Articles by SophosLabs

Anatomy of a targeted attack - SophosLabs explores an Adobe zero-day "malware experiment"

SophosLabs was contacted recently to help investigate malware from an unusual sort of targeted attack.

What our researchers found was intriguing, to say the least, so we thought we'd share our discoveries with you...

Data security breach at the North Pole! Santa's Naughty/Nice list compromised

Santa's data security breach

Reports from the North Pole have confirmed that Santa's Naughty/Nice list has been compromised.

The list is said to contain the name, stocking address and naughty/nice score (the child equivalent of a credit rating) of every child on earth.

Choose your Fake Anti-Virus?


Today, at SophosLabs, we encountered another interesting rogue security software variant, Troj/FakeAV-BTN. When run, Troj/FakeAV-BTN poses as a Microsoft Security Essentials Alert and detects only one file, as "Unknown Win32/Trojan". When the user wants to remove this fake threat, this malware offers…

Cat 'n Mouse with spammed HTML redirects


The attackers behind the spammed HTML redirects I blogged about last week have been busy over the last few days. In an ongoing attempt to evade detection they have continually tweaked and changed the manner in which the redirect is…

Mal/PDFJs-Y: PDFs using getField


This week I have been putting the finishing touches to my presentation for the Virus Bulletin Conference in Vancouver later this month. While doing the research I have collected a large corpus of PDF files; the results of analyzing these…

License to code: should security companies be the arbiter of good or bad code?

License to code

None of us would want to be operated on by an unlicensed surgeon, so why should we put trust in software applications written by unlicensed, uncertified programmers? Apple have seemingly taken the high road by requiring programmers to register as Apple…

Somerset County Council website victim of Blackhat SEO and malware injection


Sophos users over the past few months may have noticed that they haven't been able to access parts of the Somerset Information Exchange (SiX) due to instances of Mal/Badsrc-C on the site. The problems for the SiX microsite, hosted on…

Infected Phish targeting Commonwealth Bank of Australia


This week we've seen more phishing spam targeting the Commonwealth Bank of Australia, an institution that many scammers have aimed at in the past. The emails have a subject of "Update your Commonwealth Bank" and look like this: The text…

September 2010 Patch Tuesday

September Patch Tuesday

There are 9 new releases in this month's Microsoft patch release. Four of these are ranked by Microsoft as Critical; due to the lack of exploitation in the wild, none have been ranked higher than Medium by SophosLabs. Today also brings…

The correct CV (or malware masquerading as a CV...)


Today we have observed some messages which at first glance appeared to be somebody trying to correct the mistakes on the CV they had sent out. All messages had the same body text, which read as follows: Thank you for the…

How much malware does SophosLabs detect?

To infinity and beyond

SophosLabs has discovered a technique in anti-virus marketing, which we detect as Spin/BigNumber-P. Typical behaviour involves phrases such as "Product detects X viruses!", where X is a large, rather exact-sounding number. Some variants involve high-tech numerical displays updated in real time…

Encryption with no separate external key


Most typical modern malware variants tend to hide critical parts of their functionality (strings, URLs/IPs of their dodgy servers, etc.) using some form of encryption. In most cases only trivial algorithms are used. However, these suffice, as the intention is…

Phish net stockings, or spammer attempt at a phish?

Phish net stockings?

An interesting phish was just escalated to me for analysis. Well, ironic more than interesting. Looking at the following phish: The message is a typical phish, with clues to its nefarious origins. Dear Valued Customer, Your New Online Statement Summary…

You're Not That Well Financed, Are You?


Every once in a while, I get the odd spam message that really makes me want to laugh. Take this one, for instance. The spam message says that if I ever want to get a home loan, just feel free…

PerlBot: A reason to run anti-virus on Linux?


This morning I noticed that SANS were talking about a Perl bot that has been reported on various Unix systems. I went looking for this file and noticed that a colleague had already updated the identity for Mal/PerlBot-A to detect…

Educating the masses about internet security

Guest blog: Educating the masses about internet security

Chris Pace from Sophos's sales engineering department has sneaked his way onto my blog to mention a couple of free tools we've made available to help educate your workforce about online security threats. Tell us all about it, Chris... Have…

Critical Adobe Acrobat APSB10-17 Vulnerability Patch


Adobe Systems has sent out a critical Security Advisory for Adobe Reader and Acrobat. This advisory is related to the security vulnerability CVE-2010-2862. For more information, please refer to this Sophos knowledgebase article. For further information and where to obtain…

New obfuscation technique using JavaScript in legitimate sites


Or at least their length. Earlier this week I came across some rather interesting JavaScript injected into legitimate sites. The obfuscation method was new (to me at least) and piqued my interest. The payload itself is predictable and dull:…

Poetry in spam


Hi! I saw your ad on Craigs List I am going make this response short and sweet. If you are interested to make a bit of money on the net, then check-out this web-site called: [censored]reseller.info So it is not…

August 2010 Patch Tuesday


There are 14 new releases in this month's Microsoft patch release. Many of these are remote code execution bugs. Although we haven't seen malware spreading via these bugs, it's certainly a good idea to patch proactively. For the full details…