING ON THE GO!!” As we have already blogged previously, the convenience of online shopping, especially mobile shopping, is coupled with its own risk.

Many shopping portals promote their mobile applications over and above their websites, as smartphone usage continues to increase at a relentless pace.

However, the security of such mobile shopping applications and their technical strength in protecting the users’ personal data like credit card information, email address, etc., are of critical importance. A study from AppVigil reveals that most of the e-commerce applications in India are vulnerable to attacks, with shopping applications topping the list.

With the festival season already underway, the exciting promotional offers and special discounts from emerging or well-established mobile shopping portals may tempt users to such an extent that they become excessively casual about their own data security.

Just to re-iterate, cyber criminals are always on the prowl, availing of all possible routes to compromise a user’s device. Exploiting a vulnerable shopping application would be an easy way for the cyber criminals to intrude on to the victim’s device and execute their malicious behaviour.

Here are a few tips to ensure a safer mobile shopping experience:

  • Always select a reputed shopping portal
  • Think twice before you save any of your card information
  • Minimize card and location details saved in an application
  • Do not open any unwanted advertisements or messages from an unknown seller or portal
  • Install a reputed mobile security product to stop security exploitation of your device

Senior Threat Researcher, K7TCL

Don’t Lose Interest Over Banking Security

Friday, October 16th, 2015

The evolution of Internet technology has brought about a paradigm shift in the way we bank. As responsible netizens, it is of utmost importance that we understand the implications of these changes and develop basic security etiquette. This blog aims to provide a few security tips that will educate readers about how to bank safely online.

For years the mere utterance of the word banking would invoke feelings of anxiety amongst most people. The thought of having to stand in endless queues waiting for your turn, filling in numerous forms only to be informed by the teller that you’ve left out some esoteric detail and that you’d have to go all the way back to the start of the line, would be enough to send chills down your spine.

The last decade however has witnessed a revolution where you can conduct transactions, transfer funds to friends and family, all at just the click of a button. The progression of technology and the convenience factor have been the catalysts in driving out traditional ways of banking, ushering in its online avatar.

To access an online banking facility, you would register with the institution and set up your credentials. This is a combination of user name and some password, using which you could use some of the common facilities offered by online banks. The facilities include viewing account balances, transferring money, downloading financial statements, etc.

While this new technology may have eliminated the red tape and inefficiency, the story is not all rosy. The advent of online banking has brought with it its own set of problems: a security problem on a global scale with massive financial consequences; consequences worth billions of dollars, to be more precise.

Exploiting a lack of user awareness to their advantage, cyber criminals have managed to swindle billions of dollars, transcending both physical and virtual borders. Using techniques such as phishing and vishing, the fraudsters lure potential victims into disclosing their online banking credentials and other personally identifiable information. Once the bait has been taken, the innocent victims enter the deep web of the Internet – a world full of poisoned DNS servers, infected hosts and exploit-laden web sites masquerading as your regular banking site, aimed at just one thing: stealing your money.

All is not lost though, for here are some of the steps that you should follow to ensure the safety of your hard-earned money:

  1. Enable multi-factor authentication. Most banks send a randomly generated PIN to your registered mobile, which has to be keyed in along with your regular credentials to gain access to your online bank account. This may now be mandatory
  2. Create a strong password. Avoid using common words or phrases, and never create a password that contains your name, initials or date of birth. Also remember to change these passwords at regular intervals
  3. Secure your mobile device/computer and keep it up to date. Make sure you have a firewall turned on and are running a top-rated anti-virus solution such as K7 Anti-Virus. This will ensure you are protected from Trojans, keyloggers and other forms of malware that could be used to gain access to your financial data. You could also conduct online banking transactions in a dedicated, secure browser such as K7 Secure Web, which protects transactions even if the computer is infected with common malware
  4. Keep your browser up to date, with patches applied for any third-party plugins
  5. Avoid clicking through suspicious emails. Beware of unsolicited emails that purport to be from your bank. Treat such emails with suspicion, as they may well be phishing attempts to trick you into handing over your credentials. Banks will never ask you for confidential information via email or by calling you up
  6. Access your accounts from secure locations. It is always best practice to connect to your bank using computers and networks you know and trust. Look for a small padlock icon in the address bar; the web address of the site you are on should begin with ‘https’
  7. Always log out when you have completed your banking work. It is good practice to always log out of your online banking session when you have finished your business. This lessens the chances of falling prey to session hijacking and cross-site scripting exploits
  8. Set up instant account notifications. Banks offer a facility for customers to set up text or email notifications that alert them to certain sensitive activities on their account. Such alerts can give quick notice of suspicious activity on your account

With more people registering to conduct online banking transactions every day, it is only fair to say that this problem of virtual robbery could only get worse. As responsible online banking users, we must ensure that we follow the above-mentioned basic security precautions to keep ourselves and our money safe online.

Lokesh Kumar,
K7 TCL Systems Manager

Tearing Down the Wall

Thursday, October 1st, 2015

In all likelihood, the ransom note above is what an already overworked IT technician on some corporate network is staring at right now. Adding to their woes, IT administrators are now burdened with the task of dealing with Cryptowall, a troublesome breed of malware which until now had restricted itself to infecting mostly home users.

With gigabytes of confidential data available on network storage devices and tormented users willing to do whatever it takes to retrieve the company’s data, life has never been easier for the Cryptowall authors. Needless to say, it is only a matter of time before things take a turn for the worse.

To enlighten our users, we have already dissected the infection vector of this category of malware, discussed the possibility of retrieving the original files, advocated that paying the ransom is a bad idea and advised that prevention is better than cure, through blog entries available here and here.

To assist our customers, researchers at K7 Threat Control Lab have come up with reinforcements in this fight against Cryptowall. We have developed a heuristic anti-ransomware prototype which will allow monitoring, identifying and eliminating this menacing enemy based on run-time behaviour.

Samir Mody and Gregory Panakkal from K7 TCL will be discussing this prototype and presenting their paper titled “Dead and buried in their crypts: defeating modern ransom-ware” tomorrow, the 2nd of October 2015, at the Virus Bulletin International security conference held in Prague.

We hope to see you all there!

Lokesh Kumar
K7 TCL Systems Manager

Running the Ransomware Gauntlet at Virus Bulletin 2015

Thursday, September 17th, 2015

This blog is to inform the general public that two researchers representing K7 Threat Control Lab will be presenting and explaining their generic anti-ransomware solution at the Virus Bulletin international security conference. This blog also aims to solicit from fellow conference delegates a few of the latest ransomware samples to test the effectiveness of a new generic anti-ransomware prototype to be demoed for the very first time at the conference.

Are you attending the Virus Bulletin international security conference later this month? If so, my colleague, Gregory Panakkal, and I are due to present ways and means of fighting back against destructive modern ransomware on Friday, the 2nd of October, right after the lunch interval. We have a heuristic anti-ransomware Proof-of-Concept prototype which we will be demonstrating to delegates, explaining its modus operandi.

Have you got a brand new sample of ransomware you would like to throw at our anti-ransomware PoC demo? We are inviting conference delegates to help test the efficacy of the PoC vis-à-vis unknown variants of ransomware in real time, i.e. in our live demo. However, given the demo environment, the following pre-conditions exist for the samples:

  1. Must run in a VM
  2. Must encrypt target files without an active internet connection

If you have a suitable sample please use the VB 2015 demo public key to encrypt it.

Then send the encrypted sample to any time before 13:00 (local time in Prague) on Friday, the 2nd of October 2015.

We hope to see as many of you as possible at the conference and at our presentation, and of course we are hoping to receive a couple of samples to test live as well.

Samir Mody

Senior Manager, K7TCL

Pick the Permissions; Android Marshmallow

Wednesday, September 2nd, 2015

This blog intends to inform the general public about some of the feature enhancements in the next version of Android (6.0), labelled “Android Marshmallow”, focussing on the significance of an application’s permissions list.

Last week Google announced its next version of Android, Android 6.0 nicknamed “Marshmallow”. Though the final release date of Marshmallow is not yet confirmed, here are some of the interesting features included in Marshmallow, by no means an exhaustive list:

  • Android Pay

With this feature users can enter their credit card details and Google will create a virtual account to enable an easy checkout process using the NFC system.

  • Application linking

As of now, when a user clicks on a link, a dialog box pops up prompting the user to select one of the available applications, such as Chrome or another suitable browser application, to render the link. With Android Marshmallow, the Android OS verifies the link with the respective application’s server (provided the corresponding app is installed) and, after authentication, the link is opened within the application with the help of an auto-verify feature (application developers can code this auto-verify feature into their application).

  • Unlock feature

Fingerprint scanner support.

  • Power

Though not security-related it is interesting to know that “Doze Mode” is incorporated to improve the device’s standby time. Using motion detectors, Android will identify if the device is idle or in use. If the device is found idle, Android kills the background processes to improve the battery life.

  • App permissions

Yes! Now I can choose what an application should be allowed to do, in real time! Traditionally, Android applications request from the user the resource-access permissions they require at install time, and these permissions cannot be modified after installation. With Android Marshmallow, users can choose to allow or deny a specific permission from the permission list of an Android application while the application is active. The description of this feature claims that applications will request the required permissions the first time the corresponding feature is invoked, instead of requesting all the permissions in one go at installation time. As much Android malware disguises itself as legitimate applications or is bundled with other legitimate applications, restricting an application based on its permissions (which in turn restricts the app’s functionality) would help increase the security of the user’s device and personal data.

However, user awareness of the importance of the permissions granted and of an application’s functionality is still essential. As we discussed in our previous blog, a taxi-booking application does not typically need permission to access the files on the device’s SD card to perform its function. Similarly, a gaming application does not require permission to access contact information in order to operate. One should be aware of which permissions should be granted or denied to avail of the application’s actual functionality.

In addition, if under Android Marshmallow the same permission restrictions hold good for a legitimate security application as well, there is a possibility that malware with super-user access could modify the granted permissions list of the security application. As suggested in our VB2014 paper, updating the Android OS framework so that trusted security applications are loaded earlier than any other installed application could help in handling these situations.

Senior Threat Researcher, K7TCL

Social Networking Abuse – Potent Threat

Thursday, August 20th, 2015

This blog intends to highlight some of the dangers faced by the general public associated with an ever expanding use of social networking sites, all set to grow at an even greater rate post the launch of government initiatives such as the Digital India campaign.

Social networking sites such as Twitter and Facebook provide an efficient interface for communication with multiple people in a user-friendly manner. People are connected to their friends, family and followers in real-time, on-the-go using mobile devices. The ugly side to this increasing use of social networking sites is the potential for controlled, targeted abuse within a very short space of time. Recently the Hindu newspaper reported the abuse of Twitter in the recruitment programme of banned organisations.

Users of social networking sites do not appear to think twice about sharing large amounts of their private Personally Identifiable Information (PII) online. This freely available PII, which includes date of birth, phone number, address, and so on allows malevolent actors to hone their attacks’ penetrative function. In addition, given the speed of transmission, it is possible for attackers to reach a large number of victims very quickly, potentially triggering a mass panic scenario, or spreading malware, or increasing recruitment for banned organisations, etc.

There is at least one documented case of the use of social networks to trigger mass panic in India through the use of doctored images and targeted, threatening messages. In August 2012 thousands of Indians from some North-Eastern states of the nation were made to feel threatened to the extent that they decided to flee in large numbers to their home states from other parts of the country; a grave situation indeed.

The above real-world example provides a stark reminder about the havoc that can be caused when malicious content goes viral, either intentionally or otherwise. Legislation related to IT in many countries provides for monitoring of online content, inclusive of social networking sites, especially given that national security could well be at stake. In the documented case mentioned above, the attack vectors were neutered and some semblance of normality restored only after the offending sites were temporarily blocked and bulk SMS/MMS were banned for a short time as per the provisions in law.

Some images (adapted to suit the article) are courtesy of several sites.

Samir Mody
Senior Manager, K7TCL

Gone in 60 Seconds: Is the Internet Becoming Volatile?

Friday, August 14th, 2015

This blog intends to inform the general public about the impact on the Internet of an increase in the prevalence of self-destructing messaging services.

Almost every one of us is happy to have more than one genie at hand; we own a smartphone, tablet, laptop, etc., and the click of a button or a touch of the screen can satisfy our cravings for anything from food to knowledge. The communication world, too, never runs short of new stuff popping up now and then, with tweets, pokes, chats, likes, posts and so on.

Don’t we enjoy a twist in the movies we watch? One has to wonder if the Internet is the next ‘anterograde amnesia’ victim, where an unforeseen whirl takes over social networking services silently.

On the one hand, Hadoop technology is booming to handle the exponential growth of data, and spiders are crawling the Internet to feed search engines. On the other hand, there is a counterbalance created by self-destructing communication methods that is important enough to discuss, as the number of apps and services providing this functionality is increasing, with more users every day. In addition, the social networking giants’ competing feature is shifting focus from providing nearly unlimited storage space to providing an expiry time on demand. A silent balance is inching toward creating major chunks of a lost Internet.

When communicating confidential information over the internet, there is a jolt in us. We think several times, whether we can trust the internet and its services. And for one reason or another, we compromise ourselves with the communication services we get online.

Now, the privacy jolt is taking a noticeable turn because it seems to give more power to the users like data wiping, evidence shredding, and “suicidal messages”. It is not strange for us to regret sending a wrong file or a message to an unintended recipient, for liking a wrong post or comment by mistake too. But it is also important to note that these auto-timed or customisable self-expiring messages are redefining secretive communication.

This trend seems to cure the privacy fever of social media with email bombs, ephemeral messages, auto-expiring tweets, timed chats, self-deleting pokes and much more; from its suffering to hold itself together with features like ‘recall’ or ‘undo’ a sent email, off the record chats, etc.

Such self-destructing email services promise to destroy their path traversed over the servers and the email itself in a prescribed amount of time. These promises are not new to us as we have been relying for years on strong encryption and secure channels.

There is always more than one solution to a problem. A few apps use temporary hyperlinks. Some provide a one-time password to access a timed web page; the passwords and the web pages are not available after the expiry time. Some store the contents temporarily on servers until the message is delivered to all the intended recipients, then delete the contents from the servers and from the recipients’ inboxes once the message is read. Some use external apps and browser extensions too.

Some apps face issues such as screenshots being taken, content being accessed through other means instead of being viewed via the app, and message-ID vulnerability hacks on related sites. Some apps have already fallen victim to cyber-forensic studies because they save images and videos in hidden folders or rename the files to unknown file extensions; researchers are ready to spend many hours and thousands of dollars on their research. But competitors release newer products with upgraded versions which offer more sophisticated, artificially-intelligent communication systems.

Cyber criminals use such services widely to communicate their secrets or to threaten victims. Of course, anyone can use these services for a legitimate conversation as well. One must not forget that self-expiring attachments are also joining hands with this feature, preventing the messages from being copied, forwarded, edited, printed or saved.

With competitors focusing on providing the self-destruction feature, the following questions certainly arise:

  • Will the internet become erasable?
  • Will social networking become the most secret communication method going forward?
  • Did we just discover invisible data or communication?
  • Will these mortal messages force cybercrime lexicology to accept its demise?
  • Will the expansion of SMS be changed to Short-lived Messaging Service?
  • Will the cyber crime investigators exclaim: “Eureka! But where did the evidence go?”

Looks like we just have to wait and watch what surprises the future brings.

Ayesha Shameena P
Threat Researcher, K7TCL
