<?xml version="1.0" encoding="utf-8" ?>
<?xml-stylesheet title="XSL_formatting" type="text/xsl" href="/xsl/rss.xsl" ?>
<rss version="2.0">
  <channel>
    <title>SophosLabs blog » 2008 » May</title>
    <link>http://feeds.sophos.com/en/rss2_0-sophos-sophoslabs-blog.xml</link>
    <description>The SophosLabs blog that appears on sophos.com</description>
    <language>en</language>
    <copyright>&#169; Copyright 1997-2008, Sophos Plc</copyright>
    <lastBuildDate>Tue, 13 May 2008 11:23:30 GMT</lastBuildDate>
    <ttl>30</ttl>
    <item>
      <title>SQL meets Fast-Flux</title>
      <link>http://www.sophos.com/security/blog/2008/05/1402.html?_log_from=rss</link>
      <guid>http://www.sophos.com/security/blog/2008/05/1402.html?_log_from=rss</guid>
      <description>Whilst investigating some of the domains used as the target for the malicious script tag added to web pages in recent SQL injection attacks, one of them stood out as potentially interesting. A DNS lookup for the domain returned 8 IP addresses, distributed across IP space, all most probably compromised home machines.
Thanks to the increased [...]</description>
      <pubDate>Tue, 13 May 2008 11:23:30 GMT</pubDate>
    </item>
    <item>
      <title>The Usual Sus/Pects</title>
      <link>http://www.sophos.com/security/blog/2008/05/1324.html?_log_from=rss</link>
      <guid>http://www.sophos.com/security/blog/2008/05/1324.html?_log_from=rss</guid>
      <description>With the SAV7 release Sophos introduced the Sus/ detection class (Suspicious files), designed to cater for the more paranoid among us by utilizing looser-style generic identities. These looser identities detect characteristics that are deemed questionable enough to warrant concern but may not actually be of a malicious nature.
The reporting of suspicious files is off by [...]</description>
      <pubDate>Tue, 13 May 2008 08:44:12 GMT</pubDate>
    </item>
    <item>
      <title>Poetic Justice</title>
      <link>http://www.sophos.com/security/blog/2008/05/1401.html?_log_from=rss</link>
      <guid>http://www.sophos.com/security/blog/2008/05/1401.html?_log_from=rss</guid>
      <description>Oh how we sail, in this wonderful place
where vision is obscured, and they have no face
yet the winds blow strong, and they never relent
the storm of spam that we all are sent.
The spam fiends currently propagating en masse have added a poetic touch to their efforts to be man&#8217;s saviour. Now, adverts for virility medication [...]</description>
      <pubDate>Mon, 12 May 2008 16:41:24 GMT</pubDate>
    </item>
    <item>
      <title>Give Them an Inch and They’ll Try to Rule!</title>
      <link>http://www.sophos.com/security/blog/2008/05/1398.html?_log_from=rss</link>
      <guid>http://www.sophos.com/security/blog/2008/05/1398.html?_log_from=rss</guid>
      <description>In a classic case of impudent opportunism, more and more malware is now using standard Microsoft Windows operating system files to do its bidding.
Last year there were examples of malware modifying WINLOGON.EXE, a critical system file, to load a malicious DLL. The entrypoint code is modified to call LoadLibraryA on the Trojan DLL and then execution [...]</description>
      <pubDate>Sun, 11 May 2008 15:50:06 GMT</pubDate>
    </item>
    <item>
      <title>CARO On Packers and Obfuscators</title>
      <link>http://www.sophos.com/security/blog/2008/05/1397.html?_log_from=rss</link>
      <guid>http://www.sophos.com/security/blog/2008/05/1397.html?_log_from=rss</guid>
      <description>Last week several SophosLabs staff attended the 2nd International CARO workshop to discuss packers and obfuscators and how the anti-malware industry is dealing with them.
It was interesting to see the various approaches being explored and employed by vendors in dealing with hard-to-do packer and obfuscator technology in the anti-malware arena.
Sophos has been actively detecting a [...]</description>
      <pubDate>Sat, 10 May 2008 06:50:51 GMT</pubDate>
    </item>
    <item>
      <title>SQL sorcery</title>
      <link>http://www.sophos.com/security/blog/2008/05/1385.html?_log_from=rss</link>
      <guid>http://www.sophos.com/security/blog/2008/05/1385.html?_log_from=rss</guid>
      <description>Since I last blogged about a recent spate of aggressive SQL injection attacks [1], we have seen continued activity, with sites across the globe being hit. Amongst the casualties are numerous well known brands. This lunchtime I decided to pull together some data on the sites we have seen hit in these attacks since late [...]</description>
      <pubDate>Fri, 09 May 2008 16:13:18 GMT</pubDate>
    </item>
    <item>
      <title>Mister Swizzor’s Wacky Dialog Box Adventure</title>
      <link>http://www.sophos.com/security/blog/2008/05/1360.html?_log_from=rss</link>
      <guid>http://www.sophos.com/security/blog/2008/05/1360.html?_log_from=rss</guid>
      <description>Mr Swizzor had a problem. He knew that anti-malware engine heuristics thought that GUI applications without windows and buttons and text boxes were worrisome, because creating a GUI application without a GUI is a bit silly. But if he put windows and buttons and text boxes in his Trojan, those nasty anti-virus companies might decide that [...]</description>
      <pubDate>Fri, 09 May 2008 13:08:09 GMT</pubDate>
    </item>
    <item>
      <title>Free MP3s? Nothing in life is free</title>
      <link>http://www.sophos.com/security/blog/2008/05/1377.html?_log_from=rss</link>
      <guid>http://www.sophos.com/security/blog/2008/05/1377.html?_log_from=rss</guid>
      <description>A couple of days ago McAfee posted an interesting blog entry detailing the aggressive use of fake MP3 files to trick victims into installing a potentially unwanted application (PUA). The article gathered some press, not least because the fake MP3 files were assigned a threat level of &#8216;medium&#8217; for McAfee&#8217;s home users.
Users are likely to [...]</description>
      <pubDate>Thu, 08 May 2008 15:09:50 GMT</pubDate>
    </item>
    <item>
      <title>Safe sofa surfing?</title>
      <link>http://www.sophos.com/security/blog/2008/05/1372.html?_log_from=rss</link>
      <guid>http://www.sophos.com/security/blog/2008/05/1372.html?_log_from=rss</guid>
      <description>With the newer and ever more popular generation of games consoles it&#8217;s not just about playing the game anymore, it&#8217;s also about having the ability to browse the net from the comfort of your sofa in-between games or whenever takes your fancy.
Whether or not this form of surfing will ever become as popular as browsing [...]</description>
      <pubDate>Thu, 08 May 2008 07:28:47 GMT</pubDate>
    </item>
    <item>
      <title>Greetings from the EICAR conference</title>
      <link>http://www.sophos.com/security/blog/2008/05/1369.html?_log_from=rss</link>
      <guid>http://www.sophos.com/security/blog/2008/05/1369.html?_log_from=rss</guid>
      <description>The 17th annual EICAR conference is being held in Laval, France. Despite our worries about getting there it was actually quite an easy journey. The French rail system is excellent.
This year SophosLabs have presented a couple of papers, both documenting research we did at the beginning of the year. Boris and I presented our work on [...]</description>
      <pubDate>Tue, 06 May 2008 07:42:42 GMT</pubDate>
    </item>
    <item>
      <title>Make the Sophos Spam Pledge - as spam email turns 30 years old</title>
      <link>http://www.sophos.com/security/blog/2008/05/1364.html?_log_from=rss</link>
      <guid>http://www.sophos.com/security/blog/2008/05/1364.html?_log_from=rss</guid>
      <description>Today sees the 30th anniversary of the first ever spam message.
The message was sent by Gary Thuerk, an over-enthusiastic sales and marketing representative of DEC, to all 393 users of ARPANET (which later became the internet as we know it today).
In those 30 years, spam has progressed from a minor nuisance to a significant problem of bandwidth, users&#8217; [...]</description>
      <pubDate>Thu, 01 May 2008 08:19:16 GMT</pubDate>
    </item>
    <item>
      <title>Even Rocket Scientists fall prey to malware</title>
      <link>http://www.sophos.com/security/blog/2008/05/1365.html?_log_from=rss</link>
      <guid>http://www.sophos.com/security/blog/2008/05/1365.html?_log_from=rss</guid>
      <description>It may not have been a Rocket Scientist, but the report on The Register that a NASA employee was conned into installing malware should be a wake-up call that it could happen to anyone in any company.
Though the malware was not named, looking at the DOJ press release raises a few concerns:
&#8220;As a result [...]</description>
      <pubDate>Thu, 01 May 2008 07:39:42 GMT</pubDate>
    </item>
    <item>
      <title>GTA IV - free!!</title>
      <link>http://www.sophos.com/security/blog/2008/04/1363.html?_log_from=rss</link>
      <guid>http://www.sophos.com/security/blog/2008/04/1363.html?_log_from=rss</guid>
      <description>Yesterday saw the release of Grand Theft Auto IV (GTA IV), arguably the most eagerly awaited game of the year. Never ones to drag their feet, spammers are already hoping to catch gamers out with the offer of a free copy of the game for PS3. Heck, they&#8217;re even throwing in a Playstation 3 as [...]</description>
      <pubDate>Wed, 30 Apr 2008 14:40:27 GMT</pubDate>
    </item>
    <item>
      <title>More poisoned adverts - Yahoo!</title>
      <link>http://www.sophos.com/security/blog/2008/04/1361.html?_log_from=rss</link>
      <guid>http://www.sophos.com/security/blog/2008/04/1361.html?_log_from=rss</guid>
      <description>Over the weekend the Spyware Sucks blog talked about Yahoo! serving up poisoned adverts via one of their websites. Subsequent posts suggested that Sandi Hardmeier had not received a favorable resolution after informing Yahoo! of this issue. On Monday The Register highlighted this issue.
Currently, the malicious adverts are still on Yahoo! servers and can be [...]</description>
      <pubDate>Wed, 30 Apr 2008 14:03:07 GMT</pubDate>
    </item>
    <item>
      <title>Game Over!</title>
      <link>http://www.sophos.com/security/blog/2008/04/1359.html?_log_from=rss</link>
      <guid>http://www.sophos.com/security/blog/2008/04/1359.html?_log_from=rss</guid>
      <description>Many people with even a vague interest in security will be aware of Defcon. The Vegas-based hacker conference is held as a yearly event where security experts and enthusiasts alike are able to present and attend lectures addressing various issues in modern IT security.
In addition to all-night parties, no-holds gambling and other Vegas orientated activities [...]</description>
      <pubDate>Mon, 28 Apr 2008 16:21:53 GMT</pubDate>
    </item>
    <item>
      <title>Infiltrating botnets</title>
      <link>http://www.sophos.com/security/blog/2008/04/1358.html?_log_from=rss</link>
      <guid>http://www.sophos.com/security/blog/2008/04/1358.html?_log_from=rss</guid>
      <description>I read an interesting paper this morning written by folks at the University of Mannheim and Institut Eurecom. In the paper they present results of research in which they monitored the P2P botnet of Storm, with a view to understanding, measuring and potentially being able to disrupt it [1]. The work was presented in the [...]</description>
      <pubDate>Mon, 28 Apr 2008 09:22:47 GMT</pubDate>
    </item>
    <item>
      <title>Phish of the day</title>
      <link>http://www.sophos.com/security/blog/2008/04/1355.html?_log_from=rss</link>
      <guid>http://www.sophos.com/security/blog/2008/04/1355.html?_log_from=rss</guid>
      <description>Even on an otherwise quiet Saturday there are several phishing campaigns worth mentioning. The first is a campaign targeting Abbey UK bank. This is a standard but well orchestrated and sustained spamming using several newly created domains. A botnet (or a few) is used to send emails that vary both the Abbey-owned domain name [...]</description>
      <pubDate>Sat, 26 Apr 2008 15:11:28 GMT</pubDate>
    </item>
    <item>
      <title>Happy Birthday SophosLabs Blog</title>
      <link>http://www.sophos.com/security/blog/2008/04/1350.html?_log_from=rss</link>
      <guid>http://www.sophos.com/security/blog/2008/04/1350.html?_log_from=rss</guid>
      <description>With all the excitement of my vacation and Infosec, the fact that the SophosLabs blog is now one year old escaped me.
I posted the first entry on April 19th last year following a malware attack using the tragedy at Virginia Tech.
Since then we have posted over 700 articles on a wide range of topics, everything from [...]</description>
      <pubDate>Fri, 25 Apr 2008 16:02:25 GMT</pubDate>
    </item>
    <item>
      <title>Do you recognise him?</title>
      <link>http://www.sophos.com/security/blog/2008/04/1348.html?_log_from=rss</link>
      <guid>http://www.sophos.com/security/blog/2008/04/1348.html?_log_from=rss</guid>
      <description>With no end of malware these days aggressively targeting people&#8217;s finances and personal data it was a surprise this morning to see a simple VBS script worm, apparently written with the sole aim of airing a personal grievance.
VBS/AutoRun-DQ displays the following picture:

Writing something like this just to express annoyance with an individual is an interesting, [...]</description>
      <pubDate>Fri, 25 Apr 2008 15:58:59 GMT</pubDate>
    </item>
    <item>
      <title>Fraudsters Target Fears Over Identity Theft</title>
      <link>http://www.sophos.com/security/blog/2008/04/1346.html?_log_from=rss</link>
      <guid>http://www.sophos.com/security/blog/2008/04/1346.html?_log_from=rss</guid>
      <description>The internet is a great place for fraudsters to con naive computer users by appealing to their fears and desires.
Fake/fraudulent anti-malware (anti-virus, anti-spyware etc.) applications have been around for a long time and we see a regular influx of new variants. More recently we&#8217;ve seen a variation on this theme that targets current fears over [...]</description>
      <pubDate>Fri, 25 Apr 2008 08:18:50 GMT</pubDate>
    </item>
  </channel>
</rss>
