
Posts Tagged ‘Security’

Perestroika in the Malware World?

Friday, January 14th, 2011

In a consumer economy where the customer is king, we often find that product material is tailor-made for a target market. Even a good product could fail to impress if the information available on it is not effectively communicated. The Internet is no different in this respect. For example, most consumer websites redirect a user to a localised version of the site, based on the visitor’s geographic location.

Malware authors have been quick to implement this idea in their social engineering techniques. It is now common to see spam and malicious sites use local languages to spread regional malware. Some drive-by downloads, for example, deliver custom malware based on the user’s geo-location.

However, some malware authors do not bother to make the extra effort. At K7TCL we recently saw an example of ransomware which appears to have come from Russia. The malware holds the computer to ransom by locking the user out. Access to the computer is denied until the victim enters a serial number, which needs to be requested from the attacker for a price. Shown below is the screenshot of the ransom message:

The point is that though the sample was accessed from an IP address originating from India, and from a site serving English content, the malware displays the ransom message in Cyrillic text. Most non-Russians are unlikely to be able to understand the ransom message, and will not even be able to decipher the text using online tools since the machine is locked out.

How does one resolve this situation? One solution could be to consult a Russian friend, and have sufficient funds in your bank account. A far better solution would be to use up-to-date Anti-Virus software. Detection and cleaning for this malware is available in K7 Total Security as Riskware (0015e4f01).

Lokesh Kumar
Collection Manager, K7TCL

A Perl of Wisdom

Friday, January 7th, 2011

It is no secret that over the last few years complicated malware have been on the rise. Authors of such malware make a great effort to ensure that their code and its associated payload remain hidden on the infected machine. Stuxnet, for example, was the first malware to include a Programmable Logic Controller rootkit, and had the capability to hide its changes via reprogramming the PLC. Complex malware have become so common that we forget it is still possible to write really simple malware capable of inflicting as much damage as a complicated one.

Last week we at the K7 Threat Control Lab (K7TCL) spotted one such malware. It is a very simple Perl script converted into a Windows executable using perl2exe. When executed, the malware collects documents from the infected machine and uploads them to the author’s FTP site. Perhaps not as impressive as Stuxnet, but it does the business.

Decompiling the executable gives us the Perl script and the user credentials used to upload the stolen files. Just out of curiosity I decided to follow the malware trail back to the FTP site, and I was in for quite a surprise. The FTP site was not just full of stolen documents, but some came from what appeared to be world-renowned financial institutions.

This malware is detected by K7 Security products as Trojan (001ECA471). Such malware spread using social engineering techniques, masquerading as something beneficial. Distribution channels tend to include IRC, peer-to-peer networks, newsgroup postings, email, etc. Users are advised to exercise caution while downloading files from untrusted sources.

Lokesh Kumar
Collection Manager, K7TCL
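One defensive angle on the FTP exfiltration described in “A Perl of Wisdom” above: the following is an added example, not K7’s code, that scans constructed FTP proxy log lines (in an assumed “timestamp src dst command argument” format) for internal hosts uploading several document files to an external FTP server.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in an assumed "timestamp src dst command [argument]"
# FTP proxy log format (not any real product's format).
SAMPLE_LOG = """\
2011-01-05T10:02:11 10.0.0.12 198.51.100.7 USER uploader
2011-01-05T10:02:12 10.0.0.12 198.51.100.7 STOR Q4-forecast.xlsx
2011-01-05T10:02:14 10.0.0.12 198.51.100.7 STOR board-minutes.docx
2011-01-05T10:02:15 10.0.0.12 198.51.100.7 STOR client-list.pdf
2011-01-05T10:02:17 10.0.0.12 198.51.100.7 STOR notes.txt
2011-01-05T10:03:01 10.0.0.45 198.51.100.7 RETR readme.txt
2011-01-05T10:04:30 10.0.0.33 10.0.0.5 STOR build.zip
2011-01-05T10:05:00 10.0.0.33 10.0.0.5 STOR release-notes.docx
"""

# Extensions of the kinds of documents a collector script typically grabs.
DOC_EXT = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (.*))?$")


def is_internal(ip):
    """True if ip is in an RFC 1918 range (checked explicitly, because
    ipaddress.is_private also treats documentation ranges as private)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_ftp_doc_exfil(log_text, threshold=3):
    """Map each internal host that STORed at least `threshold` document
    files to an external FTP server onto its list of (server, filename)."""
    uploads = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        _ts, src, dst, cmd, arg = m.groups()
        if cmd != "STOR" or not arg:
            continue  # only outbound file uploads matter here
        if not is_internal(src) or is_internal(dst):
            continue  # internal-to-internal transfers are normal traffic
        if arg.lower().endswith(DOC_EXT):
            uploads[src].append((dst, arg))
    return {src: files for src, files in uploads.items() if len(files) >= threshold}
```

Run against the sample, only 10.0.0.12 is flagged: 10.0.0.45 merely downloads, and 10.0.0.33 uploads to an internal server.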

VB Seminar 2010

Thursday, November 25th, 2010

I spoke at the VB 2010 Seminar in London on ways that Social Engineering can affect your business’ users.

During the talk, I used some links for demos (many thanks to my good friend Dave Marcus for originally showing me a few of these). For those that are interested, here are the links:


Andrew Lee
CTO K7 Computing

Pump-and-dump scamster pleads guilty

Thursday, October 21st, 2010

An Arizona man, James Bragg, recently pleaded guilty to conspiracy to commit securities fraud, and now faces a large fine and possible prison term for the pump-and-dump scams he perpetrated using botnets and spam.

Pump-and-dump scams involve hyping the value of a cheap/worthless stock by advertising it heavily over the internet using spam. Typically, the stock is bought by the attacker who then sends out the mails to hype the stock, which creates buying interest, and then the attacker sells all their stock, cashing in on the falsely inflated value.

In this case, the defendant had allegedly hired people to use botnets to distribute his messages. The botnets were also used to compromise private accounts so that these could be used to buy up large amounts of the stocks in question. He also faces charges for sending spam.

Full story is here

Andrew Lee
CTO, K7 Computing

Why a malcode conference is a bad idea

Tuesday, August 31st, 2010

There seems to be an idea, fostered almost entirely by non malware experts, that writing malicious software is a necessary part of defending against it. This is a nonsense, long debunked by serious researchers, and yet it not only continues to rear its ugly head, but, as InfoWorld reports, has now spawned a conference.

The MalCode conference, to be held in Pune, India (maybe because India seems to have no legislation against such software?) is supposedly there to provide a platform for security researchers to meet malware writers and learn from them.

This, apart from being wildly optimistic that any actual learning will take place (unless it is potential malcoders learning to write more malcode), is a breathtakingly ignorant statement.

Let’s just think about this for a second – malware is very often extremely buggy, often failing to run; it might only run on a single platform, and if it uses an exploit to spread, it relies fully on those platforms that expose the vulnerability. Most malware uses pretty much similar techniques to spread and run, and in reality the most ‘difficult’ part of analysis is in getting through the packing techniques that are used – and much of that can be automated.

Antivirus software (or Anti-malware software to be more complete) on the other hand, is some of the most complex you can imagine.

  • It must work on a range of platforms, at a very low level where it must avoid interfering with or crashing other processes.
  • It must intercept every single file system call, and be able to search through the memory and network traffic of a machine.
  • It must be able to examine every piece of code that gets loaded, and in less time than it takes you to blink your eye, it must decide whether that code is (or is a possibly altered version of) one of millions of pieces of malware.

Not only that, it must do all of this without affecting the performance of the system, without causing interference to the user, and it must do it in such a way that if the code is legitimate (think of how many billions of pieces of code there are in the world) that code must be allowed to run, and if not, must be prevented from running.

Further, it is the only type of commercial software in the world that is updated so frequently; sometimes as often as every 5 minutes. These updates must not disrupt the system (though inevitably, they sometimes do, which is part of the reason we have technical support departments), must be as accurate as the rest of the software, and must work well with the rest of the system.

Far from being a group of people desperate to know how malware writers work, anti-malware researchers number some of the world’s most skilled reverse engineers, cryptographers, software analysts, software designers and programmers.

Not only that, but anyone who thinks that the several hundreds of thousands of new malware samples we see every day (often many of these are just auto-generated, slightly altered versions of the same things) are not enough of a ‘research platform’ for any self-respecting Anti-malware company, is truly delusional.

We have enough malware, we know how to detect it just fine, and the last thing we want is more being written, and certainly the last thing we need to waste time on is going to a conference with people who are part of the problem rather than part of the solution. Security researchers are not necessarily Anti-malware experts, and vice-versa, it’s good to remember that.

Our industry, in the last 25 years or so, has developed some of the most complex software on the planet, and has done so within a strict code of conduct – NO legitimate anti-virus researcher has ever needed to write a virus. Indeed, to openly do so would be grounds for dismissal and would make such a person unemployable within the wider industry. On the few occasions where malware writers have been inadvertently employed, as soon as the employer has found out about the malware writing, the employee has been dismissed.

Quite simply put, it is never necessary to write malicious software to be able to defend against it. Indeed, any developer working for K7 Computing who wrote such terribly poor code as exists in much malware wouldn’t last long at the company anyway. We employ, and need, highly skilled, hard working and dedicated developers, not sloppy kids with nothing better to do than write malware.

These are just a few reasons why this conference is such a bad idea, but there is one reason it is a good idea; maybe it’s a great opportunity for law enforcement to go and round up the malware writers stupid enough to turn up, and put them out of harm’s way.

Andrew Lee
CTO K7 Computing

San Francisco network administrator faces five years in jail

Friday, April 30th, 2010

A former San Francisco network administrator faces up to five years in jail after being found guilty of tampering with the city government’s computer network. (more…)

Smartphone users warned to protect data from fraudsters

Wednesday, March 31st, 2010

Smartphone users are being warned to safeguard their data after a UK government survey revealed that 67% were not taking precautions to protect information held on their handset. (more…)

Accused Palin email hacker blames malware on PC

Thursday, December 10th, 2009

Lawyers defending the hacker accused of breaking into Sarah Palin’s Yahoo email account claim that his PC had been infected with spyware. (more…)

Stay safe using WiFi networks

Tuesday, October 20th, 2009

Wherever we go, it seems that our ability to access public wireless, or WiFi, networks is increasing by the day. (more…)

Bloggers advised to upgrade after WordPress security threat

Tuesday, September 8th, 2009

Bloggers and site owners using the WordPress content management system are being advised to upgrade to the latest version of the software after a worm was found to be affecting downloaded versions of the system. (more…)