49 posts • joined 19 Aug 2007
The link works for me.
Or you can go straight to the technical paper (PDF) here: http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf
10,000 or 25,000
The explanation is that currently 10,000 Unix servers are compromised by the Windigo attack, but in the entire lifetime of the campaign up to 25,000 servers have been hit.
Hope that helps
Midnight is superb.
A fantastic piece of writing by Russell T Davies (just when I thought he'd run out ideas) and a terrific piece of acting by the small cast.
I would rate it above Blink personally - although my wife thinks Midnight is the most boring episode of Who ever. Different folks, different strokes I guess.
(Glad to see Girl in the Fireplace also make an appearance)
I believe him
In over 20 years working for anti-virus companies, I never once heard about any pressure being put on us by government agencies to not detect malware.
To be honest, I can't imagine a govt agency *trusting* an anti-virus company (and the variety of nationalities employed inside a typical security lab) to keep such a request secret anyway.
Not to mention, how exactly would an anti-virus company be expected to respond if a customer (who was being spied upon by the agency) sent in a sample, and asked why we weren't detecting it when - say - F-Secure was?
So, I don't think this is happening.
Rather than nobbling the anti-virus companies, I suspect govt agencies are writing malware (just like the bad guys) and working their damndest to avoid detection (just like the bad guys). The fact that any state-sponsored malware is likely to be designed for specific targeted attacks, helps their hand of course...
Re: Pot meet kettle
I never sawed a person in half on stage at Infosec.
I did once guillotine Janet "Blue Peter" Ellis's hand off. But that was at Networks 96. And I was working for Dr Solomon's at the time.
Sophos tended to be a fair bit more corporate in its trade show presentations than Dr Solomon's, but anything that breaks the monotony of presentations about virtualization, high wire gymnastics on the Symantec booth, and dollybirds handing out USB sticks has to be a good thing I reckon.
Onel de Guzman
Point of order. Onel de Guzman, creator of the Love Bug, did his dastardly deed back in 2000 - ten years before the Naked Security blog was written. So we wouldn't have that many articles about him other than the odd retrospective piece. :)
From VirusTotal's own website:
"Those who use VirusTotal to perform antivirus comparative analyses should know that they are making many implicit errors in their methodology"
In a nutshell, it ain't a real world test, as VirusTotal does not (and doesn't claim to) mimic the protection that users would experience in the real world where they may have multiple levels of protection, cloud-based lookup, runtime behavioural analysis etc etc..
Guy not wearing the mask
He's the host of one of the shows on the TV channel RT (Russia Today).
I don't think we should assume he's in any way connected with the rest of the vid.
Lest we forget..
Anyone else remember The Register's 2009 article: "'Cybercrime exceeds drug trade' myth exploded"?
It's clearly a publicity stunt
As I explain at http://nakedsecurity.sophos.com/2011/06/20/beautifulpeople this story has duped the likes of The Telegraph, The Daily Mail, The Guardian, Fox News, BBC Radio 4 and now The Register too!
It's clearly poppycock, dreamt up by BeautifulPeople's PR firm. If the Shrek virus exists, I look like Brad Pitt.
I'm not medically qualified so I can't give you a definitive answer on this one - but I feel fine, thanks.
Facebook's https option
As our letter makes clear, Facebook doesn't turn on https by default - and if you do turn it on they only use it "whenever possible".
What they mean by "whenever possible" is whenever it's convenient for them.
So not, for instance, when you visit the mobile version of their website. And not when you visit third party apps running on the Facebook platform.
It should be on, by default, all the time you're connected to Facebook. Period.
[ps. can we have a Zuck avatar?]
Don't use VirusTotal for detection comparison
VirusTotal itself says that you shouldn't use it to compare detection capabilities.
Those who use VirusTotal to perform AV comparative analyses should know that they are making many implicit errors in the methodology, the most obvious being:
* VirusTotal AV engines are commandline versions, so depending on the product, they will not behave exactly the same as the desktop versions: for instance, desktop solutions may use techniques based on behavioral analysis and count with personal firewalls that may decrease entry points and mitigate propagation, etc.
* In VirusTotal desktop-oriented solutions coexist with perimeter-oriented solutions; heuristics in this latter group may be more aggressive and paranoid, since the impact of false positives is less visible in the perimeter. It is simply not fair to compare both groups.
Sophos has been blocking the site linked to by the script on the BBC website since 20:42 GMT on 9 February 2011, for instance. But VirusTotal doesn't test that way so it won't know that we'd pick it up as Troj/ExpJS-BO and Mal/IFrame-F.
The difficulty in detecting hoaxes is telling the difference between
"Please watch out for emails about Ed Stewart - the so-called Crackerjack virus will turn your CPU into blancmange. Forward this warning to all of your friends - we need to stamp this one out!"
"There's a new hoax doing the rounds. It warns you to watch out for emails about Ed Stewart - claiming the so-called Crackerjack virus will turn your CPU into blancmange. Please forward this advice to all of your friends - we need to stamp this one out!"
And then there's the issue that virus hoaxes can spread via newspapers, fax, Radio 2, etc. or even as publicity stunts. (Read the story of the Irina hoax virus publicity stunt here: http://virusbusters.itcs.umich.edu//hoaxes/irina.html )
It must have been almost ten years ago. I was in a car, and Ed Stewart was pontificating on Radio 2 about some computer virus or other.
My ears pricked up, and I realised he was telling his loyal band of listeners a load of old nonsense - and was actually reading out a virus hoax.
I called the station, to try to get them to put out a correction, but they must have thought I was a nutter.
Which I probably was. For listening to Ed Stewart.
Need to correct that headline - it DOESN'T bypass virtually all AV
KHOBE can't be described as a way that malware can be installed on computers.
What Matousec describes is a way of "doing something more" **if** the malicious code manages to get past your anti-virus software in the first place.
In other words, KHOBE is only an issue if anti-virus products such as miss the malware. And that's one of the reasons, of course, why security vendors offer a layered approach using a variety of protection technologies.
How can that be bypassing?
There's a good write-up on this by my Sophos colleague Paul Ducklin:
Google is your friend..
Check out the image of the spam on the upset blogger's post.
The offending spam comment includes the commenter's name. Google his name, and you should be able to find out the name of the agency he works for pretty easily.
Sophos is no longer working with the company.
Rent-a-quote Graham's right here!
I'm right here - who do you think was the "spokesman" who spoke to The Register? :-)
My opinion - as you read in the article - is that what happened is appalling, and something that we're all mortified about here at Sophos.
We're not in the business of adding to the spam problem, and we are terribly sorry to those bloggers who received these inane messages from the marketing agency we hired.
Still no evidence that the Facebook app was malicious
Hi, I thought I'd just post a follow-up.
We've still seen no evidence that the Fan Check Facebook app which has got everyone scared witless is malicious. We can't be specific about what precisely "Fan Check" does to Facebook users as we're unable to access it.
What isn't in doubt, however, is that the bad guys have set up websites which have been optimised to appear high in Google search results for people hunting for info on Fan Check, but are designed to spread a fake anti-virus application instead.
So, even if it's true that the Facebook app is harmless - there is still a danger out there, that many Fan Check-fearing people are being directed to.
Graham Cluley, Sophos
Video of malware blocked by YouTube
For reasons best known to YouTube they've deemed the video of the malware attack "inappropriate content".
If you want to watch what the malware does, you can check it out at http://vimeo.com/5662308
Tim, I think you've interpreted how this works the wrong way because Pareto just posted a picture of the Windows payload on their blog.
The malware served up is different depending on whether you visit the site using Windows or Mac OS X.
We have a video demonstrating what happens if you visit on a Mac over at
We're seeing more and more of these two-pronged attacks - working out if you're visiting via Windows or a Mac, and serving up the appropriate flavour of malware.
What makes you think it only works on Internet Explorer?
We tried it on IE, Safari and Firefox using Windows and Mac OS X computers.
The attack is based around social engineering rather than a flaw in a browser - so any user with a hunger for porn may find themselves tempted into downloading the codec.
Klingon response to The Register
The page has been updated to mention The Register
(and some further explanations at http://www.sophos.com/blogs/gc/g/2009/05/19/klingon-antivirus-facts/ )
Some more information
That's a mightily impressive six times more infections than the tried and trusted malicious Iframe attack of Mal/Iframe-F.
I'd recommend that surfers check their protection is up-to-date and fighting this one.
*If* Mikeyy Mooney did make a sincere effort to warn Twitter (quite a big "if" to my mind, as it hasn't been suggested before) and they ignored him then his response should never have been to unleash the worm.
*If* they had ignored him, a better thing would have been to have gone to a security journalist, demonstrated the flaw to the journo, and allowed the journo (without publishing details of how to reproduce it) to write about it. You can be sure that would get the attention of Twitter's powers-that-be.
But the fact is that there's no suggestion that Mikeyy has ever contacted Twitter to work out a responsible way of disclosing the flaw. Instead he endangered many innocent Twitter users and disrupted the business.
And guess what the *latest* Mikeyy worm says
In case anyone missed it, shortly after it was revealed that Mikeyy had been offered this job, a new worm was spreading around Twitter.
One of its messages?
"I work for exqSoft Solutions now - http://www.exqsoft.com/ - mikeyy"
Not a good sign. The CEO of exqSoft says he did not ask for the worm to be written and has been unable to contact his latest recruit to ask if he is the originator.
The link is still there
Well, in the form of PDFs about the Technical Advisory Board anyway.
Thanks to the wonder of PDFs they are available as clickable hotlinks for anyone who is bored of technical advice..
Re: Cameron Colley's question about Gigabyte, the notorious female virus writer (real name Kim Vanvaeck)
She got arrested in Belgium in 2004 (http://www.sophos.com/pressoffice/news/articles/2004/02/va_gigabyte.html ) but ultimately was let off the hook by the cops with little more than a smacked wrist and a promise not to cause trouble again. As far as I know she followed their advice
I know a guy who met Gigabyte, and told me she was a rather cute-looking blonde. Bizarrely I was once invited to a security conference to sing a karaoke duet with her, but probably wisely turned down the opportunity..
Will USA want to extradite BBC reporter?
Do we know where the compromised PCs are based in the world?
What if some of those botnet computers were in the US military? The Pentagon? NASA?
Will the USA try and extradite the BBC's Spencer Kelly just like Gary McKinnon?
I'm running a poll on my blog if anyone wants to give their opinion on whether the Beeb were justified or not in what they did.
Graham Cluley, Sophos
And the malware authors are close behind..
It looks like the bad guys are up to their trick of jumping on the bandwagon again.
We're seeing evidence that websites containing malware are showing up in search engine results when people hunt for PIFTS. Sophos is picking up some of these sites as Mal/BadRef-A.
The Mal/BadRef-A script redirects to another malicious script (Troj/Reffor-A) which then itself redirects to a page detected as Mal/FakeAvJs-A.
That page leads to a fake anti-virus scan (scareware) designed to frighten you out of your hard earned cash.
Graham Cluley, Sophos
Why we don't install an anti-Conficker on those websites
I'm afraid that it would be against the law - under the Computer Misuse Act - for us to change the visiting infected computers without the owners' permission.
A new strain
Yes, there was a malware attack spammed out in the summer which was similar in its use of the airline ticket disguise (I refer to it in my blog entry on the Sophos website at http://www.sophos.com/blogs/gc/g/2008/12/04/email-malware-flying-high/), but this is a new campaign which has some new characteristics - and is spreading different malware.
Why are they using such a similar cloak of disguise? Well, a simple reason - it worked before, so they're banking that it will work again. :(
This isn't about believing that you've been sent air tickets you never ordered, but believing that either an airline has screwed up or (most likely) that someone else has used your credit card to make a purchase. Naturally people get so affronted that they open the attached file without thinking of the possible security consequences.
Who should have found the infection?
@Anonymous coward and @Steen Hive
I do believe it is impractical for the millions of websites out there to check every advertising link served up to them by a third party advertising company to check if it is legitimate. Can you imagine the resources required to do that? Sure, it would be nice if it happened - but is it realistic to expect it?
Didn't The Register itself serve up a malicious banner advert four years ago? As I recall, they responded the right way (as I would hope the Daily Mail would do) by pulling the ads and presumably asking tough questions and perhaps breaking the relationship with the advertising network.
The ad networks need to do a much better job of weeding out the malicious adverts - this is not necessarily easy to do of course.
The addition point I made to The Register, but which got left out of the report I think, is that everyone browsing the web needs to defend themselves. Many websites deliver ads via third parties, and most are not checking them for malicious links. If you have a decent anti-virus solution on your computer then that can help reduce the threat to you.
After all, that's how it all started...
It's time to go back to basics with Doctor Who.
When the show started in 1963 it starred a doddery old white-haired man and his granddaughter as his assistant.
Andrew Sachs, anyone?
Another Paris Hilton?
What I'm curious about is how was Sarah Palin's email account broken into?
Was her PC compromised with spyware? Did she carelessly connect to an unencrypted Wi-Fi hotspot? Did she choose a dictionary word for her password ("aardvark") that was easy for the hackers to crack?
Or did she fall for a similar trick as the one that caught out a certain Miss Paris Hilton back in 2005. If I recall correctly, Paris's mistake was making the name of her pet chihuahua (Tinkerbell) the secret question/answer to reset her Sidekick's password. Uh-oh.
I made a video comparing Sarah Palin's plight with Paris Hilton's experiences, which Register readers might like: http://www.sophos.com/blogs/gc/g/2008/09/18/paris-hilton-sarah-palin-video/
The SQL attacks *always* have been hitting the big sites as well as the little ones.
These attacks are automated - it's not as though BusinessWeek was specifically targeted. The bad guys use search engines to find vulnerable sites (big or small) and zap! infect them with their malicious scripts.
(Paris, in honour of The Reg bringing back the old icons)
11% of people who came to Sophos's website
The poll was run on our website. According to the marketroids, the typical make-up of people who come to our website are IT specialists and system administrators (as we don't have a consumer product).
I expect they know the difference between spam and "legitimate" marketing emails - but who knows..
We've published links and more information on the Sophos Spam Pledge page at http://www.sophos.com/pledge
Sophos's 95 percent spam stat @Gordon Fecyk
Sophos's figure of 95% of email is spam comes from our spam filtering software and appliances at companies worldwide. We count the amount of legitimate email they receive, and we count the amount of spam they receive. And then do the maths to get a percentage.
Of course, individuals may have varying experiences.
11 percent of people admit to having bought from spam
We polled 390 people in November 2007. 11% said that they had bought goods advertised via spam.
Hope that helps.
Why 30 years of spam? Because it works..
The sad truth of the matter is that we are blighted with spam because it works for the bad guys.
We may all roll our eyes at yet-another-letter-from-NIgeria, the endless waves of fake Rolex offers, weight loss pills, and unwanted mortgage loans.. but the only reason these things get sent is because *some* people *occasionally* respond to spam and make a purchase.
What we really need to do is educate more people to NEVER buy, try or reply to spam. The dudes at SophosLabs put a little video together today hoping to raise awareness of the need to never buy goods advertised via spam:
Maybe the readers of The Register are immune from the lure of spam emails, but can we say the same of everyone in our family? Is it our Aunty Hilda's innocent clicking and purchasing of penny stocks what is perpetuating the spam problem?
Re: Where was Cluley at Infosec?
I was there! Booth F130. You should have dropped by and claimed your free t-shirt and blue slushie.
By the way, I'm grateful for John at The Register for writing up this story - it appears to have stirred Facebook into action zapping some of the other offending material about me and my family up there.
More nice screenshots
If you liked The Reg's screenshots of this incident you can check out more on the Sophos blog here: http://www.sophos.com/security/blog/2008/03/1199.html
(no toolbars present :) ) We also show some evidence that this isn't the first time the bad guys have tried this kind of scam.
Graham Cluley, Sophos
The nom de plume
Just so you know, the "x"'s in the name "GxxxxBxxxxxx" are our way of hiding the real pseudonym he used.
Apache web servers hosting malware
Yes, Sophos's research found that 48.7% of the compromised websites were running Apache. The next closest was IIS 6 which was used on 40.6% of the websites hosting malicious code. There is a danger that people may think that just by avoiding Microsoft software they're immune from attack - which is clearly nonsense.
The full report is available from http://www.sophos.com/securityreport2008 if anyone is interested. You have to fill in a form to get at the PDF with the meat of the report, but you can always say you're Donald Duck if you're paranoid we're going to do something ghastly with your details...
Graham Cluley, Senior technology consultant, Sophos
Charles-A Rovira writes that you have to be a moron to install malware onto your Macintosh.
The financially-motivated malware that we have seen so far for the Macintosh typically disguises itself as a Codec to allow the Mac user to view a video. So the user *does* have a good reason to install the program that the website is telling him to download, and *does* have a good reason to tell his Mac that "Yes, carry on.. this is okay with me" if it brings up any security concerns about installing the code.
It's all about social engineering. It's the human element which is the big vulnerability - not which OS you're running. Mac users need to accept they are just as vulnerable to social engineering as their PC cousins if they're going to have a fighting chance at reducing the likelihood of attacks against Mac.
But there's an opportunity for Mac users right now to send a message to the bad guys that it's not worth looking for money on Apple computers. If enough people resist the social engineering, and don't fall for the tricks being pulled by the hackers to lure them into downloading Mac malware, then chances are that the cybergangs will return to their Windows roots and leave the Mac community alone.
It's like throwing chips at seagulls - if you keep giving them chips they'll come back for more. Don't get infected, don't be fooled into behaving unsafely, and you should be able to keep Macs as the much safer place that it currently is compared to Windows.
Graham Cluley, senior technology consultant, Sophos
Not the first, and sadly probably won't be the last..
Last September webpages of the US Consulate General in St Petersburg were compromised by hackers. On that occasion cybercriminals planted the Mal/ObfJS-C malicious code, that then attempted to download further malware from a remote server.
As is the norm these days, it was all a ruse to steal business and personal data from unwary visitors. More info was posted on the Sophos blog at http://www.sophos.com/news/2007/09/consulate.html
With something like 6000 new webpages discovered each day carrying malicious code (and over 80% of those being legit websites that the bad guys have hacked) it's becoming clear that you can't trust *anyone* these days to have a squeaky clean site.
I think it's time for the website owners and webhosts to take some responsibility for the security and patching of their sites, rather than just hoping that Joe Public will ensure that their browser and visiting computer are properly defended.
They shrank it the wrong way
Who cares if the MacBook Air is so skinny? The Asus EEE wins for me because it's smaller - that's what I want from a subnotebook. Something that can fit in my satchel without poking out of the top.
I don't need a big screen or a full-size keyboard. I just need something quick and dirty to get me on the net to read my email, browse the web, and ignore Zombie invitations on Facebook.
The fact that it only costs 200 quid is a big bonus too. I bought one for my IT-luddite mother-in-law for Christmas at Toys R Us and she's over the moon. I know another senior citizen who has bought an Asus EEE after seeing it too.
I think once people see the Asus EEE in action, and realise it's a powerful and useful bit of kit for a neat price they'll find the price hard to resist.
Yes, the MacBook Air will look sexy as hell - but I wish they'd made it with a smaller screen and keyboard so it would have been a true subnotebook.
Good advice for better privacy and security on Facebook
Some good tips there to start people in the right direction on Facebook. The problem is much more of a human one than a technological one -- Facebook have put controls in place, it's just that people aren't using them. Sigh..
Sophos has published some step-by-step advice on how to set your privacy settings on Facebook which may be of use to many readers concerned about identity theft online:
- Infosec geniuses hack a Canon PRINTER and install DOOM
- Feature Be your own Big Brother: Monitoring your manor, the easy way
- Boffins say they've got Lithium batteries the wrong way around
- In a spin: Samsung accuses LG exec of washing machine SABOTAGE
- Phones 4u slips into administration after EE cuts ties with Brit mobe retailer