Articles by James Wyke

About James Wyke

James Wyke is a Senior Threat Researcher with SophosLabs UK

Information-stealing 'Vawtrak' malware evolves, becomes more evasive

Skull. Image courtesy of Shutterstock.

SophosLabs has recently observed some cunning changes made by the authors of the dangerous banking malware 'Vawtrak'.

James Wyke explains.

Duping the machine - the cunning malware that throws off researchers

Malware. Image courtesy of Shutterstock

Traditionally, when malware detects that it is not running in a genuine victim setting, it will simply exit immediately. But there's a certain subset of malware families that are more cunning when they detect an analysis environment...

"Gameover" malware returns from the dead...

In early June 2014, a internationally co-ordinated law enforcement effort against the criminals behind the infamous Gameover malware pretty much wiped out their botnet altogether.

Bad news - it looks as though Gameover is back...

Notorious "Gameover" malware gets itself a kernel-mode rootkit...


The Gameover botnet gang has been trying new techniques lately: most recently comes the introduction of a kernel-mode rootkit called Necurs, making the malware harder to find and remove.

Senior Researcher James Wyke of SophosLabs investigates...

Have we seen the end of the ZeroAccess botnet?


Since Microsoft took positive action against the ZeroAccess botnet at the beginning of December, SophosLabs has been paying close attention to see if the owners would attempt to revitalise the botnet and return it to profitability.

James Wyke looks into what happened...

ZeroAccess malware revisited - new version yet more devious


Guess what? The authors of the infamous ZeroAccess malware have pushed out another update, and this time they're using some interesting techniques to stay alive longer.

James Wyke of SophosLabs explains...

Was Microsoft's takedown of Citadel effective?

Was Microsoft's takedown of Citadel effective?

Last week, Microsoft took aim at more than 1,400 Citadel botnets by sinkholing their command and control infrastructure.

What was the actual effect of this takedown? SophosLabs takes a look...

Point of sale devices and Canadian banks targeted by Citadel malware variant

Point of sale devices and Canadian banks targeted by Citadel malware variant

A new variant of the prevalent Citadel crimeware kit has been discovered to target Point of Sale (POS) devices. Find out more, in this analysis from SophosLabs expert James Wyke.

The Citadel crimeware kit - under the microscope

The Citadel crimeware kit - under the microscope

Ever since the source code of Zeus/Zbot leaked in May 2011, many new variants have appeared.

One particularly prevalent example is Citadel.

James Wyke of SophosLabs puts it under the microscope....

Over 9 million PCs infected - ZeroAccess botnet uncovered


ZeroAccess is a hugely widespread malware threat that has plagued individuals and enterprises for years. It has evolved over time to cater for new architectures and new versions of Windows.

And it can earn its creators in excess of $100,000 per day. Find out more in our new technical paper.

Major shift in strategy for ZeroAccess rootkit malware, as it shifts to user-mode

Major shift in strategy for ZeroAccess rootkit malware, as it shifts to user-mode

The ZeroAccess rootkit, which hijacks PCs and recruits them into a botnet, has undergone a significant revision - SophosLabs researcher James Wyke reveals.

Digging Deeper on the TechCrunch Zbot

Digging Deeper on the TechCrunch Zbot

Last week the website belonging to TechCrunch Europe had malicious code planted on it, the payload of which was a variant of Zbot - Troj/Zbot-YP. There are several interesting aspects of this variant that are worth exploring in a little Read more…

Why won't my sample run?

'OMG!! This Mother Went to Jail' Facebook scam spreads virally

Here at SophosLabs we have recently been seeing samples of Zbot (also known as the Zeus crimeware kit) that refuse to execute on any of our testing machines. Often when this happens it is because the sample is corrupt or will Read more…

Fake Car Tax Malware

Default image

Sometimes malware authors make it really easy to spot a scam. Today's email attachment campaign is a fake car tax update. Apparently the "Ministry of Transport"  has made some sort of change to my car tax and details are in the attached Read more…

Miscellaneous Poisoning Blasts Off

Miscellaneous Poisoning Blasts Off

 Search terms for the recent shuttle launch and the Southern Entertainment Rap awards are currently the targets of SEO poisoning campaigns.    Unprotected users who take the bait will become infected with FakeAV.   Searching for combinations of these and other popular trend Read more…

Tiger's play too rough on Valentines Day

Image (1) search1.jpg for post 25140

While most sane people around the world are enjoying a romantic Valentine's Day today, we at SophosLabs remain vigilant on the front line of the war against malware. This year, Valentines Day coincides with the Chinese New Year as well Read more…

Tiger still hot stuff

Tiger still hot stuff

Despite talk of Tiger Woods' sponsors "limiting his role" in their advertising campaigns, he is still very much hot stuff when it comes to search engine queries which means he's still a viable target for the malware writers. We can Read more…

There's Malware on Elm Street this Halloween ... with pumpkins!

Image (2) halloweenpumpkingame.jpg for post 24587

  It appears that this Halloween the malware writers preferred choice of infection vector is by using SEO (Search Engine Optimization) techniques to poison popular search terms. We at SophosLabs have seen relatively few email campaigns that exploit Halloween this year, but there have been Read more…

Your Funds Will Be Transfered

Image (1) fundtrans.jpg for post 24195

This morning while monitoring our spam traps I was greeted with the following proposition:   Added to the suspiciously poor spelling and grammar, the message also has an attachment named "WU Money Sent.exe." By this point any sane person would have Read more…

You don't have a job? Get a Govt Grant

You don't have a job? Get a Govt Grant

While monitoring SophosLabs' spam traps this morning I came across a proposition with the following subject: You don't have a job? Get a Govt Grant   Several things stand out from this email that make me think it is something other than Read more…