Malware in the morning (a day in SophosLabs)

Last Friday (June 15th) my day illustrated what my boss, Mark Harris (Director of SophosLabs), has frequently said is unique to Sophos: “One Lab, multiple locations.”

That morning, I was assigned the analysis of an HTML page submitted by a customer who believed it to be suspicious. Analysis revealed it to indeed be malicious and I wrote detection. After passing review and QA checks, the detection was queued for publishing.

Within SophosLabs we use rota systems to manage the workflow across a global team of analysts. Despite people having specialties, we believe it is important that everyone should be able to do any of the tasks required for providing protection for customers. On the morning in question, I was also tasked with the job of publishing detections. All those ready for publishing were duly published. At this point, I thought nothing more about the detection I wrote for the malicious HTML file.

After lunch, just before I was rota’d to do a session of spam analysis, I saw something interesting in the incoming data queues. Users of our web security appliance (WS1000) can choose to send back to Sophos reports of malware detected. Within this data I noticed two reports of the malware that I had written detection for earlier that day. With my interest piqued I began a deeper analysis of what was happening.

Anyway, enough preamble; let’s get down to the analysis:

The suspicious HTML sample that was received early on Friday morning did not come with any accompanying data or information to indicate where it was from, or how important it was. Detection as JS/Dload-F was written and published. The malicious web pages, detected as JS/Dload-F, are actually very cheeky in that they use several different methods for downloading the ultimate malware.

  1. Malicious code targeting several browser vulnerabilities in order to silently download the malware.
  2. Three other pages are loaded (via iframe tags) to target other browser vulnerabilities, again, to silently download the same malware. These pages are now caught as Mal/JSShell-C.
  3. Finally, if all else fails, the page encourages the user to download the malware manually!


The target file (Win32 binary) that is downloaded in these attacks is changing frequently, but at the time of writing, it is being detected by a tweak to our generic detection of Mal/EncPk-E.

How do users initially visit the malicious site? Via a spam campaign. All the domains, so far, are “.HK” domains (see earlier post on misuse of these domains). The spam messages are actually quite diverse and these dodgy domains are being used in multiple campaigns.