These are quick first looks and trend and threats

Written by the security and AV professionals from team K7, meant for the general audience
These are usually articles that go into internals of a virus or deal with security issues
Senior managers speak on areas of interest to them, inside and outside the industry

Archive for the ‘Tech articles’ Category

DoS Attack: Service Unavailable

Friday, September 30th, 2016

Continuing our series on Cyber Security, this blog post aims to shed some light on a security term that is casually thrown around these days, Denial-of-Service.

As the term conveys a “Denial-of- Service” (DoS) attack aims to cut off the provision of a service. When we speak of it in terms of computing we would generally refer to an online network-based service that is renderred inaccessible to legitimate users during the course of the attack. A successful DoS attack would require a large number of requests being sent to the network service at a specific point in time.

In general for a seamless network communication to happen a “request-acknowledge” signal is essential, i.e. when a user makes a request to a network service his request would first be acknowledged and then data corresponding to his query would be sent back along with a request for acknowledgement once the data is received. The user then sends an acknowledge signal once the requested data has been received. All this happens in the order of milliseconds hence they are barely noticeable.

Every server that hosts a service would have a maximum request-handling capacity, and when that threshold is exceeded the server or the service becomes unavailable. It is this request limit which is exploited and abused by a DoS attack.

When speaking in terms of malware related DoS, malware authors employ their botnet (a collection of computers infected with silently-running backdoor Trojans) to perform this kind of attack. A botnet controller (aka “Bot Master”) can send out instructions to the entire botnet under his command to target a specific service, typically a web service, to effect a DoS on the target website.

Several DoS attacks have been orchestrated targeting organizations along with ransom demands to call off the attack. In the days of e-commerce and online services it is essentials that business organizations keep their services up and running in order to retain their customer base.

In this series we shall have a look at various flavours of DoS attacks and how they are orchestrated.

Image Courtesy of:

K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

Interesting Persistence Technique

Thursday, June 16th, 2016

Here is an interesting persistence technique, which I have not seen before, used by a malware which I analyzed last week at K7 Threat Control Lab. It uses a simple RunOnce registry entry to maintain its persistence but in a unique way. I would like to post a complete analysis, albeit brief, of its functionality.

Functionality in a Nutshell

  • Push-Pop-Call
  • Misuse of Process Environment Block (PEB)
  • API Hashing Technique
  • Anti-Debug & Anti-Emulation Techniques
  • Strings Obfuscation Mechanism
  • Registry Abuse
  • Hidden DLL with multiple entrypoints (Export & DLL main) and its role
  • Multiple Injections into explorer.exe
  • Rootkit-like Behavior
  • Persistence Mechanism – RunOnce entry
  • Final Injection to IExplore.exe to act as downloader


This malware uses a Push-Pop-Call sequence at the Entrypoint to change the execution flow of the program as shown in Figure 1. This is not a clever technique since it can be used by Anti-Virus software to flag the malware immediately given that this sequence is unlikely to be found in clean programs.

Figure 1

Misuse of Process Environment Block (PEB)

Not an uncommon technique, this malware uses PEB_LDR_DATA, a member of the PEB structure, to locate InMemoryOrderModuleList LinkedList, which is then used to retrieve names of the loaded modules. It calculates the hash for each of the retrieved module names and compares with that of Kernel32.dll (hardcoded in the code), and extracts the base address of Kernel32.dll when the hashes match as shown in Figure 2.

Figure 2

API Hashing Technique

Using the retrieved Kernel32.dll base address, it enumerates export function names and calculates their hashes, which, in turn, are compared with predefined API hashes (in the data section) to identify the addresses of preferred APIs that are listed below. This common technique is to avoid heuristic detection on import APIs.

  • ConvertThreadToFiber
  • CreateDirectoryA
  • CreateFiber
  • CreateFileA
  • CreateMutexA
  • CreateProcessA
  • CreateThread
  • DeleteFileA
  • GetFileSize
  • GetFileTime
  • GetModuleFilenameA
  • LoadLibraryA
  • MoveFileExA
  • ReadFile
  • ReleaseMutex
  • RemoveDirectoryA
  • SetFileAttributesA
  • SetFilePointer
  • SetFileTime
  • SwitchtoFiber
  • WaitForMultipleObjects
  • WriteFile
  • WritePrivateProfileStringA

The hash calculation algorithm is shown in Figure 3 below.

Figure 3

Anti-Debug & Anti-Emulation Techniques

It implements Anti-Debug & Anti-Emulation techniques to prevent or misguide the reverse engineering process. This malware creates a thread which possesses an Anti-Debug technique of Memory Access Violation Exception (shown in Figure 4 below), thus complicating the analysis flow for researchers.

Figure 4

It also adds additional Exception Handlers in the existing SEH chain, which would be triggered by a memory access violation as shown in Figure 5.

Figure 5

It also uses undocumented ntdll.dll APIs which could act as an anti-emulation technique

  • ZwCreateThread
  • ZwResumeThread

Strings Obfuscation Mechanism

It employs an uncomplicated obfuscation mechanism to hide strings to dodge its presence from Anti-Virus products. Figure 6 shows how it decrypts a string to be used as its mutex.

Figure 6

Registry Abuse

It uses the registry to find the default path of “user\%AppData%” by querying the following registry key:

Subkey : “Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders”
Value    : “AppData”

It uses the registry to find the default browser path:

Subkey : “http\shell\open\command”

It also escalates its privilege under Internet Explorer by adding its path to the following registry key:

SubKey : “Software\Microsoft\Internet Explorer\LowRegistry”
Value    : “ms-ldr”
Data     : “%Malware Path%”

Hidden DLL with Multiple Entrypoints (Export & DLL Main) and its Role

It drops its main payload, ntuser.cpl (a DLL file), extracted and decrypted from its ‘data’ section, under a randomly named folder in the retrieved %APPDATA% directory as exemplified below:

USER/%APPDATA%/ {6JJ0C2I2-2W3D-2P70-7999-9N8KF3N5}/ntuser.cpl

The decryption logic used is shown below in Figure 7:

Figure 7

It tries harder to misguide analysis by executing the DLL with multiple entrypoints. Initially with the help of rundll32 it executes the dropped ntuser.cpl using its export function “_4CDFA75B”. This export function “_4CDFA75B” then injects the entire ntuser.cpl to explorer.exe with “DLLMain” as its new entrypoint. Injection technique 1 uses the following APIs:

  • CreateProcessA
  • GetModuleFileNameA
  • CreateFileMappingA
  • MapViewOfFile
  • UnmapViewOfFile
  • ZwMapViewOfSection
  • CreateRemoteThread

Multiple Injections into Explorer.exe

As ntuser.cpl loads into the memory space of explorer.exe, it uses the ‘ZwQuerySystemInformation’ API to get the snapshot of the current running processes. Now ntuser.cpl injects itself to the running processes that have access to ‘CREATE_THREAD & VM_OPERATION & VM_WRITE & QUERY_INFORMATION’ permissions, including explorer.exe.  But, this time with a new entrypoint being one of its functions. Injection technique 2 uses the following APIs:

  • OpenProcess
  • VirtualFreeEx
  • VirtualAllocEx
  • VirtualQueryEx
  • VirtualProtectEx
  • WriteProcessMemory
  • VirtualQueryEx
  • CreateRemoteThread

The latest injected code in explorer.exe now injects code into IExplore.exe, again with a new entrypoint being one of its functions using a similar injection technique to that described above.

These multiple injections are done just to halt the flow of analysis and to use system processes to download malicious content which will not trigger any alert by Anti-Virus Software, including Firewall.

Rootkit Behavior

It injects all system processes when attempting to act as a rootkit by hooking the following APIs, to maintain its stealth status:

  • NtCreateThread
  • NtEnumerateValueKey
  • NtQueryDirectoryFile
  • NtResumeThread

Persistence Mechanism

The latest injected code in explorer.exe also has the task of maintaining its persistence. This is achieved by creating a thread which checks the availability of mutex (MSCTF.Shared.MUTEX.LDR) and if this fails, it adds the following RunOnce entry:

SubKey : “Software\Microsoft\Windows\CurrentVersion\RunOnce”
Data      : “rundll32 “%APPDATA%\{6JJ0C2I2-2W3D-2P70-7999-9N8KF3N5}\ntuser.cpl”,_4CDFA75B”

Hence during reboot, the mutex gets killed and immediately a RunOnce entry is registered to maintain persistence.

Final Injection into IExplore.exe to Act as Downloader

Using IExplore.exe injected code, it checks for internet connectivity every 5 minutes, and if it has access to the internet, it uses ‘URLDownloadToFileA’ to download malicious content from the following URL

“hxxp: / /″

Post downloading it executes the downloaded content using CreateProcessA.

On final analysis this turns out to be just a mere Downloader, with a high level of obfuscation, injection techniques, and Anti-Debugging/Anti-Emulation tricks along with rootkit behavior.

Sample analyzed:

MD5: 6F14315A8875B1CF04E9FDB963E12966
SHA256: B129D92F6C62B7C81B5EF69FA38194AB3886BA7F18230581BC2D241C997F7FA6

Shiv Chand.K
Senior Threat Researcher

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

K7 Computing’s Security Alpha Geeks Introduce Generic Anti-Ransomware Prototype at VB Conference 2015

Friday, October 9th, 2015

So last week, Samir Mody and Gregory Panakkal, security experts from K7 Computing, showcased a generic anti-ransomware framework at this year’s Virus Bulletin International Conference. It garnered quite an excited bunch of fellow security enthusiasts at Prague, Czech Republic, where the conference was held, to listen to the duo talk about this prototype.

This presentation addressed majorly on file encrypting ransomware variants. A demo followed to display the capability of this generic anti-ransomware prototype in defending ransomware through samples obtained from valid sources.

K7 Computing is extremely proud of the team behind the idea to develop a simple solution to thwart complex ransomware menace. This generic framework is on the process of being incorporated into our products, and we are super excited. We also would take this opportunity to thank our readers, for sending ransomware samples requested by them to test our prototype.

For curious souls who want extensive information on this, please find the complete slides here.

Archana Sangili, Content Writer

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

Tearing Down the Wall

Thursday, October 1st, 2015

In all likelihood, the ransom note above is possibly what an already overworked IT technician of a corporate network is staring at at this moment. In addition to their woes, IT administrators are now burdened with the task of dealing with Cryptowall; a troublesome breed of malware which until now restricted itself to infecting mostly home users.

With gigabytes of confidential data available on network storage devices & tormented users willing to do whatever it takes to retrieve the company’s data back, life has never been easier for Cryptowall authors. Needless to say, it is only a matter of time before things take a turn for the worse.

To enlighten our users, we have already dissected the infection vector of this category of malware, discussed the possibility of retrieving the original files, advocated that paying the ransom is a bad idea and advised that prevention is better than cure, through blog entries available here and here.

To assist our customers, researchers at K7 Threat Control Lab have come up with reinforcements in this fight against Cryptowall. We have developed a heuristic anti-ransomware prototype which will allow monitoring, identifying and eliminating this menacing enemy based on run-time behaviour.

Samir Mody and Gregory Panakkal from K7 TCL will be discussing this prototype & presenting their paper titled “Dead and buried in their crypts: defeating modern ransom-ware“ tomorrow, the 2nd of October 2015 at the Virus Bulletin International security conference held at Prague.

We hope to see you all there !!

Lokesh Kumar
K7 TCL Systems Manager

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

Let’s Get Edgewise

Friday, August 7th, 2015

This article intends to inform the general public about ‘Edge’, the newest browser from Microsoft shipped with Windows 10. It sheds some light on what’s new, what’s changed and why Edge was considered necessary.

It has been more than a week since Windows 10 started hitting users’ PCs; it has however been around for a couple of months via the Windows Insider program as a public beta. Reviews on the operating system have been trending in the tech review sites. Opinions in general have been on the positive side for Microsoft’s la(te)st operating system. One of the features that is generating interest is the new browser “Edge” offered in Windows 10.

Microsoft finally bid goodbye to its ageing browser, Internet Explorer (‘IE’). Antiquated design, interoperability issues and security holes riddled IE, warranting a better, modernized browser. Codenamed as project Spartan it finally shaped up as Edge. Microsoft reworked its browser almost from scratch, borrowing bits of goodness from its competitors while being unique in its own way by having a personal assistant or being able to annotate on webpages and share them; most important of all, though, improvements to security were made.

Security was probably one of the main concerns that pushed Microsoft to reimagine its browser design. So from a security perspective, Microsoft has got rid of its ActiveX support, infamous for its security vulnerabilities. Added to the “gone” list were BHOs (Browser Helper Objects, which went on to be synonymic to toolbars) and VBScript support. Over the years support for these three features caused numerous security headaches for Internet Explorer.

Edge would remain sandboxed from the rest of the Operating System, hence attempting to prevent any malicious scripts or code from affecting the OS itself. SmartScreen introduced in IE8 is also a part of the Windows 10 shell and is supported by Edge. This can filter out phishing sites by performing reputation checks and blocking them out. The new rendering engine would greatly eliminate interoperability problems for web developers, thereby allowing them to devote more time to security and stability.

Most security features that had been an opt-in in IE until now have been made mandatory and will always be on and protecting users. Though Edge looks promising it is a bit rough-edged at the moment. Microsoft is in the process of embracing the extensions model like its competitors, Google’s Chrome and Mozilla’s Firefox, which is said to roll out by the end of this year. Once this is done, Edge would be in a better position to handle the internet; at least way better than IE, one would hope.

A word of caution to our readers; while you may be impatient to upgrade your operating systems to Windows 10, beware of a new wave of spam emails doing the rounds. These are bogus emails offering users a free Windows 10 upgrade; even if you are not a Windows 7 or 8 user (free upgrades are given by Microsoft to genuine Windows 7 and 8 users only). These mails mostly come with a malware of the nasty ransomware category. Microsoft states that users will be informed of the upgrade on their screens and not via emails. Kindly refrain from clicking on such fraudulent emails.

Some images (adapted to suit the article) are courtesy of several sites.

Kaarthik RM
Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

Shell Team Six:Zero Day After-Party (Part VI)

Monday, April 27th, 2015

This is the final part of a six-part blog based on the paper submitted by my colleague Gregory and myself on Advanced Persistent Threats (APT), for AVAR 2014. Continuing from the fifth part of our paper…

Data Exfiltration and Cleanup

This stage of the APT involves the assailants collecting the sensitive data and transmitting it stealthily to a remote location. Data extraction can either be a one-time event or spread over a period of time, followed by constant snooping of the victim, all the while remaining hidden.

Once the objective of an APT campaign is achieved, the attackers exit the network in a phased manner after covering their tracks and clearing all the potential evidence of an intrusion.  The attackers could also plant or manipulate data in the target’s environment in an effort to create misdirection.

Extraction methodology

Confidential data that is collected during the period of the APT is copied to a staging server, compressed, encrypted and kept ready for transfer. Outbound sessions are then established that resemble legitimate traffic thereby attempting to fly under the security radar. The confidential data is thus extracted possibly in small chunks over a period of time.

The bad actors could exfiltrate data using any/all of the following methods:

HTTP/FTP/Cloud Storage Uploads

An HTTP/FTP upload or a cloud transfer is initiated by an application which is already approved by the firewall. Additionally, the packets could be SSL or custom encrypted making it difficult for security solutions to sniff.

Outgoing Emails with Password Protected Attachments

Sensitive contents are password protected and then transmitted using either a compromised employee’s email credentials, or by using a custom SMTP server.

Customized DNS Queries

Small chunks of data such as user credentials may be sent as custom DNS requests to DNS servers controlled by the attackers. The packets are then reassembled as required at the attackers end.

Fig.14. shows encrypted data sent as a DNS query

VPN/IPv6 Tunnels

VPN and IPv6 tunnels are created from the staging server to a remotely controlled machine. The contents are then securely transmitted through these tunnels.

The hacking outfit commonly known in computer security circles as Comment Crew [13] has been observed using the above data exfiltration techniques. Sensitive data which could potentially be Gigabytes in size would first be collected in a centralized location & compressed in a password-protected RAR file. The final archives would be split into chunks and uploaded using FTP, custom file transfer tools, etc.

Cleanup Methodology

The attackers tend to delete their malicious code and its associated components by remotely issuing self-destruct commands from their C2C server. A time/event bound kill switch built into the malicious code could also be automatically triggered to avoid being caught.

System logs that maintain login attempts, security logs that maintain protection status, audit files that track system changes, etc. are modified by the attackers to make a forensic reconstruction of the attack impossible.

Indicators of Compromise

Capturing and transmitting confidential data is the raison d’etre of any APT. In order to facilitate this transmission, the attacker must contact external servers from inside the victim’s network.

Here are some of the common symptoms that indicate suspicious activity within the organization’s network:

Wrong Data in the Wrong Place

Movement of encrypted or confidential data from a machine containing sensitive information to a potential upload server with Internet access, all within the organizations internal network could indicate that something is wrong.

Similarly, availability of large quantities of known-encrypted or sensitive data on a machine it’s not supposed be on could also indicate that something is amiss.

Anomalous Traffic

The following anomalies could indicate a compromise:

  1. Connections made directly to IP addresses
  2. HTTP/FTP connections on non-standard ports
  3. Connections to previously unused or high risk geo locations
  4. Accessing algorithmically generated domain names (DGA)

Other Indicators

Inconsistent events in audit logs maintained at network and endpoint level, changes in the system drivers list without an application uninstallation progress, etc. can also be used as indicators of compromise.


Confidential information is the crown jewel of any company and typically it is this information that the attacker is focused on stealing. The following solutions can be involved in protecting the exfiltration of this confidential data:

Hardened DNS Servers

Outgoing DNS queries should be logged and monitored extensively for anomalies. Organizations could also create and maintain their own hardened DNS servers.

Security Solutions

Data aware technologies like Data Leakage Prevention (DLP) can be added to the organization’s existing layer of defense. Once critical and confidential data is identified, DLP solutions track and prevent this data from falling into the wrong hands.

URL scanners with built-in reputation intelligence can be used to detect:

  1. Access to subdomain/domains which are not popular or appear suspicious
  2. Repeated attempts to connect to domains which no longer resolve
  3. Attempts to connect to blacklisted or malicious IP addresses/domains
  4. Newly registered domains

Network scanners with Deep Packet Inspection and machine learning capabilities can be used to build a knowledge base of general network usage trends. Alarms are raised when deviations exceed pre-defined thresholds. This knowledge base includes:

  1. Commonly used protocols with source and destination information
  2. Common geo locations contacted
  3. Number of connections and the length of connections made depending on the time of the day

Software that take disk backups and dump physical memory images at regular intervals are of great help during incident response and forensic analysis of a potential APT attack.


The implications of the complexity and perseverance of Advanced Persistent Threats are of major significance to the existing security infrastructure. The evasion techniques discussed in this paper have exerted colossal pressure on the current methods used to detect and report these threats, especially where the human element is involved.

Safeguarding oneself against APTs requires more than just traditional security solutions. The need of the hour is a comprehensive, holistic security plan that intelligently integrates events reported from numerous forms of security established at various levels of the organization. This solution should be able to handle massive volumes of logs and spot patterns of an attack, find sources of a breach and stop new threats in their tracks.

Things are about to get a whole lot more difficult with compromised mobile devices joining the fray. Strategies to identify and stop sophisticated, multi-pronged APT attacks have been discussed; however coordinated implementation is far from straightforward. We live in interesting times.



Lokesh Kumar
K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

Shell Team Six:Zero Day After-Party (Part V)

Friday, April 10th, 2015

This is the fifth part of a six-part blog based on the paper submitted by my colleague Gregory and myself on Advanced Persistent Threats (APT), for AVAR 2014.

Continuing from the fourth part of our paper

Expanding Access and Strengthening Foothold

The device that falls first is usually not the primary target of the APT. This backdoored computer is instead used as a base to search and compromise more devices that likely contain credentials to other workstations, application servers, etc. The assailants move laterally within the network, gaining access to these machines, strengthening their foothold, all the while hunting for valuable target information which was the objective of the attack.

Expansion Methodology

The initial infected host connects back to a command and control (C2C) infrastructure controlled by the bad actors. It sends critical information such as password details, privileges of the currently logged user, mapped drive information, etc. and awaits further instructions. The following techniques are used by the attackers to expand their access:

Privilege Escalation

The attackers exploit privilege escalation vulnerabilities to escape the confines of a limited user’s account. The objective here is to gain “root” on the infected machine which enables them to perform tasks that require elevated privileges such as creating/deleting system services, accessing critical process’ memory space, mapping internal networks, etc.

Fig.13: Privilege escalation code used from the Council for Foreign Relations Watering Hole attack

Remote Exploitation

Malware components can exploit network vulnerabilities to compromise systems accessible in the local network. The Stuxnet malware exploited a 0day Print Spooler (CVE-2010-2729) remote code execution vulnerability to propagate itself into new machines.

Installing More Tools

During the initial compromise, the malware authors use custom zero-day code that exploits vulnerabilities in common applications. In the expansion stage of the APT though, to avoid having to re-write code, the bad actors tend to use standard tools.

These tools could include system utilities like PsExec [9], network packet sniffers like tcpdump [10], password extracting tools like gsecdump [11], Cain&Abel [12], etc.

Obtain Credentials

With the help of the tools installed, the attackers brute-force login credentials to workstations and servers that likely contain sensitive data.

They could establish remote desktop sessions to these machines and eventually make their way onto domain controllers that have unrestricted access to the entire network.  They then begin their hunt for the target data to be extracted, if they haven’t found it already, that is.

Indicators of Compromise

Once the assailants possess domain level credentials, their movement within the network resembles that of legitimate traffic and so becomes very difficult to track. The following behaviors on the other hand could indicate a compromise and are relatively easy to track:

Presence of Unwarranted Files

Unauthorized use of kernel modules to elevate ones privileges could imply a compromise. The presence of unapproved software, modified versions of existing drivers containing trojanized code, tools like port scanners, password crackers, network sniffers, etc. could also indicate a compromise.

Login Irregularities

Repeated failed login attempts using non-existent user accounts, successful login attempts to machines that deviate from established baseline logins, login activity at odd hours, etc. could mean something is amiss.

Anomalies in Security Settings

Unauthorized disabling of security software, tampering of exclusion lists in firewalls and Anti-Virus, even for a brief period of time, could indicate a compromise.

Anomalies in User Account Activity

Changes in behavior of a user account such as time of activity, type of information accessed, systems accessed, etc. could indicate a compromise.


Along with multi-factor authentication for sensitive accounts, updated Anti-Virus software that detects unwanted tools, a strong password policy, etc. the following solutions can be implemented to augment the network’s security:

Unified Extensible Firmware Interface (UEFI) and Secure-Boot

Privilege escalation attempts can be significantly reduced by using UEFI/secure-boot enabled machines that provide a level of trust from boot-up time.

Early Launch Anti-Malware (ELAM)

Security solutions with early loading components that are capable of detecting and blocking unauthorized kernel code should be installed throughout the network.

Click here to read the final part of this blog



Lokesh Kumar
K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

Shell Team Six:Zero Day After-Party (Part III)

Monday, February 23rd, 2015

This is the third part of a six-part blog based on the paper submitted by my colleague Gregory and myself on Advanced Persistent Threats (APT), for AVAR 2014.

Continuing from the second part of our paper…

Exploiting Popular Applications

Popular applications such as web browsers, word processors, etc. in an attempt to provide rich functionality, at times fail to handle untrusted data properly. The attackers probe these applications with a variety of mechanisms such as fuzzing, reverse-engineering, study of any stolen code, etc. in order to discover bugs that allow them to execute malicious code without any user interaction.

Lack of buffer boundary checks in the application’s code is exploited, critical memory area is over written to hijack the control flow of the program and  execute the attacker’s shell code.

Likewise, bugs in handling multiple references to the same object have lead to Use-After-Free class of vulnerabilities which after seeding memory areas with malicious code can be exploited to execute the attacker’s shell code.

Data Execution Prevention (DEP) Bypass

DEP is a security feature provided by the operating system to thwart buffer overflow attacks that store and execute malicious code from a non-executable memory location. The OS leverages the No-eXecute technology in modern day CPUs to enforce hardware assisted DEP that prevents memory areas without explicit execute-privilege from executing. Attempts to transfer control to an instruction in a memory page without execute-privilege will generate an access fault, thereby rendering the attack ineffective.

Bypassing the DEP feature in a process involves locating already existing pieces of executable code from process memory space and manipulating them to use attacker controlled data to achieve arbitrary code execution. This is accomplished using one of the following techniques:

  • Return-to-libc
  • Branch Oriented Programming (BOP)
    • Return Oriented Programming (ROP)
    • Jump Oriented Programming (JOP)


This evasion technique involves replacing the return address on the call stack with that of an existing routine in a loaded binary. The parameters/arguments that are passed to such routines are controlled by the exploit data strategically placed on the stack.  A system function like WinExec() can be invoked to load and run a malicious component without running non-executable exploit data.

Fig.6: The stack layout when using return-to-libc attack to invoke system() in GNU Linux (32-bit).

Branch Oriented Programming

This bypassing method involves an attacker gaining control of the call stack and executing carefully stitched pieces of executable code called “gadgets”. These gadgets contain one or two instructions which typically end in a return instruction (ROP) or a jump instruction (JOP) and are located in a subroutine within an existing program or a shared library. Chained together, these gadgets allow an attacker to perform arbitrary operations on a machine.

Fig.7: ROP gadget execution sequence based on exploit controlled stack layout

Address Space Layout Randomization (ASLR) Bypass

In order to thwart BOP attacks, the concept of randomizing executable code locations, by randomizing the base address of the loaded binary, on every system reboot was introduced. This security measure known as ASLR made it difficult for the attacker to predict where the required gadget sequence resides in memory. However, APTs have been observed bypassing this protection using the following techniques:

Loading Non-ASLR modules

Dynamic-Link Libraries compiled without the dynamic-base option cannot take advantage of the protection offered by ASLR and as a result, are usually loaded at a fixed memory space. For example, Microsoft’s MSVCR71.DLL shipped with Java Runtime Environment 1.6 is usually loaded at a fixed address in the context of Internet Explorer making it easy to construct the required gadget chain in memory.

Fig.8: An ASLR incompatible version of MSVCR71.dll

DLL Base Address calculation via Memory Address Leakage

This technique involves determining the base address of any loaded ASLR-compatible DLL based on any leaked address of a memory variable or API within that DLL. Based on the address of this known entity, the relative addresses of all the required gadgets can be calculated and a ROP attack constructed.

Attack techniques such as modifying the BSTR length or null termination allows access to memory areas outside the original boundaries, leading to the memory address of known items being revealed to the exploit code. This can then be used to pinpoint the DLL’s location to use ROP gadgets within it. Array() object also has a length component that can be overwritten to leak memory addresses beyond its bounds.

Browser Security Bypass

Leveraging the operating system’s security, popular web browsers run certain parts of their code, JavaScript execution and HTML rendering for example, as a sandboxed background process. This process runs with limited privileges and has restricted access to the file system, network, etc.  A master controller acting as an intermediary interacts with the user and manages these sandboxed processes. By using this master-slave architecture and providing a controlled environment, users are protected from exploit attempts by limiting a shell code’s capability to access host system resources and confining its damage to within the sandbox.

Since these browsers rely on the operating system’s security model, exploiting unpatched kernel vulnerabilities will result in the malicious code escaping its confined environment. The infamous Duqu malware relied on vulnerability (CVE-2011-3402) in the Win32k.sys driver that improperly handles specially crafted True Type Font (TTF) files. This allowed the malware to escape a user-mode sandboxed environment implemented by the Microsoft Word process and compromise the host.

Fig.9: Vulnerable code snippet from win32k.sys that lead to the Duqu TTF exploit

Enhanced Mitigation Experience Toolkit (EMET) Bypass

EMET is a Microsoft tool that provides additional security to commonly-exploited third-party applications such as web browsers, word processors, etc. It extends the operating system’s protection mechanisms to these vulnerable applications and makes exploitation attempts extremely difficult.

The following table lists the protections offered by EMET and known bypassing techniques [4]:

Click here to read the fourth part of this blog


Lokesh Kumar
K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

Shell Team Six:Zero Day After-Party (Part I)

Wednesday, January 21st, 2015

This is the first part of a six-part blog based on the paper submitted by my colleague Gregory and myself on Advanced Persistent Threats (APT), for AVAR 2014. This first part introduces the reader to the different phases of an APT and discusses the methodology, prevention and detection techniques of the initial phase of an attack in detail.

The IT security industry is faced with the challenge of dealing with old invasion tactics that have been reborn in new avatars as Advanced Persistent Threats (APTs). APT attacks are tenacious at pursuing their targets and are played out in stages, possibly over a long period of time. With financial backing from state actors and criminal rings, APTs tend to be compound, sophisticated and difficult to detect. Each facet of the intrusion, in an idealist scenario, may be refined to such an extent that the end goal is achieved without a trace before, during or after the event.

Despite the complexity of these types of attacks, certain parameters always need to be satisfied to deliver the payload and retrieve the expected results, leading to the emergence of an attack pattern which may be placed under the microscope and flagged. These parameters include executing arbitrary code by invoking zero-day exploits for popular software, defeating security measures such as DEP & ASLR, e.g. via heap spray and ROP/JOP chains, exploiting EoP vulnerabilities, establishing remote C&C communication channels to issue commands or to exfiltrate stolen data in encrypted form, etc.

Drawing on evidence from documented real-world case studies, this paper details techniques that assist an assailant during the different phases of an APT, bypassing protection mechanisms like application-sandboxing, EMET, IDS, etc. thus attempting to fly under the defense radar at all times. Equipped with this information, we hope to explore methods of discovering each part of the life-cycle of a targeted attack as it is in progress or in the post mortem, thus reducing their efficacy and impact.


“If you know your enemies and know yourself, you will not be imperiled in a hundred battles… if you do not know your enemies nor yourself, you will be imperiled in every single battle.” Sun Tzu

As technologies implemented in organizations are becoming advanced, the threats are rapidly evolving too. Through tenacious and coordinated attacks on one’s infrastructure, APTs are able to infiltrate and overwhelm the organization.

The threat landscape has changed. But the general principles of war remain the same.  Knowing the modus-operandi of your faceless attackers helps one evaluate, and harden one’s security measures, and gear up towards facing the attackers head on.  This paper aims to help you do just that.

APT Life-Cycle

The stages of an APT can broadly be classified as follows:

•   Target reconnaissance
•   Initial compromise
•   Expanding access and strengthening foothold
•   Data exfiltration and cleanup


 Target Reconnaissance

The reconnaissance phase of a targeted attack sets the stage for the rest of the threat campaign and therefore involves a high degree of planning. The perpetrators spend significant amounts of time learning about their target, collecting as much information as possible about the human, physical and virtual resources of the organization. The intelligence garnered during this stage not only helps the assailants determine key points of entry into the target network but also empowers them to navigate the victim’s network once inside more effectively & efficiently.

Reconnaissance Methodology

The target’s virtual network is plotted using publicly available resources. These resources include:

•   DNS records
•   WHOIS information
•   Email messages
•   Inadequately protected network logs
•   Misconfigured servers, etc.

The organizational structure is also studied to determine employees and their organizational access levels, using social media, search engines and the target’s own website. Profile intelligence gathered could include potential passwords, personal and official email addresses, whether the user is a regular employee, a SOHO user, or a contractor.

Based on this harvested intelligence the infrastructure needed for the attack will be acquired, the course of action to successfully execute the campaign will be determined & evasion techniques that could be followed during the attack will be planned. New domains may be registered, command and control servers set up, exploits crafted, vulnerable employees identified, custom social engineering schemes plotted for these target employees, malicious files created, etc.
Recently, US airport workers from over 75 airports were targeted via malicious emails based on information such as their names, titles, and email addresses that were harvested via publicly-available documents [1].

Fig.1 shows how a simple search engine query can divulge information like emails exchanged between personnel in public forums which may seem innocuous, but can be used to launch a spear phishing attack. Popular mailing lists mask this sensitive information to avoid it from being scraped and abused by bots. Valid users on the other hand are allowed access after solving a simple CAPTCHA.

Fig.1: Search result revealing email addresses and other information about employees of an organization.


Most of the intelligence collected by the assailants during this stage is publicly available and in general doesn’t involve the attackers touching any of the internal systems. Information that was gathered from previous APT campaigns but applicable to the current one could also be reused. This makes detecting an APT during these early stages of the attack challenging.

Usual best security practices such as conducting periodic penetration tests, hardening the applications & the operating systems, etc. are still relevant, but these measures by themselves don’t stand a chance against this adversary.

Organizations should take care to both restrict the amount of information that is flowing outside and be aware of publicly available sensitive information which could potentially be used against them.

Profile Scraper

Automated bots can be used to collect publicly available information on the company, the employees, etc. from popular social networking sites and search engines, etc. The data collected can automatically be analyzed for potential sensitive leaks.

Honey Profiles

Fake profiles at different organizational levels meant to be trip wires can be set up on popular social networking sites and connection attempts and profile hits can be analyzed. This could allow organizations to both recognize if they are being targeted and predict which individual or group of individuals are being targeted.

Click here to read the second part of this blog.


Images courtesy of

Lokesh Kumar
Manager, K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: (Part 3)

Thursday, October 9th, 2014

This is the final part of a three-part blog based on my paper for AVAR 2012 that discusses the security challenges involved in adopting two relatively new technologies, namely, Internet Protocol Version 6 and Internationalized Domain Names.

Continuing from the second part of my paper..

Social Engineering. Malware authors/Spammers/Phishers who now have a larger character set to play with are likely to register domains resembling an original site to trick users into divulging information.

Fig.10 below shows the domain information for and an IDN equivalent. Considering that the name servers, the e-mail address used to register the domain, etc, do not match, even security savvy users are likely to find it tricky to validate a URL from such IDNs before visiting it.

Fig.10: whois information on the original and the squatted IDN version

Thanks to social networking sites like Facebook, twitter etc., which enable instant sharing of information among millions of users from different backgrounds, uncommon URLs could invoke a click from curious users even if they don’t recognise the character set. Malware campaigns such as these, though short lived, could still cause enough damage globally.

Fig.11: Representative example of an attack based on socially engineered IDNs

Matching Incongruence

URL scanners could focus more on consistency or the lack thereof while dealing with phishing and malware related URLs arriving from IDNs. Language mismatch between the message body of the e-mail and the URL, or the URL and the contents of the page that the URL points to, can be deemed suspicious.

Restrictions may be imposed on visiting IDNs which don’t match a user-defined list of allowed languages. Similarly, domains created by combining visually similar characters from different character sets can also be curbed. Popularly known as a Homograph attack, most common browsers already defend users against such threats. While this protection is only limited to within the browser, it can be extended to protect e-mail, social networking and other layers as well [12].

Fig.12 below shows two domains, one created entirely using the Latin character set and the other using a combination of Latin and Cyrillic character sets. Though both domains visually appear to be similar, their Puny Code representation proves otherwise.

Fig.12: Example of two visually similar domains and their Puny Code representation [13]

Security vendors could also continue existing practices of assigning a poor reputation to domains that originate from certain high-risk countries. Such domains are usually created due to nonexistent or inadequate cyber laws in the host country, which result in malware authors abusing them. Reputation can also be assigned to registrars of IDNs based on their commitment to handling abuse reports, enforcement and verification of registrant details, ease of registering domains in bulk, etc.

A solution to address the e-mail spam problem could involve creating a white list of registered mail servers. The project, for example, works on the assumption that all computers send out spam, unless they have been previously registered on the white list [14]. In addition, since there are few mail servers catering to a significantly large user base, one could argue that e-mail could continue using IPv4, which could breath new life into the practice of IP blacklisting, at least for e-mail spam.

There is a Certainty in Uncertainty

The implications of the transition from IPv4 to IPv6, and the introduction of IDNs, are bound to be of major significance to the Internet infrastructure. These changes engender the continuous growth of the Internet by accommodating an increasing number of inter-connected devices, and variegated foreign languages.

As with any change, given the absence of a crystal ball, the move to these new technologies involves risk.Without doubt spammers, phishers and malware authors, seeking to make a quick buck, will exploit the larger attack surface provided by a vastly increased IP address space and language diversity via IDNs. We in the AV industry must take cognizance of this to determine the security implications and forge robust solutions.

As discussed in this paper, the new technologies will put pressure on current methods to counter spam, phishing and malicious URLs, especially where reputation is of prime importance. Fortunately, AV vendors have generally been able to adapt to the regular inflow of new issues, with new responses for these constantly on the anvil.

The changes about to be witnessed and the solutions proposed are likely to have security companies relying heavily on aggressive heuristics and policy-based restrictions, which could increase the number of false positives. However in corporate environments, rules can be configured to suit the risk appetite of the user in question.

Things are about to get a whole lot more difficult. However, greater vigilance, user education, and as ever, timely security industry data sharing, will help in controlling the fallout. The challenge is indeed a major one, but it is certainly not insurmountable.

[13] Information on
[14] Information on

Lokesh Kumar
K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: