
Archive for the ‘Uncategorized’ Category

Con-Currency Error

Friday, February 18th, 2011

Rogue Anti-Virus (aka FakeAV, FakeAlert, Fraud Trojan, Scareware, etc) is a common subset of the plethora of malware families out there. The typical characteristics of Rogue AV include:

A compelling Anti-Virus software graphical user interface which displays fake reports of virus infections on the user's computer

A prompt to clean up the alleged viruses on the computer

A demand for a removal fee of anywhere between US $40 and US $100

Unsurprisingly, rogue AV generates copious income for its “purveyors”, and it is therefore ubiquitous. Well, almost ubiquitous. Even though rogue AV families form a large proportion of the samples from various sources, and many Anti-Virus companies report a variant of rogue AV within their top 10 most prevalent threats, it is interesting to note that when we drill down to sample submissions from our Indian customers over the past quarter, rogue AV is conspicuous by its absence. The number of rogue AV incidents does not even make the top 20 threat types. This implies that rogue AV may not be as prevalent in India as in other parts of the world. How might this be explained?

As with other “professional malware”, Rogue AV tends to have a geographical bias, the targets being mainly home users in North America and Europe. The evidence for this, apart from the reported instances globally, is clear in terms of the choice of language, i.e. English, used to communicate with the victim, and the choice of currency, i.e. US dollars, to steal from the victim.

In addition, many rogue AV families make heavy use of Google Trends and Search Engine Optimization poisoning (known as Black Hat SEO in the security community) to get themselves executed on the computers of millions of internet surfers. A description of these specific techniques is a subject for another blog post, but suffice it to say that the abuse of SEO may not have affected Indian internet surfers, who are fewer in number and tend to search for India-specific content, as much as those in other countries. There is even a distinct possibility that, as with certain spam campaigns, IPs originating from India are rejected by the rogue AV establishment as unsuitable for exploitation.

However, there are indications that the trends might be changing, even if only slightly. There is an anecdote of a user in India who was searching for “Mehndi” (Henna) in Google and got pop-ups claiming her computer was infected. Fortunately this user was running the latest version of K7's flagship security product, which blocked the rogue AV before the bad application was allowed to touch the computer. It is, however, a warning that, as Indian incomes grow and internet access becomes more widespread, surfers in India might become more susceptible to rogue AV attacks. It is important for users to be more vigilant, whilst also ensuring good security practices such as up-to-date Anti-Virus software, a well-configured firewall, and a fully-patched operating system.

Samir Mody
Senior Manager K7TCL

South Indian Ladies from Kerala Face Reserve Cyber Insecurity

Saturday, January 29th, 2011

The latest round of Facebook-related malware has been found inadvertently hosted on an Indian government site dedicated to women from the southern state of Kerala. The malicious file, detected by K7 security products as Riskware (0015e4f01), bears a name of the following format:

facebook-pic000<5 digits>.exe

where <5 digits> represents a 5-digit number.

To an IT security professional such a filename, and the URL hosting it, show clear danger signals. One does not generally require an explicit EXE to view Facebook pictures, and it is probably unusual for a government site in India to host EXEs at all, let alone ones related to a public social networking site.
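The two danger signals above (the facebook-pic000<5 digits>.exe naming pattern, and an executable served from a government host) can be turned into a simple triage check over web-proxy logs. This is an added example, not K7's code; the log lines and host names in it are constructed placeholders, not the compromised site from the post.

```python
import re
from urllib.parse import urlparse

# Filename format described in the post: facebook-pic000<5 digits>.exe
FB_PIC_EXE = re.compile(r"^facebook-pic000\d{5}\.exe$", re.IGNORECASE)

# Constructed proxy-log style lines: "<client-ip> <method> <url>".
# The host names are placeholders (.invalid TLD), not real sites.
SAMPLE_LOG = """\
10.0.0.5 GET http://example-gov-site.invalid/images/facebook-pic00012345.exe
10.0.0.7 GET http://example-gov-site.invalid/news/index.html
10.0.0.9 GET http://cdn.example.invalid/photos/facebook-pic00099999.exe
10.0.0.9 GET http://cdn.example.invalid/photos/facebook-pic0001234.exe
10.0.0.3 GET http://example-gov-site.invalid/downloads/setup.exe
"""

def classify_url(url: str, government_hosts: set[str]) -> list[str]:
    """Return the reasons (possibly none) why a URL looks like the
    incongruous executable download described in the post."""
    parsed = urlparse(url)
    filename = parsed.path.rsplit("/", 1)[-1]
    reasons = []
    if FB_PIC_EXE.match(filename):
        reasons.append("facebook-pic pattern")
    # Any .exe from a host we classify as a government site is unexpected.
    if filename.lower().endswith(".exe") and parsed.hostname in government_hosts:
        reasons.append("exe from government host")
    return reasons

def scan_log(log_text: str, government_hosts: set[str]) -> list[tuple[str, str, list[str]]]:
    """Return (client, url, reasons) for every line that triggers a reason."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        client, _method, url = parts
        reasons = classify_url(url, government_hosts)
        if reasons:
            hits.append((client, url, reasons))
    return hits

if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG, {"example-gov-site.invalid"}):
        print(f"{client} {url} -> {', '.join(reasons)}")
```

Note that the fourth sample line has only four digits after facebook-pic000 and is correctly not flagged; the pattern is anchored so that near-misses do not produce noise.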

The server hosting the site for ladies from Kerala has clearly been compromised. The owners of the compromised domain have been advised to review their site and the procedures in place to secure it against hacking.

In general we urge extreme caution when browsing sites which serve up incongruous, unexpected executable files using various social engineering techniques.

Samir Mody
Senior Manager K7TCL

Pump-and-dump scamster pleads guilty

Thursday, October 21st, 2010

An Arizona man, James Bragg, recently pleaded guilty to conspiracy to commit securities fraud, and now faces a large fine and a possible prison term for the pump-and-dump scams he perpetrated using botnets and spam.

Pump-and-dump scams involve hyping the value of a cheap or worthless stock by advertising it heavily over the internet using spam. Typically, the attacker buys the stock, then sends out the mails to hype it, which creates buying interest, and then sells all of their stock, cashing in on the falsely inflated value.

In this case, the defendant had allegedly hired people to use botnets to distribute his messages. The botnets were also used to compromise private accounts so that these could be used to buy up large amounts of the stocks in question. He also faces charges for sending spam.

The full story is here.

Andrew Lee
CTO, K7 Computing

Blog Relaunch!

Tuesday, August 24th, 2010

Dear readers,

As you may have noticed, there have been many changes around here in terms of the new K7 website and even some new products in the shape of K7SecureWeb.

All this activity and a few internal changes have meant that this blog has been a bit underused in recent weeks. The good news is that we’re now re-launching the blog, and while I’ll be the main writer here, keeping you updated with the goings on here at K7 and on security issues in general, we will also be having contributions from other team members. This will include contributions from our Virus Lab experts, our development and technical teams and our cloud computing division.

Just to introduce myself, I’m the Chief Technology Officer here at K7, and you can see a bit more about me here. I can also be found blogging over at and I’ll be speaking at various events including Virus Bulletin 2010 in Vancouver, Virus Bulletin’s new Seminar series in London, and the AVAR conference in Bali.

I hope to be posting regular and interesting content here, and would love to hear your feedback, which you can leave on the comments section. I’ll try to answer all genuine comments as I can, but please be aware that I won’t be answering any support questions here, so please direct those to our wonderful support staff, who will be only too happy to help out.

Andrew Lee
CTO K7 Computing