In this section

• Home
• Security
• SophosLabs blog
• 2008
• 01

• Analyses
• SophosLabs
• SophosLabs blog
• Spyware and adware
• Top 10 malware
• Hoaxes
• Technical papers
• Email notification
• Best practice
• White papers
• Web seminars
• Podcasts
• Hot topics

7 January 2008 09:12 GMT

Adding detections

The bad guys love trying to give security companies the runaround. Normally we have the game of cat and mouse as they try to evade detection, but sometimes they take a different approach. With Web attacks, several tricks are often used to hinder analysis, including:

• IP tracking. When the same IP address requests content more than once, the request is denied, redirected or the content changed to a ‘funny’ or offensive message.
• Dummy payload. The bulk of current web attacks attempt to exploit the client in order to download and execute some Win32 malware. Occasionally we see attack sites where the Win32 file installed is not malicious - the payload has been temporarily switched with some legitimate file (normally some Windows application) in order to hinder automated analysis.

Just before Christmas, we saw the dummy payload trick being used at an attack site (detected as Mal/ObfJS-A) hosted in Singapore.

Since the payload was undetected it was escalated to the lab for further attention. Unfortunately for the bad guys, we do not simply assume it is malicious and checksum it. Just as well, the file in this case is a Russian version of Windows calc:

I assume at some point they will change it to something malicious. In the meantime, we have blocked access to the malicious site, and will continue to monitor the payload URL to be ready if they do.

Fraser Howard, SophosLabs UK

• Bookmark with del.icio.us
• Submit this story to digg
• Submit this story to slashdot