Technical Papers

Here you will find a range of papers aimed at system administrators and security specialists on a variety of topical issues. Some of these papers have been presented at security seminars and technical conferences around the world.

SophosLabs 2018 Malware Forecast

In this report, we review malicious activity SophosLabs analyzed and protected customers against in 2017 and use the findings to predict what might happen in 2018.

Your handy guide to machine learning at Sophos

Sophos data scientists have written several articles about how machine learning works, how it will be applied to Sophos, and what that will mean for customers. This is a handy guide to that content.

Machine Learning: How to Build a Better Threat Detection Model

A look at how Sophos develops its machine learning models. Here, we explain the concepts and show the development and evaluation of a toy model meant to solve the very real problem of detecting malicious URLs.

Ransomware as a Service (RaaS): Deconstructing Philadelphia

Kits available on the Dark Web allow the least technically savvy among us to do evil. Philadelphia is one of the slickest, most chilling examples.

CVE-2017-0199: life of an exploit

The normal lifecycle of an Office exploit starts with the initial use in targeted attacks. Then, at some point, the information leaks out and cybercrime groups start using it more widely. Offensive security researchers then start experimenting with AV evasion, and the exploit finally ends up in underground exploit builders. Normally this cycle can take a few months. In the case of the CVE-2017-0199 Word exploit, we have observed this in a much more accelerated time scale.

BetaBot Configuration Data Extraction

This paper explores the inner workings of Betabot, including capabilities of the associated botnet server components and technical detail on how to extract and decrypt configuration data.

Looking ahead: SophosLabs malware forecast for 2017

Attackers set their sights on the Internet of Things, Android and MacOS devices in this look ahead for 2017.

AKBuilder – the crowdsourced exploit kit

Document exploitation remains a favorite attack technique for distributing malicious content because it is easier to trick victims into opening document attachments than executables. Exploited documents have the added benefit of not requiring victims to manually enable macros, as is often the case for VBA downloaders. As of this writing in late 2016, the most popular of the Office exploit builders is a tool called AKBuilder. This paper delves into the evolution, internal working and end effects of this toolkit.

Ancalog – the vintage exploit builder

Document exploitation is a popular method of distributing malware in the malware community. Even though it was never the most prevalent infection vector, document exploitation has been on the rise for the last few years, hiding in the shadow of the more seasonal VBA or JavaScript downloaders. This technical paper explores why we're seeing more document exploitation malware in the wild, as well as the long-standing popularity of the document exploitation generator Ancalog, which is widely commercially available, and its various applications in cybercrime.

Cryptomining malware on NAS servers

A couple of years ago, coin mining was a bubbling story. There were many threats that used infected machines to mine cryptocurrencies at the expense of the victim. The idea was perfect from the criminal's point of view, but as time went on the average PC was no longer powerful enough to mine even a single coin. It was time to give up on this type of attack and turn the attention to other ways to make money, like ransomware. Recently a new malware family has found a way to use PCs efficiently to mine new types of cryptocurrency. In this paper we examine this new trend.

Is it time for CVE-2012-0158 to retire?

For many years the top Office vulnerability was CVE-2012-0158, which dominated our Office exploit prevalence charts; however, the past weeks have shown an interesting reorganization in the document exploitation scene. The four-year-old classic exploit appears to have been dethroned by two newer vulnerabilities. In this paper we take a look at what’s happened and why things have changed.

CVE-2012-0158: Anatomy of a prolific exploit

Arguably one of the most exploited vulnerabilities of the last decade, the story behind CVE-2012-0158's longevity is one of constant adaptation. In this paper we dissect all aspects of the vulnerability: how it works, why it's been so popular, how it's changed form, who it's commonly utilized against and what the future holds for it.

Vawtrak v2

This paper provides a technical analysis of the most recent variant of the banking malware Vawtrak, which we dub "version 2." We describe alterations to the code, such as changed encryption, increased obfuscation and modularization. We give a breakdown of the financial institutions and other organizations that are currently targeted. And we also present data gathered from a sinkhole of a Vawtrak version 1 command and control server.

2015 Q4 Exploit Stats

In our research we examined the attack reports related to Microsoft Office documents to figure out which exploits are the most common and what malware they are most actively distributing. CVE-2012-0158 has been topping our document exploit charts for many years. It seems that nothing endangers the reign of this dinosaur, even though challengers have appeared over recent years.

Office Exploit Generators

Cybercriminals have realized that Microsoft Office documents offer an excellent way to spread their malware, as users wrongly consider them safe. As a result, recently we have seen a resurgence in document malware. Office exploit generators play a crucial role, making Office exploitation available to common cybercriminals. In this paper, we look at some of the most impactful Office exploit generators. 

The Current State of Ransomware

This paper gives an insight into the current state of ransomware, and presents a detailed analysis of the four most prevalent variants – CryptoWall, TorrentLocker, CTB-Locker and TeslaCrypt – as well as an analysis of more obscure variants that employ novel or interesting techniques.

Will Android Trojan, Worm or Rootkit Survive in SEAndroid and Containerization?

Android 5.0 is trying to set itself up as a safe corporate mobile operating system by touting SEAndroid and containerization. The enforcements of SEAndroid and containerization have been changing the way OEMs and Security vendors respond to security issues. This paper by Rowland Yu and William Lee will prove that, even with these security enhancements, you can still be infected; still have data stolen; still have corporate data leaked; or experience exploration of kernel vulnerabilities. Presented at the Virus Bulletin 2015 conference.

Breaking the Bank(er): Automated Configuration Data Extraction for Banking Malware

In this paper presented at Virus Bulletin 2015, James Wyke explores how we can provide more holistic protection against the new families of banking Trojans such as Vawtrak and Dyreza. He explains our sandboxed-based system for automatically extracting and storing valuable data, in a scalable way.

Effectively Testing APT Defenses

In this paper presented at Virus Bulletin 2015, Gabor Szappanos addresses some of the challenges related to the testing of APT protection software suites and devices. He first looks at the subjective and confused range of definitions of what an APT even comprises. He then looks at some of the objections raised to testers' measurements of APT protection efficacy in light of these definitions. Finally, he offers some simple guidelines for those who are attempting to construct or interpret tests of APT protection.

Cross-Platform Mobile Malware: Write Once, Run Everywhere

Presented at the Virus Bulletin 2015 conference, this paper by William Lee and Xinran Wu describes the feasibility of new cross-platform mobile malware, analyzes the package structures of such malware, discusses the technical issues and suggests a solution to the problem.

Microsoft Word Intruder Revealed

This paper describes the mechanics of the Microsoft Word Intruder (MWI) malware creation kit that was used by dozens of cybercrime groups in a series of campaigns between May and August 2015. It explains the history of malware creation kits, how they work, and dives into the infection mechanism of the MWI generator, pointing out the key characteristics differentiating the MWI samples from other exploited malicious documents.

A Closer Look at the Angler Exploit Kit

Since the demise of the Blackhole exploit kit in October 2013, when its alleged operators were arrested, other exploit kits have certainly flourished and shared the marketplace. In this research paper we take a close look at Angler, which first appeared in late 2013 and since then has grown significantly in popularity and in 2015 became dominant.

PlugX Goes to the Registry (and India)

The notorious PlugX APT group is continuing to evolve and launch campaigns, most recently a five-month-long campaign targeting organizations in India. PlugX now uses a new backdoor technique – hiding the payload in the Windows registry instead of writing it as a file on disk – according to this new technical paper from SophosLabs Principal Researcher Gabor Szappanos. Although not unique to PlugX, this backdoor approach is still uncommon and limited to a few relatively sophisticated malware families.

Exploit This: Evaluating the Exploit Skills of Malware Groups

Many highly effective hacking groups associated with malware and advanced persistent threats (APTs) appear to lack an understanding of the technical exploits they use. They also fail to adequately test their exploits for effectiveness before unleashing them on their victims. Gabor Szappanos of SophosLabs Hungary evaluated the malware and APT campaigns of several groups that all leveraged a particular exploit — a sophisticated attack against a specific version of Microsoft Office. Gabor details how none of the groups he analyzed were able to modify the attack enough to infect other versions of Office, even though several versions were theoretically vulnerable to the same type of attack.

Vawtrak - International Crimeware-as-a-Service

In this paper we will highlight the main infection vectors for Vawtrak. We will describe how it gains control on an infected machine and what functionality it is capable of. We will then demonstrate how that functionality is being used, what organisations are being targeted and how the mechanisms that are employed vary between targeted banks and targeted geographies. Finally we will show how the Vawtrak botnet is apparently being used as part of a Crimeware-as-a-Service (CaaS) business model where the output of the botnet can be adjusted on demand, with financial data effectively being stolen to order.

The Rotten Tomato Campaign

This technical paper by SophosLabs Principal Researcher Gabor Szappanos explores the malware campaign called Rotten Tomato, in reference to the Tomato Garden campaign - and because some of the samples were rotten in the sense that they were not effectively executed - and shows how several different groups used the same zero-day Microsoft Word exploit. The term "used" means that they somehow get hold of a document that exploited the vulnerability, and then left the exploiting document part and the shellcode intact, and only changed the appended encrypted executable at the end.

Telemetry Database Query Performance Review

This document is an overview of work done to attempt to rank some commonly used analytically-focused database technologies against our currently used infrastructure and traditional data storage approaches. We will attempt to improve our current systems based on the work done here which will enable us to make an informed decision as to which technology to adopt in the future.

Back Channels and Bitcoins: ZeroAccess' Secret C&C Communications

In this paper, presented at the Virus Bulletin 2013 conference in Berlin, SophosLabs researcher James Wyke examines the secret communications channels used to administer the ZeroAccess botnet.

Between an RTF and OLE2 Place: An Analysis of CVE-2012-0158 Samples

In this paper, presented at the Virus Bulletin 2013 conference in Berlin, independent researcher Paul Baccas documents some pitfalls of the file formats that make detection problematic, with particular attention placed on high-profile attacks using Microsoft vulnerability CVE-2012-0158. Baccas used tools based on the proprietary Sophos Virus Description Language (VDL) in this research.

GinMaster: A Case Study in Android Malware

This paper by SophosLabs researcher Rowland Yu, presented at the Virus Bulletin 2013 conference in Berlin, gives an overview of three generations of the GinMaster family, examines their core malicious functionality, tracks their evolution from source code, and presents notable techniques utilized by specific variants.

Classifying PUAs in the Mobile Environment

This paper by SophosLabs researchers Vanja Svajcer and Sean McDonald introduces a structured PUA taxonomy for mobile apps, which can be applied both by security vendors and by mobile app developers. It was presented at the Virus Bulletin 2013 conference in Berlin.

Trapping Unknown Malware in a Context Web

In this paper, SophosLabs researchers Numaan Huq and Peter Szabo demonstrate combining URL information, e.g., keywords, patterns, paths, etc., with file properties to create web-context detections (WCD). It was presented at the Virus Bulletin 2013 conference in Berlin.

Ransomware: Next-Generation Fake Antivirus

Ransomware may often be compared to fake antivirus in the way it operates and the motivation behind it. However, fake antivirus plays on the security fears and calls for the user to take actions in self-preservation, whereas ransomware works either as extortion or punishment. This paper describes in detail our findings about the motivations, strategies and techniques utilized in creating and propagating ransomware.

Inside a Black Hole: Part 2

The first part of this paper concluded in the deobfuscation of the server code which, while not complete, was still sufficient for a general understanding of the operation. It enabled us to follow the procession of the events both from the client and server side. The client side events we have already documented in detail. This paper attempts to fill in the missing server side piece.

Inside a Black Hole

Without exception the most actively deployed exploit kit in the past year was the Blackhole exploit kit. Now that the much heralded 2.0 version of the kit is out, it is safe to gradually release information about the previous 1.x version. The first portion of this paper will concentrate on the stolen 1.0.2 version of the exploit kit. A more comprehensive version of this material was published in the October issue of the Virus Bulletin magazine.

The ZeroAccess Botnet: Mining and Fraud for Massive Financial Gain

Since our last paper on ZeroAccess the authors have made significant changes. In this paper we will examine those changes and take a closer look at the ZeroAccess botnet itself, exploring its size, functionality and purpose. We will explain in detail how the peer-to-peer protocol works, what network traffic is created, and how the bot phones home during installation. Then we will examine the plugin files that the botnet downloads: what these files are, what they do and how they work.

Exploring the Blackhole Exploit Kit

This paper lifts the lid on the Blackhole kit, describing how it works and detailing the various components that are used to exploit victim machines infecting them with malware.


In this paper we will explore the ZeroAccess threat; from the distribution mechanisms used to spread it, through the installation procedure, memory residence and payload. We examine how ZeroAccess works and what its ultimate goal is.

Fake Antivirus: Journey from Trojan to a Persistent Threat

 In this paper, we study the evolution of FakeAV over the last three-and-a-half years. We analyze the major FakeAV events, infection vectors and some important anti-emulation/anti-reverse engineering (RE) tricks used by FakeAV packers.

A time-based analysis of Rich Text Format manipulations: a deeper analysis of the RTF exploit CVE-2010-3333 

This paper explores the continued distribution of the exploit CVE-2010-3333. By examining the differences seen the paper will explore the reasons for the continued prevalence.

Popureb - A small rootkit with a big reputation

New rootkits always garner attention from the malware research community and often panic among end-users. This paper dissects the workings of Popureb and explains how to safely restore affected computers to their original state.

What is Zeus? 

This paper will explore the various components of the Zeus kit from the Builder through to the configuration file; examine in detail the functionality and behaviour of the Zbot binary; and assess emerging and future trends in the Zeus world. 

Want my autograph? The use and abuse of digital signatures by malware

This paper discusses the abuses of digital signatures and possible approaches to turn the criminals' investment in their fraudulent reputation into additional protection mechanisms.

This paper was presented at Virus Bulletin in Vancouver, 2010

Finding rules for heuristic detection of malicious PDFs: With analysis of embedded exploit code

This paper, presented at Virus Bulletin 2010 in Vancouver, shows tips and tricks to help with classification and detection of malicious PDFs.

This paper was presented at Virus Bulletin in Vancouver, 2010

Malware with your Mocha? Obfuscation and antiemulation tricks in malicious JavaScript

Fraser Howard of SophosLabs describes the tactics that attackers use to hide malicious JavaScript from detection and analysis.

Poisoned search results: How hackers have automated search engine poisoning attacks to distribute malware

Fraser Howard and Onur Komili of SophosLabs describe in this paper recent research by SophosLabs into how attackers are using blackhat Search Engine Optimization (SEO) techniques to stuff legitimate websites with content designed to rank highly in search engine results, yet redirect users to malicious sites.

The Partnerka — What is it, and why should you care?

In this paper Dmitry Samosseiko of SophosLabs Canada discusses and analyzes the Russian 'partnerka' networks, their economic model, and their relation to spam and malware. It will reveal some ‘insider’ statistics and information, show the tools used for ‘black SEO’ (search engine optimizations), and explain its terminology and techniques. This technical paper also discusses how traditional email spam evolved into a complex web-based industry, creating new challenges for law enforcement, user education and for security labs.

This paper was presented at the Virus Bulletin Conference in Geneva, 2009.

Affiliate web-based malware

This paper will attempt to show some straightforward affiliate networks, with more detailed analysis of some affiliate malware delivery systems.

This paper was presented at Virus Bulletin in 2008.

10 steps to better secure your Mac laptop from physical data theft

This paper describes the steps that Mac users can take to improve the physical security of their laptops — away from the safety of the corporate environment with its security controls and into new environments with new risks and threats — discussing the context and benefits of each change.

Securing websites

In this updated paper Fraser Howard, principal virus researcher at Sophos, discusses some of the common ways that web servers are attacked, the reasons why they are targeted, and details various techniques in which they — and the websites they host — can be protected.

Modern web attacks

In this paper, Fraser Howard, principal virus researcher at Sophos, explores how modern malware uses the web to infect victims. The increased use of compromised websites in attacks is discussed and illustrated with examples of real attacks. Finally, methods to defend against such attacks are discussed.

The game goes on: An analysis of modern spam techniques

This paper analyses the many modern anti-anti-spam techniques, with statistical reports and real-life examples. Methods of combating these often highly effective and 'popular' spam techniques are explored.

This paper was presented at the VB Conference 2006

Can strong authentication sort out phishing and fraud?

Leading anti-malware expert, Paul Ducklin, addresses the following questions: can strong authentication (especially so-called two factor authentication) sort out phishing and fraud? Will smarter technology leave us safe from organized crime, or are there aspects of phishing and on-line fraud which will allow the bad guys to keep stealing from unfortunate victims no matter what we do?

This paper was presented at the VB Conference 2006

The challenge of detecting and removing installed threats

In this paper, Jason Bruce, Detection Development Manager at SophosLabs, discusses scanning techniques for detecting and removing threats that have been installed on computers, with a focus on the difficulties faced in removing threats that are comprised of many installed components. Jason concludes by highlighting that the measure of success of threat removal is not always as clear cut as the measures used in the detection tests the industry has become used to.

This paper was presented at the VB Conference 2006

download Sophos Virus Removal Tool (無償) のダウンロード