Archive for the ‘Uncategorized’ Category

Been There, Done That

Friday, November 18th, 2011

The K7TCL team is back from AVAR 2011, Hong Kong.

As reserve speakers, Samuel Jebamani, Saravanan Mohankumar and I did not get the opportunity to present. However, V Dhanalakshmi was able to present to an appreciative audience.

There were a couple of interesting presentations, apart from Dhana’s, and it was good to touch base with the usual suspects from the Anti-Virus community.

The AVAR2011 organisers will be making all the conference slides, including Dhana’s “Paranoid Android?”, available publicly reasonably soon. In addition, I’ll be publishing my own paper, describing Asian malware, as blog postings in weekly instalments. Stay tuned if you’re interested.

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed/

EICARO 2011

Friday, May 20th, 2011

It has only been a few days since I returned from a spate of back-to-back security conferences in Europe in the early part of May. AMTSO (not really a conference, strictly-speaking) and CARO were held in Prague, Czech Republic, and EICAR was held in Krems, Austria, both mouth-wateringly picturesque venues.

CARO and EICAR focussed on significantly different topics, with certain highlights and disappointments in both. No different from any other security conference I suppose. Let us focus only on some of the highs here.

The CARO workshop was meant to focus on “hardening the net”. The highlights included the keynote presentation, by Igor Muttik of McAfee, on the fact that malware seems to exist everywhere, including in the most unexpected places. The most interesting presentation, in my opinion, was the one by Dmitry Volkov of GroupIB focussing on the state of cybercrime in Russia and her neighbouring states, the absence of satisfactory employment for young IT professionals and the plethora of legal loopholes being identified as key drivers.

EICAR’s main focus was on “Cyber War”, exemplified by an interesting keynote presentation by Rainer Fahs. It was very interesting to get a viewpoint on nation-to-nation computer system attacks, the infamous Stuxnet being a prime example, from the perspective of international politics and military diplomacy, rather than focus on the technical aspects of the malware … again. The role of Anti-Virus in fighting cyber wars was also discussed, the general consensus being that AV would find it difficult to deal with unpredictable, sophisticated, and targeted state-sponsored attacks on computer systems. Nevertheless we would do our best to protect our clients.

Looking forward to the next set of security conferences which encourage a good exchange of information and, usually, healthy debate.

Credits:
Images courtesy of infosecevents.net and caro2011.org

Samir Mody
Senior Manager, K7TCL

An Expected Surprise

Thursday, March 3rd, 2011

A fellow researcher from the anti-virus community recently blogged about an alluring spam message, which was spreading through Facebook. The spam message, purported to be a surprise package from a friend, unsurprisingly, redirected the user to a website which hosts malware.

Digging around the domain name reveals minimal information on the domain registration date, the registrant’s information, etc. The Top Level Domain “.tk” geographically belongs to Tokelau, a territory of New Zealand. However, a whois on the domain name reveals that the IP address hosting the site belongs to Romania and that the domain is registered to an address in Amsterdam, The Netherlands. In addition, analyzing the malware itself reveals that it originated in Russia.

A Google search for the domain name reveals more URLs, which currently host the malware, and these URLs seem to follow a similar pattern:

http://surprise-[followed by 5 random characters].tk/surprise.exe

While most vendors now detect the malware, the sites serving the malware are still up and running. K7TCL has notified the responsible authorities about the malware sites, but given the fact that the TLD .tk is known for its notoriety, the sites might not get taken down for a while.

Lokesh Kumar
K7 TCL

Con-Currency Error

Friday, February 18th, 2011

Rogue Anti-Virus (aka FakeAV, FakeAlert, Fraud Trojan, Scareware, etc) is a common subset of the plethora of malware families out there. The typical characteristics of Rogue AV include:

A compelling Anti-Virus software Graphical User Interface which displays fake reports of virus infections on the user’s computer

A prompt to clean up the alleged viruses on the computer

A demand for a removal fee of anywhere between US $40 and US $100

Unsurprisingly, rogue AV generates a copious income for its “purveyors”, and therefore it is ubiquitous. Well, almost ubiquitous. Even though rogue AV families form a large proportion of the samples from various sources, and many Anti-Virus companies report a variant of rogue AV within the top 10 most prevalent threats, it is interesting to note that when we drill down to sample submissions from our Indian customers over the past quarter, rogue AV is conspicuous by its absence. The number of incidents of rogue AV does not even make the top 20 threat types. This implies that rogue AV may not be as prevalent in India as in other parts of the world. How may this be explained?

As with other “professional malware”, Rogue AV tends to have a geographical bias, the targets being mainly home users in North America and Europe. The evidence for this, apart from the reported instances globally, is clear in terms of the choice of language, i.e. English, used to communicate with the victim, and the choice of currency, i.e. US dollars, to steal from the victim.

In addition, many rogue AV families make heavy use of Google Trends and Search Engine Optimization (known as Black Hat SEO in the security community) poisoning to execute on the computers of millions of internet surfers out there. A description of these specific techniques is a subject for another blog, but suffice to say that the abuse of SEO may not have affected Indian internet surfers, who are fewer in number and searching for India-specific content, as much as those in other countries. There is even a distinct possibility that, as for certain spam campaigns, IPs originating from India are rejected by the rogue AV establishment as unsuitable for exploitation.

However, there are indications that the trends might be changing, even if only slightly. There is an anecdote of a user in India who was searching for “Mehndi” (Henna) in Google, and got pop-ups about her computer being infected. Fortunately this user was using the latest version of K7’s flagship security product, which blocked the rogue AV even before the bad application was allowed to touch the computer. It is, however, a warning that, as Indian incomes grow and internet access becomes more widespread, surfers in India might become more susceptible to rogue AV attacks. It is important for users to be more vigilant, whilst also ensuring good security practices such as up-to-date Anti-Virus software, a well-configured firewall, and a fully-patched operating system.

Samir Mody
Senior Manager K7TCL

South Indian Ladies from Kerala Face Reserve Cyber Insecurity

Saturday, January 29th, 2011

The latest round of Facebook-related malware has been found inadvertently hosted on an Indian government site dedicated to women from the southern state of Kerala. The malicious file, detected by K7 security products as Riskware (0015e4f01), bears a name of the following format:

facebook-pic000<5 digits>.exe

where <5 digits> represents a 5-digit number.
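Both filename formats described on this page (the facebook-pic000<5 digits>.exe name above and the surprise-<5 random characters>.tk/surprise.exe URL in the “An Expected Surprise” post further down) are regular enough to check for in web proxy logs. The following is an added example, not K7’s code; the log lines are constructed, the log field layout is assumed, and the five random characters are assumed to be alphanumeric.

```python
import re
from urllib.parse import urlparse

# Host pattern from the "An Expected Surprise" post: "surprise-" + 5 random
# characters (assumed alphanumeric here) + ".tk", serving /surprise.exe.
SURPRISE_HOST = re.compile(r"^surprise-[a-z0-9]{5}\.tk$", re.IGNORECASE)
SURPRISE_PATH = "/surprise.exe"
# Filename pattern from this post: "facebook-pic000" + exactly 5 digits + ".exe".
FACEBOOK_PIC = re.compile(r"^facebook-pic000\d{5}\.exe$", re.IGNORECASE)

# Constructed sample proxy log (not real data). Assumed field layout:
# "<timestamp> <client-ip> <method> <url> <status>".
SAMPLE_LOG = """\
2011-03-03T10:01:12 10.0.0.15 GET http://surprise-ab12x.tk/surprise.exe 200
2011-03-03T10:02:40 10.0.0.22 GET http://www.example.org/index.html 200
2011-03-03T10:03:05 10.0.0.15 GET http://surprise-toolong1.tk/surprise.exe 200
2011-03-03T10:05:51 10.0.0.31 GET http://gov-site.example/images/facebook-pic00012345.exe 200
2011-03-03T10:06:10 10.0.0.31 GET http://gov-site.example/images/facebook-pic0001234.exe 404
"""


def classify_url(url):
    """Return a label if the URL matches one of the two patterns, else None."""
    parsed = urlparse(url)
    host = parsed.hostname or ""          # hostname is already lower-cased
    path = parsed.path
    filename = path.rsplit("/", 1)[-1]    # last path component only
    if SURPRISE_HOST.match(host) and path.lower() == SURPRISE_PATH:
        return "surprise-tk"
    if FACEBOOK_PIC.match(filename):
        return "facebook-pic-exe"
    return None


def scan_log(text):
    """Scan log text and return (client_ip, url, label) for every matching line."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue                      # skip blank or malformed lines
        client_ip, url = fields[1], fields[3]
        label = classify_url(url)
        if label:
            hits.append((client_ip, url, label))
    return hits


if __name__ == "__main__":
    for client_ip, url, label in scan_log(SAMPLE_LOG):
        print(f"{label}: {client_ip} fetched {url}")
```

Note that the near-miss lines (an 8-character host suffix, a 4-digit filename suffix) are deliberately not flagged, so the check stays tight to the formats the posts describe.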

To an IT security professional such a filename, and the URL hosting it, show clear danger signals. One does not generally require an explicit EXE to view Facebook pictures, and it is probably unusual for a government site in India to host EXEs, and that too related to a public social networking site.

The server hosting the site for ladies from Kerala has clearly been compromised. The owners of the compromised domain have been advised to review their site and the procedures in place to secure it against hacking.

In general we urge extreme caution when browsing sites which serve up incongruous, unexpected executable files using various social engineering techniques.

Samir Mody
Senior Manager K7TCL

Pump-and-dump scamster pleads guilty

Thursday, October 21st, 2010

An Arizona man, James Bragg, recently pleaded guilty to conspiracy to commit securities fraud, and now faces a large fine and a possible prison term for the pump-and-dump scams he perpetrated using botnets and spam.

Pump-and-dump scams involve hyping the value of a cheap/worthless stock by advertising it heavily over the internet using spam. Typically, the stock is bought by the attacker who then sends out the mails to hype the stock, which creates buying interest, and then the attacker sells all their stock, cashing in on the falsely inflated value.

In this case, the defendant had allegedly hired people to use botnets to distribute his messages. The botnets were also used to compromise private accounts so that these could be used to buy up large amounts of the stocks in question. He also faces charges for sending spam.

The full story is here: http://www.theregister.co.uk/2010/10/21/pump_and_dump_botnet/

Andrew Lee
CTO, K7 Computing

Blog Relaunch!

Tuesday, August 24th, 2010

Dear readers,

As you may have noticed, there have been many changes around here in terms of the new K7 website and even some new products in the shape of K7SecureWeb.

All this activity and a few internal changes have meant that this blog has been a bit underused in recent weeks. The good news is that we’re now re-launching the blog, and while I’ll be the main writer here, keeping you updated with the goings-on here at K7 and on security issues in general, we will also be having contributions from other team members. This will include contributions from our Virus Lab experts, our development and technical teams and our cloud computing division.

Just to introduce myself, I’m the Chief Technology Officer here at K7 – and you can see a bit more about me here http://corp.k7computing.com/About-Us/K7-Management-Team.php. I can also be found blogging over at http://avien.net/blog and I’ll be speaking at various events including Virus Bulletin 2010 in Vancouver, Virus Bulletin’s new Seminar series in London, and the AVAR conference in Bali.

I hope to be posting regular and interesting content here, and would love to hear your feedback, which you can leave in the comments section. I’ll try to answer all genuine comments as I can, but please be aware that I won’t be answering any support questions here, so please direct those to our wonderful support staff, who will be only too happy to help out.

Andrew Lee
CTO K7 Computing