Sophos sucks? Being insulted by malware authors can be the best reward

Filed Under: Featured, Malware, SophosLabs

Sometimes things can get a little personal between those who write malware, and those whose job it is to protect against it.


Researchers, such as those who work at SophosLabs, may devote significant effort to probing a specific attack, kit or family of malware. Typically the knowledge they acquire is used to write generic detections, so that customers are protected from that threat.

And detection is the last thing the attacker wants. After all, detection means no profit.

So ensues the cat-and-mouse game between the attacker and the researchers, in which polymorphism, used to evade detection, is the attacker's weapon of choice.

Perhaps the most rewarding thing about working for a security company is to think about our efforts thwarting attacks. Sometimes, we see evidence of this in the attacker's behaviour - they may completely switch tactics, effectively accepting defeat in their battle against our protection.

Occasionally we annoy them to such an extent that they vent their anger within the malware itself!

For example, our generic detection on the landing page for a popular exploit kit annoyed the authors to such an extent that, earlier in the year, they temporarily changed the filename of their landing page.

How charming.

Similar expressions of annoyance have been seen on some scareware (fake anti-virus) landing pages. Search engine optimisation (SEO) is being used to redirect users to these pages, where they are tricked into installing scareware.

The landing page mimics a system scan, using simple JavaScript to fake the file scanning progress. Historically, the filenames used have been embedded within the script as a simple array.

Then, presumably frustrated by our Mal/FakeAvJs-A detection, the attackers split the array up, using "interesting" variable names:

Sometimes, reversed :)

Sometimes, they like to hide the message a little :)

This week I noticed that they have now started to obfuscate that part of the script, using a common, commercial obfuscation tool:

Sigh. Mal/FakeAvJs-A remains.
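To show why splitting the filename array into separately named variables does not help the attackers, here is an added example (not code from the post or from SophosLabs): a brittle signature that matches only the literal array, beside a generic check that looks at the string literals themselves. The two JavaScript samples are constructed for this illustration and are not the scareware scripts the post shows.

```python
import re

# Constructed samples (not the post's scripts): the same fake "system scan"
# filenames, first as a plain array, then split into separately named
# variables as the post describes. Names are placeholders.
PLAIN_ARRAY = r'''
var files = ["C:\\Windows\\system32\\kernel32.dll", "C:\\Windows\\explorer.exe",
             "C:\\Windows\\system32\\svchost.exe"];
showProgress("Scanning system...", files); alert("Infected files found!");
'''
SPLIT_ARRAY = r'''
var p1 = "C:\\Windows\\system32\\kernel32.dll";
var p2 = "C:\\Windows\\explorer.exe";
var p3 = "C:\\Windows\\system32\\svchost.exe";
showProgress("Scanning system...", [p1, p2, p3]); alert("Infected files found!");
'''

# Brittle signature: the literal array of Windows paths. Trivially evaded.
ARRAY_SIG = re.compile(r'\[\s*"C:\\\\Windows[^\]]*\]')

def brittle_detect(js: str) -> bool:
    return ARRAY_SIG.search(js) is not None

# Extract double- or single-quoted JS string literals (handles backslash escapes).
STR_LIT = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')

def string_literals(js: str) -> list[str]:
    return [a or b for a, b in STR_LIT.findall(js)]

# A literal is a Windows path if it starts with a drive letter and an escaped backslash.
WIN_PATH = re.compile(r'^[A-Za-z]:\\\\')
SCAN_WORDS = ("scanning", "infected", "threat", "virus")

def generic_detect(js: str, min_paths: int = 3) -> bool:
    """Flag scripts carrying a list of Windows paths plus scan-theatre strings,
    regardless of how the literals are grouped or what the variables are called."""
    lits = string_literals(js)
    paths = [s for s in lits if WIN_PATH.match(s)]
    words = [s for s in lits if any(w in s.lower() for w in SCAN_WORDS)]
    return len(paths) >= min_paths and len(words) >= 1

if __name__ == "__main__":
    for name, js in (("plain", PLAIN_ARRAY), ("split", SPLIT_ARRAY)):
        print(name, "brittle:", brittle_detect(js), "generic:", generic_detect(js))
```

The split form defeats the array signature but not the literal-based check, which is the kind of generic approach that lets a detection survive this sort of reshuffling.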

Messages like this from attackers are encouraging. We should take them as a compliment. It is nice to know that we're having an impact disrupting their criminal business.

Man making 'loser' sign, blowing raspberry image from Shutterstock.


17 Responses to Sophos sucks? Being insulted by malware authors can be the best reward

  1. Nigel · 735 days ago

    There's no better testament to the fact that Sophos is making a difference. Huzzahs!

  2. drba · 735 days ago

    Awesome :D This is what makes me work even harder to get those lowlifers!

  3. Rich Sarino · 734 days ago

    Thanks. I count on you guys a lot.

  4. Teksquisite · 734 days ago

    Good one Sophos! Keep up the great work :)

  5. kkirschenmann · 732 days ago

    THIS is why I moved our company to Sophos!! You guys rock!

  6. Dee B. · 732 days ago

    I love starting off a Monday morning with a hearty chuckle. You keep pissing off those hackers, Sophos!

  7. Aitchjayem · 731 days ago

    Great work Sophos. Love reading Naked Security even though I am not involved in IT security - other than on my stand-alone iMac :)

  8. Sam Green · 710 days ago

    Sophos you're awesome

  9. Carolyn Baggoo · 710 days ago

    Sophos, you are the only one who didn't abandon older Macs. I love your anti-virus software.

  10. Ken Riley · 710 days ago

    I was skeptical of Sophos, but the software is great, and they have nice writers. I read them every day.

  11. David Machin · 710 days ago

    It's shocking how many people don't have even the most basic AV software installed. Facebook spam is getting worse as well. Keep fighting the good fight!

  12. Glenn Russ · 710 days ago

    OK, what is up with all these pictures all over Facebook saying "if you know this, like" and there will be 45,000+ likes. Looks like a scam to me.

  13. Christine Blair · 710 days ago

    Glenn, if it's not now, it soon will be.

  14. Shelly Steingraber Ratliff · 710 days ago

    35 years in IT and I can tell you sophos is the best, hands down, both in protection and management. Support is rarely needed but great when I do.

  15. David Inutiq · 710 days ago

    More like molesters.

  16. Polly Sauer Tomlinson · 710 days ago

    Sophos posts aren't coming through my news feed anymore. Why's that?


About the author

Fraser is one of the Principal Virus Researchers in SophosLabs. He has been working for Sophos since 2006, and his main interest is in web related threats.