Naked Security Naked Security

4 ways SophosLabs is advancing protection against cyberthreats

Find out how researchers from SophosLabs are helping us build better protection against mobile malware, banking Trojans, and advanced persistent threats.


A few weeks ago was the 25th annual Virus Bulletin International Conference, where the top security minds come together to share their research and talk about where we are and where we need to go as an industry.

SophosLabs was well represented, with five of our researchers presenting four new papers on diverse topics, from mobile security to banking malware and advanced persistent threats.

If there was a common thread running through them, it’s that SophosLabs researchers are always coming up with new and novel ways to identify and analyze threats, helping us build better protection into our products.

Now that the VB 2015 conference is over, we’d like to share a bit more detail about each of the papers and the researchers behind them, and show you how to learn more about our labs.

New mobile threat: the rise of cross-platform mobile malware

Mobile malware is becoming hugely popular with cybercriminals because of the vast number of people now using mobile devices for things like email, web surfing, banking and social media, making our smartphones and tablets valuable targets.

We often write at Naked Security about new malware threats to Android, but iOS malware is beginning to crop up too, even in Apple’s App Store.

SophosLabs researchers William Lee and Xinran Wu have discovered that malware writers are beginning to use tools that allow them to create malware for all of the major mobile platforms.

As they explain in their research paper – Cross-Platform Mobile Malware: Write Once, Run Everywhere – security researchers face greater challenges in analyzing and detecting mobile malware because multi-platform tools allow them to hide their malicious code.

William and Xinran examined the package structures of some samples of cross-platform mobile malware, and came up with a solution for identifying an application’s framework type and writing detection signatures for malware based on those frameworks.

New methods for effectively testing APT defenses

The notion of “advanced persistent threats” (APTs) has generated a fair amount of controversy in security circles – and a lot of disagreement about how to even define them.

Many security products (including Sophos’s) offer protection against APTs. Although an APT doesn’t have to be particularly “advanced” to compromise a target, APT attackers are “persistent” and will keep trying until they find a security hole to get around defenses.

Because APT attacks are dynamic threats, measuring and comparing APT defenses is problematic for independent testers.

SophosLabs Principal Researcher Gabor Szappanos and his colleagues at Dennis Technology Labs and the Florida Institute of Technology have come up with a solution, which they describe in their paper titled Effectively Testing APT Defenses.

Gabor and his co-authors describe some potential ways forward which can help testers develop real-world attack scenarios for testing APT defenses.

Analyzing security features in Android 5.0 Lollipop

At the time research papers were being accepted for the VB 2015 conference, Google’s newest version of Android, boasting a raft of new security features, was Android 5.0 (Lollipop).

Sophoslabs senior researchers William Lee and Rowland Yu took a deep dive into Android 5.0 to find out if SEAndroid and containerization could be the answer to security concerns in an increasingly “BYOD” corporate environment.

As the paper explains, SEAndroid stands for Security Enhancements for Android, which enforces system-wide security policies; containerization refers to the separation of data into an encrypted zone on the device, and the ability to manage access to the zone.

However, William and Rowland look in depth at the Android malware and “potentially unwanted application” (PUA) landscape, and demonstrate that SEAndroid and containerization have their limits and can still be exploited.

This paper is a great read for anyone interested in the explosion of Android malware such as SMS senders, and spyware, ransomware and banking Trojans for Android that seem to be following in the footsteps of Windows malware.

Using an automated system to analyze banking malware

The final paper presented by SophosLabs at VB 2015 comes from senior threat researcher James Wyke, whom regular Naked Security readers might know as an occasional contributing writer here when he’s not too busy analyzing new strains of financial malware or studying crimeware like the infamous Zeus and its many offshoots.

Fortunately for us, James should have more time on his hands, after creating a system to automate data extraction from banking malware families like Vawtrak, Dyreza and Dridex.

In his research paper, titled Breaking the Bank(er): Automated Configuration Data Extraction from Banking Malware, James explains that data extraction is a time-consuming and repetitive task that is better left to systems, freeing up analysts to concentrate on the hard part of analysis.

He describes our automated system, built on a sandboxing program called Cuckoo, and how it extracts and processes data before sending it on to other systems for analysis.

James gives examples of how automated data extraction helps us learn information about malware families and malware authors that we can use to detect future variants and build more robust protection.

Stay in the know – here’s how to keep up with SophosLabs

You can follow all the developments and discoveries happening at SophosLabs right here at Naked Security and on the Sophos Blog.

Make sure to sign up for our daily Naked Security newsletter, like our Facebook page, or follow us on Twitter.

And be sure to listen to our weekly Chet Chat podcast, featuring Sophos experts Paul Ducklin and Chester Wisniewski, who always have interesting (and occasionally funny) things to say about the fast-moving world of security.

Give it a try and listen to the special episode recorded at this year’s Virus Bulletin conference.


(Audio player above not working? Download MP3 or listen on Soundcloud.)

Leave a Reply

Your email address will not be published. Required fields are marked *