A page hosting model/practice question papers, to aid the students who are to take up their board examinations in the state of Tamil Nadu, has been infected with a JavaScript that in turn loads a BlackHole Exploit. This exploits a cocktail of vulnerabilities across Windows, Java and some Adobe products, etc.

The page contains a JavaScript that in turn contacts the exploit server.

Above are network captures of dailythanthi site connecting to exploit server.

The script was unpacked, thanks to JSUnpack, and we are able to see the iframe that leads to the exploit server.

These servers haven’t been updated as of late, hence there wasn’t any infection to be acquired. But the daily thanthi site still remains compromised.

There are several such domain names hosted on a single IP.

Note the “robots.txt” in the above screenshot of the exploit server’s domain directory. This is to bypass any search bots that might stumble upon this domain from indexing it.

As for K7 users keeping your site blocker up to date would keep you at bay from threats such as this.

When the administrator of the domain from the WhoIs records was contacted we received a mailer-daemon. We then contacted the administrators of the company (interpressindia.com) that maintains the dailythanthi.com site, again it was a mailer-daemon.

As a foot note, if you were wondering what the blog title meant, it is BlackHole written in Morse code.

Kaarthik
K7 TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed

We would like to take this opportunity to commend the guys at VT for their diligent work, and we very much look forward to continuing to foster our relationship with them.

Samir Mody/Lokesh Kumar
K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed

What we have on today’s menu is a small but effective tweak that malware authors incorporated into their “software” that makes %AppData% the prime real estate on your system’s hard drive for malware and their families.

The Application Data area of the current user, to be more specific. This is one location on your hard drive that stands exposed to multiple hits of various malware families.

For starters let’s look at where this folder is found on your machine. In WinXP it’s at <root>\Documents and settings\%Current_User%\Application Data and <root>\Documents and settings\%Current_User%\Local Settings\Application Data. For Vista and Windows 7 it’s at <root>\Users\<username>\AppData\Roaming and <root>\Users\<username>\AppData\Local. (Please feel free to do a quick check in these areas on your computer to find out if you have something suspicious lurking…)

It wasn’t always this way. It was only recently that most of the file-copy actions moved from the Windows, System32, and Program Files directories to the %AppData% directory.

So, “Why move away from the system areas?”, you might ask. Well, that’s the main course. The basic answer could well be that relatively recent flavours of Windows, i.e. Vista and Windows 7, with their more stringent security measures, have succeeded to a certain level, in forcing malware authors out of the system areas to the %AppData% areas.

System areas are now protected and require Administrator privileges to effect a modification.  So why worry about putting in extra code when it’s not needed, the malware authors might have thought. Malware families with a legacy, like ZBot, have moved out of the system directories. Yes, gone are the days of %System%\SDRA64.EXE, %System%\NTOS.EXE etc. It’s now just random folders and random filenames in the AppData path. Rogue AVs that ‘Installed’ under proper program directories, viz. %Program Files%\Antivirus 2008\Antvrs.exe, have now become ‘xyz123.exe’s in %AppData%.

And, finally, for dessert. We would only say that the system directories haven’t been deserted entirely but have just been relegated to second choice. AppData is the new “system area” for malware authors. Note, under Windows XP you don’t require administrator privileges to copy any file into a system area and masquerade as a system file.

* Image courtesy : cafebrazil.com

Kaarthik
K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed

According to much hyped reports in recent weeks, the 8th of March was to be the day the internet died, as the FBI would have been forced to lay to rest those servants of the public weal. If you are still reading this post then your computer didn’t fall victim to the supposed blackout. There are at least two possible reasons for this:

• The FBI has an extension on the deadline. Apparently the dreaded Death Of Internet Day (DOID) has been postponed to the 9th of July, 2012
• Lo and behold, you are not infected with DNSChanger malware and never have been

If you have been a K7 customer for a while, point 2 applies to you. Just to be on the safe side, K7 Security products sniffs for the erstwhile rogue DNS entries and snuffs them out if found, thereby ensuring that our brand new customers too are free from DOID.

Samir Mody/Lokesh Kumar
K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed

Xpaj is not a new virus. It is at least a couple of years old and it has already been written about by my security industry colleagues. However there may be some space for me to provide my views on some of the technical aspects of this virus.

Xpaj is a midinfecting, polymorphic virus with a difference. Most viruses, including the common ones like Virut and Sality, leave behind clear, tell-tale signs, sometimes infection markers, in the infected host to indicate that there is something amiss. For example the entrypoint being modified to point to the last section which has rwx attributes smells somewhat rotten. Xpaj, however, is very clever in making all the modifications in the host whilst remaining extremely well camouflaged.

Changes to the code and data sections have been managed so that all looks normal:

1. The original EP remains unchanged. Xpaj is a midinfector which patches certain relative calls in the host file’s code.
2. There are no changes made to the attributes of any section. The required page permission changes are invoked dynamically via a call to ZwVirtualProtectMemory.
3. Sections after the one containing the bulk of the virus are shifted down with ease, and corrections are made in the metadata areas, including relocating the resources, if any.
4. Xpaj has no problems infecting DLLs with relocations, and can infect SYS files which run in kernel mode.
5. Even the clusters of polymorphic virus code in the host file’s code section looks like bona fide High-Level Language (HLL) code.

Here is an example of some of the Xpaj code pointed to after judicious host-call-patching:

The above snippet conforms to HLL patterns in certain files compiled with Microsoft Visual C++ 8.

The virus code goes on to execute a mini virtual machine which does the decryption and makes the call to ZwVirtualProtectMemory before transferring control to the bulk of the virus code.

The Xpaj virus authors went through a lot of trouble, including a fair amount of QA, to develop their “product”. Xpaj is indeed a sophisticated virus. Of that there is no doubt. It demonstrates the lengths to which malware authors are prepared to go to spread obfuscated malicious code. Interestingly, a denuded Xpaj, divested of its obfuscatory vestments, is nothing more than a clicker.

Well before the outbreak, K7 customers who had their real-time scanner active would, of course, have already been protected. K7 products detect and clean Xpaj-infected files as “Virus ( 700000051 )”.

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed/

Interestingly, the hackers of the AP government sites are of the old school kudos-seeking type, identifying themselves as “Bb0y” and “Hmei7″. Not all hacking is done for monetary gain or for the theft of information, but there exists a clear and present danger to vulnerable government infrastructure, which compromises national security. The presence of what appears to be Urdu script on the hacker’s calling-card image cannot escape notice since it raises questions about the possible nationality of the hackers. The timing of this hack is potentially interesting given the ongoing investigation into the recent incident in New Delhi involving an Israeli Defence Attaché’s spouse. Nation-to-nation conflicts were covered in a recent blog.

India has too many enemies or opportunistic malefactors beyond her borders and, indeed, within them. One can only hope that critical military, DRDO, ISRO, and key government (e.g. the Cabinet Ministries) IT infrastructure is very well secured. The rest of the central and state government institutions need to get their act together. It’s not rocket science.

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed/

The malware authors have commented their part of the code in Latin. The malicious code uses a twitter API to get the trending topics of the day, and generates malicious domain names on the fly to which users will be finally redirected.

K7 Computing has informed the party in charge about the attack. K7 security products prevent access to this malicious URL.

Lokesh Kumar
K7 TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed

Although time consuming and resource intensive, the malware author installs various Anti-Virus software and keeps them updated. The malicious files are scanned on this system before they are distributed to the victim.

For malware authors/script kiddies who can’t afford to build such a system, there are underground sites which mimic genuine online file/URL scanning services. A significant difference being, these underground sites in exchange for money, promise not to distribute the scanned files to the Anti-Virus vendors. Given below are screen shots of two such sites:

Then there are tools which incorporate multiple scanners & are distributed for free. Given below is a screen shot of one such tool:

If their malicious code is detected by the Anti-Virus vendors during the initial stage of the attack, the malware authors are quick to change their binary.

While traditional checksum based detections alone might be ineffective against such files, a combination of several detection methods, which include a behaviour based approach will prove far more effective.

R.V Shyam Charan
K7 TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed/

MIDI is an old-fashioned media file format which theoretically reduces the attack surface for the exploit since the use of these files is uncommon in the modern day. However, it might still be possible for an attacker to lure victims to a website or a document where an embedded malicious MIDI file is rendered automatically, triggering the vulnerability. We have not seen any reports of Exploit ( 700000031 ) in the wild thus far.

We, at K7TCL, will continue to focus on timely detection of high-risk exploits. It is important to target detection based on the risk factor since the incorporation of detection for exploit files can be non-trivial due to the fact that many exploit files, by their very nature, tend to have relatively obscure file formats. Heuristic detection of such files requires non-standard file parsing which entails possible consequences for scanning performance and stability, and, perforce, there is an increased risk of misdetections as well.

In terms of common “in the wild” threats the Carnivore feature in K7 products provides generic protection against active attempts to exploit several popular applications, such as certain browsers and document readers, not necessarily from Microsoft.

Exploitation of vulnerabilities, especially in standard Windows OS applications, is a clear and present danger which ought to be taken very seriously. To counter this threat, there is no substitute for applying the relevant security updates, and we strongly recommend that this is done on a regular basis. The provision of detection for exploits, whether via Carnivore or via real-time scanning, is seen simply as an additional safety net, and not as a substitute for applying patches. Note, K7 products also have the functionality to identify certain vulnerable applications extant on the computer so that the relevant Microsoft patch may be applied as appropriate.

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed/

A quick look at the source code for the page shows an encoded binary file embedded in a VBScript:

Visiting this site with a poorly configured Internet Explorer browser will lead to the above script being rendered. The encoded file in turn is decoded and a malicious file named svchost.exe is dropped onto the user’s computer and is executed.

The malicious executable is an infamous file infector named Win32.Ramnet and detection for this executable has been around for more than a year now. This seems to suggest that the machine hosting the website has either little or no security solution in place.

With the holiday season in full swing, online shoppers are requested not to let their guard down. While you may be on holiday, the miscreants aren’t.

K7 Security products don’t just detect and delete the malicious file, but also prevent access to the hacked site:

Lokesh Kumar
K7 TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed