Archive | K7 Blog

New K7 Enterprise Asset Management

K7 Computing is proud to announce a new feature included in the latest released update for K7 Enterprise Security, our endpoint security product: Asset Management reporting for IT administrators.

K7 Enterprise Security now includes enterprise management features that reach beyond ordinary endpoint security:

  • Award Winning K7 Antivirus Engine
  • Web access security
  • Media access security
  • Application management
  • Firewall and surf control
  • Group Policy management

Details of the new Asset Management functionality:

  1. A Hardware tab has been added under Computer View.
  2. If hardware changes are detected on any endpoint, a comparison report can be generated showing the configuration before and after the change, with the changes highlighted.
  3. A ‘Hardware Asset’ option and the relevant filters have been added to the Summary and Detailed Reports.
  4. Hardware changes are reported to the administrator immediately by dashboard notification and e-mail notification.

[Screenshots: K7 ES Asset Management hardware tab, comparison report, alarm and report views]

The new feature is included in the current K7 ES installation file and will be rolled out in upcoming K7 Enterprise Security software updates.

For a free trial visit:

K7 Computing Ireland: http://www.k7computing.ie/download-antivirus/enterprise-trial/

K7 Computing UK: http://www.k7computing.co.uk/download-antivirus/enterprise-trial/

Surge in Grabbing Unauthorized Access

Authorization, an access control system, is all about administering and providing sensitive system access to a process or an application or a class of users based on their privilege level. Privacy and security concerns arise when system resources are accessed by an unauthorized process, application, or user.

Application and system developers always strive to incorporate secure authorization systems in their software. On the other hand, hackers come forth with new exploit techniques to elevate the access privilege associated with a specific process, system, or user. Many of the attacks start with an entry into the targeted systems with limited privileges and then an attempt to elevate privileges by exploiting a vulnerability in the OS itself or in third-party installations.

We conducted a short piece of research on Elevation of Privilege (EoP) vulnerabilities using publicly available information on vulnerabilities discovered in operating systems, desktop applications and browsers. Interestingly, the data indicates a significant rise in EoP vulnerabilities over the past two-and-a-half years.

From our research set of Microsoft Windows operating system vulnerabilities found over the period mentioned above, we found that 115 out of 700 vulnerabilities were privilege escalation vulnerabilities, i.e. approximately 16%. It is clear from the data set that attackers and malware writers are focusing more on EoP vulnerabilities in order to carry out their malicious attacks as silently as possible.

Standalone exploitation of an EoP vulnerability might not be sufficient for the attacker to achieve the required destructive behaviour, forcing the attacker to look for further vulnerabilities in the system to exploit.

The following is a list of commonly exploited Windows components:

  • The Group Policy Service
  • Windows kernel-mode driver (Win32k.sys)
  • Cryptography Next Generation kernel-mode driver (cng.sys)
  • WebDAV kernel-mode driver (mrxdav.sys)
  • TS WebProxy Windows component
  • Windows User Profile Service (ProfSvc)
  • Microsoft IME
  • TypeFilterLevel checks
  • Windows audio service component
  • Windows TCP/IP stack (tcpip.sys, tcpip6.sys)
  • Kerberos KDC
  • FASTFAT system driver, FAT32 disk partitions
  • Message Queuing service
  • .NET Framework
  • Windows Task Scheduler
  • Windows Installer service
  • DirectShow
  • Ancillary Function Driver
  • On-Screen Keyboard
  • ShellExecute API
  • Group Policy preferences
  • NDProxy component
  • Local Remote Procedure Call
  • Windows audio port-class driver (portcls.sys)
  • Hyper-V
  • USB drivers
  • Windows App Container
  • DirectX graphics kernel subsystem (dxgkrnl.sys)
  • Service Control Manager (SCM)
  • NT Virtual DOS Machine (Ntvdm.exe)
  • Asynchronous RPC request handling (Rpcss.dll)
  • TrueType font file handling
  • Windows Print Spooler (Win32spl.dll)
  • NTFS kernel-mode driver (ntfs.sys)
  • Windows CSRSS (cmd.exe)
  • Remote Desktop ActiveX control (mstscax.dll)
  • Windows USB drivers

We see that attackers often aim for a highly destructive attack by exploiting privilege escalation and code execution vulnerabilities together.

Techniques employed by malware writers constantly evolve to achieve the desired privilege escalation undetected. There are many privilege elevation techniques publicly available online, such as:

  1. METHOD OF PROVIDING A COMPUTER USER WITH HIGH LEVEL PRIVILEGES, PATENT 7,945,947
  2. Exploiting The Known Failure Mechanism in DDR3 Memory referred to as Row Hammer to gain kernel privilege with the only “patch” being a replacement of the DRAM!

Sometimes it is simply not possible to patch a vulnerability.

Elevation of Privilege is not limited to operating systems but is also seen in desktop applications, browsers, web applications and even in hardware. With the increasing popularity of the Internet of Things across devices everywhere, exploiting an Elevation of Privilege vulnerability in just one of the links in the Internet of Things could give the attacker complete control of the whole system.

Image courtesy of: tompattersontalks.blogspot.in

Priyal Viroja, Vulnerability Researcher, K7TCL
Re-published by K7 Computing Ireland

K7 Computing websites:

K7 Computing Ireland: www.k7computing.ie, K7 Computing UK: www.k7computing.co.uk

Exorcising CTB Locker from your Computer: What you Need to Know

Ransomware, a type of malware which holds your files to ransom by encrypting them and then demanding a ransom for their “release”, i.e. by decryption, is nothing new. Cyber criminals make a lot of money by extorting funds from victims all over the world.

[Screenshots: CTB Locker encrypted-file messages, encrypted files and the K7 Total Security detection]

The latest family of widely distributed ransomware is called CTB Locker. In this blog we have decided to provide information about CTB Locker in the form of an FAQ so that our customers and the general public globally may be well-informed about the dangers of this malware family, learn how to avoid it, and be reassured about our robust response to it.

FAQ

  • How do you prevent your computer from becoming infected by CTB Locker?

Let’s begin with this question as it is the most important one to keep your computer safe. Prevention is always better than cure.

The initial spreading vector for CTB Locker is a spam email with enticing content which uses social engineering techniques to convince the potential victim to unzip a ZIP archive attachment (extension ‘.zip’) and execute its embedded file.

This embedded file, which is currently around 40KB in size, may have misleading extensions such as ‘.scr’ in order to masquerade as a screensaver application. This file is the downloader component for CTB Locker’s main payload, which then does the actual file encryption and makes ransom demands. We urge you to be vigilant against such spam emails, as vigilance is the very first line of defence against CTB Locker as well as a host of other malware families which use the same old time-tested technique to spread.

If an email comes from an unknown or unexpected source containing an attachment or a website link requesting you to open the attachment or click on the link, please exercise extreme caution. We would suggest simply deleting such emails if they are not already quarantined by your spam filter.

The spam emails tend to be targeted at English-speaking countries and at least 3 European countries, given that the malware payload provides its ransom messages in German, Dutch and Italian.

[Screenshots: CTB Locker main screen in Dutch, German and Italian]

This ransomware is not targeted at Indian users per se but given the ubiquitous nature of spam there will be “collateral damage” resulting in not just Indian victims but also many other hapless victims in other non-target countries.

  • What should you do when you discover your computer is infected with CTB Locker?

If you have seen messages demanding a ransom as shown above, it is likely that many, if not all, of your personal files such as Microsoft Office documents, PDF, TXT, ZIP and even ‘C’ source code files will be in an encrypted state, i.e. appear to contain random binary junk. Files encrypted by CTB Locker will have filenames such as yourfile.ext.<7 random lowercase letters>, e.g. 253667.PDF.iryrzpi

[Screenshot: CTB Locker leaves executable files untouched]

Executable files, e.g. EXE, DLL, OCX, etc., and files with extensions unknown to the malware will not be touched.
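The filename shape described above gives an incident responder a quick way to triage a machine. The following Python script is an added example, not code from the original K7 post: it recognises names of the form <name>.<ext>.<7 lowercase letters>, skips names whose original extension is one the post says the malware leaves alone, and confirms that the contents actually look like ciphertext by measuring byte entropy, since a legitimate seven-letter extension such as ‘.torrent’ would otherwise match the name pattern alone. The entropy threshold, the untouched-extension list and the sample files are assumptions constructed for the example.

```python
import math
import os
import re
from collections import Counter

# Filename shape described in the post: <original name>.<original ext>.<7 random lowercase letters>
CTB_NAME_RE = re.compile(r"^(?P<original>.+\.[A-Za-z0-9]+)\.(?P<suffix>[a-z]{7})$")

# The post says executables are not touched; treat such names as probable false positives.
# (Assumed list for the example, not taken from the malware.)
UNTOUCHED_EXTS = {"exe", "dll", "ocx"}

# Assumed cut-off: encrypted data scores close to 8 bits/byte, documents and text far lower.
ENTROPY_THRESHOLD = 7.0


def original_name(filename):
    """Return the pre-encryption filename if `filename` fits the CTB Locker pattern, else None."""
    m = CTB_NAME_RE.match(filename)
    if not m:
        return None
    original = m.group("original")
    if original.rsplit(".", 1)[-1].lower() in UNTOUCHED_EXTS:
        return None
    return original


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify(files, threshold=ENTROPY_THRESHOLD):
    """files: iterable of (filename, bytes).

    Returns a list of (filename, original_name_or_None, entropy, suspicious), where
    `suspicious` is True only when the name pattern and the entropy check agree.
    """
    results = []
    for name, data in files:
        orig = original_name(name)
        ent = shannon_entropy(data)
        results.append((name, orig, round(ent, 2), orig is not None and ent >= threshold))
    return results


def scan_directory(root, sample_bytes=4096):
    """Walk `root` and classify every file by its name and the entropy of its first `sample_bytes`."""
    entries = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    entries.append((fn, fh.read(sample_bytes)))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return classify(entries)


if __name__ == "__main__":
    # Constructed samples: the name quoted in the post with random-looking contents,
    # an ordinary text document, and an executable-style name that must be ignored.
    samples = [
        ("253667.PDF.iryrzpi", bytes(range(256)) * 4),
        ("notes.txt", b"Quarterly figures and meeting notes. " * 30),
        ("setup.exe.qwertyu", bytes(range(256)) * 4),
    ]
    for name, orig, ent, suspicious in classify(samples):
        print(f"{name:24} entropy={ent:4.2f} original={orig!r:22} suspicious={suspicious}")
```

Run `scan_directory("/path/to/user/profile")` on a suspect machine to list candidate files together with the name they had before encryption; the list is also a useful input when deciding which restore points or backups to recover from.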

First and foremost, we would request that you do not attempt to pay the ransom to get your files back. Even if the cyber criminals do actually decrypt your files, the money they get from you will only serve to encourage them to continue their nefarious practices, investing R&D in enhancing their capabilities and global reach. Cyber criminals must be stripped of their Return on Investment incentive to create malware.

Once you have decided not to pay the ransom we would recommend removing the malware immediately. This can be done most easily by:

  1. updating your product
  2. rebooting into Safemode
  3. performing an on-demand scan on your computer
  4. removing the detected components. Note, the main CTB Locker payload is detected as ‘Trojan ( 0049d83b1 )’ and its downloader component is detected as ‘Trojan-Downloader ( 00499db21 )’

 

[Screenshot: CTB Locker detected by K7 Total Security]

  • Is it possible to decrypt files encrypted by CTB Locker?

The malware itself demonstrates that files can be decrypted by randomly choosing 5 samples to decrypt.

[Screenshot: CTB Locker test decryption of sample files]

 

However, the malware uses a high-grade encryption algorithm with a key which is unique to your computer, rendering it effectively impossible to force a decryption en masse.

 

[Screenshot: CTB Locker private key request]

  • How can files encrypted by CTB Locker be restored?

It may not be possible to restore all files encrypted by CTB Locker. However, if your Windows operating system supports System Restore it is possible to recover the contents of many of your folders to a recent restore point before the infection took place.

The most reliable solution, though, is to restore your critical files from regular backups. If you don’t back up your important files regularly then we urge you to start doing so ASAP. Apart from a CTB Locker infection, there are numerous other factors which could render your files irrecoverable in the future, including a hard disk failure. Note, it may also be possible to use deep forensics tools to recover some critical files if they still exist on sectors of the hard disk, but this is not an alternative to regular backups.

  • Will paying the ransom actually decrypt your files?

We refuse to pay any ransom so we are unable to confirm whether payment will actually result in your files being released. Once again, we would request you to not attempt to pay the ransom for the reasons mentioned earlier.

  • Why did K7 not detect and remove CTB Locker?

At K7 Threat Control Lab we are constantly monitoring and acting against CTB Locker infections, including coding robust generic detection for all components of CTB Locker. However, the cyber criminals behind the CTB Locker family have been investing considerable resources in morphing, i.e. changing the appearance of, all their components and spam emails such that they may sometimes be able to get past security scanners, not just K7’s, albeit for a very short period of time. We at K7, and our colleagues at other security companies, are working hard to stay ahead of CTB Locker in order to protect all our customers across the planet.

Samir Mody
Senior Manager, K7TCL

Re-published by K7 Computing Ireland and K7 Computing UK

Free 30-day trial for K7 antivirus security software available at: K7 Computing Ireland or K7 Computing UK

Editor of World-Renowned Security Magazine Appreciates K7 Speakers

November 7th, 2014

In a nice gesture, the editor of the acclaimed Virus Bulletin magazine has blogged about the presentation by our reserve speaker duo, who were meant to present a paper and a short demo in the event of an absent speaker at the 2014 Virus Bulletin International Conference held recently in Seattle, USA.

VB2014 has already been discussed, highlighting the presentation by K7’s Gregory Panakkal. Nevertheless, this post is dedicated to the reserve speakers from K7 Threat Control Lab, Samir Mody, Senior Manager and V.Dhanalakshmi, Senior Threat Researcher.

Their paper, “Early launch Android malware: your phone is 0wned”, demonstrates the difficulties in removing an active Android ransomware infection, “Koler/Simple Locker”, which prevents a user from uninstalling it. It also proposes a new framework which Google could induct to help mobile security vendors defeat Android malware strategies.

View the full presentation and demo on the K7 YouTube channel.

Archana Sangili
Content Writer

K7 Computing Ireland: www.k7computing.ie

K7 Computing UK: www.k7computing.co.uk

QR Code security

Recent years have seen an increase in the use of QR Codes in marketing and promotions to quickly link people with advertisements as well as software downloads.

With the increase in smart devices with QR code scanning facilities, it’s no wonder firms are using QR codes as a means to quickly and conveniently connect people with the resources they are trying to market.

Another reason for their popularity is the mystery they present. Until scanned, no one knows what they are or what information they might reveal; a link, a statement, a download. Our curiosity is the reason we scan these codes when we see them, and by harnessing this curiosity, they are a powerful tool in the marketing and promotions toolkit.

[Image: QR Code]

This is the problem that we at K7 would like to point out, and one most users are not aware of: a QR code can carry any information at all. Good, bad, neutral, useless, harmful, tricky; basically anything you can think of that you are able to squeeze into the image. The capacity is actually fairly large: over 4294 characters (source: Wikipedia). But how much information it can hold is not the important point; what matters is what information it holds and what will be transferred to your phone after you scan the code.

It can be a link to a website or a direct link to download an application. If you do not know exactly what it is, it could point to a malware or phishing website, or to a trojanised or bogus application. You might think the difference is easy to spot. If the link shows up as “your_winning_ipad.apple.boguswebsite.com”, you will know it is fake and you will not click on it. Smart move; this is definitely a fake and bogus-looking link. But what if the QR code contains a link shortened with one of the free URL shortening services, so that it ends up looking like this: http://goo.gl/RenvT (shortened using the goo.gl service)? What do you do now? The only way for you to find out is to click on it, because you are curious.

This article could be used as a fairly easy guide for cybercriminals now, but I guess they have already thought about this and used it on many occasions.

What is actually more dangerous is QR code masquerading: a way to include dangerous content in a QR code by replacing the original QR code image. What is it? Let’s say you are a respected and well-known company, and your campaign on your website, in a magazine, at the bus station, in the subway or inside the bus contains a QR code that you would like your potential clients to scan so they are entered into a competition for prizes. It is a great tool to spread brand awareness and promote new products or services.

But what if somebody gets into the publishing process before printing and, with a tiny amendment, changes the QR code image, or if somebody places a sticker with another QR code over your advert in the bus, at the bus station or in the subway? What happens then? Your potential customers will be scanning something else, and you will be exposed not only to potential embarrassment from a simple link switch to, say, a pornographic web page or a joke picture, but potentially to a malware or phishing website that keeps harvesting your customers’ details, damaging your reputation and bringing potential lawsuits from the users of your QR code. And you will not be able to verify which QR code is the wrong one, or which media was exposed, because they all look pretty much the same. If somebody amends the QR code on your website, how long will it take you to figure that out? I guess you will find out with the first phone call from an angry user.

Conclusion?

If you are the user, check what you are scanning. If you trust the company that provided the QR code you are about to scan, go ahead. But if you do not like the content of the page you are redirected to, leave it. What if it is a link to an application? Check the application’s comment board and see what other users have to say about it.

If you are a company planning to deploy QR codes, be aware of the consequences this may cause. Try to put QR codes in places where you are sure they cannot be replaced or modified. Run the campaign only for a limited time period, so that the exposure is not indefinite. This will make sure that your QR code cannot be misused after the campaign is over, and you will know that the codes are gone after that.

K7 Computing UK and Ireland

Prepared by Jan Zeleznak

www.k7computing.co.uk | www.k7computing.ie

Java C00l Blend Exploit

Over the New Year period 0-day exploits have been rampaging around. In our threat control lab we have looked into hits for the recently discovered 0-day that exploits a vulnerability (CVE-2013-0422) in the latest version of Java (1.7 update 10).

Our records imply that an exploit from the Cool exploit kit has been on the hunt since January 8th this year, if not before. Example file names seen so far are 2233.jar, 2332.jar and some randomised ones, downloaded from different domains that serve the exploit and other malware.

The 0-day under discussion, on successful execution on a victim’s machine, exploits the vulnerability in the Java environment and downloads a Windows executable file, which currently happens to be a ransomware Trojan in most occurrences.

Fortunately, K7 users are pro-actively shielded from this 0-day attack by the Carnivore technology embedded in K7 security products. Here is a screenshot that depicts K7 security products blocking an attempt to exploit the vulnerability.

[Screenshot: K7 security product blocking the Java exploit attempt]

V.Dhanalakshmi
Malware Analyst, K7TCL

Tesco Fake Vouchers Facebook Scam

Recently a friend of mine shared a post on Facebook with the offer of a free Tesco voucher. I was curious why he would do that, as I don’t see the “cool” factor in sharing Tesco vouchers. Then I read that you can get a €250 voucher from Tesco just by sharing the post.

Nice! But way too good to be true, I thought. And I was right.

[Screenshot: the tescoa.net scam page]

The first problem is the domain you are redirected to: “tescoa.net”. Where is the extra “a” from? This domain is registered to some James Smith from Albania through GoDaddy. How original.

So I looked further into the scam and found that the messages you see are actually looped graphics that constantly show more available vouchers. The main point is therefore to spread this message through sharing and liking among Facebook users. Other than that, I was not going to dig further into it, as I don’t like to expose my Facebook profile and friends to scams like this.

So I created a fake Facebook account and clicked through. What happened then?

I did everything they asked me for: I shared it, I commented on it and I liked it. That last step, the “like”, sent me to a Win an iPad survey form:

[Screenshot: Tesco scam, step 2]

Hm. So I clicked continue, and after choosing the right option I was asked for my phone number and then to enter a PIN that I was supposed to receive:

[Screenshot: Tesco scam, step 3]

That’s it, I thought to myself. I don’t have any fake phone number and I definitely won’t give them mine, for obvious reasons. One especially: what users tend to do when clicking through such offers is to click-click through as fast as possible to get to the point without reading the small print, which on this page actually stated:

“Pointixed is a subscription based competition service. Pointixed costs €12 per week, €2 x 6 SMS + a one off joining fee of €8. 18+ only. Helpline Netsize 0818 245 646. Email: helpdeskir@netsize.com To unsubscribe, text STOP to 57582. Normal operator charges apply. The competition period is 1st October 2012 until 30th April 2013. The final day to enter this competition is the 31st March and any entries received after that date will be included in the next competition. One prize is given away each competition period at a maximum value of €500. A user can win a maximum of one prize per competition period.”

No, thank you.

Conclusion?

  • Just don’t trust offers that are too good to be true in the first instance.
  • Check the domain name before you go to the page: when you hover the mouse over the link, your browser shows in the bottom right corner where it is pointing to, and when you are already there, look at where you are. Tesco is not tescoa in this case (www.tesco.net is not http://www.tescoa.net, and in any case the Tesco domain is not on .net but is http://www.tesco.com).
  • Don’t sign up for anything with your Facebook profile unless you are willing to take responsibility for it and face the consequences.
  • And if you fell for an offer like this, remove it from your profile so your friends won’t see it and can’t spread it further: click on your name at the top of the Facebook page and delete the post.
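The domain checks in the conclusions above, and the shortened-link problem raised in the QR code post earlier on this page, can be automated before anyone taps a link. The following Python script is an added example and is not part of either original post: it takes the decoded text of a QR code or a link from a social-media post, normalises it to a URL, and reports whether the link goes through a known shortener (so the destination is hidden), whether a brand name appears only as a subdomain of some other registrable domain (the “your_winning_ipad.apple.boguswebsite.com” shape), or whether the registrable domain is a near-miss of the brand’s real one (“tescoa.net” versus “tesco.com”). The shortener list beyond goo.gl, the expected brand domains, the sample phone number and the two-label approximation of a registrable domain are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Known URL shorteners. goo.gl appears in the QR code post; the others are well-known
# public services added for the example.
SHORTENERS = {"goo.gl", "bit.ly", "tinyurl.com", "t.co", "ow.ly"}


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.

    Assumption for the example: production code should consult the Public Suffix
    List, otherwise 'example.co.uk' collapses to 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a, b):
    """Edit distance, used to spot one-character lookalikes such as 'tescoa' vs 'tesco'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(payload):
    """Turn bare hostnames like 'apple.boguswebsite.com/win' into http URLs; leave other text alone."""
    payload = payload.strip()
    head = payload.split("/", 1)[0]
    if "://" not in payload and ":" not in head and "." in head and " " not in payload:
        return "http://" + payload
    return payload


def assess_link(payload, expected_brand_domains):
    """Classify a decoded QR payload or shared link and list what a user should know before following it."""
    findings = {"kind": "text", "host": None, "registrable": None, "flags": []}
    parts = urlsplit(normalise(payload))
    if parts.scheme not in ("http", "https") or not parts.hostname:
        if parts.scheme:  # e.g. tel:, sms:, market: or a Wi-Fi configuration payload
            findings["kind"] = parts.scheme
            findings["flags"].append(f"non-web scheme '{parts.scheme}': the phone will hand this to another app")
        return findings
    host = parts.hostname
    reg = registrable_domain(host)
    findings.update(kind="url", host=host, registrable=reg)
    if reg in SHORTENERS:
        findings["flags"].append("shortened link: the real destination is hidden until it is followed")
    for brand in expected_brand_domains:
        brand_reg = registrable_domain(brand)
        if reg == brand_reg:
            continue  # genuinely the brand's own domain
        brand_name = brand_reg.split(".")[0]
        name = reg.split(".")[0]
        if brand_name in host.split(".")[:-2]:
            findings["flags"].append(f"'{brand_name}' is only a subdomain of {reg}, not the brand's own domain")
        elif name == brand_name:
            findings["flags"].append(f"{reg} uses the brand name under a different suffix than {brand_reg}")
        elif levenshtein(name, brand_name) <= 1 or brand_name in name:
            findings["flags"].append(f"{reg} is a lookalike of {brand_reg}")
    return findings


if __name__ == "__main__":
    brands = ["tesco.com", "apple.com"]  # assumed list of domains the user expects to see
    for sample in ["http://goo.gl/RenvT", "your_winning_ipad.apple.boguswebsite.com",
                   "http://www.tescoa.net/", "https://www.tesco.com/", "tel:+353000000000"]:
        print(sample, "->", assess_link(sample, brands)["flags"] or ["no findings"])
```

The brand list is the part a deployment has to supply: a company running a QR campaign knows which registrable domain its codes should resolve to, and a single mismatch in a scanned code is exactly the “sticker over the advert” case described in the QR code post.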

Article prepared by

Jan Zeleznak

K7 Computing UK and Ireland

Carnivore Has a 0-Tolerance Policy, IE is protected by K7

The current unpatched Microsoft Internet Explorer (6, 7, 8, 9) vulnerability was being actively exploited in the wild even before it was assigned a CVE. 0-day indeed. Microsoft is due to release an Out-Of-Band patch for this exploit shortly, but unfortunately some damage has already been done via targeted attacks currently emanating from China. All of this follows in the wake of the Java vulnerability written about recently.

As MAPP partners we were privy to extra information from Microsoft about how to go about detecting attempts to exploit the vulnerability. However it turns out that the Carnivore technology embedded in K7 security products already blocked any attempt to exploit this vulnerability, as it did in the Java vulnerability case a few weeks back.

Here is an attempt to exploit the currently unpatched Use-After-Free Internet Explorer vulnerability:

[Screenshot: Carnivore in K7 Ultimate Security blocking the exploit attempt]

No patches were required, no HTML/JavaScript heuristic detection, no nothing. Note, that is not to say that you do not need to install patches. Please install the patches, especially OS-related ones, as soon as possible.

Targeted attacks are becoming more and more prevalent, and a common feature of these is the use of exploits, some of them ’0-day’, to deliver the malicious payloads. Carnivore provides an early warning and blocking safety mechanism whether the modus operandi involves a browser, a document, or something else in the future. Carnivore may not be perfect, but it certainly is a powerful maintainer of border security.

Samir Mody
Senior Manager, K7TCL

For a free K7 antivirus trial visit:

www.k7computing.co.uk | www.k7computing.ie

The Oracle May Foresee a Storm in a Coffee Cup

Let’s wake up and smell the coffee.

There have been several security write-ups about the recent 0-day Java vulnerability CVE-2012-4681. Oracle itself only issued a bulletin recently, but the vulnerability has been right royally exploited in the wild by cyber criminals in Russia and China (well, no surprises there).

It has been a turbulent week or so, with the same exploit code first being used in a targeted attack, and later being commercially incorporated in bog standard exploit kits. Indeed, a fair amount of bad news.

Fortunately, Oracle has now provided the security update to patch the vulnerability. We recommend applying this ASAP if you are running Java. Note, however, that K7’s Carnivore technology was already blocking attempts to exploit CVE-2012-4681, right from day zero. Furthermore, many of the known bad URLs were already blocked by K7’s SiteBlocker, with generics playing a part. Finally, the exploit JARs and the associated binaries have been tackled in a proactive fashion. This means the K7 fortress around the user has kept things safe and secure.

 

Samir Mody
Senior Manager, K7TCL