These are quick first looks and trend and threats


Read More >>
Written by the security and AV professionals from team K7, meant for the general audience
Read More >>
These are usually articles that go into internals of a virus or deal with security issues
Read More >>
Senior managers speak on areas of interest to them, inside and outside the industry
Read More >>

Archive for the ‘Tech articles’ Category

Shell Team Six:Zero Day After-Party (Part I)

Wednesday, January 21st, 2015

This is the first part of a six-part blog based on the paper submitted by my colleague Gregory and myself on Advanced Persistent Threats (APT), for AVAR 2014. This first part introduces the reader to the different phases of an APT and discusses the methodology, prevention and detection techniques of the initial phase of an attack in detail.

The IT security industry is faced with the challenge of dealing with old invasion tactics that have been reborn in new avatars as Advanced Persistent Threats (APTs). APT attacks are tenacious at pursuing their targets and are played out in stages, possibly over a long period of time. With financial backing from state actors and criminal rings, APTs tend to be compound, sophisticated and difficult to detect. Each facet of the intrusion, in an idealist scenario, may be refined to such an extent that the end goal is achieved without a trace before, during or after the event.

Despite the complexity of these types of attacks, certain parameters always need to be satisfied to deliver the payload and retrieve the expected results, leading to the emergence of an attack pattern which may be placed under the microscope and flagged. These parameters include executing arbitrary code by invoking zero-day exploits for popular software, defeating security measures such as DEP & ASLR, e.g. via heap spray and ROP/JOP chains, exploiting EoP vulnerabilities, establishing remote C&C communication channels to issue commands or to exfiltrate stolen data in encrypted form, etc.

Drawing on evidence from documented real-world case studies, this paper details techniques that assist an assailant during the different phases of an APT, bypassing protection mechanisms like application-sandboxing, EMET, IDS, etc. thus attempting to fly under the defense radar at all times. Equipped with this information, we hope to explore methods of discovering each part of the life-cycle of a targeted attack as it is in progress or in the post mortem, thus reducing their efficacy and impact.

Introduction

“If you know your enemies and know yourself, you will not be imperiled in a hundred battles… if you do not know your enemies nor yourself, you will be imperiled in every single battle.” Sun Tzu

As technologies implemented in organizations are becoming advanced, the threats are rapidly evolving too. Through tenacious and coordinated attacks on one’s infrastructure, APTs are able to infiltrate and overwhelm the organization.

The threat landscape has changed. But the general principles of war remain the same.  Knowing the modus-operandi of your faceless attackers helps one evaluate, and harden one’s security measures, and gear up towards facing the attackers head on.  This paper aims to help you do just that.

APT Life-Cycle

The stages of an APT can broadly be classified as follows:

•   Target reconnaissance
•   Initial compromise
•   Expanding access and strengthening foothold
•   Data exfiltration and cleanup

 

 Target Reconnaissance

The reconnaissance phase of a targeted attack sets the stage for the rest of the threat campaign and therefore involves a high degree of planning. The perpetrators spend significant amounts of time learning about their target, collecting as much information as possible about the human, physical and virtual resources of the organization. The intelligence garnered during this stage not only helps the assailants determine key points of entry into the target network but also empowers them to navigate the victim’s network once inside more effectively & efficiently.

Reconnaissance Methodology

The target’s virtual network is plotted using publicly available resources. These resources include:

•   DNS records
•   WHOIS information
•   Email messages
•   Inadequately protected network logs
•   Misconfigured servers, etc.

The organizational structure is also studied to determine employees and their organizational access levels, using social media, search engines and the target’s own website. Profile intelligence gathered could include potential passwords, personal and official email addresses, whether the user is a regular employee, a SOHO user, or a contractor.

Based on this harvested intelligence the infrastructure needed for the attack will be acquired, the course of action to successfully execute the campaign will be determined & evasion techniques that could be followed during the attack will be planned. New domains may be registered, command and control servers set up, exploits crafted, vulnerable employees identified, custom social engineering schemes plotted for these target employees, malicious files created, etc.
 
Recently, US airport workers from over 75 airports were targeted via malicious emails based on information such as their names, titles, and email addresses that were harvested via publicly-available documents [1].

Fig.1 shows how a simple search engine query can divulge information like emails exchanged between personnel in public forums which may seem innocuous, but can be used to launch a spear phishing attack. Popular mailing lists mask this sensitive information to avoid it from being scraped and abused by bots. Valid users on the other hand are allowed access after solving a simple CAPTCHA.

Fig.1: Search result revealing email addresses and other information about employees of an organization.

Prevention/Detection

Most of the intelligence collected by the assailants during this stage is publicly available and in general doesn’t involve the attackers touching any of the internal systems. Information that was gathered from previous APT campaigns but applicable to the current one could also be reused. This makes detecting an APT during these early stages of the attack challenging.

Usual best security practices such as conducting periodic penetration tests, hardening the applications & the operating systems, etc. are still relevant, but these measures by themselves don’t stand a chance against this adversary.

Organizations should take care to both restrict the amount of information that is flowing outside and be aware of publicly available sensitive information which could potentially be used against them.

Profile Scraper

Automated bots can be used to collect publicly available information on the company, the employees, etc. from popular social networking sites and search engines, etc. The data collected can automatically be analyzed for potential sensitive leaks.

Honey Profiles

Fake profiles at different organizational levels meant to be trip wires can be set up on popular social networking sites and connection attempts and profile hits can be analyzed. This could allow organizations to both recognize if they are being targeted and predict which individual or group of individuals are being targeted.

Click here to read the second part of this blog.

References:
1] http://www.seculert.com/blog/2014/07/extended-apt-campaign-targeted-us-airports.html

Images courtesy of google.com

Lokesh Kumar
Manager, K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed/

https://icann-deal.with.it (Part 3)

Thursday, October 9th, 2014

This is the final part of a three-part blog based on my paper for AVAR 2012 that discusses the security challenges involved in adopting two relatively new technologies, namely, Internet Protocol Version 6 and Internationalized Domain Names.

Continuing from the second part of my paper..

Social Engineering. Malware authors/Spammers/Phishers who now have a larger character set to play with are likely to register domains resembling an original site to trick users into divulging information.

Fig.10 below shows the domain information for baidu.com and an IDN equivalent. Considering that the name servers, the e-mail address used to register the domain, etc, do not match, even security savvy users are likely to find it tricky to validate a URL from such IDNs before visiting it.

Fig.10: whois information on the original baidu.com and the squatted IDN version

Thanks to social networking sites like Facebook, twitter etc., which enable instant sharing of information among millions of users from different backgrounds, uncommon URLs could invoke a click from curious users even if they don’t recognise the character set. Malware campaigns such as these, though short lived, could still cause enough damage globally.

Fig.11: Representative example of an attack based on socially engineered IDNs

Matching Incongruence

URL scanners could focus more on consistency or the lack thereof while dealing with phishing and malware related URLs arriving from IDNs. Language mismatch between the message body of the e-mail and the URL, or the URL and the contents of the page that the URL points to, can be deemed suspicious.

Restrictions may be imposed on visiting IDNs which don’t match a user-defined list of allowed languages. Similarly, domains created by combining visually similar characters from different character sets can also be curbed. Popularly known as a Homograph attack, most common browsers already defend users against such threats. While this protection is only limited to within the browser, it can be extended to protect e-mail, social networking and other layers as well [12].

Fig.12 below shows two domains, one created entirely using the Latin character set and the other using a combination of Latin and Cyrillic character sets. Though both domains visually appear to be similar, their Puny Code representation proves otherwise.

Fig.12: Example of two visually similar domains and their Puny Code representation [13]

Security vendors could also continue existing practices of assigning a poor reputation to domains that originate from certain high-risk countries. Such domains are usually created due to nonexistent or inadequate cyber laws in the host country, which result in malware authors abusing them. Reputation can also be assigned to registrars of IDNs based on their commitment to handling abuse reports, enforcement and verification of registrant details, ease of registering domains in bulk, etc.

A solution to address the e-mail spam problem could involve creating a white list of registered mail servers. The Ipv6whitelist.eu project, for example, works on the assumption that all computers send out spam, unless they have been previously registered on the white list [14]. In addition, since there are few mail servers catering to a significantly large user base, one could argue that e-mail could continue using IPv4, which could breath new life into the practice of IP blacklisting, at least for e-mail spam.

There is a Certainty in Uncertainty

The implications of the transition from IPv4 to IPv6, and the introduction of IDNs, are bound to be of major significance to the Internet infrastructure. These changes engender the continuous growth of the Internet by accommodating an increasing number of inter-connected devices, and variegated foreign languages.

As with any change, given the absence of a crystal ball, the move to these new technologies involves risk.Without doubt spammers, phishers and malware authors, seeking to make a quick buck, will exploit the larger attack surface provided by a vastly increased IP address space and language diversity via IDNs. We in the AV industry must take cognizance of this to determine the security implications and forge robust solutions.

As discussed in this paper, the new technologies will put pressure on current methods to counter spam, phishing and malicious URLs, especially where reputation is of prime importance. Fortunately, AV vendors have generally been able to adapt to the regular inflow of new issues, with new responses for these constantly on the anvil.

The changes about to be witnessed and the solutions proposed are likely to have security companies relying heavily on aggressive heuristics and policy-based restrictions, which could increase the number of false positives. However in corporate environments, rules can be configured to suit the risk appetite of the user in question.

Things are about to get a whole lot more difficult. However, greater vigilance, user education, and as ever, timely security industry data sharing, will help in controlling the fallout. The challenge is indeed a major one, but it is certainly not insurmountable. we.can.deal.with.it

References:
[12] http://en.wikipedia.org/wiki/IDN_homograph_attack#Defending_against_the_attack
[13] Information on http://en.wikipedia.org/wiki/IDN_homograph_attack
[14] Information on http://www.ipv6whitelist.eu

Lokesh Kumar
K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed/

https://icann-deal.with.it (Part 2)

Thursday, September 4th, 2014

This is the second part of a three-part blog based on my paper for AVAR 2012 that discusses the security challenges involved in adopting two relatively new technologies, namely, Internet Protocol Version 6 and Internationalized Domain Names.

Continuing from the first part of my paper…

Internet Metamorphosis

The Internet is witnessing a critical phase in the transition from an old technology to a new one, and users must understand the security implications involved. These implications could manifest themselves either during the implementation stage or after.

Tunnel Vision. IP tunnelling implementation involves encapsulating the IPv6 packets into IPv4, which is similar to creating a Virtual Private Network (VPN). Teredo, for example, is a tunnelling protocol that is installed by default on Windows Vista and Windows 7 operating systems, and provides IPv6 connectivity to a native IPv4 device [7].

Fig.4: Example of tunnelled IPv6 traffic[8]

Since the IPv6 contents are disguised inside the IPv4 packets, most security devices struggle to analyse and detect them. This in turn opens the door for attacks when these tunnels are used to transport malware.

There have been known instances of malware which enable IPv6 on a compromised host to communicate with its creator using these IP tunnels. The fact that IPv6 is enabled by default on most new operating systems makes it easier for malware to spread without being noticed. The infamous Zeus, for example, is known to support IPv6 from early 2010 onwards. This malware not only boasts of having the capability to sniff IPv6 traffic, but also supports an IPv6 Peer-to-Peer network [9].

Stack ’em Up. Dual Stack Implementation involves running both IPv4 and IPv6 in parallel, with one protocol taking preference over the other. Communication is done using the preferred protocol first, failing which it is retried using the secondary protocol.

Fig.5: Example of dual stack traffic[8]

Considering that communications happen natively either in IPv4 or in IPv6, and that both protocols co-exist in the network, until sufficient machines become IPv6 compliant, at which point IPv4 can be pensioned off, this is the preferred method of transition.

To NAT or Not. Network Address Translation (NAT) is a technique that allows multiple devices within an internal network to get online by sharing a single public IP address. This public IP address would be provided to a router at the gateway level, which in turn directs traffic to machines inside the network that use non-routable IP addresses.

On a small scale, NAT is used within a Small Office Home Office (SOHO) environment, and on a large scale, often referred to as Carrier Grade NAT (CGN), it is used by ISPs who have a limited number of IPv4 addresses.

Fig.6: Simple implementation of NAT within a SOHO environment

Apart from cutting down on the number of routable IPv4 addresses used, this technology also provided a certain degree of privacy and security to the users in the internal network. Automated port scans and information gathering attempts are deterred at the gateway, and would only succeed from inside the private network.

The gargantuan number of addresses available in IPv6 means that ISPs could technically do away with NAT, and assign a static IP address to each of its users, and yet never run out of addresses in the foreseeable future.

While this would promote end to end connectivity, which was how the Internet was originally envisaged, it could also open up the flood gates of machines which were never previously directly connected to the Internet, for now they would be vulnerable to prying eyes and groping hands.

The silver lining, however, is that since an IPv6 address can now be mapped to each user, tracking down malicious traffic & the victims of a malware incident also becomes easier. It could be a boon or a bane, depending on how one perceives it.

The Whois Who of Malware URLs , Phishing & Spam

Over the years as communication media within the Internet expanded from e-mails to other forms such as instant messaging, forums, blogging, social networking, etc., spammers followed suit with campaigns targeting these channels. These campaigns include the relatively innocuous comment spam posted in blogs/forums, Pump ’n Dump scams, attempts to sell Viagra and the like, phishers vying for sensitive user information, and malware related spam which go for the jugular.

The current volume of spam received via various communication channels is kept to a minimum thanks to a combination of techniques which involves, but is not limited to, content based and list based filtering. Given the plethora of malware URLs and spam messages disseminated everyday, most of this filtering is done using automated systems.

Fig.7 below shows a steady rise in the number of malware/phishing URLs for the first half of the year 2012

Fig.7: Number of malicious URLs crawled by K7 from January 2012 to June 2012 [10]

Content Based Filtering. This works on analyzing different characteristics of a message or a URL. For example, messages with keywords such as Viagra, Rolex, etc, somewhere in the MIME envelope could automatically be declared as spam. Similarly, a URL with words like PayPal or Facebook in the sub-domain component, combined with a recently registered domain name having a minimum validity can be deemed suspicious. However, when these keywords are represented in another language, automated content based filtering could become more challenging since we would now have to recognise the representation of a keyword in as many different character sets or Puny Code equivalents, as possible.

List Based Filtering. This aims to assign a reputation to the source of the e-mail message or the URL. For example, when a stream of messages detected as spam originates from a single IP address, that address may then be assigned a bad reputation, and would go into a blacklist. Similarly, a malicious domain or IP could go into this list.

Subsequent messages from a blacklisted IP address would automatically be labeled as spam & dropped when e-mail servers query the blacklist in real time. Likewise, URLs containing blacklisted domains or IP addresses would also be blocked as malicious.

Fig.8: One blacklisted IP address used to both send spam and host malware [10]

Once a domain/IP address gets blacklisted, the attacker shifts to a new address from which to send the spam or on which to host malware until that gets blacklisted too. They do this by either releasing and renewing their IP from their service provider, if the machine used to send the spam or host the malware is physically owned and controlled by them, or by selecting a new bot, a machine from their botnet consisting of many infected machines, from which to send the spam vicariously or to host malware on the attacker’s behalf.

On an IPv4 network the attacker has a theoretical maximum of only 4 billion addresses to cycle through. This number increases manifold within an IPv6 network. The increase in the number of domain names, due to the introduction of IDNs, is also likely to add to the blacklist woes, especially when these domains originate from an IPv6 network.

Fig.9 below shows the steady rise in the number of IDNs in the first half of the year 2012. Though currently small, the numbers are expected to increase significantly over time.

Fig.9: Number of malicious IDNs crawled by K7 from January 2012 to June 2012 [10]

Another problem with respect to blacklists is the amount of disk space occupied by these lists and the time taken to look them up. Even in the case of the relatively impoverished IPv4, assuming that all 4 billion addresses get blacklisted, a flat CSV file containing all these addresses occupies a minimum of approximately 60 Gigabytes of disk space on a Unix platform [11]. Consider further the amount of time taken in creating, maintaining, and querying such a big database in real time. Such a system would be nigh on unworkable for IPv6.

Click here to read the third part of this blog.

References:
[7] Information on http://www.us-cert.gov/reading_room/IPv6Malware-Tunneling.pdf
[8] Information on http://www.cybertelecom.org/dns/ipv6_transition.htm
[9] https://blog.damballa.com/archives/438
[10] Internal data
[11] http://www.circleid.com/posts/digging_through_the_problem_of_ipv6_and_email_part_1

Lokesh Kumar
K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed/

Volume III: Who aM I? Confessions of an Obfuscated JS Worm

Friday, March 28th, 2014

This is volume III (…a lengthy one…) of a three part series based on our (Kaarthik RM and Rajababu A) paper for AVAR 2013, discussing the prevalence of autorun malware in the Asian region, taking it further by analyzing an example of such a malware

Carrying on from where we left off earlier…

How Do I Do It?: Obfuscation and Encryption, Immediate-Invocation Techniques

This Java Script worm employs heavy obfuscation, encryption and immediate-invocation techniques to protect itself from prying eyes. This reduces readability by a large extent

Figure 1: Image Showing a Single Line of Script with Around 40K Characters

From the screenshot above it is evident that the script contains just one line of forty four thousand and odd characters

The script heavily uses some random strings for variable names, sized at 7-9 characters they seem to be uniform but are not. In the function expression, the four variable parameters are unique, their first three characters and the last two characters are the same with random characters filled in between.

Formatting the above script (as shown in Figure 1) using tools like Malzilla1, introduces some readability into the script. Note that the function expression is enclosed within parentheses and once the expression ends another set of parentheses encloses a large string (encrypted string in our case).  This form of invoking a function without explicitly calling it is widely called as ‘self-executing anonymous functions3’ or ‘Immediately-Invoked Function Expression2

Below is the first level of obfuscation in the script:

Figure 2: Obfuscated Script with Simple Formatting Applied

This worm deploys its script as a ‘self-executing anonymous function’ / ‘Immediately-Invoked Function Expression.’ To understand this better consider the below example:

Figure 3: Normal Function

The above shows a normal function expression and how it is invoked.

Now consider this:

Figure 4: Immediately-Invoked Function Expression

Here the expression and invocation happen simultaneously. The function expression here is immediately invoked by introducing the argument along with the expression as:

Figure 5: Expression and Argument

The expression is highlighted in red and the argument in green. The underlining factor here is that this function doesn’t need an implicit invocation to get initiated. The code as shown in Figure 2 has just a single function expression with four parameters. The actual arguments are however found within the last parentheses, the function decrypts these encrypted strings into another script as shown in Figure 6:

Figure 6: Second Level of Decryption

This first level of decrypted code is again an immediately invoked function. This would again get decrypted into another script and an array of strings.

Figure 7: Screenshot Showing Array Values Being Referenced

This second level of decrypted script refers to array of values from 0-380; these values are referenced from the array ref Figure 8.

Figure 8: Array of Strings Showing What Will be Referenced in the Script

Applying the appropriate array values in the script made it more readable. One can conclude that this was done to avoid readability.

Figure 9: Final Script with Array Values Replaced

The script in Figure 7 turns into the above shown script (Figure 9) once we substitute the array values in the script. As seen from the screenshot it is clear that the worm is trying to extract several classified user information from “Winmgmts” object.

Apart from the above, the script also uses a lot of size optimization techniques. For instance it uses exponent form to reference large numbers and “!0” for true and “!1” for false This can be seen in the code snippet shown in Figure 10.

Figure 10: Optimization Used in Code

How I Own You?:  Command and Control Module

For a script based malware, ProsLikeFan boasts of quite complex C&C functionalities. Once the script is deployed it can keep checking the C&C server regularly for any commands. Below is a screenshot containing the C&C commands found in the malicious script:

Figure 11: Command and Control Module

The commands include: “u”, “d”, “b”, “redu”, “fbl”, “fbc”, “hp”, “fbf”, “e”, “r” and “dns.”

The command “u” is to update the virus itself or update the C&C with any new changes in the victim’s computer. Command “d” can be used to download a file from a specified URL, while the command “r” can be used to run any executable in the victim’s computer. When used in conjunction these commands can download a file and run it in the victim’s computer. This could possibly download other malware from any location.

The next set of commands target the popular social networking site Facebook “fbl”, “fbf” and “fbc” that can be used to like a Facebook page, become a fan of a Facebook page and send out chat message on a Facebook chat respectively.

Apart from this there are commands to perform other activities like setting the Homepage of Internet Explorer, modifying the DNS settings of the victim’s computer, etc.

A botnet of such infected machines would provide a perfect framework that can be used by other perpetrators who wish to infect the victims with their own bunch of malware. The administrator of the ProsLikeFan botnet can provide it as a service to anyone who wishes to attack unsuspecting victims. Most cases of infection that were reported back to the lab had instances of other malware infections found in the victim’s machine.

This Is Me!: Conclusion

Though the worm’s activity may seem nothing out of ordinary, it is necessary to analyze why the worm achieves this using unconventional methods. Like using a JavaScript based worm to infect a victim and make him part of a botnet. This may be because non-PE format introduces a level of freedom when the attacker needs to modify a specific module in the script. It can be freely spammed out via email unlike executable which would get filtered out. Initial versions of this worm had just one level of encryption, and then it went on to being a multi-level obfuscated script. Text files unlike PE binaries do not have a fixed structure, making detection a bit more complex. Even then they are detectable.

THE END

References:

1. http://malzilla.sourceforge.net

2. http://benalman.com

3. http://markdalgleish.com

4. “Fans Like Pro, Too” – Peter Ferrie, Virus Bulletin, Sep’13

Kaarthik RM & Raja Babu A
K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed/

Volume I: Who aM I? Confessions of an Obfuscated JS Worm

Friday, March 14th, 2014

This is volume I of a three part series based on our (Kaarthik RM and Rajababu A) paper for AVAR 2013, discussing the prevalence of autorun malware in the Asian region, taking it further by analyzing an example of such a malware

To Brief it Out…

The Autorun Worm: an infection that uses an antiquated mechanism to make itself prevalent, especially in the Asian region. Even though the Autorun or Autoplay feature was deprecated by Microsoft quite some time ago, it is still actively exploited in the wild. For instance an autorun worm, widely known as ProsLikeFan, has been spreading like wildfire. Most interestingly, this isn’t your traditional Win32 PE binary, but a highly obfuscated JavaScript. This worm is certainly not the handiwork of a script-kiddy.

Beneath several layers of obfuscation lies a WMI malware which can retrieve users’ system information and post this information to a C&C server, and invites other malware to the host machine at the behest of the remote attacker.

This paper will discuss the reasons why autorun-related malware are very prevalent in the Asian region, the Indian sub-continent in particular. We will also focus on a technical dissection of the afore-mentioned JavaScript malware, cover its lifecycle its geographical prominence and will also include a brief take on its C&C network.

Autorun & Its Prevalence

An autorun worm uses the now deprecated feature: Autoplay, to initiate malicious executables from removable drives. This exploit’s target vector has a wider coverage, owing to the fact that removable drives or pen drives have become the most popular method for quick data transfer by physical media.

Autorun worms have had higher success ratio in the Asian region. A closer look at the infection ratio of worms in the Asian region would give us a better insight on the above mentioned fact. Figure 1 given below shows worm infections as a percentage of the total infections in the Asian region.

Figure 1: Worm Infection Rate

The world over average for worm infections is 17.5% as shown in the above graph. This is with respect to data from Microsoft’s Security Intelligence Report 1. It is evident from the graph above that in India almost 40% of the infections seem to be worm related.

Figure 1.1 displayed below provides the breakup of the Worm related malware.

Figure 1.1: Breakup of Worms Based on K7 Threat Control Lab’s internal Telemetry

From the chart above, it is clear that autorun malware dominates the infection ratio of the worm category. One must consider that families like Vobfus, Gamarue etc. also employ the autorun technique to improve their infection vector. Though most of the above mentioned worm families are all Win32PE types, it is interesting to note that there is an increase in the Non-PE category of worms. For instance ProsLikeFan, as it is commonly known, is a JavaScript malware that is on the rise.

Figure 1.2: Software Piracy Rates According to BSA Global 2

The reason autorun malware thrives in India (according to Figure 1.2) is due to the fact that software piracy is still at large, this rules out timely security updates. Also a very small percentage of the computer users in India are broadband internet users, this again widens the target. It is evident that only a very small percentage of computer users would have the update from Microsoft that deprecated the autorun mechanism for removable drives.

To Volume II…

1. http://www.microsoft.com/security/sir/threat/default.aspx#asia
2. http://globalstudy.bsa.org/2011

Images courtesy of host.nacdnet.org and openclipart.org

Kaarthik RM & Raja Babu A
K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed/

K7 URL scanner now in VirusTotal

Friday, April 20th, 2012

K7TCL is proud to announce that our partnership with VirusTotal has just become stronger. Our file scanner has been on VT for ages, but we have just recently included our URL-scanning capabilities on the VirusTotal site.

We would like to take this opportunity to commend the guys at VT for their diligent work, and we very much look forward to continuing to foster our relationship with them.

Samir Mody/Lokesh Kumar
K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed

Beware Who Hosts Your Holiday

Friday, December 23rd, 2011

We recently came across an Indian holiday booking site which appears to be serving up a copy of an old malware. Shown below is the screen shot of the site in discussion:

A quick look at the source code for the page shows an encoded binary file embedded in a VBScript:

Visiting this site with a poorly configured Internet Explorer browser will lead to the above script being rendered. The encoded file in turn is decoded and a malicious file named svchost.exe is dropped onto the user’s computer and is executed.

The malicious executable is an infamous file infector named Win32.Ramnet and detection for this executable has been around for more than a year now. This seems to suggest that the machine hosting the website has either little or no security solution in place.

With the holiday season in full swing, online shoppers are requested not to let their guard down. While you may be on holiday, the miscreants aren’t.

K7 Security products don’t just detect and delete the malicious file, but also prevent access to the hacked site:

Lokesh Kumar
K7 TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed

Depths Phishermen Go To Catch a Phish

Monday, October 3rd, 2011

It is common knowledge that phishers [Authors of a phish] attempt to steal sensitive information such as passwords, credit card details etc. by masquerading as a trustworthy entity. Some key elements of a phish are:

  • A fake website created by simply ripping content off the original site and pasting them on the spurious one

  • A bait which engages potentially attractive terms like “Watch nude girls now”, “You’ve won a million dollars”, “Find what your neighbor is up to “, etc. to attract victims

  • Scare mongering by using words like “Account has been suspended”, “Computer found to be infected”, “Severe action will taken” etc.

  • Create a YouTube video

Yes, you read that right!! Phishers now go to the depths of creating videos explaining to the potential victim how to execute the phish. Call it a “how-to-guide” to give your secrets away, if you’d like.

The site under discussion http://fbshirts.[Blocked], apart from having all the usual elements of a phish also has a video on YouTube instructing users how to give away their Facebook “mobile email address”. This is a personalized email address used to post status updates straight to your profile.

Users who’ve fallen victim to this scam will have a spam message posted on their facebook wall like the one below:

One would like to think that no one would fall victim for such a scam. But the number of hits that this video has received, (80,432 and counting) paints a bleak picture. See image below:

Our usual sentiments about keeping one’s security solutions up-to-date and being vary of giving one’s personal information to unknown sites apply.

Lokesh Kumar
K7 TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed/

A Malware Musical!

Friday, September 23rd, 2011

We at K7 TCL came across an interesting source for a malware file to be hosted on. The site hosting the malware was the official fan site of the famous Indian playback singer Sonu Nigam.

This file has been up in the server for almost a month now. Users must exercise caution when they happen to download an executable file from a fan site that has remotely no purpose of distributing executable files to its visitors.

The malware file upon execution has capabilities to read saved passwords from a user’s internet browser, Mozilla Firefox, to be specific. It tries to read data from ‘signons[number].txt’ file found in the Firefox directory.

This text file holds the user’s logon information for websites for which the user has set ‘Remember Password’ in Firefox. Now imagine the scale of damage this could cause if the infected machine was a public computer at an internet café.
Following simple practices whenever you use a public computer would save you from such threats:

  • Never save your logon information on public computers
  • Always clear the history and cache before leaving the computer, or you could use the private browsing session option available in most modern browsers
  • If possible use portable applications, these are applications that run out of a pen drive
  • Avoid entering any kind of sensitive information on a public computer

For our customers though, it’s just a one step process: keep your antivirus definitions up to date. K7TotalSecurity detects this file, as Trojan ( 001987931 )

The server hosting the fan site has been clearly compromised. The administrators of the compromised domain have been intimated about the impending damage they might be causing to unsuspecting fans.

Kaarthik .R.M
K7 TCL

File-AVE IT!

Friday, September 16th, 2011

Fileave.com is a one click hosting site which provides free file hosting for its users. When compared to other similar one click hosts, the 50MB of free disk space provided by fileave.com may sound minuscule, but the fact that there’s no “wait” restrictions or CAPTCHAs to solve before downloading a file seems to make it a favourite among malware authors to host their malicious code.

The graph above displays the number of unique URLs hosting malicious files from fileave.com which were collected by our automated systems.

Closer inspection revealed that the sudden spike from ~100 URLs in the month of July to ~550 in the month of August was due to a mass compromise using the “Black-hole” exploit kit with the final payload hosted on fileave.com. The malware author responsible for this mass compromise had registered a total of ~400 unique URLs in just 1 month in the following format:

  • “http://clickme[2 Random characters].fileave.com”

Discounting these URLs, the graph still shows a worrying trend:

The number of malware authors using fileave.com to host their malicious payload is on the rise. Our blog readers might recall that we had recently blogged about how malware authors abuse file hosting services with minimal security checks. The fact that fileave.com has none of these measures in place is bound to be exploited even more by malware authors in the days to come.

Lokesh Kumar
K7 TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed/