Oh dear. SophosLabs has upset some malware authors

Whilst dealing with the daily deluge of malicious files, it is nice for those of us working in SophosLabs to occasionally come across something amusing which can make us smile.


Sometimes even insults can be amusing (even complimentary), as we have previously noted.

Messages to Sophos (sorry, Sofos) within malicious code could be regarded as confirmation that the defences we are putting up are aggravating the criminals.

Earlier this week, a new message appeared in one of the active exploit kits:

Message added into the JavaScript of exploit kit landing page

This translates to:

Dear Sofos, what do you need from me? I do not understand. Please f*** off! ThankYou!

The exploit kit in question has been active for several months now, and Sophos products block it as Mal/ExpJS-AL.

As usual, compromised websites are responsible for driving traffic to the sites hosting the exploit kit. So even the most careful browsing could still expose you to such threats.

In the past 24 hours for example, pricing up some Angry Birds merchandise or checking out the latest shawl worn by Kate Middleton would have been enough to expose you to legitimate websites that have been injected with malicious JavaScript that kick starts the drive-by download chain.

See here for an excellent video describing exactly how drive by downloads work.

Hat-tip: Thanks to @kafeine who brought the message to our attention, and @ekwatcher for the sample.