
Interesting Persistence Technique

Thursday, June 16th, 2016

Here is an interesting persistence technique, which I have not seen before, used by a malware which I analyzed last week at K7 Threat Control Lab. It uses a simple RunOnce registry entry to maintain its persistence but in a unique way. I would like to post a complete analysis, albeit brief, of its functionality.

Functionality in a Nutshell

  • Push-Pop-Call
  • Misuse of Process Environment Block (PEB)
  • API Hashing Technique
  • Anti-Debug & Anti-Emulation Techniques
  • Strings Obfuscation Mechanism
  • Registry Abuse
  • Hidden DLL with multiple entrypoints (Export & DLL main) and its role
  • Multiple Injections into explorer.exe
  • Rootkit-like Behavior
  • Persistence Mechanism – RunOnce entry
  • Final Injection to IExplore.exe to act as downloader


This malware uses a Push-Pop-Call sequence at the Entrypoint to change the execution flow of the program as shown in Figure 1. This is not a clever technique since it can be used by Anti-Virus software to flag the malware immediately given that this sequence is unlikely to be found in clean programs.

Figure 1

Misuse of Process Environment Block (PEB)

Not an uncommon technique, this malware uses PEB_LDR_DATA, a member of the PEB structure, to locate the InMemoryOrderModuleList linked list, which is then used to retrieve the names of the loaded modules. It calculates a hash for each retrieved module name and compares it with the hardcoded hash of Kernel32.dll, extracting the base address of Kernel32.dll when the hashes match, as shown in Figure 2.

Figure 2

API Hashing Technique

Using the retrieved Kernel32.dll base address, it enumerates the exported function names and calculates their hashes, which in turn are compared with predefined API hashes (stored in the data section) to resolve the addresses of the APIs listed below. This common technique keeps the APIs out of the import table, where heuristic detection would otherwise flag them.

  • ConvertThreadToFiber
  • CreateDirectoryA
  • CreateFiber
  • CreateFileA
  • CreateMutexA
  • CreateProcessA
  • CreateThread
  • DeleteFileA
  • GetFileSize
  • GetFileTime
  • GetModuleFileNameA
  • LoadLibraryA
  • MoveFileExA
  • ReadFile
  • ReleaseMutex
  • RemoveDirectoryA
  • SetFileAttributesA
  • SetFilePointer
  • SetFileTime
  • SwitchToFiber
  • WaitForMultipleObjects
  • WriteFile
  • WritePrivateProfileStringA

The hash calculation algorithm is shown in Figure 3 below.

Figure 3

Anti-Debug & Anti-Emulation Techniques

It implements Anti-Debug & Anti-Emulation techniques to prevent or misguide the reverse engineering process. This malware creates a thread that deliberately triggers a memory access violation exception as an anti-debug trick (shown in Figure 4 below), thus complicating the analysis flow for researchers.

Figure 4

It also adds additional Exception Handlers in the existing SEH chain, which would be triggered by a memory access violation as shown in Figure 5.

Figure 5

It also uses undocumented ntdll.dll APIs, which could act as an anti-emulation technique:

  • ZwCreateThread
  • ZwResumeThread

Strings Obfuscation Mechanism

It employs an uncomplicated obfuscation mechanism to hide its strings from Anti-Virus products. Figure 6 shows how it decrypts the string used as its mutex name.

Figure 6

Registry Abuse

It uses the registry to find the default path of “user\%AppData%” by querying the following registry key:

Subkey : “Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders”
Value    : “AppData”

It uses the registry to find the default browser path:

Subkey : “http\shell\open\command”

It also escalates its privilege under Internet Explorer by adding its path to the following registry key:

SubKey : “Software\Microsoft\Internet Explorer\LowRegistry”
Value    : “ms-ldr”
Data     : “%Malware Path%”

Hidden DLL with Multiple Entrypoints (Export & DLL Main) and its Role

It drops its main payload, ntuser.cpl (a DLL file), extracted and decrypted from its ‘data’ section, under a randomly named folder in the retrieved %APPDATA% directory as exemplified below:

USER/%APPDATA%/ {6JJ0C2I2-2W3D-2P70-7999-9N8KF3N5}/ntuser.cpl

The decryption logic used is shown below in Figure 7:

Figure 7

It tries harder to misguide analysis by executing the DLL with multiple entrypoints. Initially with the help of rundll32 it executes the dropped ntuser.cpl using its export function “_4CDFA75B”. This export function “_4CDFA75B” then injects the entire ntuser.cpl to explorer.exe with “DLLMain” as its new entrypoint. Injection technique 1 uses the following APIs:

  • CreateProcessA
  • GetModuleFileNameA
  • CreateFileMappingA
  • MapViewOfFile
  • UnmapViewOfFile
  • ZwMapViewOfSection
  • CreateRemoteThread

Multiple Injections into Explorer.exe

Once ntuser.cpl is loaded into the memory space of explorer.exe, it uses the ‘ZwQuerySystemInformation’ API to take a snapshot of the currently running processes. ntuser.cpl then injects itself into every running process it can open with ‘CREATE_THREAD & VM_OPERATION & VM_WRITE & QUERY_INFORMATION’ access rights, including explorer.exe, but this time with one of its own functions as the new entrypoint. Injection technique 2 uses the following APIs:

  • OpenProcess
  • VirtualFreeEx
  • VirtualAllocEx
  • VirtualQueryEx
  • VirtualProtectEx
  • WriteProcessMemory
  • VirtualQueryEx
  • CreateRemoteThread

The latest injected code in explorer.exe now injects code into IExplore.exe, again with a new entrypoint being one of its functions using a similar injection technique to that described above.

These multiple injections are done purely to frustrate analysis and to use system processes to download malicious content without triggering any alert from Anti-Virus software or the firewall.

Rootkit Behavior

It injects into all system processes and, to behave like a rootkit, hooks the following APIs in them to maintain its stealth:

  • NtCreateThread
  • NtEnumerateValueKey
  • NtQueryDirectoryFile
  • NtResumeThread

Persistence Mechanism

The latest injected code in explorer.exe also has the task of maintaining persistence. This is achieved by creating a thread that checks whether the mutex (MSCTF.Shared.MUTEX.LDR) is available, and if this check fails, it adds the following RunOnce entry:

SubKey : “Software\Microsoft\Windows\CurrentVersion\RunOnce”
Data     : “rundll32 "%APPDATA%\{6JJ0C2I2-2W3D-2P70-7999-9N8KF3N5}\ntuser.cpl",_4CDFA75B”

Hence during a reboot the mutex is destroyed and a RunOnce entry is immediately registered, maintaining persistence across the restart.
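As an added defender-side example (not K7's code and not taken from the sample), the following Python flags registry writes matching the LowRegistry value from the Registry Abuse section and the RunOnce entry above. The event lines are constructed to imitate Sysmon Event ID 13 (registry value set) flattened to one line; the RunOnce value name ldr and the user profile paths are assumptions, since the post gives only the data strings.

```python
"""Detect the RunOnce / LowRegistry registry writes described in this post.

Constructed example: the events imitate Sysmon Event ID 13 (RegistryEvent,
value set) flattened to 'field=value' pairs separated by '|'. The RunOnce
value name 'ldr', the dropper path and the user profile are assumptions;
only the data strings follow the post.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

SAMPLE_EVENTS = [
    # RunOnce entry written by the injected explorer.exe code (data as in the post).
    r"EventID=13|Image=C:\Windows\explorer.exe"
    r"|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\RunOnce\ldr"
    r'|Details=rundll32 "C:\Users\bob\AppData\Roaming\{6JJ0C2I2-2W3D-2P70-7999-9N8KF3N5}\ntuser.cpl",_4CDFA75B',
    # LowRegistry 'ms-ldr' value pointing at the dropped DLL (written by the dropper).
    r"EventID=13|Image=C:\Users\bob\Downloads\dropper.exe"
    r"|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Internet Explorer\LowRegistry\ms-ldr"
    r"|Details=C:\Users\bob\AppData\Roaming\{6JJ0C2I2-2W3D-2P70-7999-9N8KF3N5}\ntuser.cpl",
    # Benign RunOnce entry left by an installer: must not be flagged.
    r"EventID=13|Image=C:\Program Files\Vendor\setup.exe"
    r"|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\RunOnce\VendorSetup"
    r'|Details="C:\Program Files\Vendor\setup.exe" /finish',
]

_RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.IGNORECASE)
_LOWREG_KEY = re.compile(r"\\Internet Explorer\\LowRegistry\\[^\\]+$", re.IGNORECASE)
# %APPDATA% literal, the Vista+ AppData\Roaming|Local folders, or the XP 'Application Data' folder
_APPDATA = re.compile(r"%APPDATA%|\\AppData\\(?:Roaming|Local)\\|\\Application Data\\", re.IGNORECASE)
# Randomly named, GUID-like folder as in the post: {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX}\
_RANDOM_DIR = re.compile(r"\{[0-9A-Z]+(?:-[0-9A-Z]+){4}\}\\", re.IGNORECASE)
# rundll32 "<path>.cpl",<export name>
_RUNDLL_CPL = re.compile(r'rundll32(?:\.exe)?\s+"?[^",]*\.cpl"?\s*,\s*\w+', re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    severity: str
    key: str
    data: str


def parse_event(line: str) -> dict:
    """Split 'a=b|c=d' into a dict; only the first '=' of each field separates name and value."""
    return dict(field.split("=", 1) for field in line.split("|"))


def analyze_event(line: str) -> Optional[Finding]:
    """Return a Finding when a registry write matches the post's persistence patterns, else None."""
    ev = parse_event(line)
    if ev.get("EventID") != "13":
        return None
    key, data = ev.get("TargetObject", ""), ev.get("Details", "")
    in_appdata = bool(_APPDATA.search(data))
    if _RUN_KEY.search(key):
        if in_appdata and _RUNDLL_CPL.search(data):
            # rundll32 loading a .cpl under AppData by export name; a random folder makes it high
            sev = "high" if _RANDOM_DIR.search(data) else "medium"
            return Finding("run_key_rundll32_cpl_in_appdata", sev, key, data)
        if in_appdata:
            return Finding("run_key_points_into_appdata", "low", key, data)
    if _LOWREG_KEY.search(key) and in_appdata:
        # The post's sample stores its own path under IE's LowRegistry key
        return Finding("ie_lowregistry_path_in_appdata", "medium", key, data)
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run analyze_event over a stream of flattened events and keep the hits."""
    return [f for f in map(analyze_event, lines) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.key} -> {f.data}")
```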

Final Injection into IExplore.exe to Act as Downloader

Using the code injected into IExplore.exe, it checks for internet connectivity every 5 minutes and, if it has access to the internet, uses ‘URLDownloadToFileA’ to download malicious content from the following URL:

“hxxp: / /”

After downloading, it executes the downloaded content using CreateProcessA.

On final analysis this turns out to be a mere downloader, albeit one with a high level of obfuscation, multiple injection techniques, and Anti-Debugging/Anti-Emulation tricks along with rootkit-like behaviour.

Sample analyzed:

MD5: 6F14315A8875B1CF04E9FDB963E12966
SHA256: B129D92F6C62B7C81B5EF69FA38194AB3886BA7F18230581BC2D241C997F7FA6

Shiv Chand.K
Senior Threat Researcher

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

Serving Over a Billion Cloud Lookups a Month

Wednesday, September 23rd, 2015

This blog is to share with the general public an internal milestone that was achieved by K7’s Product Engineering Team.

The K7 Web Categorization engine, hosted on K7 Cloud Infrastructure, has been tirelessly serving our customers for close to a year. Recently we zoomed past an average of more than one billion queries served every month. Web Categorization is the process by which a website previously unknown to K7 goes through an automated Artificial Intelligence (Machine Learning) system that evaluates the page content and thus predicts the category of the website. This categorization of web pages is single-handedly responsible for providing Category-Based Web Filtering for our enterprise customers. It also provides our home users with an enhanced browsing experience.

Those of you who are “cloud savvy” would probably be wondering if one billion queries is a low number considering our customer base – it indeed is. Utilizing efficient caching on the client side, as well as smart use of internet infrastructure & protocols, we are able to optimize the load on our cloud servers. The server software running on these cloud servers has been developed in-house using highly-optimized but traditional programming techniques to minimize hardware resources, and maximize throughput such that the inflow which peaked at 10000 queries per second a few months ago was handled with ease.

In this day and age of cloud computing the use of interpreted/JIT-compiled languages is predominant. However, there is still a special place for custom-built C/C++ compiled server software, if you care to extract every ounce of performance out of your hardware and provide a quality service to clients seamlessly.


Product Engineering Team

(Part 1)

Tuesday, July 22nd, 2014

This is the first part of a three-part blog based on my paper for AVAR 2012 that discusses the security challenges involved in adopting two relatively new technologies, namely, Internet Protocol Version 6 and Internationalized Domain Names.

The Internet landscape is about to witness profound changes with the mass adoption of Internet Protocol Version 6 (IPv6) and Internationalised Domain Names (IDNs) in the near future. While these developments have the potential to be immensely beneficial, they also present certain challenges to the security industry which need to be addressed. These changes not only increase the attack surface for malware authors and spammers, but also render traditional methods of URL and spam blocking obsolete.

The exhaustion of the 32-bit IPv4 addresses assigned by the Internet Assigned Numbers Authority (IANA) has led to the roll-out of its 128-bit successor, IPv6. This provides a significant increase in the address pool available to assign unique IP addresses, not only to computers, but also to other Internet-connected devices. Spammers and malware authors would now have a larger address space to infect and cycle through, vitiating existing methods of detecting spam/malware URLs.

The Internet Corporation for Assigned Names and Numbers (ICANN) has expanded domain names to include non-ASCII based IDNs in a user’s native language script. While these transitions have the potential to localise the global Internet, they also provide cyber criminals (spammers/phishers/malware distributors) enhanced opportunities for exploitation, especially via social engineering.

These cyber criminals will now have the ability to redirect a user to a URL with a character set unfamiliar to him/her. Given the exponential increase in the number of URLs shared among users in our socially inter-networked world, validation of these URLs by the user prima facie now becomes much more complicated, leading to a higher compromise success rate for cyber criminals.

This paper describes the imminent major changes to the Internet networking infrastructure. It attempts to explore the security challenges involved in these milestone developments and presents potential solutions to address them.

The IPv4 Clock is Ticking

The expansion of the Internet from an esoteric academic project to a publicly accessible resource, coupled with the surge of Internet enabled devices over the last decade have contributed to the shrinking pool of available IPv4 addresses.

Fig.1 depicts the number of expected Internet enabled devices and Internet users by 2016, and how they measure up with the number of IPv4 addresses available.

Fig.1: Number of connected devices & Internet users by 2016 [1]

Conservation efforts like Network Address Translation (NAT), Classless Inter Domain Routing (CIDR), reclaiming unused addresses etc., only prolonged what was unavoidable – the depletion, and eventual exhaustion, of IPv4 addresses.

Given that ICANN, which is responsible for distributing IP addresses, gave away the last block of IPv4 addresses to the five Regional Internet Registries (RIR) in early 2011 [2], the need for change is rather pressing.

IPv6 to the Rescue

This IPv4 address crunch has been anticipated for many years, and the Internet Engineering Task Force (IETF) has been working on refining IPv6, the successor to IPv4, since the early 1990s [3]. This version of the Internet Protocol can support up to 300 undecillion addresses compared to the relatively minuscule 4 billion, a number smaller than the current world population, offered by its predecessor. Apart from this massive increase in the address space, the IETF also built other features into IPv6 such as support for IPSec, auto-configuration of devices, etc. [4]

These benefits, along with the availability of IPv6 from ISPs, increased end-user device support & IPv6 content, will ensure the adoption of IPv6 in the years to come, eventually making it the dominant Internet Protocol.

Fig.2 shows that, as expected, the percentage of users accessing Google over a native IPv6 connection has seen a steep rise over recent times.

Fig.2: Percentage of IPv6 users accessing Google [5]

What’s in a Domain Name

The demand for Internationalised Domain Names (IDNs) has always existed in view of the fact that 60% of the countries around the world have an official language other than English [6]. ICANN, which has domain names within its remit, has recently started allowing IDNs to satisfy this unmet demand.

The introduction of IDNs allows non-ASCII character sets like Arabic, Cyrillic, Tamil, Hindi, Chinese, etc, to be included in a domain name, potentially paving the way for a truly globalised Internet.

These IDNs are converted into ASCII using Punycode, an encoding syntax invisible to the user, which allows standard domain name resolution to work unchanged.

Fig.3 shows a domain name in English, its nonexistent IDN equivalent in the Tamil script, and the Punycode representation of the IDN which is used for domain name resolution.

Fig.3: Domain Name, IDN, Punycode representation

The current demand for IDNs, combined with registrars offering them at prices cheaper than regular domains, could see a surge in the number of non-English sites registering domain names in their local language.
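The conversion of Fig.3 carried out in code, as an added example that is not part of the paper: Python's built-in idna codec converts between an IDN and its Punycode form, and a per-label listing of the scripts used shows why the prima facie validation the text describes becomes hard for a user. It goes beyond the figure's single Tamil example by also handling a label that mixes Latin and Cyrillic characters; the sample domains are constructed and the script check is a heuristic based on Unicode character names.

```python
"""IDN <-> Punycode conversion plus a per-label script listing.

Added example, not from the paper. Uses Python's built-in 'idna' codec
(IDNA 2003 rules; the 'idna' package on PyPI implements IDNA 2008 and is
preferred in production). The script of a character is approximated by the
first word of its Unicode name, a heuristic rather than a full UTS #39 check.
"""
import unicodedata
from typing import Dict, List, Set

# Constructed sample domains: plain ASCII, Latin with a diacritic, a Tamil label
# (the paper's Fig.3 uses Tamil) and a label mixing Latin with a Cyrillic 'а'.
SAMPLE_DOMAINS = [
    "example.com",
    "münchen.de",
    "தமிழ்.com",
    "p\u0430ypal.com",
]


def to_ascii(domain: str) -> str:
    """Unicode domain -> ASCII-compatible form with xn-- labels (what DNS resolves)."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain: str) -> str:
    """ASCII-compatible form -> Unicode, as a browser would display it."""
    return domain.encode("ascii").decode("idna")


def label_scripts(label: str) -> Set[str]:
    """Scripts used in one label; digits and hyphens are script-neutral and skipped."""
    scripts: Set[str] = set()
    for ch in label:
        if ch == "-" or ch.isdigit():
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def analyze_domain(domain: str) -> Dict[str, object]:
    """Round-trip a domain through Punycode and report which scripts each label uses."""
    ascii_form = to_ascii(domain)
    unicode_form = to_unicode(ascii_form)
    per_label: Dict[str, List[str]] = {
        lbl: sorted(label_scripts(lbl)) for lbl in unicode_form.split(".")
    }
    # A single label drawing on more than one script is the case a user cannot
    # validate by eye; a URL filter can surface it before the page is fetched.
    mixed = [lbl for lbl, scripts in per_label.items() if len(scripts) > 1]
    return {
        "ascii": ascii_form,
        "unicode": unicode_form,
        "is_idn": any(lbl.startswith("xn--") for lbl in ascii_form.split(".")),
        "scripts": per_label,
        "mixed_script_labels": mixed,
    }


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        r = analyze_domain(d)
        print(f"{r['unicode']} -> {r['ascii']} scripts={r['scripts']} mixed={r['mixed_script_labels']}")
```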


[4] Information on


Lokesh Kumar
Manager, K7 Threat Control Lab


AVAR 2012

Friday, November 9th, 2012

The 15th AVAR conference is scheduled for the coming week (12th to 14th November), to be held in Hangzhou, China. Topics discussed will include the status of malicious software development, advanced persistent threats, trends and propagation modes of zero-day threats and other security related concepts.

Representatives from K7’s Threat Control Lab (K7TCL) will be available at the conference to both present their papers and participate in the panel discussions.

Saravanan MohanKumar will be presenting on the impact of prevalent rootkits on Microsoft’s upcoming Windows 8 operating system, in his talk titled “Windows Ate(8) Rootkits” on the 14th of November at 9 AM. I will be presenting on the security implications of IP version 6 and Internationalized domain names in my talk titled ‘’ on the 14th of November at 11.30 AM.

V.Dhanalakshmi has a reserve presentation prepared on automated analysis of Android malware, in her talk titled ‘Good App? Bad App? : Unearthing the Android Puzzle via Automation’. All three papers will be available in the conference proceedings.

We hope to see you all there.

Lokesh Kumar
Malware Collections Manager, K7TCL


Carniv0re Has a 0-T0lerance P0licy, IE It Pr0tects R0bustly!

Thursday, September 20th, 2012

The current unpatched Microsoft Internet Explorer (6 && 7 && 8 && 9) vulnerability was being actively exploited in the wild even before it was assigned a CVE. 0-day indeed. Microsoft is due to release an Out-Of-Band patch for this exploit shortly, but unfortunately some damage has already been done via targeted attacks currently emanating from China. All of this follows in the wake of the Java vulnerability written about recently.

As MAPP partners we were privy to extra information from Microsoft about how to go about detecting attempts to exploit the vulnerability. However it turns out that the Carnivore technology embedded in K7 security products already blocked any attempt to exploit this vulnerability, as it did in the Java vulnerability case a few weeks back.

Here is an attempt to exploit the currently unpatched Use-After-Free Internet Explorer vulnerability:

No patches were required, no HTML/JavaScript heuristic detection, no nothing. Note, that is not to say that you do not need to install patches. Please install the patches, especially OS-related ones, as soon as possible.

Targeted attacks are becoming more and more prevalent, and a common feature of these is the use of exploits, some of them ’0-day’, to deliver the malicious payloads. Carnivore provides an early warning and blocking safety mechanism whether the modus operandi involves a browser, a document, or something else in the future. Carnivore may not be perfect, but it certainly is a powerful maintainer of border security.

Samir Mody
Senior Manager, K7TCL


Drop By @ AppData’s – Open Round the Clock

Monday, March 26th, 2012

Malware authors work round the clock to serve up mouthwatering malware to an unsuspecting victim.

What we have on today’s menu is a small but effective tweak that malware authors incorporated into their “software” that makes %AppData% the prime real estate on your system’s hard drive for malware and their families.

The Application Data area of the current user, to be more specific. This is one location on your hard drive that stands exposed to multiple hits of various malware families.

For starters let’s look at where this folder is found on your machine. In WinXP it’s at <root>\Documents and settings\%Current_User%\Application Data and <root>\Documents and settings\%Current_User%\Local Settings\Application Data. For Vista and Windows 7 it’s at <root>\Users\<username>\AppData\Roaming and <root>\Users\<username>\AppData\Local. (Please feel free to do a quick check in these areas on your computer to find out if you have something suspicious lurking…)

It wasn’t always this way. It was only recently that most of the file-copy actions moved from the Windows, System32, and Program Files directories to the %AppData% directory.

So, “Why move away from the system areas?”, you might ask. Well, that’s the main course. The basic answer could well be that relatively recent flavours of Windows, i.e. Vista and Windows 7, with their more stringent security measures, have succeeded, to a certain extent, in forcing malware authors out of the system areas and into the %AppData% areas.

System areas are now protected and require Administrator privileges to effect a modification. So why worry about putting in extra code when it’s not needed, the malware authors might have thought. Malware families with a legacy, like ZBot, have moved out of the system directories. Yes, gone are the days of %System%\SDRA64.EXE, %System%\NTOS.EXE etc. It’s now just random folders and random filenames in the AppData path. Rogue AVs that ‘Installed’ under proper program directories, viz. %Program Files%\Antivirus 2008\Antvrs.exe, have now become ‘xyz123.exe’s in %AppData%.

And, finally, for dessert. We would only say that the system directories haven’t been deserted entirely but have just been relegated to second choice. AppData is the new “system area” for malware authors. Note, under Windows XP you don’t require administrator privileges to copy any file into a system area and masquerade as a system file.




Oh Hack! Here We Go Again ….

Thursday, February 16th, 2012

Government sites in India are clearly vulnerable to attack. The Hindu has reported the latest incident where the Andhra Pradesh state government’s sites have been hacked, with possible data siphoned off, and a calling-card left behind. Such incidents do not inspire confidence, especially when the PM has asseverated that IT security is of some importance to national security.

Interestingly, the hackers of the AP government sites are of the old school kudos-seeking type, identifying themselves as “Bb0y” and “Hmei7”. Not all hacking is done for monetary gain or for the theft of information, but there exists a clear and present danger to vulnerable government infrastructure, which compromises national security. The presence of what appears to be Urdu script on the hacker’s calling-card image cannot escape notice since it raises questions about the possible nationality of the hackers. The timing of this hack is potentially interesting given the ongoing investigation into the recent incident in New Delhi involving an Israeli Defence Attaché’s spouse. Nation-to-nation conflicts were covered in a recent blog.

India has too many enemies or opportunistic malefactors beyond her borders and, indeed, within them. One can only hope that critical military, DRDO, ISRO, and key government (e.g. the Cabinet Ministries) IT infrastructure is very well secured. The rest of the central and state government institutions need to get their act together. It’s not rocket science.

Samir Mody
Senior Manager, K7TCL


Been There, Done That

Friday, November 18th, 2011

The K7TCL team is back from AVAR 2011, Hong Kong.

As reserve speakers, Samuel Jebamani, Saravanan Mohankumar and myself did not get the opportunity to present. However V Dhanalakshmi was able to present to an appreciative audience.

There were a couple of interesting presentations, apart from Dhana’s, and it was good to touch base with the usual suspects from the Anti-Virus community.

The AVAR2011 organisers will be making all the conference slides, including Dhana’s “Paranoid Android?”, available publicly reasonably soon. In addition, I’ll be publishing my own paper, describing Asian malware, as blog postings in weekly instalments. Stay tuned if you’re interested.

Samir Mody
Senior Manager, K7TCL



Friday, May 20th, 2011

It has only been a few days since I returned from a spate of back-to-back security conferences in Europe in the early part of May. AMTSO (not really a conference, strictly-speaking) and CARO were held in Prague, Czech Republic, and EICAR was held in Krems, Austria, both mouth-wateringly picturesque venues.

CARO and EICAR focussed on significantly different topics, with certain highlights and disappointments in both. No different from any other security conference I suppose. Let us focus only on some of the highs here.

The CARO workshop was meant to focus on “hardening the net”. The highlights included the keynote presentation, by Igor Muttik of McAfee, on the fact that malware seems to exist everywhere, including in the most unexpected places. The most interesting presentation, in my opinion, was the one by Dmitry Volkov of GroupIB focussing on the state of cybercrime in Russia and her neighbouring states, the absence of satisfactory employment for young IT professionals and the plethora of legal loopholes being identified as key drivers.

EICAR’s main focus was on “Cyber War”, exemplified by an interesting keynote presentation by Rainer Fahs. It was very interesting to get a viewpoint on nation-to-nation computer system attacks, the infamous Stuxnet being a prime example, from the perspective of international politics and military diplomacy, rather than focus on the technical aspects of the malware … again. The role of Anti-Virus in fighting cyber wars was also discussed, the general consensus being that AV would find it difficult to deal with unpredictable, sophisticated, and targeted state-sponsored attacks on computer systems. Nevertheless we would do our best to protect our clients.

Looking forward to the next set of security conferences which encourage a good exchange of information and, usually, healthy debate.


Samir Mody
Senior Manager, K7TCL

An Expected Surprise

Thursday, March 3rd, 2011

A fellow researcher from the anti-virus community recently blogged about an alluring spam message, which was spreading through Facebook. The spam message, purported to be a surprise package from a friend, unsurprisingly, redirected the user to a website which hosts malware.

Digging around the domain name reveals minimal information on the domain registration date, the registrant’s information, etc. The Top Level Domain “.tk” geographically belongs to Tokelau, a territory of New Zealand. However, a whois on the domain name reveals that the IP address hosting the site belongs to Romania & that the domain is registered to an address in Amsterdam, The Netherlands. In addition, analyzing the malware itself reveals that it originated in Russia.

A Google search for the domain name reveals more URLs, which currently host the malware, and these URLs seem to follow a similar pattern:

http://surprise-[followed by 5 random characters].tk/surprise.exe

While most vendors now detect the malware, the sites serving the malware are still up and running.  K7TCL has notified the responsible authorities about the malware sites, but given the fact that the TLD .tk is known for its notoriety, the sites might not get taken down for a while.

Lokesh Kumar