ZLOB Trojan
Original issue date: November 06, 2007
Updated: October 01, 2008
It has been observed that various variants of the ZLOB family of Trojans are spreading widely. These Trojans pretend to be "Codec" applications used for playing video files.
This Trojan topped the number of detections by the Malicious Software Removal Tool (MSRT).
ZLOB Trojans first appeared in late 2005. Initial variants were used to download malware and updated copies of malware, and ensured that other variants of the malware kept running by re-executing their processes. In 2006 ZLOB variants started spreading through email spam containing links to a video file. Some ZLOB variants are also dropped by other malware.
It arrives on the system as a mail message:
Subject: Help
Message body:
Hi! How are you?
I started my own website! Can you check it?
It's http://www.{BLOCKED}.com/test . Did you see video?
Thank's!
Once unsuspecting users click on the link, they are indeed redirected to a site that contains a video file. This video does not seem to be working because it needs a special codec in order to play properly. Users are then prompted to download and install the "codec", which is actually a copy of the Trojan.
It displays a fake End User License Agreement (EULA) to trick users into thinking that they are installing a video codec.
The ZLOB family of Trojans performs the following actions:
- Encrypts data: a data encryption routine is used by ZLOB variants and some other malware to hide their malicious routines and the data gathered from the infected system.
- Prompts for installing a special codec (coder-decoder) for playing the video properly, which is actually a copy of the Trojan. The Trojan variant displays a fake End-User License Agreement (EULA) in order to trick the user.
- Downloads adware and rogue anti-spyware. ZLOB variants can persuade the user into purchasing fake anti-spyware by displaying warnings saying the system is infected with spyware and guiding them to the vendor websites through a link. Credit card information used for the purchase can also be stolen by the malware.
- Alters DNS settings. Variants such as TROJ_ZLOB.ALE modify the registry of the infected system to alter its DNS settings, such that it connects to a remote DNS server controlled by the attacker. It redirects the user to adult-themed sites.
- Attempts to reconfigure different routers and DNS. Variants such as TROJ_ZLOB.CCT do this by sending requests to the local Web page for the various setup wizards bundled with the said routers. Variants like TROJ_ZLOB.CCS connect to a remote IP address.
Upon execution, the Trojan variants:
- Create a copy of themselves on the computer, in locations such as:
<program files>\messenger\msmsgs.exe
<system folder>\tgbrfv_.exe
<system folder>\cmd.exe
%User Temp%\tmp{random characters}.tmp
- Create registry keys such as:
Set "<file path to Trojan executable>" under key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
HKEY_CURRENT_USER\Software\Classes\CLSID\{84938242-5C5B-4A55-B6B9-A1507543B418}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{84938242-5C5B-4A55-B6B9-A1507543B418}
Set "notepad.exe" = "<dropped copy>", under key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
Set "Start" = "2", under key HKLM\SYSTEM\CurrentControlSet\Services\pnpsvc
Set "EventMessageFile" = "<dropped copy>", under key HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\pnpsvc
Set "(default)" = "service", under key HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pnpsvc
- Modify the following registry entries to enable automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
{random file name}.exe = "{random hex value}"
- Reconfigure the router and DNS settings. They do this as follows:
- The Trojan first requests the Web page used to set up the router for initial use. The file names used suggest that targeted routers may include Linksys and D-Link.
- Some of the requests are the following:
- /index.asp
- /dlink/hwiz.html
- /wizard.htm
- /home.asp
- Upon accessing the configuration page, the Trojan tries a predefined list of username and password combinations. The username:password combinations are given at the end.
- If login succeeds, the Trojan modifies the system's DNS records to lead all traffic to malicious URLs.
- DNS will be changed to the following:
- Primary Name Server: 85.{BLOCKED}.{BLOCKED}.164
- Alternate Name Server: 85.{BLOCKED}.{BLOCKED}.81
- Modify DNS settings by either HTTP POST or GET, depending on the router. Some of the requests are the following:
- {ip address of router}/apply.cgi%parameter%
- {ip address of router}/cgi-bin/prim%parameter%
- {ip address of router}/cgi-bin/rebo?%parameter%
- {ip address of router}/ether.cgi%parameter%
- {ip address of router}/setup.cgi%parameter%
where %parameter% stands for the parameters that change the DNS settings.
- Connect to IP addresses such as:
http://{BLOCKED}.255.{BLOCKED}237/index.php
http://{BLOCKED}.50.{BLOCKED}.24/gather.php
- Inject remote threads into other processes, such as:
- winlogon.exe
- services.exe
- svchost.exe
- explorer.exe
- spoolsv.exe
- msmsgs.exe
- vmsrvc.exe
- Connect to remote Web servers on TCP port 80, such as:
- http: //a-search.biz/
- http: //zloeboogle.biz/info
- http: //freeprohosting.net
- http: //syshosts.com
- Check whether the user has visited the following Web sites and terminate execution if a match is found-->
- Reconfigure the IE default start page, for example:
- Set the "Start Page" value under the key HKCU\Software\Microsoft\Internet Explorer\Main to values such as "http://mysearchpage.biz/home.html" or "http://a-search.biz/"
- Set "CustomizeSearch" = "http://mysearchpage.biz/customizesearch.html", under the key HKLM\SOFTWARE\Microsoft\Internet Explorer\Search
- Some variants listen for commands from a remote attacker to perform some of the following actions on the compromised computer:
- Ping remote computers
- Report the status of the threat
- Download and execute remote files
- Display fake spyware detection alerts and persuade the user to purchase rogue anti-spyware products.
- Download and install rogue anti-spyware and adware applications such as:
- SpyAxe
- SpyFalcon
- SpywareQuake
- SpywareStrike
- WinAntivirusPro
- MalwareWipe
- Some of the username and password (username:password format) combinations used by the Trojan are the following-->
In view of the rapid propagation of ZLOB Trojan variants, users are advised to implement the following countermeasures:
- Delete executables with the above-mentioned names.
- Delete the registry keys made by the Trojan as mentioned above.
- Create strong passwords, using a mix of alphanumeric characters, symbols, and uppercase and lowercase letters. Passwords should be at least eight characters long and should be changed regularly.
- Install and maintain updated anti-virus software at gateway and desktop level.
- Keep up-to-date on patches and fixes for the operating system.
- Install and maintain a desktop firewall and block the ports which are not required.
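As a defender-side check for the router reconfiguration sequence described above (a request to a router setup-wizard page, followed by a request to a configuration endpoint), here is an added Python example that is not part of the CERT-In advisory: it correlates requests in a constructed proxy/IDS HTTP log and reports a client that hits a setup page and then a configuration endpoint on the same gateway within a short window. The log format, the sample log lines and the gateway address 192.168.1.1 are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of a proxy/IDS HTTP request log (not real data):
# "<ISO timestamp> <client IP> <method> <host> <path>"
SAMPLE_LOG = """\
2008-06-10T10:00:01 192.168.1.23 GET 192.168.1.1 /index.asp
2008-06-10T10:00:02 192.168.1.23 GET 192.168.1.1 /dlink/hwiz.html
2008-06-10T10:00:05 192.168.1.23 POST 192.168.1.1 /apply.cgi
2008-06-10T10:30:00 192.168.1.40 GET 192.168.1.1 /home.asp
2008-06-10T11:00:00 192.168.1.55 GET www.example.com /index.asp
2008-06-10T12:00:00 192.168.1.77 POST 192.168.1.1 /setup.cgi
"""

# Setup-wizard pages the advisory lists (the Trojan's first requests)
WIZARD_PATHS = {"/index.asp", "/dlink/hwiz.html", "/wizard.htm", "/home.asp"}
# Configuration endpoints the advisory lists for the DNS change; the
# parameters may follow as a query string, so match only the path prefix
CONFIG_RE = re.compile(r"^/(apply\.cgi|cgi-bin/prim|cgi-bin/rebo|ether\.cgi|setup\.cgi)")
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+)$")


def parse_log(log_text):
    """Yield (timestamp, client, method, host, path); skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, host, path = m.groups()
            yield datetime.fromisoformat(ts), client, method, host, path


def detect_router_reconfig(log_text, gateways, window=timedelta(minutes=5)):
    """Return (client, gateway, path) for every configuration request that
    follows a wizard-page request from the same client to the same gateway
    within `window`. A lone wizard hit (an admin browsing the router UI) or
    a config request with no prior wizard hit is not reported."""
    last_wizard = {}          # (client, gateway) -> time of last wizard hit
    findings = []
    for ts, client, _method, host, path in parse_log(log_text):
        if host not in gateways:
            continue          # only traffic to known router addresses matters
        if path in WIZARD_PATHS:
            last_wizard[(client, host)] = ts
        elif CONFIG_RE.match(path):
            seen = last_wizard.get((client, host))
            if seen is not None and ts - seen <= window:
                findings.append((client, host, path))
    return findings
```

On the sample log only 192.168.1.23 is reported: 192.168.1.40 only browsed a setup page, 192.168.1.55 requested /index.asp on a non-router host, and 192.168.1.77 posted to /setup.cgi with no preceding wizard request.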
References
Microsoft
http://www.microsoft.com/security/portal/Entry.aspx?name=TrojanDownloader:Win32/Zlob.gen!P
http://www.microsoft.com/security/portal/Entry.aspx?name=TrojanDownloader:Win32/Zlob.gen!O
http://www.microsoft.com/security/portal/SearchResults.aspx?query=win32%2Fzlob
Trend Micro
http://www.trendmicro.com/vinfo/secadvisories/default6.asp?VNAME=The+ZLOB+Show%3A+Trojan+poses+as+fake+video+codec%2C+loads+more+threats
http://blog.trendmicro.com/rogue-domain-name-system-servers-part-2/
http://blog.trendmicro.com/new-zlob-rigs-routers/
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_ZLOB.CCS&VSect=T
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_ZLOB.CCT&VSect=T
WashingtonPost
http://blog.washingtonpost.com/securityfix/2008/06/malware_silently_alters_wirele_1.html
Disclaimer: The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003