Sophos sucks? Being insulted by malware authors can be the best reward

Sophos sucks? Being insulted by malware authors can be the best reward

Sometimes things can get a little personal between those who write malware, and those whose job it is to protect against it.

Loser sign, blowing raspberries. Image from Shutterstock

Researchers, such as those who work at SophosLabs, may devote significant effort into probing a specific attack, kit or family of malware. Typically the knowledge they acquire is used in writing generic detections such that customers are protected from that threat.

And detection is the last thing the attacker wants. After all, detection means no profit.

So ensues the cat-and-mouse game between the attacker and the researchers, where polymorphism is the attacker’s weapon of choice (used in order to evade detection).

Perhaps the most rewarding thing about working for a security company is to think about our efforts thwarting attacks. Sometimes, we see evidence of this in the attacker’s behaviour – they may completely switch tactics, effectively accepting defeat in their battle against our protection.

Occasionally we annoy them to such an extent that they vent their anger within the malware itself!

For example, our generic detection on the landing page for a popular exploit kit annoyed the authors to such an extent that, earlier in the year, they temporarily renamed the filename of their landing page.

How charming.

Similar expressions of annoyance have been seen on some scareware (fake anti-virus) landing pages. Search engine optimisation (SEO) is being used to redirect users to these pages, where they are tricked into installing scareware.

The landing page mimics a system scan, using simple JavaScript to fake the file scanning progress. Historically, the filenames used have been embedded within the script as a simple array.

Then, presumably frustrated by our Mal/FakeAvJs-A detection, the attackers split the array up, using “interesting” variable names:

Sometimes, reversed :)

Sometimes, they like to hide the message a little :)

This week I noticed that they have now started to obfuscate that part of the script, using a common, commercial obfuscation tool:

Sigh. Mal/FakeAvJs-A remains.

Messages like this from attackers are encouraging. We should take them as a compliment. It is nice to know that we’re having an impact disrupting their criminal business.

Man making ‘loser’ sign, blowing raspberry image from Shutterstock.