Malware abusing digital signatures: VB2010 presentation highlights

I recently presented my paper Want My Autograph? The use and abuse of digital signatures by malware at Virus Bulletin 2010. I will refrain from delving into the gory details of digital signature heuristics that strongly indicate malware — those interested can refer to the paper for that information. I will however highlight one of [...]

Sophos

Choose your FakeAV?

Today, at SophosLabs, we encountered another interesting rogue security software variant, Troj/FakeAV-BTN. When run, Troj/FakeAV-BTN poses as a Microsoft Security Essentials Alert and detects only one file as “Unknown Win32/Trojan”. When the user wants to remove this fake threat, this malware offers a “Scan online” option. One of the interesting parts of this rogue application is that the page displays [...]

Sophos

Cat ‘n Mouse with spammed HTML redirects.

The attackers behind the spammed HTML redirects I blogged about last week have been busy over the last few days. In an ongoing attempt to evade detection they have continually tweaked and changed the manner in which the redirect is being hidden. In this post I will take a quick look at the evolution of [...]

Sophos

Mal/PDFJs-Y: PDFs using getField

This week I have been putting the finishing touches to my presentation for the Virus Bulletin Conference in Vancouver later this month. While doing the research I have collected a large corpus of PDF files; the results of analyzing these files form the bulk of my presentation. In these last few days before the conference [...]

Sophos

Another mass-spammed redirect (leading to fake AV)

In what seems to be a fitting close to the week, today we have seen further waves of mass-spammed JavaScript redirects. Fairly typical social engineering is used in the email messages to entice the user into opening the attachment. Double-clicking the attachment will load the HTML file in the default browser and (depending on the browser security [...]

Sophos

Somerset County Council website victim of Blackhat SEO and malware injection

Sophos users over the past few months may have noticed that they haven’t been able to access parts of the Somerset Information Exchange (SiX) due to instances of Mal/Badsrc-C on the site. The problems for the SiX microsite, hosted on somerset.gov.uk, are larger than just malicious SCRIPT tags on pages. The site also has injected Blackhat [...]

Sophos

Infected Phish

This week we’ve seen more phishing spam targeting the Commonwealth Bank of Australia, an institution that many scammers have aimed at in the past. The emails have a subject of “Update your Commonwealth Bank” and look like this: The text is standard scaremongering. Opening with “Customer ID : 000-5432-654386-PSI” does make the email look more official, and [...]

Sophos

Digging Deeper on the TechCrunch Zbot

Last week the website belonging to TechCrunch Europe had malicious code planted on it, the payload of which was a variant of Zbot - Troj/Zbot-YP. There are several interesting aspects of this variant that are worth exploring in a little more detail. Firstly, the version of Zbot (aka Zeus) in use is not the latest version 2 but [...]

Sophos

And in other PDF news tonight…

Just a quick update that we are seeing reports of an old-school mass-mailing worm doing the rounds currently. The emails it sends contain a link that pretends to point to a PDF, but in fact points to a Visual Basic PE executable. So it has nothing to do with the latest Adobe 0-day we mentioned [...]

Sophos

APSA10-02: BOPs and the Adobe 0-day

Just a quick update on the latest Adobe zero-day vulnerability (APSA10-02) that has come to light this week. You may well have already watched the video Chet posted yesterday. We have also published an advisory page for this vulnerability as well. As mentioned in Chet’s post and the advisory, detection for this threat was provided in [...]

Sophos
