30 Aug 2006

Vicky's sex partner graphic email points to malicious Trojan horse

Malware attack steals tricks from image spammers

Experts at SophosLabs™ have warned that hackers are stealing the tricks used by image spammers to infect computer users with malicious code.

Experts at Sophos's Sydney lab, one of its global network of virus, spyware and spam analysis centers, have discovered that email messages are being sent to Australian computer users claiming to come from a young woman visiting the country. Unusually, the malicious emails contain no text, only an embedded graphical image telling users to visit a website.

Part of the text in the image reads:

Hi, My name is Vicky Willington, I'm just a college girl who just arrived in Australia and looking for a sex partner. All what I need is a good man, you must be serious and honest, let me know if you wish to meet.

You may see my pics at my web page: <url removed>

The email message consists of an image, directing users to a malicious website.

The website referred to in the email contains a soft porn image and a link to the Troj/Dloadr-AMA Trojan horse.

"This malware attack is particularly interesting because it borrows techniques commonly used by spammers. The message body is image only - whereas Trojans are more commonly distributed as text only or text with embedded images," said Graham Cluley, senior technology consultant at Sophos. "The image in the email contains random noise to sidestep signature-based detection - a technique normally seen in medical or stock spam campaigns. Also, the subject matter is similar to 'pretty girl' spam campaigns that we see - but normally they send text spam rather than image spam, and urge the recipient to reply via email rather than visit a website."

Throughout 2006, Sophos experts have reported a sharp rise in spam containing embedded images, from 18.2 percent in January to over 35 percent today. By using images instead of text, messages are able to avoid detection by some anti-spam filters that rely on the analysis of textual spam content.

Sophos experts note that the emails do not contain a hyperlink to the malicious website, but require the user to type in the URL by hand.

"Because these emails solely consist of a graphical image there is no link for the user to click on," explained Cluley. "You can't visit this website by accident, you have to want to find out more about Vicky and enter the website url manually. Some might believe that those foolhardy enough to look for a sex partner on the web get everything they deserve. The best defense remains to protect yourself with up-to-date security products and a healthy dose of skepticism about unsolicited email."

Sophos's anti-virus products were automatically updated to protect against the Troj/Dloadr-AMA Trojan horse at 08:31 GMT on 23 August 2006.

Sophos recommends that companies protect their email gateways with a consolidated solution to defend against viruses, spyware and spam, as well as secure their desktop and servers with automatically updated protection.

About Sophos

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions backed by SophosLabs - a global network of threat intelligence centers.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.