A day in the life – Fraser Howard, principal virus researcher, Sophos
 Posted by SecExtra on March 04th, 2008

6am: Woken either by clock radio (FiveLive) or youngest daughter, whichever makes sufficient noise first.  Shortly afterwards I wander downstairs and call our two dogs.  Time for their morning walk.  After a quick shower I grab some breakfast, before driving to the office.

8.30am: Arrive at the office.  While logging on, fetch a cup of tea (Earl Grey, weak).  I work from the office for the majority of the time.  After dealing with any email that needs my attention, I try to spend a little time reviewing various mailing lists, blogs and other sites for any recent updates of interest.  Keeping in touch with information from a wide variety of sources is important.  Aside from helping us to pre-empt questions the lab may receive (from other Sophos employees or customers), keeping in touch with developments in all areas of IT security is necessary.  The job involves a lot more than simply malicious file analysis nowadays.

10am: Next I review some of the data within our automation systems and information fed back to us from customers and partners.  As usual, this reveals a few items that warrant further investigation.  One of the challenges with dealing with today’s malware is keeping on top of active, persistent campaigns.  Keeping a close watch on how the delivery method and the malware itself changes can help to ensure customers remain protected with proactive detection in place.  From some of the attacks seen today, a couple of the malicious webpages used were undetected.  I modify the appropriate detections and submit them for review and publishing.  Publishing detections, particularly generic ones which you know protect customers from current, active threats, is one of the most satisfying parts of the job.

1pm: A couple of times a week I try to go out for a run at lunchtime.  Running six miles along the river is an effective way to clear your head!  This is the time I often tidy my thoughts around potential topics for a blog entry.

2pm: Showered, refreshed and one sandwich later, I head back up to the lab.  I have been researching Web 2.0 threats recently, for a presentation at a forthcoming conference.  An interesting topic, and one which covers a wide (and continually increasing) range of technologies.  I spend a couple of hours investigating some of the APIs (application programming interfaces) that are publicly available for a variety of web services.

4pm: Education is an important aspect of IT security, and something we take very seriously at Sophos.  One of the projects I am currently helping out with is the production of a video to educate people about the risk web threats present.  Demonstrating how such attacks work is not simple - I am helping out by identifying suitable attacks and working on the storyboard.  This involves figuring out how we can reproduce the attack in a controlled, secure environment so that the necessary screenshots and video can be recorded.

5pm: Checking data within our automation systems reveals more activity from a group I have been keeping an eye on over recent weeks.  The group have been aggressively trying to infect victims with a malicious banking Trojan (Zbot) for several months.  They use a combination of spam and malicious webpages in order to target vulnerabilities in the victim's web browser.  Analysing the latest malicious webpages used, I notice they are using a wide array of exploits, including the recent image uploader vulnerability (CVE-2008-066).  Happily, the Trojan, and the scripts used to infect victims, are already detected.  Before heading home I decide to post an article to the SophosLabs blog to give readers an update on the Zbot situation.  Aside from being interesting, articles posted to the blog can often provide useful information which customers can use (for example, detailing how product features can be configured to combat current, real-life threats).

6pm: FREEDOM!



This entry was posted on Tuesday, March 4th, 2008 at 1:59 am and is filed under IT security.
