Sometimes things can get a little personal between those who write malware, and those whose job it is to protect against it.
Researchers, such as those who work at SophosLabs, may devote significant effort into probing a specific attack, kit or family of malware. Typically the knowledge they acquire is used in writing generic detections such that customers are protected from that threat.
And detection is the last thing the attacker wants. After all, detection means no profit.
So ensues the cat-and-mouse game between attacker and researcher, in which polymorphism, used to evade detection, is the attacker's weapon of choice.
Perhaps the most rewarding thing about working for a security company is to think about our efforts thwarting attacks. Sometimes, we see evidence of this in the attacker’s behaviour – they may completely switch tactics, effectively accepting defeat in their battle against our protection.
Occasionally we annoy them to such an extent that they vent their anger within the malware itself!
For example, our generic detection on the landing page for a popular exploit kit annoyed the authors to such an extent that, earlier in the year, they temporarily renamed the filename of their landing page.
How charming.
Similar expressions of annoyance have been seen on some scareware (fake anti-virus) landing pages. Search engine optimisation (SEO) is being used to redirect users to these pages, where they are tricked into installing scareware.
The landing page mimics a system scan, using simple JavaScript to fake the file scanning progress. Historically, the filenames used have been embedded within the script as a simple array.
Then, presumably frustrated by our Mal/FakeAvJs-A detection, the attackers split the array up, using “interesting” variable names:
Sometimes, reversed 🙂
Sometimes, they like to hide the message a little 🙂
This week I noticed that they have now started to obfuscate that part of the script, using a common, commercial obfuscation tool:
Sigh. Mal/FakeAvJs-A remains.
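As an added illustration (not code from the post, and not Sophos's detection logic), here is a Python heuristic that recovers the fake-scan filename list from a script whichever of the storage tricks described above is in use: a plain array, the array split across oddly named variables, or reversed strings. The sample fragments are constructed stand-ins, not the real landing-page scripts, and the packed sample shows the limit of this approach: once a commercial obfuscator has transformed the script, the filenames are no longer visible as literals and a string-level scan finds nothing.

```python
import re

# Constructed sample fragments modelled on the evolution the post describes.
# They are illustrative stand-ins, not the real landing-page scripts.
PLAIN_ARRAY = "var files = ['system32.dll', 'kernel32.sys', 'winlogon.exe', 'ntdll.dll'];"
SPLIT_VARS = (
    "var sophos_is_lame = 'system32.dll'; var bye_bye = 'kernel32.sys';\n"
    "var haha = 'winlogon.exe'; var lol = 'ntdll.dll';"
)
REVERSED = (
    "function r(s){return s.split('').reverse().join('');}\n"
    "var a = r('lld.23metsys'), b = r('sys.23lenrek'), c = r('exe.nogolniw'), d = r('lld.lldtn');"
)
# Packed/obfuscated output exposes no readable filenames to a literal scan.
PACKED = "eval(function(p,a,c,k,e,d){return p}('0 1=2',3,3,'var|x|y'.split('|'),0,{}))"

# Single- or double-quoted JavaScript string literals, honouring backslash escapes.
STRING_LITERAL = re.compile(r"'((?:[^'\\]|\\.)*)'|\"((?:[^\"\\]|\\.)*)\"")
# Windows-style filenames of the kind a fake scanner pretends to inspect.
FILENAME = re.compile(r"^[A-Za-z0-9_-]+\.(dll|sys|exe)$", re.IGNORECASE)


def extract_literals(script: str) -> list[str]:
    """Return every string literal in the script, in source order."""
    return [single or double for single, double in STRING_LITERAL.findall(script)]


def candidate_forms(literal: str):
    """Yield the literal as written and reversed, so 'lld.23metsys' still matches."""
    yield literal
    yield literal[::-1]


def fake_scan_filenames(script: str) -> set[str]:
    """Collect filenames regardless of whether they sit in one array, many variables, or reversed."""
    found = set()
    for literal in extract_literals(script):
        for form in candidate_forms(literal):
            if FILENAME.match(form):
                found.add(form.lower())
    return found


def looks_like_fake_scan(script: str, min_filenames: int = 3) -> bool:
    """Heuristic verdict: several system filenames held in string literals."""
    return len(fake_scan_filenames(script)) >= min_filenames
```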
Messages like this from attackers are encouraging. We should take them as a compliment. It is nice to know that we’re having an impact disrupting their criminal business.
Man making ‘loser’ sign, blowing raspberry image from Shutterstock.
There's no better testament to the fact that Sophos is making a difference. Huzzahs!
agreed!!!!
Awesome 😀 This is what makes me work even harder to get those lowlifers!
Thanks. I count on you guys a lot.
Good one Sophos! Keep up the great work 🙂
THIS is why I moved our company to Sophos!! You guys rock!
I love starting off a Monday morning with a hearty chuckle. You keep pissing off those hackers, Sophos!
Great work Sophos. Love reading Naked Security even though I am not involved in IT security – other than on my stand-alone iMac 🙂
Sophos, you're awesome.
Sophos, you are the only one who didn't abandon older Macs. I love your anti-virus software.
I was skeptical of Sophos, but the software is great, and they have nice writers. I read them every day.
It's shocking how many people don't have even the most basic AV software installed. Facebook spam is getting worse as well. Keep fighting the good fight!
Ok, what is up with all these pictures all over Facebook indicating "if you know this, like" and there will be 45,000.00+ likes. Looks like a scam to me.
Glenn, if it’s not now, it soon will be.
35 years in IT and I can tell you Sophos is the best, hands down, both in protection and management. Support is rarely needed but great when I do.
More like molesters.
Sophos posts aren't coming through my news feed anymore. Why's that?