Articles by SophosLabs

U.S. Customs and Border Protection Scam

Today I received a special package via email regarding cash worth the sum of USD $1.5M... Woooooo. However, I found out it is not easy to be the beneficiary of this package. Subject:      RE: A G Commissioner of U.S. Customs and Read more…

Sality Links and shortcut exploit

Shortcut exploit: protect against it with this free tool

Shortcut exploits have made the news in malware circles this month. After Stuxnet first used them, it wasn't long before other malware started exploiting the zero-day vulnerability - Sality is among their number. The authors of the Sality family added Read more…

From Nigeria with Love - old sk00l spam

Every now and then we at SophosLabs receive a sample of malware or spam that (laughs aside) shows the true inventiveness of the spammers and malware authors. During the World Cup I received some SMS spam on my phone but Read more…

Some Zbots just can't move on...

Zbots have recently been going through several changes in their infection method and functionality. One of the new samples, though, caught my attention due to its naive evasion tricks. First, the old static-analysis mangle: the correct offset of the Read more…

Spammed redirects using anti-emulation tricks

A few weeks ago Richard posted a blog about malicious HTML attachments we were seeing in spam. Well, the attacks have continued since then along much the same lines. For example: Current attachments are being blocked as Troj/JSRedir-BV. As noted Read more…

New SQL injection making the rounds?

SophosLabs has been tracking the results of what looks like a new SQL injection over the last week and updating detections to Mal/Badsrc-C to deal with it. The script tag injected is now using port 8080 like similar campaigns recently. Read more…
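The visible symptom of this kind of campaign is a `<script src=...>` tag injected into database-backed page content, pointing at an attacker host on a non-standard port (8080 in the campaign above). The following is an added example, not code from the SophosLabs post or from the Mal/Badsrc-C detection: it scans served HTML for off-site script tags on ports other than 80/443, which generalises the port-8080 observation to any non-standard port. The page fragment and host names are constructed for illustration.

```python
"""Flag externally hosted <script src> tags on non-standard ports.

Added illustrative example; the sample page and hosts below are constructed,
and the heuristic is not the vendor's detection logic.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Ports a legitimate third-party script would normally be served from.
STANDARD_PORTS = {None, 80, 443}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> start tag, even when the
    tag was injected mid-document (e.g. inside a <title>) by a SQL injection."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":  # HTMLParser lowercases tag and attribute names
            return
        for name, value in attrs:
            if name == "src" and value:
                self.srcs.append(value)


def suspicious_script_srcs(html, site_host):
    """Return [(src, reason)] for script tags that load from another host on
    a port outside STANDARD_PORTS. Relative srcs are same-origin and skipped."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    hits = []
    for src in parser.srcs:
        url = urlparse(src)
        if not url.netloc:
            continue  # relative path: served by the site itself
        host = (url.hostname or "").lower()
        try:
            port = url.port
        except ValueError:
            port = -1  # malformed port string: treat as non-standard
        if host != site_host.lower() and port not in STANDARD_PORTS:
            hits.append((src, f"off-site script from {host} on port {port}"))
    return hits


# Constructed page: one local script, one CDN script on a standard port, and
# one injected tag of the kind a SQL injection campaign writes into a DB field.
SAMPLE_PAGE = """<html><head>
<title>Product catalogue</title><script src="http://evil.example.net:8080/x.js"></script>
<script src="/js/app.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
</head><body>Welcome</body></html>"""

if __name__ == "__main__":
    for src, reason in suspicious_script_srcs(SAMPLE_PAGE, "www.example.com"):
        print(f"SUSPICIOUS: {src} ({reason})")
```

A non-standard port on its own is a weak signal (some legitimate sites do serve assets from 8080), so in practice the host would be checked against an allow-list or reputation feed as well; the useful part is catching a script tag that appears inside content that should never carry markup, such as a title pulled from the database.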

PDF spam phones home to Sality malware family

Remember all those long-distance phone calls we made? No, me neither - so if you see an email asking you that same question, don't open it. The spam messages have a subject of "phone calls" and look like this: Read more…

More attacks using compromised OpenX ad-servers

Regular SophosLabs blog readers may have read previous posts about attacks that have poisoned ad content in order to inject malicious code into legitimate web sites. This is a nasty form of attack which can reach a potentially huge audience. Read more…

No antivirus, no Internet connection (Pas d'antivirus, pas de connexion à Internet)

This article in Le Monde caught my eye today: "Australie : pas d'antivirus, pas de connexion à Internet" (Australia: no antivirus, no Internet connection). It concerns a report, published on June 21st by the Australian Standing Committee on Communications, in which the following recommendation is proposed: "... cutting off access Read more…

Guest blog: Does Apple stand at a security crossroads?

Ben Jupp, a Sophos technical specialist who lives and breathes all things Mac, Linux and Unix, ponders Apple's attitude to security. Over to you, Ben. Apple gets a pretty rough press when it comes to security and, to be honest, I Read more…

"Who's your Verisign?" -- Malware faking digital signatures

Troj/BHO-QP is a rogue Browser Helper Object (BHO) which masquerades as a Flash Player extension from Microsoft, when in fact the BHO is a backdoor agent installed alongside QQ game automation freeware. The BHO has been seen installed as a Read more…

Guest blog: Sophos support for Windows NT 4

In this guest blog Sophos product manager Darren Teagles describes Sophos's plans to continue supporting Windows NT 4, long after Microsoft has officially given up on it. Over to you, Darren. Here's some good news. Sophos is Read more…

Double trouble - spam and malware payloads

Don't you hate spam? It's a nuisance, but not anything you really need to worry about, is it? I mean, it's not like you ran an executable, you just found yourself somewhere trying to sell you Viagra, no harm done, Read more…

Updated XProtect protects against OSX.HellRTS

You may remember that in August last year SophosLabs blogged about XProtect and how it can protect you from Mac malware. Earlier this year, Graham blogged about OSX/Pinhead-B, a backdoor for OS X. The update schedule for Snow Leopard has been: 10.6 Read more…

Old Heroes Don't Die, They Just Live On In Malware

As virus analysts, we're used to seeing lots of inane quotes hidden in malware. These days, they can range from everything to anything. One malware author thought it funny to include Chuck Norris in his malware creations. Yes, Chuck Norris, Read more…

A.S. Roma football website infected with same malware as Jerusalem Post

Last week, I reported on (1, 2 and 3). Yesterday, I notified my colleagues in our Italian office that the website of the football (soccer) club AS Roma was infected. My colleagues contacted AS Roma yesterday and today, and were Read more…

More likejacking targets: Farmville, Sex And The City 2, Kendra Wilkinson, ...

Another week, another round of likejacking targets. Though we still haven't seen this technique being used as an attack vector to infect users, it's still an underhanded and malicious technique, and it's driving swarms of people to pages serving up Read more…

Hanging up on World Cup spam

With all the excitement and fanfare of the World Cup as it gets underway, within SophosLabs there is naturally an expectation of soccer related spam -- and now it appears as though the spammers are cornering the mobile device network Read more…

Spam campaign: exploited Excel files

We've been seeing an aggressive spam campaign (which we block) carrying malicious Excel (.xls) files, detected as Troj/DocDrop-Q, exploiting the vulnerability classified as CVE-2009-3129. The Excel file attempts to decrypt, drop and run another executable file, which copies itself to <System>\googletoolbar32.exe Read more…

Java exploits on the rise

Over the last few months we've seen a noticeable rise in the number of in-the-wild Java related exploits, some of which are pretty effective. We've been detecting most of these as Mal/WebStart-A. The typical scenario we see is a compromised Read more…