Locky Ransomware extends its family with YKCOL

Locky Variant - YKCOL

A new variant of Locky Ransomware has been discovered and is spreading through a spam campaign with the subject line “Status of Invoice”. Unlike earlier campaigns, the attachments are compressed as 7z archives rather than .zip archives, which ordinary users can easily uncompress.

Ykcol also tries to delete the Shadow Volume Copies in order to prevent the user from recovering the encrypted files. However, there are instances where the deletion of the Shadow Volume Copies fails, and those victims are lucky enough to recover from the attack.

MS Windows natively gives users the ability to extract files from .zip archives, whereas users have to install 7-Zip in order to extract 7z archives. Because of this, it seems that this particular Locky Ransomware campaign will not have a major impact.

Extension: .ykcol (the word Locky spelled backwards)

Filename Format: [first_8_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[4_hexadecimal_chars]-[12_hexadecimal_chars]

Unfortunately, as of this time, it is not possible to decrypt .ykcol for free.
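As an added example (not part of the original post), the following Python snippet turns the filename format given above into a defender-side check: it recognises YKCOL-renamed files, extracts the victim id from the first 16 hexadecimal characters, and groups hits so a listing from a share or host can be triaged. The sample paths and ids are constructed and are not real indicators.

```python
import re

# YKCOL renames encrypted files to <8 hex>-<4 hex>-<4 hex>-<4 hex>-<12 hex>.ykcol,
# where the first 8+4+4 hex characters are the victim id (see the format above).
YKCOL_NAME = re.compile(
    r"^(?P<id>[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4})"
    r"-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\.ykcol$"
)

def ykcol_victim_id(path):
    """Return the 16-hex-character victim id encoded in a YKCOL file name
    (normalised to upper case), or None if the name does not match."""
    filename = path.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]   # strip either path style
    m = YKCOL_NAME.match(filename)
    return m.group("id").replace("-", "").upper() if m else None

def triage_listing(paths, min_hits=3):
    """Group YKCOL-named files by victim id and keep only ids seen at least
    min_hits times; many files under one id indicates an active infection."""
    by_id = {}
    for p in paths:
        vid = ykcol_victim_id(p)
        if vid:
            by_id.setdefault(vid, []).append(p)
    return {vid: files for vid, files in by_id.items() if len(files) >= min_hits}

# Constructed sample listing (made-up names, not real IoCs) mixing encrypted
# files, a benign file and two near-misses that must not match.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\0123ABCD-4567-89EF-0123-456789ABCDEF.ykcol",
    r"C:\Users\alice\Documents\0123ABCD-4567-89EF-AAAA-BBBBCCCCDDDD.ykcol",
    "/srv/share/0123abcd-4567-89ef-1111-222233334444.ykcol",
    "/srv/share/0123ABCD-4567-89EF-0123-456789ABCDEF.docx",   # not encrypted
    "/srv/share/0123ABCD-4567-89EF-0123-456789ABCDE.ykcol",   # 11 hex chars: no match
    "/srv/share/report-2017-09.ykcol.zip",                    # wrong extension
]
```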

Prevention Measures:

• Administrators should block all executable files from being transmitted via email.
• Administrators should isolate the affected system from the network.
• Administrators can restore the encrypted files from backup or from a system restore point (if enabled) on affected systems.
• Install and configure eScan with all security modules active:
  1. eScan Real-Time Monitoring
  2. eScan Proactive Protection
  3. eScan Firewall IDS/IPS intrusion prevention
• Users shouldn’t enable macros in documents.
• Organizations should deploy and maintain a backup solution.
• Most important, organizations should implement MailScan at the gateway level for email servers, to contain the spread of suspicious attachments.


CAA makes verification mandatory before SSL certificates are issued

CAA – Certification Authority Authorization

As of September 8th 2017, Certifying Authorities are required to verify the CAA record before issuing an SSL certificate, as directed by Certification Authority Authorization. The sole purpose is to tackle the menace of fraudulent SSL certificate issuance. The CAA standard is defined in RFC 6844.

What is CAA?

Certification Authority Authorization (CAA) is an industry standard that allows domain owners to specify which Certifying Authorities (CAs) are allowed to issue certificates for their domains. Its intention is to help CAs avoid mis-issuing certificates by adding a check/verification step to their certificate issuing procedures.

Before any certificate is issued, the CA checks the domain’s CAA record for its own name and blocks the request if it is not listed.

How to use CAA?

The domain owner has to publish Certification Authority Authorization (CAA) records in the domain’s DNS specifying:

  1. The list of CAs authorized to issue SSL certificates for that domain.
  2. Policies for the entire domain or for specific hosts.
  3. Whether single-name certificates, wildcard certificates or both may be issued.

Why use CAA?

There have been numerous instances in the past where Certifying Authorities were hacked and fraudulent certificates were issued. Furthermore, in our previous blog posts we had raised concerns about the lack of verification and the decentralized structure of the CAs, which allowed any CA to blatantly issue SSL certificates on behalf of any domain. Because of this, it was of utmost importance to give domain owners a control and verification method for sharing information with the CAs, so that the CAs themselves know whether or not they are allowed to issue the certificate.

It is now the prerogative of domain owners to publish CAA information if they use certificates, and it is the responsibility of the CAs to validate each and every request.

List of DNS Servers Implementing CAA

Since Certification Authority Authorization (CAA) is a fairly new standard, there are still very few DNS servers that support the addition of CAA records.

DNS Server           CAA support   Notes
BIND                 Yes           Prior to version 9.9.6 use RFC 3597 syntax
Knot DNS             ≥2.2.0
ldns                 ≥1.6.17
NSD                  Yes           Prior to version 4.0.1 use RFC 3597 syntax
OpenDNSSEC           Yes           With ldns ≥1.6.17
PowerDNS             ≥4.0.0        Versions 4.0.3 and below are buggy when DNSSEC is enabled
Simple DNS Plus      ≥6.0
tinydns              Yes           Use generic record syntax
Windows Server 2016  Yes           Use RFC 3597 syntax

Domain owners may check with their respective domain registration service providers whether CAA records can be added in their DNS configuration panel.

To create a CAA record, domain owners may visit https://sslmate.com/caa/

How to Verify CAA?

Two of the most popular tools for looking up DNS records are “dig” and “nslookup”, and both use “type257” as the query type for CAA (CAA is DNS record type 257).

$ dig google.com type257

google.com. 86399 IN TYPE257 \# 19 0005697373756573796D616E7465632E636F6D
google.com. 86399 IN TYPE257 \# 15 00056973737565706B692E676F6F67

c:\> nslookup
> set q=type257
> google.com
Non-authoritative answer:
google.com rdata_257 = \# 19 0005697373756573796D616E7465632E636F6D
google.com rdata_257 = \# 15 00056973737565706B692E676F6F67

However, these tools have not yet implemented CAA record lookup, so with them you can only infer that a CAA record exists.

One may visit our domain tools section to look up CAA records.

E.g. google.com

google.com.	86399	IN CAA 0 issue "pki.goog"

A more complex CAA record set, from hboeck.de:

hboeck.de.	3599	IN CAA 0 issue "letsencrypt.org"
hboeck.de.	3599	IN CAA 0 issuewild ";"
hboeck.de.	3599	IN CAA 0 iodef "https://int21.de/caa/"
hboeck.de.	3599	IN CAA 0 iodef "mailto:hanno@hboeck.de"
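As an added example (not part of the original post), this Python snippet decodes the RFC 3597 generic-syntax hex that dig and nslookup print above into flags, tag and value, parses presentation-format lines like the hboeck.de records, and applies the RFC 6844 issuance rules that a CA must follow, including the issuewild override for wildcard certificates and the critical flag. The sample inputs are re-typed from the records shown above.

```python
import re

# Test input re-typed from the dig output above (RFC 3597 generic syntax)
# and from the hboeck.de zone lines in presentation format.
GOOGLE_GENERIC = [
    r"\# 19 0005697373756573796D616E7465632E636F6D",
    r"\# 15 00056973737565706B692E676F6F67",
]
HBOECK_ZONE = [
    'hboeck.de. 3599 IN CAA 0 issue "letsencrypt.org"',
    'hboeck.de. 3599 IN CAA 0 issuewild ";"',
    'hboeck.de. 3599 IN CAA 0 iodef "https://int21.de/caa/"',
    'hboeck.de. 3599 IN CAA 0 iodef "mailto:hanno@hboeck.de"',
]
KNOWN_TAGS = {"issue", "issuewild", "iodef"}   # property tags defined in RFC 6844

def parse_generic_caa(rdata):
    """Decode an RFC 3597 '\\# <len> <hex>' string into (flags, tag, value).
    Wire format (RFC 6844 s5.1): 1 byte flags, 1 byte tag length, tag, value."""
    m = re.fullmatch(r"\\#\s+(\d+)\s+([0-9A-Fa-f\s]*)", rdata.strip())
    if not m:
        raise ValueError("not RFC 3597 generic syntax: %r" % rdata)
    length = int(m.group(1))
    raw = bytes.fromhex(re.sub(r"\s+", "", m.group(2)))
    if len(raw) != length or length < 2 or 2 + raw[1] > length:
        raise ValueError("length fields are inconsistent: %r" % rdata)
    tag = raw[2:2 + raw[1]].decode("ascii").lower()
    return raw[0], tag, raw[2 + raw[1]:].decode("utf-8")

def parse_presentation_caa(line):
    """Parse a zone-file line such as: hboeck.de. 3599 IN CAA 0 issuewild ";"."""
    m = re.match(r'\S+\s+\d+\s+IN\s+CAA\s+(\d+)\s+(\S+)\s+"(.*)"\s*$', line)
    if not m:
        raise ValueError("not a CAA presentation line: %r" % line)
    return int(m.group(1)), m.group(2).lower(), m.group(3)

def ca_may_issue(records, ca_domain, wildcard=False):
    """Apply the RFC 6844 section 4 rules to one CAA RRset and decide whether
    the CA identified by ca_domain may issue a (wildcard) certificate."""
    # An unknown property with the critical flag (bit 128) set forbids issuance.
    if any(f & 128 and t not in KNOWN_TAGS for f, t, _ in records):
        return False
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:               # no issue/issuewild property: unrestricted
        return True
    for value in relevant:
        # value is "<ca-domain>[; parameters]"; a bare ";" authorizes nobody
        name = value.split(";", 1)[0].strip().lower()
        if name and name == ca_domain.lower():
            return True
    return False
```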

Threat Attack Scenarios

With the implementation of CAA, the attack surface shrinks and shifts towards the domain owners’ management of CAA records:

  1. Non-Compliance of adding CAA Records in the DNS by Domain Owners
  2. Compromised DNS Panel of the Domain Owner

Fraudulent Digital Certificates – A different Perspective

Fake Google SSL Certificates – Courtesy NIC


Role of mobile and its security in our cashless economy


The Digital India drive by the Government of India has the objective of moving more activity online in every sphere to boost the cashless economy. As a result, even small retailers and shop owners have started transacting through cashless models like Paytm. While the case for a cashless economy is being made, major transactions are done through credit/debit cards or other digital methods like POS (point-of-sale) machines, digital wallets, etc., minimizing the circulation of physical currency. Smartphones are taking on a bigger role in carrying this initiative forward.


Let us review the advantages of the cashless economy:

  • Respite from queues for depositing money, paying bills, booking tickets, etc., which eases our lives by saving a lot of time and energy
  • An increase in digital activity might reduce the abundance and circulation of counterfeit cash
  • Easy to keep track of multiple financial and banking accounts at any time
  • Lower risk of losing money in case of theft, even while traveling, since you can block your card remotely; cash can never be recovered
  • Easy to keep a proper and regular track of money spent, which helps maintain budget discipline


Every system or initiative has its problem areas, the cashless economy is no exception:

  • Too much dependency on debit/credit cards and connectivity
  • Digitization might cut down lots of jobs
  • Increase in cyber crimes and online banking frauds
  • Rise of mobile malware and banking Trojans

Role of mobiles in Cashless Economy

According to a recent report in the Economic Times, urban India is fast reaching saturation at 51% market penetration, while rural India at 16% is the future market for growth. It also noted that users in urban India grew at 9%, while growth in rural India was almost three times that, at 26%. These numbers clearly indicate that smartphones are steadily making inroads into our economy.

Today it is almost impossible to imagine life without smartphones. Mobile apps now steer our daily activities in every aspect, from official communication to entertainment. Popular brands are moving towards a mobile-first strategy for their products; for instance, brands like Quikr, Olx, Uber, Flipkart, etc. now promote their presence on mobile devices first. Due to the easy reach and availability of 3G and 4G networks, banks and payment gateway companies are taking advantage of these high-speed networks to extend their payment infrastructure.

Popular Methods for Conducting Mobile Cashless Transactions

Cashless mobile payments are operated under banking and financial regulation through mobile devices. The wave of digital transformation gave a push to this technology, which has earned wide recognition to date. Here are a few popular models of mobile payment:

  • Mobile Wallets

Mobile wallets help customers make one-step payments through a smartphone because the user’s card details are securely stored in the cloud. A customer only has to enter his/her card information once. Some popular players in this space are PayTM, Mobikwik, Apple Pay, Google Wallet, PayPal, Square Wallet, etc.

  • Mobile Banking Apps

Today, major banks (almost all banks) offer mobile banking apps on the Android, iOS and Windows mobile platforms. These apps let customers keep track of their balance, transaction history and money transfer details. In fact, bank representatives now encourage customers to adopt mobile banking for its user-friendliness. These banking apps allow paying utility bills and generating OTPs for online purchases, and even help to locate branches or ATMs, change PINs, etc.

  • Carrier Billing

Customers can make purchases in a mobile app using carrier billing. On the basis of a two-factor authentication process involving a PIN and an OTP, carrier billing charges purchases to the consumer’s account. It does not involve credit/debit cards and is thus a safe alternative payment method.

  • Contactless Payment

With contactless payment, a customer can store his/her credit card details in the smartphone (as with Apple Pay). The details are stored securely on the embedded smart chip for future use. When the customer wants to buy at a store, he/she simply holds the phone up to the mobile payment reader at the POS terminal. Using NFC or RFID, the device/card establishes a connection with the POS and completes a secured transaction.

  • Payment Gateways

A payment gateway is an e-commerce service that processes credit/debit card payments for online purchases. Payment gateways ease online transactions by transferring key information between payment portals (such as web-enabled mobile devices or websites) and the front-end processor or the banks. They serve a crucial role in the e-commerce transaction process by authorizing payments between merchant and customer.

Security Challenges

Despite being user-friendly, these cashless mobile transactions also have vulnerabilities that cyber criminals can exploit, resulting in disruption of services, money laundering and loss of revenue. Let us look at some possible vulnerabilities:

  • Rogue Public WiFi

People tend to avoid mobile data whenever public WiFi hotspots are available. However, free public WiFi is not as secure as home WiFi, and the possibility of criminals deploying a rogue WiFi device to capture traffic cannot be ruled out. Furthermore, the possibility of being infected by mobile malware also exists when using such rogue networks; to avoid this, reputed anti-malware software should be installed on the phone.

  • Android Repackaging Attack

With more than 95% market share, Android was the biggest platform in 2016-17. Assuming the trend continues, the common security threat of repackaging attacks might also grow. Repackaged apps are nothing but infected versions of popular apps: after downloading a popular Android app, attackers obtain its code by reverse engineering, add their own (sometimes malicious) code, then repackage and release it. Detecting these requires a signature database, and zero-day threats can never be detected that way. Repackaged apps are one of the major sources of infected Android apps and expose users to a range of Android malware.

  • Installing Malicious Apps

When a user installs a third-party app without checking its authenticity, there is a very high chance of the device being compromised and confidential user data being leaked. It is therefore always recommended to install apps only from trusted hosting platforms, and to read the app’s instructions and reviews carefully before installing it.

  • Use of simple password and not using Multi-Factor Authentication

Weak passwords and PINs make online attacks easier. That is why mobile vendors are implementing multi-factor authentication mechanisms, which require more than one identity credential. Multi-factor authentication combines two or more independent credentials: what the user knows (a password or PIN), what the user has (a security token) and what the user is (biometric verification). Its goal is to create a layered defense that makes unauthorized access more difficult for attackers.

  • Lost or Stolen Mobile Devices

Since mobile devices are prone to theft, it is advisable to install an anti-theft app; moreover, users should always reset and wipe the device to factory defaults before selling it.


With the rise in smartphone usage, it is quite obvious that smartphones are going to play a crucial role in giving digitization a push. At the same time:
1: Mobile security software companies are launching new security products for Android, iOS and Windows phones.
2: Private and government sectors, along with BFSI, are offering consumers new and innovative mobile solutions for online transactions.

In a nutshell, the growth of mobile device usage in India plays a major role in the country’s cashless economy. By 2019, the number of mobile and mobile internet users is expected to cross 730 million and give birth to a new revolution.


Critical flaw in Apache Struts – Who should read this?


Who should read this     All Struts 2 developers and Apache Struts users
Impact of vulnerability  An RCE attack is possible when using the Struts REST plugin with the XStream handler to deserialize XML requests
Maximum security rating  Critical
Recommendation           Upgrade to Struts 2.5.13 or Struts 2.3.34
Affected Software        Struts 2.1.2 – Struts 2.3.33, Struts 2.5 – Struts 2.5.12
CVE Identifier           CVE-2017-9805

Apache Struts is a free, open-source MVC framework for creating elegant, modern Java web applications. It is used to build complex web applications, is easily maintainable and extensible, and hence numerous organizations prefer it as their web-application development framework. A quick look at the “PoweredBy Struts” page (https://wiki.apache.org/struts/PoweredBy) shows how popular Apache Struts is for development.

The Vulnerability – Apache Struts

Apache Struts suffers from a Remote Code Execution (RCE) vulnerability, which in simpler terms means that when it is exploited, the attacker can execute commands on the web server and take complete control of it. Since Struts web applications are Internet facing, the risk of losing control of the server is immense.

The vulnerability is specifically in the Struts REST plugin when it uses XML to exchange data between clients and the server. The main functionality of the REST plugin is to interpret incoming request URLs according to RESTful rules and to use serialization to convert data structures or objects into a stream of bytes for storage or transmission, which can later be reconstructed. It is during this reconstruction (deserialization) by the XStream handler that the flaw can lead to RCE. Although a patch has been provided for this vulnerability, because the fix affects serialization, developers will now have to rebuild and retest their entire applications before deploying them into a production environment. Alternatively, organizations that use Apache Struts but not the REST plugin should disable the plugin to reduce the attack surface.

Vulnerabilities that do not affect the development life-cycle of a third-party application are the easiest to patch, but that is not the case with this vulnerability.

A Metasploit module that exploits this vulnerability has also been made available, which raises the risk multifold, as attackers may use it as is or modify the exploit code to suit their needs.
