Virus Bulletin - July 2011

Editor: Helen Martin

Technical Consultant: John Hawes

Technical Editor: Morton Swimmer

Consulting Editors: Ian Whalley, Nick FitzGerald, Richard Ford, Edward Wilding



Tumblr attacks – what to watch out for

‘Tumblr is definitely a hot property for scammers, and users should be very careful.' Christopher Boyd, GFI Software.

Christopher Boyd - GFI Software


Anti-phishing feature for Gmail

Gmail users get helping hand in avoiding phishing scams.

Helen Martin - Virus Bulletin, UK

Spam levels take a nose dive

Spamming losing its attraction for criminal operators?

Helen Martin - Virus Bulletin, UK

Malware prevalence report

May 2011

The Virus Bulletin prevalence table is compiled monthly from virus reports received by Virus Bulletin; both directly, and from other companies who pass on their statistics.

Malware analyses

Toll fraud: SipPhreak

PHP/SipPhreak.A acts like an ancient SMTP open relay scanner, but with a twist: it targets open or vulnerable SIP devices instead of mail servers. Alexis Dorais-Joncas gives a detailed analysis of this threat - which is probably the initial step in a broader toll fraud scheme.

Alexis Dorais-Joncas - ESET, Canada

SpyEye malware infection framework

The SpyEye bot has a sophisticated, modular design and has improved its capabilities over time. In this article, Aditya Sood and colleagues examine SpyEye’s modules and map out how they are initialized and how they interact with each other, providing an insight into the design and methods of the bot, and into an effective instance of modern malware.

Aditya K Sood - Michigan State University, USA, Richard J Enbody - Michigan State University, USA & Rohit Bansal - SecNiche Security, USA

Technical feature

Reversing Python objects

As Python has gained popularity with malware writers, new bytecode obfuscation techniques have started to appear. Aleksander Czarnowski describes some of those techniques.

Aleksander P. Czarnowski - AVET Information and Network Security, Poland


Not so random

Pseudorandom generators are increasingly becoming an integral component of modern malware. Raul Alvarez shows how Conficker uses a pseudorandom generator to produce random domain names while retaining its ability to communicate with the Command and Control (C&C) server.

Raul Alvarez - Fortinet, Canada

Comparative review - updated 1 Aug

VBSpam comparative review July 2011

The 14th VBSpam test showed both a number of excellent performances as well as some that leave room for improvement. Martijn Grooten has all the details.

Martijn Grooten - Virus Bulletin, UK


Anti-malware industry events

Must-attend events in the anti-malware industry - dates, locations and further details.


Latest articles:

Run your malicious VBA macros anywhere!

Kurt Natvig wanted to understand whether it’s possible to recompile VBA macros to another language, which could then easily be ‘run’ on any gateway, thus revealing a sample’s true nature in a safe manner. In this article he explains how he recompiled…

Dissecting the design and vulnerabilities in AZORult C&C panels

Aditya K Sood looks at the command-and-control (C&C) design of the AZORult malware, discussing his team's findings related to the C&C design and some security issues they identified during the research.

Excel Formula/Macro in .xlsb?

Excel Formula, or XLM – does it ever stop giving pain to researchers? Kurt Natvig takes us through his analysis of a new sample using the xlsb file format.

Decompiling Excel Formula (XF) 4.0 malware

Office malware has been around for a long time, but until recently Excel Formula (XF) 4.0 was not something researcher Kurt Natvig was very familiar with. In this article Kurt allows us to learn with him as he takes a deeper look at XF 4.0.

APT vs Internet service providers – a threat hunter's perspective

Organizations in the telecommunications sector are faced with a multitude of threats, ranging from targeted attacks to malicious actions attributable to the criminal or activist world. Telsy researcher Emanuele De Lucia reports what he observed in…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.