General

How large is a piece of Malware?

Q. What is the average size of a typical malware file? Of course there is no definitive answer to this question, and different kinds of malware can have vastly different sizes, but for those wanting an answer I ran a Read more…

Why won't my sample run?

Here at SophosLabs we have recently been seeing samples of Zbot (also known as the Zeus crimeware kit) that refuse to execute on any of our testing machines. Often when this happens it is because the sample is corrupt or will Read more…

Malware exploiting x86 machine code redundancy

Every anti-virus product on the market these days is furnished with an emulator, which provides a safe sandbox for running executable files before they are loaded and executed in the real environment. By definition an emulator will never be Read more…

"The chase is better than the catch", perhaps not always

Anti-virus users may not be aware just how much effort malware authors put into their creations. The main aims from that side of the fence are to design malware that: - will avoid any existing detections when first released - Read more…

Spammed redirects using anti-emulation tricks

A few weeks ago Richard posted a blog about malicious HTML attachments we were seeing in spam. Well, the attacks have continued since then along much the same lines. For example: Current attachments are being blocked as Troj/JSRedir-BV. As noted Read more…

Fake Car Tax Malware

Sometimes malware authors make it really easy to spot a scam. Today's email attachment campaign is a fake car tax update. Apparently the "Ministry of Transport" has made some sort of change to my car tax and details are in the attached Read more…

SEO techniques and malware: Don't move or I'll redirect!

Don't move - or I'll redirect!

Search engine optimisation (SEO) techniques have received a fair amount of attention recently, thanks mostly to their use in fake AV distribution. In this blog, I will describe an interesting piece of JavaScript I came across whilst investigating some SEO pages. Read more…

No antivirus, no Internet connection

This article in Le Monde caught my eye today: Australie : pas d'antivirus, pas de connexion à Internet. It concerns a report, published on June 21st by the Australian Standing Committee on Communications, in which the following recommendation is proposed: "... cutting off access Read more…

"Who's your Verisign?" -- Malware faking digital signatures

Troj/BHO-QP is a rogue Browser Helper Object (BHO) which masquerades as a Flash Player extension from Microsoft, when in fact the BHO is a backdoor agent installed alongside QQ game automation freeware. The BHO has been seen installed as a Read more…

Anatomy of a Symbian Malware

Yesterday, I found a sample of Symbian malware while I was working on generic stuff. This kind of malware is quite difficult to spot, so today we are going to analyze this sample, which targets Symbian based smartphones. This malware Read more…

"Pentagon" delivers Zbot via "DHS"

We're currently seeing a limited-volume run of spam messages linking to a zip file containing Zbot/Zeus malware. The messages purport to be from the Department of Homeland Security, the Pentagon, or the Transportation Security Administration. The subjects of the spam Read more…

Old Heroes Don't Die, They Just Live On In Malware

As virus analysts, we're used to seeing lots of inane quotes hidden in malware. These days, they can range from anything to everything. One malware author thought it funny to include Chuck Norris in his malware creations. Yes, Chuck Norris, Read more…

Style Sheet Messaging

It seems our friends over at ESET NOD32 have received a message that most people wouldn't even notice. While doing some digging into SEO poisoned pages I was looking at the source code of the main FakeAV portal pages and Read more…

Hanging up on World Cup spam

With all the excitement and fanfare of the World Cup as it gets underway, within SophosLabs there is naturally an expectation of soccer-related spam -- and now it appears as though the spammers are cornering the mobile device network Read more…

June 2010 Patch Tuesday - have you updated your computers?

This month Microsoft has released ten vulnerability updates, some of which they have labelled as "critical". The June updates include: MS10-033 - Vulnerability in media decompression libraries could allow remote code execution. MS10-038 - Multiple vulnerabilities in Microsoft Excel which Read more…

Mitigations for Adobe vulnerability: CVE-2010-1297

Since receiving samples of the latest Adobe vulnerability SophosLabs analysts have been working on protecting our customers. Detection for the PDF file known to exploit this vulnerability has been added as Troj/SWFDlr-S. The payload installed by this file is proactively Read more…

Jerusalem Post website serving malware

A couple of posts on Twitter brought to my attention earlier today that the website of the Jerusalem Post is serving up malware to unsuspecting visitors. Initially, I suspected that the malware was loaded via a compromised advert stream or Read more…

Good software made to do bad things by malicious authors

Good software doing bad things

Writing malware is not hard, a conclusion supported by the tens of thousands of samples SophosLabs (and I'm sure other vendors) receive on a daily basis. Analysts and even machines are starting to get quite good at spotting such creations Read more…

Sue BP for damages resulting from the oil spill?

SophosLabs' global network of spamtraps is now seeing "snow-shoe spam" promoting litigation services against British Petroleum (BP) relating to the Gulf of Mexico oil spill disaster. They are targeting anyone who may be negatively affected by the oil spill, and Read more…

CARO Workshop 2010 - Day Two

Billy blogged yesterday about the first day of this year's CARO conference. He has since developed a nervous tic whenever the words "exponential", "growth" and "samples" are used in the same sentence. Luckily, today's talks were much more upbeat. Instead Read more…