Zlob trojan

Last updated

Zlob
Technical name
  • TrojanDownloader:Win32/Zlob (Microsoft)
  • Trojan.Zlob (Symantec)
  • Trojan.Zlob.[Letter] (Symantec)
  • Trojan-Downloader:W32/Zlob (F-Secure)
  • Win32.Trojandownloader.Zlob (F-Secure)
  • Trojan-Downloader.Win32.Zlob (F-Secure)
  • TROJ_ZLOB.[Letter] (Trend Micro)
  • Trojan-Downloader.Win32.Zlob.[letter] (Kaspersky)
  • Downloader.Win32.Zlob.[Letter] (Kaspersky)
  • TR/Dldr.Zlob.Gen (Avira)
  • TR/Drop.Zlob.[Letter] (Avira)
TypeMalware
SubtypeSpyware

The Zlob Trojan, identified by some antiviruses as Trojan.Zlob, is a Trojan horse which masquerades as a required video codec in the form of ActiveX. It was first detected in late 2005, but only started gaining attention in mid-2006. [1]

Contents

Once installed, it displays popup ads which appear similar to real Microsoft Windows warning popups, informing the user that their computer is infected with spyware. Clicking these popups triggers the download of a fake anti-spyware program (such as Virus Heat and MS Antivirus (Antivirus 2009)) in which the Trojan horse is hidden. [1]

The Trojan has also been linked to downloading atnvrsinstall.exe which uses the Windows Security shield icon to look as if it is an anti-virus installation file from Microsoft. Having this file run can wreak havoc on computers and networks. One typical symptom is random computer shutdowns or reboots with random comments.[ further explanation needed ] This is caused by the programs using Task Scheduler to run a file called "zlberfker.exe."

Project Honeypot Spam Domains List (PHSDL) [2] tracks and catalogs spam domains. Some of the domains on the list are redirects to porn sites and various video watching sites that show a number of online videos. Playing videos on these sites activates a request to download an ActiveX codec which is malware. It prevents the user from closing the browser in the usual manner. Other variants of Zlob Trojan installation come in the form of a Java cab file masquerading as a computer scan. [3]

There is evidence that the Zlob Trojan might be a tool of the Russian Business Network [4] or at least of Russian origin. [5]

RSPlug, DNSChanger, and other variants

The group that created Zlob has also created a Mac Trojan with similar behaviors (named RSPlug). [6] Some variants of the Zlob family, like the so-called "DNSChanger", add rogue DNS name servers to the registry of Windows-based computers [7] and attempt to hack into any detected router to change the DNS settings, potentially re-routing traffic from legitimate web sites to other suspicious web sites. [8] DNSChanger in particular gained significant attention when the U.S. FBI announced it had shut down the source of the malware in late November 2011. [9] However, as there were millions of infected computers which would lose access to the Internet if the malware group's servers were shut down, the FBI opted to convert the servers into legitimate DNS servers. Due to cost concerns, however, these servers were set to shut down on the morning of 9 July 2012, which could cause thousands of still-infected computers to lose Internet access. [10] This server shutdown did occur as planned, although the expected issues with infected computers did not materialize. By the date of the shutdown, there were many free of charge programs available that removed the Zlob malware effectively and without requiring great technical knowledge. The malware did however remain in the wild and as at 2015 could still be found on unprotected computers. The malware was also self-replicating, something the FBI did not fully understand, and the servers that were shut down may have only been one of the initial sources of the malware. Current antivirus programs are very effective at detecting and removing Zlob and its time in the wild appears to be coming to an end.[ citation needed ][ needs update ]

See also

Related Research Articles

<span class="mw-page-title-main">Timeline of computer viruses and worms</span> Computer malware timeline

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

<span class="mw-page-title-main">Scareware</span> Malware designed to elicit fear, shock, or anxiety

Scareware is a form of malware which uses social engineering to cause shock, anxiety, or the perception of a threat in order to manipulate users into buying unwanted software. Scareware is part of a class of malicious software that includes rogue security software, ransomware and other scam software that tricks users into believing their computer is infected with a virus, then suggests that they download and pay for fake antivirus software to remove it. Usually the virus is fictional and the software is non-functional or malware itself. According to the Anti-Phishing Working Group, the number of scareware packages in circulation rose from 2,850 to 9,287 in the second half of 2008. In the first half of 2009, the APWG identified a 585% increase in scareware programs.

Norton AntiVirus is an anti-virus or anti-malware software product founded by Peter Norton, developed and distributed by Symantec since 1990 as part of its Norton family of computer security products. It uses signatures and heuristics to identify viruses. Other features included in it are e-mail spam filtering and phishing protection.

Graybird is a Trojan horse that hides its presence on compromised computers and downloads files from remote Web sites. There are many variations of this virus.

Mobile malware is malicious software that targets mobile phones or wireless-enabled Personal digital assistants (PDA), by causing the collapse of the system and loss or leakage of confidential information. As wireless phones and PDA networks have become more and more common and have grown in complexity, it has become increasingly difficult to ensure their safety and security against electronic attacks in the form of viruses or other malware.

<span class="mw-page-title-main">WinFixer</span> Rogue security software

WinFixer was a family of scareware rogue security programs developed by Winsoftware which claimed to repair computer system problems on Microsoft Windows computers if a user purchased the full version of the software. The software was mainly installed without the user's consent. McAfee claimed that "the primary function of the free version appears to be to alarm the user into paying for registration, at least partially based on false or erroneous detections." The program prompted the user to purchase a paid copy of the program.

The Vundo Trojan is either a Trojan horse or a computer worm that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook. It also is used to deliver other malware to its host computers. Later versions include rootkits and ransomware.

Trojan.Emcodec.E is a trojan horse that is mis-represented as an audio and video codec for Windows-based PCs. It exists in various variants with names such as Media Codec, Ecodec, Imediacodec, IntCodec, Pcodec, SVideocodec, Video iCodec, QualityCodec, Vcodec, Zip Codec, zCodec, ZCODEC and began to be widely used in spring 2005.

Rogue security software is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and aims to convince them to pay for a fake malware removal tool that actually installs malware on their computer. It is a form of scareware that manipulates users through fear, and a form of ransomware. Rogue security software has been a serious security threat in desktop computing since 2008. An early example that gained infamy was SpySheriff and its clones, such as Nava Shield.

<span class="mw-page-title-main">SpySheriff</span> Spyware

SpySheriff is malware that disguises itself as anti-spyware software. It attempts to mislead the user with false security alerts, threatening them into buying the program. Like other rogue antiviruses, after producing a list of false threats, it prompts the user to pay to remove them. The software is particularly difficult to remove, since it nests its components in System Restore folders, and also blocks some system management tools. However, SpySheriff can be removed by an experienced user, antivirus software, or by using a rescue disk.

<span class="mw-page-title-main">Storm Worm</span> Backdoor Trojan horse found in Windows

The Storm Worm is a phishing backdoor Trojan horse that affects computers using Microsoft operating systems, discovered on January 17, 2007. The worm is also known as:

Koobface is a network worm that attacks Microsoft Windows, Mac OS X, and Linux platforms. This worm originally targeted users of networking websites such as Facebook, Skype, Yahoo Messenger, and email websites such as GMail, Yahoo Mail, and AOL Mail. It also targets other networking websites, such as MySpace, Twitter, and it can infect other devices on the same local network. Technical support scammers also fraudulently claim to their intended victims that they have a Koobface infection on their computer by using fake popups and using built-in Windows programs.

Gumblar is a malicious JavaScript trojan horse file that redirects a user's Google searches, and then installs rogue security software. Also known as Troj/JSRedir-R this botnet first appeared in 2009.

Daprosy worm was a malicious computer program that spreads via local area network (LAN) connections, spammed e-mails and USB mass storage devices. Infection comes from a single read1st.exe file where several dozen clones are created at once bearing the names of compromised folders. The most obvious symptom of Daprosy infection is the presence of Classified.exe or Do not open - secrets!.exe files from infected folders.

The RSPlug Trojan horse, a form of DNSChanger, is malware targeting the Mac OS X operating system. The first incarnation of the trojan, OSX.RSPlug.A, was discovered on October 30, 2007 by Mac security researchers at Intego.

MS Antivirus is a scareware rogue anti-virus which purports to remove virus infections found on a computer running Microsoft Windows. It attempts to scam the user into purchasing a "full version" of the software. The company and the individuals behind Bakasoftware operated under other different 'company' names, including Innovagest2000, Innovative Marketing Ukraine, Pandora Software, LocusSoftware, etc.

DNSChanger is a DNS hijacking Trojan. The work of an Estonian company known as Rove Digital, the malware infected computers by modifying a computer's DNS entries to point toward its own rogue name servers, which then injected its own advertising into Web pages. At its peak, DNSChanger was estimated to have infected over four million computers, bringing in at least US$14 million in profits to its operator from fraudulent advertising revenue.

Sality is the classification for a family of malicious software (malware), which infects Microsoft Windows systems files. Sality was first discovered in 2003 and has advanced to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network to form a botnet to relay spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks to process intensive tasks. Since 2010, certain variants of Sality have also incorporated rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered one of the most complex and formidable forms of malware to date.

Slenfbot is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Slenfbot was first discovered in 2007 and, since then, numerous variants have followed; each with slightly different characteristics and new additions to the worm's payload, such as the ability to provide the attacker with unauthorized access to the compromised host. Slenfbot primarily spreads by luring users to follow links to websites, which contain a malicious payload. Slenfbot propagates via instant messaging applications, removable drives and/or the local network via network shares. The code for Slenfbot appears to be closely managed, which may provide attribution to a single group and/or indicate that a large portion of the code is shared amongst multiple groups. The inclusion of other malware families and variants as well as its own continuous evolution, makes Slenfbot a highly effective downloader with a propensity to cause even more damage to compromised systems.

Trojan.Win32.DNSChanger is a backdoor trojan that redirects users to various malicious websites through the means of altering the DNS settings of a victim's computer. The malware strain was first discovered by Microsoft Malware Protection Center on December 7, 2006 and later detected by McAfee Labs on April 19, 2009.

References

  1. 1 2 "The ZLOB Show: Trojan Poses as Fake Video Codec, Loads More Threats". Trend Micro. Retrieved 26 November 2007.
  2. Project Honeypot Spam Domains List
  3. PHSDL Zlob Trojan Forum Spam Hijacking Attempt Documentation
  4. "RBN – Fake Codecs".
  5. "TCP – Проект Киберкультуры | Zlob Team".
  6. Tung, Liam (8 November 2007). "Multiplying Mac Trojan not epidemic yet". CNET News. Retrieved 26 November 2007.
  7. Podrezov, Alexey (7 November 2005). "F-Secure Virus Descriptions: DNSChanger". F-Secure Corporation. Retrieved 26 November 2007.
  8. Vincentas (9 July 2013). "Zlob Trojan in SpyWareLoop.com". Spyware Loop. Retrieved 28 July 2013.
  9. "International Cyber Ring That Infected Millions of Computers Dismantled". U.S. FBI. 9 November 2011. Retrieved 6 June 2012.
  10. Kerr, Dara (5 June 2012). "Facebook warns users of the end of the Internet via DNSChanger". CNET. Retrieved 6 June 2012.

Anti Zlob Malware Forums