New variant is spreading
Beware of the Zlob
By WZ Online
One of the most successful pests of 2007 is Zlob. It's spyware that often claims to be a needed video codec to view copy-protected media. MicroWorld Technologies has just found a new variant.
Once installed, Zlob variants typically show fake error messages designed to trick the computer user into installing and buying rogue antispyware products.
Security experts at MicroWorld Technologies warn that a new Zlob variant named Zlob.fes is spreading among unsuspecting computer users. When a user visits certain websites, harmful code named Trojan.HTML.Agent.e is downloaded without the user's knowledge. This file displays an error message that says the browser has encountered an ActiveX error and needs to download a codec to play a video file.
When a user clicks the Yes button and proceeds to download the codec, a License Agreement is displayed to make him believe that the program is authentic. The name of the downloaded file is VideoAccessCodecInstall.exe, which in fact is Zlob.fes. Once inside the computer, Zlob.fes downloads many other kinds of malware.
Other pests from the Zlob gang, such as DNSChanger, silently reconfigure the computer's DNS server settings. DNS servers are responsible for converting people-friendly text URLs into computer-friendly numeric IP addresses. Once the DNS settings are changed to point at the gang's servers, the Zlob gang is in control of the Web browser's destination.
They generate money by redirecting Web searches. Should the victim search for "air fare", Zlob's sponsored revenue-generating link will be put at the top of the results.
Zlob makes money by acting as a parasite. Stealing data from their victims is not the goal, and they don't steal the computer's resources to build a botnet either. What the Zlob gang prefers is to use their victims. As the victim does not suffer undue harm, many may not even realize how they are being used.
The Zlob gang expanded their target audience in late October with the introduction of DNSChangers for the Mac OS X platform.
(Source: F-Secure)
26.12.2007