SophosLabs Blog
Want to know what Sophos experts think about the latest security issues? Daily updates from SophosLabs™ provide insight into the most interesting and widespread threats
July 2007
- Anti-Virus vs. Commercial Packers
  In the beginning, there was malware. Naturally, this was followed fairly rapidly by the development of anti-virus software. The war has raged back and forth ever since. During the course of this struggle, a... 30 July 2007 23:32 GMT
- Mario Strikes!
  A mass-mailing worm capitalising on the old Mario game reared its ugly head today in the form of W32/Romario-A. Sadly, aficionados of the Mario game would find themselves in bigger trouble than the much... 30 July 2007 06:52 GMT
- Patching system files: Part II
  In the first part, I described how Troj/WLDrop-A and Troj/WLHack-A patched the winlogon.exe file to load malware on startup. This post is about a similar technique used by the more recent ecard.exe Trojans... 28 July 2007 14:24 GMT
- From the makers of . . .
  It’s not uncommon in malware to discover that more than one family is written by the same author or group, and it can be interesting to see where the overlaps occur. Yesterday I was looking into a... 28 July 2007 01:27 GMT
- No sale = No escape
  I saw a few of these spammed out this afternoon… I was skeptical about this being an actual product but then, as I moved my mouse up towards the close box, up pops this little box: It seems these... 27 July 2007 13:57 GMT
- Patching system files: the fancy alternative to autorun keys
  With current tools such as AutoRuns letting users and sysadmins see at a glance which files are set to run when a computer starts up, and Sophos’s endpoint product automatically cleaning up registry... 27 July 2007 08:49 GMT
- Life Isn't So Beautiful
  SophosLabs encountered a newly spammed out Trojan today that’s making its way to email servers around the world. The email has the following characteristics: The subject lines can be any of the... 27 July 2007 02:18 GMT
- Anybody want some rubber?
  I have been looking at the spam that I have been receiving recently. Whilst others are getting ecards I seem to be on some Russian spammers’ lists. The strangest spam I got today was this: Yes, that... 26 July 2007 15:42 GMT
- Updated Security Threat Report from SophosLabs
  Today we published our updated threat report which provides a summary of the threat landscape over the past 6 months. As we have documented on this blog over the past few months, the shift in malware has... 25 July 2007 10:44 GMT
- Broken spam campaigns
  SophosLabs often sees broken spam campaigns. The campaigns can be broken for a number of reasons, incompetence being the prime one. Here we see a mistake in the configuration of the spam tools used for... 24 July 2007 14:17 GMT
- Are We Winning the Battle Against Spam?
  With the appearance of Excel and Zip spam based stock spam, is this a sign that we are winning the battle against spam? The spammers are having to go to greater lengths to get their message through,... 23 July 2007 16:54 GMT
- Vulnerability in iPhone?
  Finding vulnerabilities for popular products is one of the best ways for a previously unknown application security company or a hacking group to get themselves known in the industry. The more popular the... 23 July 2007 14:08 GMT
- Spammers excel themselves - Part II: A leaf out of a malware manual?
  Another day, another flood of pump-n-dump scam attachment spam. We saw the same campaign yesterday using XLS attachments. Today the spammers are sending the same XLS files wrapped within ZIP cocoons. Using... 22 July 2007 16:11 GMT
- Spammers are now trying to excel themselves!
  We have just received a sudden flood of stock pump-n-dump attachment spam, this time using the XLS format instead of PDF: The scam is very familiar. We are all encouraged to buy a lot of stock from a... 21 July 2007 16:00 GMT
- Rubble worm shoots itself in the foot
  I came across a new worm today which is a bit too keen to spread for its own good. In order to spread, W32/Rubble-A scans local and removable drives and replaces any files it finds with itself, stealing the... 19 July 2007 14:44 GMT
- Why I Hate to Love Google Earth!
  In each of the SophosLabs locations, we regularly have visits from customers, prospects, reporters and even television crews where we are asked either to demonstrate a latest piece of malware, or to provide... 19 July 2007 00:44 GMT
- Tracking spam victims
  Whilst plodding through some of the spam that hit my personal mailbox this lunchtime, I came across a message that warranted closer inspection. The message was from a chap who has inundated me with spam... 18 July 2007 15:20 GMT
- Rehashing old tricks
  Over the past few weeks, spammers have started to adopt PDF files as the carrier of spammy content. In this type of spam, it is the PDF file attached that contains the actual spammy message enticing people... 18 July 2007 08:10 GMT
- Pwnd and pwnd again
  Your faithful home PC falling victim to a trojan once is bad enough, like this person’s zombied box busily spamming out stock pump ‘n’ dumps attached in what’s fast becoming every... 16 July 2007 22:20 GMT
- Your private and confidential message is attached
  In the past few weeks the new “PDF spam” trick was used exclusively in “pump-n-dump” scams. And just like it was with “image spam” last year, it was only a matter of time... 16 July 2007 06:41 GMT
- From Automation to Obfuscation
  Many of the people that create the bulk of our work do so by writing hundreds of variations on a similar theme, usually written at a high level. This takes a lot of the drudgery out of their work and... 14 July 2007 19:08 GMT
- Never a DuLL Day
  It was a busy morning, for a weekend, but nothing out of the ordinary. In the afternoon a new variant of the Dlena family of proxy Trojans came in. It seems the author thought he would try a new trick.... 14 July 2007 16:20 GMT
- Friday the 13th
  We all have seen spam before, even in different languages, but how about the following one, spam in text emoticons: Yes, nothing more and nothing less, this is what we are seeing today on Friday, the... 14 July 2007 01:44 GMT
- Pinch Nothing!
  The ‘Pinch’ (aka ‘LDPinch’) family of password stealing Trojans will be well known to most virus analysts. The family has been active for several years, and numerous variants are... 13 July 2007 10:40 GMT
- Hash Busting Blogs
  You are likely to be familiar with the concept of 'hash busters' within spam. Hash busters are the seemingly random words or sentences located at the bottom of a spam message, used to try and bypass a... 12 July 2007 11:43 GMT
- Can you trust anyone?
  In today’s news in the UK there is a report on how firms are faring on data protection. If you believe the headlines then the answer is ‘badly’. Browsing a BBC News article I came across... 11 July 2007 12:27 GMT
- Going, going, gone.
  For a long time the business of vulnerability research has been complicated with concerns around responsible disclosure. In the perfect world, when research identifies critical vulnerabilities, the... 9 July 2007 08:50 GMT
- Can I trust you?
  Almost anybody with email (and even those without) should be well aware of 419 scam letters, so called as a reference to the passage in Nigerian criminal code dealing with fraud. Here, victims are lured... 9 July 2007 08:11 GMT
- Anti-spam spam?
  Today we have seen a number of curious messages coming from various IP ranges used by broadband providers for home market. The messages contained an advertisement for the services of Spamhaus project:... 8 July 2007 14:20 GMT
- Algerian hackers behind eBay phishing attack?
  In the regular flood of phishing emails coming to our spam traps, this one, using eBay as the target is worth the mention as it was possible to trace the attack to the possible attacker(s). The email... 7 July 2007 16:28 GMT
- Table manners
  In the vast landscape of spammer tricks it’s rare that we see anything genuinely new - or in this case a very new twist on a very old trick called “ascii art”. I no longer even blink at... 6 July 2007 18:15 GMT
- Fruity injection techniques foiled by SAV 7
  A few weeks ago Fraser wrote about malware that injects code into other processes in order to evade firewalls and hide what’s going on. One particular Trojan, which Sophos detects generically as... 6 July 2007 16:24 GMT
- If I am given a formula
  Last year, I analyzed an Excel Formula Macro Virus XF97/Yagnuul-A. Today, when I got in to work, what seemed to be a variant of XF97/Yagnuul-A was handed over to me by the Australian Lab. After some digging... 6 July 2007 16:08 GMT
- CipherPorn
  Over the last few days SophosLabs have been seeing a strange porn campaign. An example is shown below: Subject: overnice hkbh Lesbian eho licking mhq Male's ajv Cock! qbdazy, friendly sfb Bitch egsw... 5 July 2007 16:09 GMT
- Even Better Protection III
  Following on from my previous two posts (1, 2) on the new protection features we have in the new version of the Sophos Endpoint product, I'd like to briefly discuss the new HIPS Runtime behavior ... 5 July 2007 12:41 GMT
- Bad Behav'iour
  A couple of weeks ago we blogged about how modern attacks involving multiple components can be thwarted at several links in the chain. The example used was the infection mechanism used in MPack based... 4 July 2007 13:56 GMT
- Us(B)ability versus Security
  I received my copy of July’s Technet this week. After a few cups of coffee I got to the last page and was struck by the following picture (reproduced here): The article talks about the Vista’s... 4 July 2007 11:53 GMT
- From the: you're not foolin' anyone department
  A long time ago in a company far far away (sorry - couldn’t help it), we used to make a game of reading out 419 scam emails. It seemed their ability to completely butcher the English language knew no... 4 July 2007 09:06 GMT
- 4th of July Ecard
  The current trend of spreading malware via “Ecards” (greeting cards that can be sent and read online via email) continued in huge volumes today (As previously reported here: A not so friendly... 4 July 2007 00:50 GMT
- SMIL(e), you have been exploited
  Web and HTTP protocols are the most common vehicles for delivering exploits and web browsers are the most commonly targeted applications. Most of the exploits we see these days target the process space of... 3 July 2007 16:25 GMT
- Ecards continue to flood in
  The flood of malicious Ecard spam that we first reported at the weekend has continued seemingly unabated. A variety of subject lines are used, but the theme is always “You’ve received a greeting... 3 July 2007 08:27 GMT
- Busy weekend
  It's been a fairly busy weekend in SophosLabs. In particular the greeting card campaign is a perfect example why spam, web and malware analysis has to be so integrated. There is a growing trend towards this... 2 July 2007 09:48 GMT
