SophosLabs Blog
Want to know what Sophos experts think about the latest security issues? Daily updates from SophosLabs™ provide insight into the most interesting and widespread threats
May 2007
- Hong Kong Phooey (31 May 2007 11:35 GMT)
  SophosLabs have seen a rise in the number of .HK domains being used for spam. Mainly the spam has been for Viagra and other erectile drugs. What is the reason for the rise in spam from Hong Kong?...
- Testing times: Sophos and AV-Test.org (31 May 2007 11:20 GMT)
  If there’s one job more difficult than being an anti-virus researcher, it’s being the poor guy who has to test anti-virus software! This has been brought to light today as I looked into a recent...
- Gone are the days of the Passive Packer (30 May 2007 08:44 GMT)
  Packers have traditionally been employed to reduce executable footprints by compressing the executable. They have evolved since, to prevent patching and reverse engineering of the underlying application by...
- World of Wartheft (30 May 2007 07:14 GMT)
  Online gaming has been the rage since the dawn of the internet. In its infancy, online gaming was confined to a few servers and hobbyists. These days, online gaming is a multi-million dollar industry....
- I Want A Free Key Generator And A Free Bot On My Computer (29 May 2007 04:21 GMT)
  Password crackers and key generators have long been the bane of commercial software companies because they allow users to circumvent their protection mechanisms without the need to purchase their software....
- A Prickly Problem (28 May 2007 13:15 GMT)
  Another relatively quiet shift on the malware front, but a little more life within the spam feeds. There have been a number of phishing attacks successfully intercepted today. The usual mixture of targeted...
- Calm before the storm? (27 May 2007 16:01 GMT)
  Things have been eerily quiet on the malware front this weekend. Perhaps the malware authors are taking a time out, shopping for computer parts or something. Or is there some nefarious scheming afoot in...
- Infected, compromised? What's the difference? (26 May 2007 16:16 GMT)
  Readers will no doubt be familiar with the concept of categorising URLs, and how this forms an important part of security today. Classification enables users to prevent access to URLs that are known to be...
- Sometimes bad things come in small packages (26 May 2007 08:12 GMT)
  Researchers at SophosLabs have released detection for Troj/Small-EJA. As the name implies, Troj/Small-EJA has a very small filesize in comparison to a lot of malware in the wild. Being small however does...
- Pirates, Bunnies and Worms (25 May 2007 16:09 GMT)
  As part of this blog, I plan on providing a weekly summary of what's been happening in SophosLabs. In many ways it has been a regular week: a large number of the usual variants in malware, spammers up to...
- Ahoy, Mateys! A Trojan For You (25 May 2007 02:53 GMT)
  SophosLabs analysts released detection for a new spammed out Trojan today, detected as Troj/Yar-A. The Trojan arrives in an email with either a blank subject line or one of the following: “Pirates of...
- Phishing dilemma (24 May 2007 16:50 GMT)
  Phishing websites usually have a very short life span. They appear and disappear very quickly as administrators take them off-line as soon as they are reported. It is relatively rare that the phisher,...
- Fundamental flaw in all operating systems! (24 May 2007 10:25 GMT)
  My previous blog entry on the OpenOffice malware BadBunny-A and the subsequent press release caused quite a lot of interest; however, the only flaw exploited by this (and the majority of malware) is the one...
- Not the dirty dozen (24 May 2007 09:40 GMT)
  SophosLabs regularly publishes information about the 'Dirty Dozen' spamming countries, but for me just as interesting is the bottom of the list. Let me explain. We collect millions of spam messages...
- New Gatina Variant Continues To Target Filipino Users (24 May 2007 08:09 GMT)
  SophosLabs encountered a new variant of the W32/Gatina family of mass-mailing worms today, detected as W32/Gatina-B. Like most mass-mailing worms, W32/Gatina-B uses social engineering to try and entice...
- Bursted drawings? (23 May 2007 13:19 GMT)
  This morning SophosLabs received samples of AL/Bursted-Fam from a customer. The AL/ prefix denotes AutoCAD LISP viruses. As viruses go they are not very common. All the viruses are required to reside in the...
- IRS Phishing Scammers (23 May 2007 07:03 GMT)
  I’d like to take this opportunity to remind our US customers to be on the watch for IRS phishing scams. IRS phishing scams are not really a new thing but it's that time of year again and the...
- Who Admins You? (22 May 2007 08:18 GMT)
  An email found its way into the spam traps containing a link to the site ‘whoadmitsyou.com’. The domain is registered for a single year, through Domains by Proxy, which allows the registrant to...
- A Rather Dorf Rootkit (22 May 2007 07:19 GMT)
  The Dorf Trojans are mounting a comeback with the appearances of Troj/Dorf-F, Troj/Dorf-G and Troj/Dorf-H. Unlike the older Dorf family of Trojans, the rootkit sys files dropped by these variants are now...
- Do the malware authors ever get bored? (21 May 2007 16:12 GMT)
  Last year saw a major malware campaign when W32/Stration hit the scene. In September of 2006 the author of Stration started his campaign of writing multiple variants and releasing them on the same day. Some...
- Recognition for malware authors (21 May 2007 10:41 GMT)
  We had an interesting dilemma over the weekend. We received a sample of a worm targeting ‘StarOffice’. It's not been seen in the wild, or likely to affect customers, but it is...
- Video Codecs Not Working After Installation? (21 May 2007 07:55 GMT)
  With the advent of web media publishing, getting the proper video codecs to view movies is a constant update nightmare for users. Unfortunately this area is the perfect target for the Zlob family of...
- Who's afraid of Canada? (18 May 2007 15:36 GMT)
  “Don’t be afraid of the word ‘Canadian’?” says the spammer. This is not some bizarre reference to the South Park song ‘Blame Canada’. Could the message be...
- Blue lagoons and testing protection (18 May 2007 11:15 GMT)
  I’ve returned from the testing workshop in Iceland. It was an interesting experience and was my first visit to Iceland. I thought I was going to be lucky and get an opportunity to see a little of city...
- Anti-P2P Malware abuses victims (18 May 2007 04:29 GMT)
  Researchers at SophosLabs have provided detection for a new variant of the Pirlames family of Trojans. When run, Troj/Pirlames-C will search the hard drive for files with extensions including the following:...
- Html files Glibly affected (17 May 2007 07:39 GMT)
  SophosLabs has seen more malware that modifies a user’s html files in an effort to escape on to the internet. In the past we’ve seen Fujacks malware inserting a Fujif payload, though this has...
- Not-so-stealth worm (17 May 2007 00:16 GMT)
  Generally speaking, most worm authors do not want you to know that their malware is on your machine. However, the author of W32/Agent-FOW must be proud, as there is a log file left on the machine, listing...
- Greetings from Iceland (16 May 2007 13:33 GMT)
  I’m currently at the International Anti-virus testing workshop hosted by Frisk (makers of F-Prot) in Reykjavik, Iceland. This may seem a strange topic for a two day conference but it's actually a very...
- Dear Scammer Part II (16 May 2007 09:52 GMT)
  Did you spot the warning signs, from the previous blog entry, that suggested that the author was not legitimate? Yes? No? There were a few: Attorney at law — Is not a typical British English phrase....
- Activate Windows to lose your money (15 May 2007 09:14 GMT)
  A novel trick used by malware authors shows how effective social engineering can be to glean personal information off unsuspecting users. Troj/Kardphis-A displays a fake message suggesting that the...
- Malware for the masses (15 May 2007 08:12 GMT)
  Malware writers have traditionally been stereotyped as low-level hackers, and 15 years ago, this was probably true. Without the complex and hard-earned knowledge of the host operating system internals and a...
- Phishing flavour of the day (14 May 2007 16:21 GMT)
  Phishers are being very busy today with several new phishing campaigns. Today’s award for most targeted institution goes to Arizona Federal Credit Union. We captured emails that attempt to trick...
- Driveby installer targets Australian bank customers (14 May 2007 03:25 GMT)
  Customers are advised not to fall for the latest attempt by scammers to silently install malware on their computers. The message bears some of the typical hallmarks of fraudulent email including poor...
- W4ck a Site (12 May 2007 14:25 GMT)
  A few of the phishing attacks intercepted today targeted Poste Italiane Group (think yellow and blue). Nothing unusual there, but whilst digging a little further into one of the attacks things became a...
- All in a bot's work (12 May 2007 12:11 GMT)
  We all know that IRC bots are feature-packed beasts whose payloads can vary quite widely. The hacker(s) responsible have been able to use them to make money in a whole host of ways over the past few years. The...
- Laugh at George Bush, start spamming (11 May 2007 14:39 GMT)
  A few strange spams today, with a tempting call-to-action at the top of the message: “See latest funny clip of George Bush novel story <link>”. Both of these spams were being...
- Logon to malware (11 May 2007 13:26 GMT)
  The beginning: “Once upon a time, a week ago,” “There began a tale of woe.” “A multi-component Trojan, clever as can be,” “Winlogon was its target, as we shall...
- View from the corner office (11 May 2007 11:13 GMT)
  Welcome to the SophosLabs blog. The aim is to provide regular updates on malware, spam and web based threats as they happen and provide the reader with an insight into what is happening in the ‘real...
- More Zlob activity (11 May 2007 04:30 GMT)
  Many of the Zlobs we see to date attempt to trick the user into installing them by masquerading as one or more movie or audio codecs. Unsuspecting users may attempt to install these, in an attempt to...
- Malware for fun and profit (11 May 2007 04:28 GMT)
  Many of us are now aware of the subtle shift in the nature of emerging threats: where once many viruses and Trojans were written for fun (or to prove a point), evidence strongly suggests that malware is...
- Bypassing by using ASCII Exploit (10 May 2007 14:51 GMT)
  Over the last few weeks SophosLabs have been testing new detection for malware using the ASCII Exploit. With one of our technology partners we have been scanning the murkier areas of the web for...
- Dear Scammer (10 May 2007 13:37 GMT)
  Nigerian or 419 scams are some of the least sophisticated scams. All they rely on is the inherent greed of their victims. Though most have simple errors in the messages, e.g. a French scam referencing US...
- Mother's Day (10 May 2007 13:16 GMT)
  One of the problems with having global operations for malware and spam analysis within SophosLabs is that “holidays” like Mother’s Day can change depending on what country you live in. So...
- Spam: Another 419 (10 May 2007 07:43 GMT)
  Those 419 scammers never ever give up! Attached is a copy of their latest spam campaign. But it’s OK, because this time it’s from the crime prevention folks at the United Nations - that should...
- No laughing matter (9 May 2007 16:30 GMT)
  Readers will no doubt have read numerous postings and articles about the use of compromised sites in malicious attacks (the de rigueur technique for malicious code delivery currently). Unfortunately there...
- More attacks using Google brand (8 May 2007 11:42 GMT)
  Today we have seen another attack exploiting the Google brand. An email with this text is sent to a large number of email addresses: “Gentile cliente, siamo a comunicarle che da recenti controlli nella...
- Download Mal/GrumPk-A now (5 May 2007 13:36 GMT)
  We have just seen a lot of spam coming into our Spamtrap containing an image which links to an executable named update.exe. Both the image and the malware are hosted on compromised servers from around...
- You just did a BOZO thing!!! (4 May 2007 22:58 GMT)
  While tracking a URL seen in spam, SophosLabs came across an executable that looked like a standard piece of malware, your common-or-garden downloader. Except the payload of this executable was just a...
- Have you seen this man? (4 May 2007 22:35 GMT)
  While analyzing a new worm from China one of our researchers found this picture buried inside the code. Who is he? We don’t know, but he’s now immortalized in malware.
- Zlob activity update (4 May 2007 17:12 GMT)
  The Zlob gang is still quite active. The latest sample we received (detected as Troj/Zlob-ACE) uses several tricks to entice users to download some of the fake anti-malware programs such as Antiviruspcsuite,...
- Spamwalkers (4 May 2007 15:08 GMT)
  The oldest profession in the world is using one of the newest to promote themselves in the 21st Century. Today while looking at the SophosLabs spamfeeds I saw some image spam advertising an online escort...
- Downloading Shenanigans (4 May 2007 13:03 GMT)
  There are many ways of delivering malicious code to the victim. One of the most common methods used currently involves using malicious scripts hosted on web sites to trigger a browser exploit in order to...
- Signs of trouble (3 May 2007 08:46 GMT)
  The lab released detection for another variant of the W32/SillyFDC family of worms today as W32/SillyFDC-AA. Like other variants in this family, the worm spreads by copying itself to removable drives...
- Forbidden Page. Really? (3 May 2007 08:07 GMT)
  Readers will most likely be familiar with the concept of HTTP status codes, or at least the most common ones. For the curious, you can read this page to review the complete list and an explanation of each....
- Return of the parasitic: Putting the virus back in malware (2 May 2007 16:43 GMT)
  In the beginning there was a scion of malware called “virus”. Now, this “virus” was initially very popular but over the years the creators started ignoring “virus”,...
- Sober-ing May day (2 May 2007 12:56 GMT)
  Yesterday saw a huge outbreak of a Sober variant, W3/Sober-AD, which accounted for nearly 70% of all the infected email reported to SophosLabs yesterday. It almost went unnoticed though, as we had already...
- Infosec Europe (2 May 2007 12:44 GMT)
  As we posted earlier, various members of SophosLabs attended Infosec in London last week. It was a busy and exciting show as usual but also a chance to compare ‘give aways’. One of our analysts...
- Italian Jooob (2 May 2007 11:16 GMT)
  Hot on the heels of hackers piggybacking on the sponsored links program, the Google brand is once again the target of malware. Visitors to the domain www.gooogle.bz may be given the impression the site is...
