SophosLabs Blog
Want to know what Sophos experts think about the latest security issues? Daily updates from SophosLabs™ provide insight into the most interesting and widespread threats.
June 2007
- A not so friendly Ecard (30 June 2007 04:17 GMT): SophosLabs analysts today encountered a new spam campaign that contains an embedded Trojan within the HTML message. The original variant was first brought to our attention a few days ago and caught by...
- All this work and no gain (29 June 2007 15:17 GMT): Many attacks these days involve several stages with malicious functionality contained in different files, often downloaded from compromised web pages. One of the crucial pieces in a multi-stage attack is a...
- From Russia with Love? (29 June 2007 13:51 GMT): I'm going to document some research I'm doing so that I can use it as evidence to convince my fiancee that what I'm doing is really work. Let me explain: a few weeks ago, I noticed a spam campaign...
- Name your poison (29 June 2007 10:17 GMT): ARP poisoning is by no means a new trick when it comes to network attacks; however, it is seldom employed by your typical malware, which is why it caught my attention. The malware detected as Troj/Sniffer-P...
- Hashish-eater (29 June 2007 08:53 GMT): The original meaning of the word assassin was from the Arabic, meaning an eater of hashish. This particular 'assassin' looks to have been consuming a fair amount of something if they believe...
- Free iPhones? (29 June 2007 02:18 GMT): Only a few hours left before the Apple iPhone arrives in stores, but why bother if you can get one "FOR FREE"?! A variety of spam campaigns playing on the iPhone hype have been arriving in our traps...
- Harry Potter and the USB Device of Doom (28 June 2007 15:17 GMT): While analysing a trivial sample written using AutoIt, we received the following bad news. Oh no! But don't worry, he is still alive, living happily along with other users on your computer...
- Turkish Delight (28 June 2007 14:23 GMT): Today SophosLabs received a new worm from the field which was quite similar to the W32/SillyFD family, but different enough to make it a new family. Detection has been added as W32/Amca-A. The worm is...
- Variants versus Persistent Campaigns (28 June 2007 12:18 GMT): It was not too long ago that each unique variant of a threat would be assigned a variant letter (-A, -B, -C, etc.) and a description. Recent times are a whole lot different. Certain families (and I can think...
- Read all about it (27 June 2007 12:45 GMT): Malware authors use many tricks to lure users into executing code. The following is one we haven't seen for a long while: were you to follow the link, you would be taken to a web page containing...
- Wormongers - The Curse of Autorun.inf (27 June 2007 11:18 GMT): In an age in which boot sector viruses are almost extinct, a new force to reckon with is emerging. This summer, behold, the revitalised threat of the USB worm. Lurking on your USB device, it uses...
- Even Better Protection II (27 June 2007 10:47 GMT): Following on from my last post on the new features and functionality in Sophos Endpoint Security and Control, another new feature is buffer overrun protection. Buffer overruns are probably the most common...
- Bogus Microsoft Security Bulletin (27 June 2007 00:53 GMT): A highly targeted fake Microsoft Security Bulletin is being spammed out today. The campaign is attempting to appear as a notification of a new "0-day vulnerability" in Microsoft Outlook, but...
- Phishing *is* a global problem (26 June 2007 10:37 GMT): Despite the apparent focus on threats relevant to English-speaking countries, spam and phishing attacks are a truly global problem. Here is an example of a phish targeting a less widely spoken language:...
- A database, a spammer and a botnet all walked into a bar (26 June 2007 06:37 GMT): We all love those funny stories about the incompetence of spammers, and if I were given a dollar every time I saw one of their broken campaigns, I probably wouldn't be writing this now. Fortunately,...
- Spam in many flavors (25 June 2007 23:45 GMT): Today was an interesting day as far as spam goes. Normally when we see a stock pump-and-dump campaign, it will be in a single form, whether that is stock in a text/plain message or in an attached image....
- Not so funny to Shockwave video users (24 June 2007 21:49 GMT): SophosLabs analysts encountered a new Trojan variant, Troj/Agent-FWO, that came bundled with a non-malicious but humorous Shockwave video created by Italian cartoon animator Bruno Bozzetto. The popular...
- Multi-lingual IM messages, Bittorrent-seeding, bot-harvesting and dumb irony (23 June 2007 05:13 GMT): With so much malware following similar templates, W32/Impard-A has some functionality that is mildly noteworthy. It's controlled by a remote user over IRC, and is capable of sending itself via AIM and...
- Do Phishers == Hackers? (22 June 2007 14:21 GMT): Today, I spotted a spam campaign that directed unsuspecting users to a phishing site, which is perhaps not that unusual... Upon following the link, I was taken to... However, the root domain...
- Mal/ObfJS-C: Where? When? (22 June 2007 11:42 GMT): For the past 7 weeks SophosLabs have been tracking an attack targeting sites all over the world. In the attack, legitimate sites have been compromised so that they serve up a malicious JavaScript...
- Even better protection (21 June 2007 11:58 GMT): Yesterday we released the latest version of Sophos Endpoint Security and Control. This latest version contains a host of new features and functionality that I'm very excited about because it adds a whole...
- A personalized spam too far (21 June 2007 11:42 GMT): Spammers have been personalizing spam for many years. This morning I saw an amusing case where the spammer shouldn't have personalized it. The spammer has obviously acquired an address to send...
- Where there is smoke (21 June 2007 09:54 GMT): Recently, SophosLabs have noted that the German stock market (Börse) has been targeted by stock pump'n'dump spammers (1, 2, ...). Today, we saw a new twist to pump'n'dumps - a PDF...
- Is Vista secure? (20 June 2007 11:35 GMT): I've recently returned from the annual get-together of security vendors with Microsoft. A lot of what was discussed is under non-disclosure agreement so I can't discuss specifics, but it was interesting...
- You are the weakest link, goodbye! (20 June 2007 11:25 GMT): "A chain is only as strong as the weakest link". Breaking a link will break the chain. Modern malware often uses complex infection mechanisms to attack the endpoint. Detection of any component...
- Evasion through Injection (19 June 2007 10:09 GMT): For a long time now malware has been using process injection as part of its infection or payload mechanisms. There are various reasons why the bad guys use process injection in their malware, including:...
- Malware in the morning (a day in SophosLabs) (18 June 2007 14:33 GMT): Last Friday (June 15th) my day illustrated what my boss, Mark Harris (Director of SophosLabs), has frequently said is unique to Sophos: "One Lab, multiple locations." That morning, I was assigned...
- SMS for profit (18 June 2007 14:21 GMT): SophosLabs experts have identified a new Trojan that targets Symbian mobile devices, specifically Nokia Series 60 devices. Once installed, Troj/Viver sends an SMS message every 15 seconds to a predefined...
- The little spammer that couldn't (18 June 2007 09:03 GMT): I guess we all make mistakes from time to time and it really does pay to check your work. It might save you from embarrassing little errors, like, say, spamming out your ratware (spamming software) config...
- Yours, Secretary of State for Health. Part II (15 June 2007 11:32 GMT): In one of my earlier posts I asked if you would like to play 'the spot the errors game'. How many errors did you spot? Spelling. Patricia Hewitt is a highly educated person (including sojourns...
- Site Authentication (15 June 2007 10:25 GMT): For several years users have been bombarded with warnings about rogue web sites set up to steal their credentials. Threats from phishing attacks through to spoofed sites have spawned the creation of several...
- Yahoo! exploit attack used in PUA install (14 June 2007 13:15 GMT): Earlier this month, a vulnerability in an ActiveX component of the Yahoo! Webcam view utilities was reported (see previous blog post). The issue was swiftly fixed and an update made available for...
- Everything but the kitchen sink (14 June 2007 12:06 GMT): The phrase "Everything but the kitchen sink" describes the following spam very well. ------------------------------------------------------------------------- Yahoo NEWS !!! Britney Spears...
- A Marriage Of Spam And Trojan (14 June 2007 08:05 GMT): Today SophosLabs analysts encountered a variety of stock/medicine spam messages containing an embedded link to malware hosted on a remote website. The embedded link to the malware is already being...
- Shoot the Messenger (13 June 2007 22:15 GMT): Spammer-controlled boxes are performing double duty. This is not surprising given the volume of spam out there these days. These compromised machines, sometimes called botnets, are doing both the job of...
- The Death of AV? (13 June 2007 11:22 GMT): Recently there has been news on the wires suggesting that "AV is dead" and that "whitelisting technologies" are taking over. Henry Ford said "history is more or less bunk". The...
- New Phish In Africa (13 June 2007 06:24 GMT): Scammers are not limiting their targets to financial institutions in America, Europe or Asia-Pacific only. Today SophosLabs analysts encountered a new phishing attempt targeting a bank in South Africa....
- Message boards are not yet dead (11 June 2007 10:43 GMT): Once upon a time on the internet (~10 years ago) message boards were all the rage. In the age of Web 2.0 they were thought to have gone to the place in the ether where old websites go. Unfortunately, for...
- A day in the life (9 June 2007 16:34 GMT): In an effort to give all you readers an understanding of a typical day at SophosLabs, let me relate in detail today's efforts. The first thing I tackled was a group of three separate maliciously crafted...
- New Yahoo! Messenger Exploits in the Wild! (9 June 2007 00:51 GMT): Two vulnerabilities have been discovered in ActiveX controls that could allow an attacker to execute arbitrary code or crash systems running Yahoo! Messenger. Sophos recommends that administrators block...
- NCD - interesting file similarity metric (8 June 2007 16:44 GMT): One of the important areas of malware research is the ability to estimate similarity between files. Every month we receive thousands of files and use different methods to sort files into groups and extract...
- TW3 (8 June 2007 10:47 GMT): Another week and another summary. There's been very much an international feel to the labs this week. We've had Russian denial of service tools, German phishing Trojans and stock spam, Malaysian worms...
- Yours, Secretary of State for Health (8 June 2007 10:37 GMT): SophosLabs has seen an amusing Nigerian scam recently that claims to be from a Minister in HM Government. In one of my previous posts we played the 'spot the errors game'. Below is the text of...
- Do Some Light Reading whilst I take over your Computer (8 June 2007 08:02 GMT): Sit down at your computer, relax, check your email... open the attached PowerPoint presentation, casually read through the article contained within... don't worry... take your...
- First Stock Spam - Now PayPal Phishing (7 June 2007 22:04 GMT): It appears that German spammers have run into the same creativity block that's currently got a hold of Hollywood. For Hollywood it was "Pirates of the Caribbean 3" and "Spiderman...
- My Computer Just Had Something South East Asian For Dinner Tonight And It Includes Takeaway Too (7 June 2007 06:55 GMT): SophosLabs analysts encountered an unusual worm today in the form of W32/Baysur-A. Once a computer infected with the W32/Baysur-A worm is restarted, the following message appears on logon... The worm is...
- German Stock Spam (6 June 2007 21:53 GMT): Whether it be in text or image format, stock spam in English is nothing new. However, over the past few months SophosLabs has noticed a surge in German stock spam which initially started purely as text...
- Fat viruses (6 June 2007 09:13 GMT): Viruses - true viruses, that is - seem to have been making a belated comeback recently, though in most cases they follow a simple and well-known structure which often involves modifying the original file in...
- A handy DoS attack tool (6 June 2007 00:46 GMT): I don't like your internet site, so I'll saturate your machine with ridiculous amounts of external requests and break your capability to respond to legitimate traffic: a typical DoS attack....
- Another major site compromise (part II) (5 June 2007 15:17 GMT): In the previous part of this post I highlighted the compromise of a large Italian web site. Pages were modified (addition of a malicious JavaScript) in order to silently load malicious content from a...
- Too good to be true? (5 June 2007 11:34 GMT): A Sophos employee today received the following in an email: Dear all, Marks & Spencers, in conjunction with Persimmon Homes, are giving away free vouchers. Marks & Spencers are trying word-of-mouth...
- Another major site compromise (5 June 2007 09:48 GMT): Overnight SophosLabs became aware of another fairly major Italian website that has been compromised. Alarm bells rang when the homepage of the site was blocked by Sophos as Mal/ObfJS-A. After confirming...
- Endless phish targets (5 June 2007 00:54 GMT): With widespread adoption of accurate spam filters, improved public awareness, and most big financial institutions implementing improved online security features, scammers are being forced to adjust their...
- Perfidious Porn Promoting Paris Pushes Psyme (4 June 2007 13:23 GMT): TPG sites (Thumbnail Porn Galleries) are one of the ubiquitous parts of the worldwide web's dark underbelly. Using pornographic keywords to help boost their rankings on search engines, these free porn...
- Opportunities (4 June 2007 13:05 GMT): My last blog entry was just before I went on vacation and before the holiday weekend. As is the tradition in the UK, the bank holiday Monday was cold and wet, and I predicted that it would be busy. I turned...
- Evolution of the Brazilian banker trojans (4 June 2007 07:28 GMT): Brazilian banker trojans are essentially password-stealing trojans that come in two main flavours. Both monitor the sites you visit in a web browser for certain Internet Banking web addresses. The first...
- Analysis of a Web Attack (1 June 2007 09:55 GMT): Consumers are increasingly being warned of web-based malicious attacks and the increased threat they pose to everyday surfing. In this blog entry I intend to illustrate one such attack. Aside from being...
