SophosLabs Blog
Want to know what Sophos experts think about the latest security issues? Daily updates from SophosLabs™ provide insight into the most interesting and widespread threats
August 2007
-
Banking on Security
Overnight, news on the wires has indicated that a major bank has had its website compromised by hackers. We wouldn’t normally “name and shame” the site that has been hit, but as others... 31 August 2007 11:23 GMT
-
OMG, check out the new video!
No, it’s not a video of your favorite singer in a hot new music video, it’s actually an ecard malware variant. The ecard campaign resumes where it left off over the weekend, except this time... 29 August 2007 22:46 GMT
-
And they say lightning never strikes twice
Yesterday the news sites picked up on the story of a possible rootkit on a Sony USB fingerprint device. Those of us who were in the business two years ago remember the last time this happened on a music CD... 29 August 2007 14:30 GMT
-
PDF spam no more?
Over approximately the past 2 months, PDF spam has exploded from a little-used technique to making up close to 30% of all spam being sent during its peak (averaged daily). Due to spammers adjusting their... 29 August 2007 00:50 GMT
-
Phishy snail mail
A few months ago on one of the many mailing lists I am on, I was asked to participate in a survey. The mailing list was one of those provided by the Anti-Phishing Working Group (APWG) a “global... 28 August 2007 14:28 GMT
-
Easy as 1, 2, 3!
Every day at SophosLabs, we see multitudes of malware samples that have been created with malware ‘toolkits’. Using one of these toolkits is as simple as choosing the required functionality... 28 August 2007 05:47 GMT
-
Lack of careY
It has been a pretty quiet day today, not surprising given that it is a bank holiday weekend in the UK. One of the phishing attacks seen was vaguely amusing. The phish email used the old trick of a... 26 August 2007 16:31 GMT
-
Another ecard twist
In the last hour, another huge ‘ecard’ spamming run has been detected by SophosLabs. Aside from the usual ecard-related social engineering, some of the messages now masquerade as links to... 25 August 2007 11:45 GMT
-
Not a server side issue?
In a post the other day, I discussed issues around responsibility when sites are compromised. The case I described involved a financial services company, with a reasonably active web site (500 or so... 25 August 2007 09:11 GMT
-
Return to Sender
Over the past few days our ‘ecard’ (also known as Storm, Nuwar or Zhetalin) author has been changing his tactics. Having moved away from ‘eCards’ to offers of pornography to joining... 24 August 2007 10:50 GMT
-
Detection vs Protection
I recently wrote about a comparative test of Linux products and how such a limited test set was not representative. In the past few days AV-Test.org have released their latest set of results. The... 23 August 2007 10:30 GMT
-
Web hosting responsibilities
Over the past few weeks, SophosLabs have been monitoring an attack on several sites, compromising pages with a malicious script (pro-actively detected as Mal/ObfJS-C) that silently loads malicious content... 22 August 2007 16:21 GMT
-
Spot the Difference
Piggybacking on known and trusted brands is something we have discussed before on the blog. Today, SophosLabs saw another example. Can you spot the legitimate site from the two screen shots below?
The... 22 August 2007 11:37 GMT
-
Morphing ecards
As Hurricane Dean hits the coast of South America there seems to be no end to the ecard storm. Though the spammers are changing the mails they are failing to permanently sidestep SophosLabs’s... 21 August 2007 16:36 GMT
-
If you go down to the book store today
If you go down to the book store today you’ll be in for a surprise.
There is a new book to help you fight the malware problem. You may say that that’s not a surprise, as there seem to be... 21 August 2007 13:58 GMT
-
Mistaken identity of a security program
About a month ago we received a report of an alleged security program designed to protect computers against malicious programs that use USB memory sticks to spread. A good example of malware that spreads... 18 August 2007 16:33 GMT
-
All your Bank are belong to us
Banker Trojans are rife and popular with the ‘easy money’ crowd of malware authors, though stealing banking information is not without its hazards. It takes a very smart (or a very stupid)... 18 August 2007 08:04 GMT
-
Clockwork Wednesdays
Oranges aside, every Wednesday, mid-afternoon UK time, for the past several weeks, an annoying Trojan mass spamming campaign has manifested itself causing consternation amongst many.
As Fortune would have... 17 August 2007 16:30 GMT
-
Spot the Spam - Answers
Last week I set a challenge to spot the type of spam, just from the subject lines and it is time to reveal the answers
1. “Re : ADVANCED POWER MANAGEMENT” = A watch spam campaign.
2.... 17 August 2007 09:02 GMT
-
A sandwich virus
One of the simplest methods of file infection is to put the virus at the start of the file, leaving the host at the end. A less common way is to put the host first and save the virus at the end. ... 16 August 2007 11:05 GMT
-
Thanks for the name check
SophosLabs are informing that “a malware writer has been infecting thousands of computers by hiding a new Trojan variant in a cartoon video” (see Troj/Agent-FWO).
At least that is what... 15 August 2007 16:22 GMT
-
Cynical, Suicidal, Pathetic, Deranged
The worm W32/Kukoo-A was written by someone who is ostensibly screaming out for help. The author claims to wish for a visit from the Grim Reaper with a certain pathos in the choice of words:
However, the... 14 August 2007 17:34 GMT
-
Get a domain - get infected
Clearly shopping around for wedding venues is not the only activity to get you in trouble nowadays. Over the past few days SophosLabs have detected yet another slew of web pages that have been compromised... 14 August 2007 16:21 GMT
-
Missing from Iceland..
You may remember a couple of months ago, I attended a conference on testing of anti-virus products in Reykjavik, Iceland. One person that was obviously missing from the event was the author of a comparative... 13 August 2007 16:11 GMT
-
A modern Joe Job?
This morning on our spamtraps SophosLabs saw a large number of spam messages with similar subjects:
Best hosting for CP
Hosting
Stable rus hosting
Anonym hosting
Looking into the email it just had a GIF... 13 August 2007 09:33 GMT
-
P^l[e]a*(s){e} B.(u)_y N{}o+w
A fair amount of undetected spam hit my home mailbox over the weekend (and it wasn’t P|FDF either). The campaign involved stock spam, with various enticing subject lines, and heavily ASCII... 13 August 2007 07:52 GMT
-
Ecard campaigns continue over the weekend
The ecard campaigns that Mark discussed in a recent post continued over the weekend, with a few new outbreaks (W32/Dref-AM, W32/Dref-AO and Troj/Dorf-O). This time the executable code for every campaign is... 12 August 2007 16:32 GMT
-
Mutating spam campaign
A few days ago we saw a Massive spam campaign advertising shares in Prime Time Group Inc.
Today we saw the campaign mutate slightly. There were three major mutations:
Two of the mutations were to do... 10 August 2007 14:36 GMT
-
Ecard tales
I’ve mentioned a number of times over the past few days and weeks that the ecard campaigns are still continuing.
The actual campaign has evolved since it was first seen back in June. For example, the... 10 August 2007 13:40 GMT
-
Naked Shorts!
It would appear that my blog yesterday on the ‘blip’ in spam rates caused a bit of a stir yesterday. In particular the company that are the target of this particular campaign, Prime Time Group,... 9 August 2007 15:43 GMT
-
'WELCOME TO NEXT GENERATION VIRRI TECHNOLOGY'
At SophosLabs the question often arises as to why so many people would dedicate so much of their time authoring malware. In a sample we recently received, we get a glimpse into the mindset of a budding... 9 August 2007 08:09 GMT
-
Tomb Raider Strikes Back
Last week we blogged about the mass-spamming of a Trojan masquerading as pornographic pictures of various female celebrities. During the analysis of that Trojan, we noticed some similarities with some other... 8 August 2007 16:47 GMT
-
Massive spam campaign
Yesterday we saw a massive spike in spam coming into our traps. Around 4.40pm BST (8.40am PST) a large PDF stock pump-and-dump campaign started which increased the spam seen at customers’ gateways by... 8 August 2007 11:00 GMT
-
Black Hat conference: Hardware virtualization rootkits
Hardware-assisted virtualization rootkits have been a much debated computer security subject since details of two proof of concept hardware virtualization rootkits were presented last year at the Black Hat... 8 August 2007 00:05 GMT
-
Get married - get infected
Planning for a wedding can be a stressful time with so many things to organize: the dress, the food, the venue and of course the groom :-)
Looking at data reported back to SophosLabs from one of our... 7 August 2007 16:20 GMT
-
Challenge: Spot the spam
Whilst reviewing the current set of spam I took a small sample of subject lines and decided I would set a challenge.
The following are real subject lines of spam messages received in the past few days.
1.... 7 August 2007 10:10 GMT
-
Winds of change
Iframes are used on many websites legitimately, however, there are many websites where iframes are used maliciously as seen by the rise in Mal/Iframe detections. Many legitimate iframes have similar... 6 August 2007 08:19 GMT
-
Black Hat conference impressions
Black Hat USA is one of the biggest conferences dedicated to computer security. This year, the conference is even bigger than last year, with an estimated 5000+ delegates from all over the world and nine... 3 August 2007 16:36 GMT
-
Hidden poetry
Today’s worm W32/KillAV-DX makes a nuisance of itself in the usual ways - leaving copies all over your hard disk and USB drives, disabling antivirus software and leaving the computer close to... 3 August 2007 13:33 GMT
-
Takeaway malware and spam
Do you fancy a Thai meal tonight? Do you live in Germany? If the answer to both these questions is yes then beware!
While analyzing spam today I noticed a large Viagra campaign:
Looking at the link it was a... 3 August 2007 13:27 GMT
-
So who can you trust?
As criminals get better at what they do best, it’s becoming harder and harder to tell if an application is trustworthy or not.
To protect oneself, adhering to the following best practices can help.... 2 August 2007 22:30 GMT
-
Nude celebrity photos? Not so shocking.
Over the past couple of hours we have seen a new mass-spamming of a downloader Trojan (added as Troj/Dloadr-BCP) masquerading as pornographic pictures of various female celebrities.
The email messages... 2 August 2007 13:09 GMT
-
Germany calling
Early this morning I noticed a report suggesting that a fairly popular UK site had been compromised. Nothing particularly unusual there given recent trends. I set about confirming the report - the site was... 1 August 2007 10:51 GMT
-
Archive confusion
SophosLabs have been monitoring the various new file formats used in spam recently. Today I saw a strange example of a different file format. An email message with no message body, just an attachment that... 1 August 2007 10:35 GMT
-
A Bot Enhancement
SophosLabs encountered a new variant of a botnet worm today with the discovery of W32/Rbot-GSN.
While the worm still contains the usual zombie functionality of a typical botnet in that it can spread via... 1 August 2007 04:44 GMT
Send us your feedback
Email us at sophosblog@sophos.com to share your views, ask questions, and tell us what you think.
Send us a sample
If you have suspicious files that our software has not detected, please send us a sample for analysis.
