SophosLabs Blog
Want to know what Sophos experts think about the latest security issues? Daily updates from SophosLabs™ provide insight into the most interesting and widespread threats.
November 2008
- Malicious Battlefield (30 November 2008 12:12 GMT): Following on from yesterday's Pirates of Cape COD blog, we've seen more combat-related malware this morning. Not quite such a well-known name this time as the Call of Duty series, but...
- Pirates of Cape COD (29 November 2008 12:45 GMT): A reliable source has informed me that one of the hottest new games these days is "Call of Duty 5", which retails at 30 pounds per license. However, there exists a website from which one may buy...
- A Confick of interest (28 November 2008 13:09 GMT): Earlier this week we witnessed the release of a new propagation technique that exploits a recent Microsoft vulnerability (MS08-067) in the Windows Server Service. W32/Confick-A uses this security loophole to...
- Snickerdoodles and FakeAV (27 November 2008 11:25 GMT): Earlier this week we became aware of YAFAT (yet another fake alert trojan family), this time being distributed via drive-by installs from compromised web sites. Vulnerable sites are having web pages stuffed...
- Spam is up by 200%. Rustock botnet revival to blame. (26 November 2008 04:58 GMT): Two weeks ago we wrote about a significant drop in spam volumes caused by the shutdown of McColo hosting. There was no doubt that spam traffic would get back to its previous levels (if not higher)...
- Facebook, Fake AV and Friends (26 November 2008 02:10 GMT): We've seen an increasing number of Facebook worms over recent months, and the last few variants have started to reference other social networking sites, including MySpace. I saw the move to a broader...
- New spin on OSX/RSPlug Mac malware (25 November 2008 17:20 GMT): We will soon add detection for a new Mac Trojan, nicely described by Jose Nazario of Arbor Networks. It will be detected as OSX/Jahlav-A. The Trojan comes as a key-generator application, MacAccess, in a...
- Spam is down for most but will go up for some (24 November 2008 13:34 GMT): As we have been saying on our blog recently, spam volumes have been down for some. Others may be seeing an increase in spam though, especially those individuals and companies whose contact details were...
- McColo shutdown lightens malware load (22 November 2008 14:56 GMT): Not only has the take-down of McColo last week caused a massive drop in worldwide spam levels, but it would also appear to have resulted in a big drop in the level of malware being spammed out...
- Phishing gangs capitalize on upcoming UK government tax breaks (22 November 2008 11:50 GMT): This Saturday started quietly as expected, so I had a chance to look at the BBC news headlines. One of today's headlines indicates that the UK Chancellor, Alistair Darling, is spending the weekend...
- An example of astute Social Engineering (22 November 2008 00:22 GMT): W32/Autorun-NQ is a prime example of astute social engineering. When I ran this malware on my test machine, it presented me with the following display window: A what? What would an aircraft black box...
- Spam Websites - More Google Earth Fun! (20 November 2008 17:51 GMT): As regular readers will know, Google Earth is a great tool for visualizing some of the things we do in the labs and the way the threat is changing. Plotting compromised machines sending out spam; flying...
- Trust me, I'm the head and upper neck of a doctor (20 November 2008 17:22 GMT): Spammers seem keener than ever to customise their messaging and value propositions to the differences in their various target markets. Nowhere is this clearer than in the pharmaceutical spam sites and their...
- Cylons Vs Anti-Virus (20 November 2008 11:54 GMT): It's not often that anything I do outside of work makes me think of SophosLabs, but having recently been introduced (somewhat late) to the reimagined Battlestar Galactica series, I have to confess to...
- Now about that new Mac OS X Trojan (19 November 2008 01:44 GMT): Over the last week there has been quite a bit of press about a new Mac OS X Trojan. Secure as it is, generally speaking, OS X is not bullet-proof, much to the despair of Mac enthusiasts like myself. Symantec...
- McColo up again, down again (16 November 2008 20:40 GMT): While the take-down of McColo received a lot of attention in the last few days, it seems not everyone was listening: the company came back online yesterday for a while thanks to TeliaSonera AB, a Swedish...
- Inadvertently Shady (15 November 2008 15:20 GMT): There have already been several blogs about the common use of third-party runtime packers by malware. These runtime packers are wrappers around files which make them look different on disk but allow them...
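The post above is about packed files looking different on disk; the usual first triage check for that is byte entropy, since compressed or encrypted payloads are close to uniformly distributed while native code and strings are not. The following is an added example (not code from SophosLabs or the post) that scores a buffer window by window. Both sample buffers are constructed here: the "plain" one repeats a familiar DOS-stub string, the "packed" one is a deterministic SHA-256 chain standing in for compressed data.

```python
import hashlib
import math
from collections import Counter


def pseudo_random_bytes(n, seed=b"constructed-sample"):
    """Deterministic stand-in for compressed/encrypted data (SHA-256 chain)."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


# Constructed samples, not files from the original post.
PLAIN_SAMPLE = b"This program cannot be run in DOS mode.\r\n" * 100  # ~4.1 KB of text
PACKED_SAMPLE = pseudo_random_bytes(4096)                           # 4 KB of high-entropy bytes


def shannon_entropy(buf):
    """Bits per byte: 0.0 for empty input, 8.0 for perfectly uniform bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def windowed_entropy(buf, window=1024):
    """Entropy of each full fixed-size window; a short trailing window is dropped."""
    return [shannon_entropy(buf[i:i + window])
            for i in range(0, len(buf) - window + 1, window)]


def packed_score(buf, window=1024, threshold=7.0):
    """Fraction of windows at or above `threshold` bits/byte.

    Compressed or encrypted payloads sit around 7.5-8.0; code and strings
    usually sit well below 6.5, so 7.0 separates the two with margin.
    """
    ents = windowed_entropy(buf, window)
    if not ents:
        return 0.0
    return sum(1 for e in ents if e >= threshold) / len(ents)


def looks_packed(buf, min_fraction=0.5):
    """Heuristic only: packed is not the same as malicious, as the post notes."""
    return packed_score(buf) >= min_fraction


if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(f"{name:6s} score={packed_score(sample):.2f} packed={looks_packed(sample)}")
```

The window size matters: with only 256 bytes per window the plug-in entropy estimate of truly random data drops to roughly 7.3 bits, so a 1 KB window and a 7.0 threshold are used here to keep clear of that bias. A high score says "packed or compressed", nothing more; legitimate installers and protected commercial software score the same way, which is exactly the false-positive problem the post is about.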
- Are scammers leaving subtle clues? (14 November 2008 16:27 GMT): Today we saw the following Google AdWords phishing scam in our spam traps: A legitimate link is displayed in the mail body as http://adwords.google.com/select/Login. However, as with most phishing emails...
- The main man (13 November 2008 15:33 GMT): In Billy's post earlier he mentioned that the malware Mal/EncPk-EQ could call home. During the analysis of this malware we have seen several different domains used for this call home. With a slightly...
- Daft (de)buggers (13 November 2008 13:47 GMT): I've been looking at a bunch of rootkits that seem to be doing the rounds at the moment. Fortunately for our customers, we detect all this malware (and components they drop) as Mal/EncPk-EQ but...
- Alleged Silicon Valley spam source taken down; global spam volume drops 75% (12 November 2008 23:38 GMT): A critical piece of at least one spam gang's cyber-crime infrastructure was allegedly taken down Tuesday following a four-month-long investigation by the Washington Post, leading to what multiple...
- November Microsoft Security Bulletin (12 November 2008 11:59 GMT): There are only two vulnerabilities patched in this month's Microsoft Security Bulletin. MS08-068 addresses a relatively old, publicly disclosed vulnerability in the SMB protocol which allows an attacker...
- AMTSO conference generates new documents (11 November 2008 16:05 GMT): Recently Sophos had the privilege of hosting the latest AMTSO conference. Two days were spent at Sophos Headquarters and over 40 vendors, testers and journalists agreed the formal release of two documents....
- Cliff-Jumping Code (11 November 2008 02:18 GMT): I'm always on the look-out for interesting code techniques used by malware, so thought I'd share this experience from last week. A file came in flagged as a probable fake anti-virus (so much of...
- 'Tis The Season To Be Jolly (10 November 2008 07:13 GMT): As is customary every year, SophosLabs analysts brace themselves for the onslaught of various malware/spam campaigns during the Christmas period. This year, someone has gotten off to an early start by...
- More Portuguese banking malware spam (8 November 2008 14:35 GMT): Remember the spoof Symantec application spammed out to Portuguese users we blogged about yesterday? Well, today I have noticed the same attack continuing, though the attackers have changed the spam message...
- Does your emulator stack up? (8 November 2008 01:51 GMT): I recently came across a new anti-emulation tactic for unpackers that I thought might be worth sharing. This one is a new angle on a previous technique: using the error code returned from a Windows API...
- The Code is dead. Long live the Code! (7 November 2008 14:07 GMT): Three years ago internet banking Trojans, along with their associated downloader Trojans, began to proliferate: samples started flooding in by the thousands. The poor way to deal with these would be to wait...
- Spammed banking malware masquerading as Symantec software (7 November 2008 11:02 GMT): Earlier this morning, we noticed Portuguese spam messages attempting to dupe victims into downloading and installing a fake Symantec product. The spam messages were constructed using two images hosted on...
- Beware Barack's bogus banking Trojan (6 November 2008 09:54 GMT): After yesterday's Barack-themed malware spam attack, it was no surprise this morning to find BarackOb.exe first in the queue for analysis. President-elect Obama is definitely the hottest name in...
- Fake WordPress steals data (6 November 2008 09:41 GMT): Yesterday evening, amid researching the Barack-related malware, our friends at The Register pointed out an interesting article on Craig Murphy's blog. Craig talks about how when he logged in...
- Obama searching malware (5 November 2008 17:37 GMT): As if the torrent of malicious spam starring the Senator from Illinois wasn't enough, those searching the internet earlier today for details of President-elect Barack Obama's victory could have...
- Barack Obama exploited in malware spam attack (5 November 2008 16:04 GMT): Many Americans will have woken up today with a headache - either from celebrating the victory of Barack Obama or drowning their sorrows at John McCain's loss of the White House. One thing is clear...
- Sality goes for broke (5 November 2008 02:41 GMT): We've seen continued activity from our old file-infector Sality, and a few weeks ago we saw a variant with some new tricks up its sleeve … but at the price of stability. The author used to keep...
- Abusing Magic for fun and profit (4 November 2008 08:07 GMT): So-called "magic" numbers evolved from the UNIX operating system and now play a regular role in (amongst others) identifying particular file types. The doctoring of these magic numbers may...
- MS08-067 - follow up and video (3 November 2008 16:56 GMT): It is unusually quiet on the MS08-067 front, despite a number of stable and public exploits freely available. As expected, experienced security researchers like Alexander Sotirov published a very good...
- Are You Being Served Malware? (3 November 2008 13:46 GMT): As I mentioned last week, one of the first things I do each morning is to review the internal labs dashboard to see what is happening. Today I was greeted with yet another email attachment outbreak. Seeing...
- A long week with a recurring thread (1 November 2008 16:02 GMT): SophosLabs analysts do get to do other things besides analyze malware; in the last month or so I have been spending more time on other projects. This last week (Monday to Saturday) I have been analyzing...
