Full Version: The End of Zlob
Grinler
The Zlob Trojan, which was one of the most, if not the most, active Trojans displaying advertisements and installing rogue anti-spyware programs, is no longer under development. This Trojan was responsible for promoting and installing rogue anti-spyware programs onto millions of computers. In a message found encoded in one of their Trojans, we learn that the Zlob author is closing down shop and moving on to other malware projects such as shellcodes and rootkits. Though this is good in terms of rogue programs, it does not bode well for the future malware that we will see coming from this, unfortunately, talented programmer.

In October Microsoft wrote about discovering an encoded message in the Zlob Trojan directed towards them by the malware author. This message stated:

QUOTE
I want to see your eyes the man from Windows Defender's team

Recently a group of French malware and security analysts analyzed a newer variant of the Zlob Trojan and found another message encoded in the file. This message contains a farewell from the author and information about the projects he will be involved with in the future.

QUOTE
For Windows Defender's Team: I saw your post in the blog (10-Oct-2008) about my previous message. Just want to say 'Hello' from Russia. You are really good guys. It was a surprise for me that Microsoft can respond on threats so fast. I can't sign here now (he-he, sorry), how it was some years ago for more seriously vulnerability for all Windows ;) Happy New Year, guys, and good luck! P.S. BTW, we are closing soon. Not because of your work. :-)) So, you will not see some of my great ;) ideas in that family of software. Try to search in exploits/shellcodes and rootkits. Also, it is funny (probably for you), but Microsoft offered me a job to help improve some of Vista's protection. It's not interesting for me, just a life's irony.

Over the years, I have had extensive experience with rogue anti-spyware programs, and I can tell you that Zlob was one of the first Trojans of its kind. It used techniques for displaying ads and fake alerts that at the time were unheard of, and though they were not always the most difficult to remove, they were so aggressive in pushing out new versions that it was hard to keep track of them. For example, the rogue called SpywareQuake, in a 2-month period, had over 50 different variants of Zlob advertising it. Below I have included a list, in chronological order, of most of the rogue anti-spyware programs that were promoted via the Zlob Trojan.

Rogue Program Name                                   Approximate Date Introduced
SpyAxe                                               December 2005
SpyFalcon                                            February 2006
SpywareQuake                                         March 2006
VirusBurst                                           August 2006
VirusBurster / VirusBursters                         October 2006
AntiVermins / Antiverminser                          October 2006
SpyDawn                                              February 2007
SpyCrush                                             February 2007
SpyLocked / SpywareLocked                            March 2007
VirusProtect / Virus Protect / VirusProtectPro       July 2007
AntiVirGear                                          September 2007
VirusRay                                             October 2007
VirusHeat                                            February 2008
AntiSpyCheck                                         June 2008
Antivirus Lab 2009                                   September 2008
VirusResponse Lab 2009                               September 2008
VirusTrigger                                         November 2008
AntivirusTrigger                                     November 2008

Since the end of 2005 I have been tracking, monitoring, and writing guides for the removal of these rogues, and I, for one, am glad to see them gone. To read more about this story, including the original write-up from the discoverers, please visit the links below.


Lloyd T
So long, farewell Zlob.

This might be the dawn of a new era in fighting malware. The sinister programmer's new batch of malware would make history, and our malware fighters must always be on guard for the next generation of malware. Good luck to them.

QUOTE
Also, it is funny (probably for you), but Microsoft offered me a job to help improve some of Vista's protection.


I wonder if this is true?
scff249
Good news is that there isn't going to be more Zlob stuff made by this guy. Bad news is that he's working on other programs that'll be even more notorious and an outright PITA. Good news is that we know what to look out for. Bad news is that it could end up being a worst-case scenario, and malware removal communities may get flooded with things and cause more havoc for HJT teams and other malware fighters. Good news....oh wait....I ran out of them.....

Anywho....Yay for the fact that zlob should decrease. Boo to the fact that there will be more rootkits and shellcodes.

....and shutting up.
Lloyd T
QUOTE(scff249 @ Jan 22 2009, 07:16 PM) *
Anywho....Yay for the fact that zlob should decrease. Boo to the fact that there will be more rootkits and shellcodes.


The guy who created this has already stopped working on it but the Trojan should still hang around for a while. But it will eventually become an extinct malware.
gungebucket
This makes for great reading, as, having spent the last 2 1/2 years using Linux Ubuntu exclusively, I've just bought a new HP Pavilion 'Vista' box!

Am I going back to Linux soon, you might ask?
You bet! I answer.

I'll just have to learn about partitions first.

Pete.
funnytim
QUOTE(Lloyd T @ Jan 22 2009, 03:52 PM) *
QUOTE
Also, it is funny (probably for you), but Microsoft offered me a job to help improve some of Vista's protection.


I wonder if this is true?



I'd be more tempted to say that that jerk just wanted to brag about himself...

Stupid kid...has nothing better to do, I guess.
crimlair
So the Zlob trojan is out... rootkits and shellcodes move in...
hrmmm...
I wonder which is worse? Trojan or rootkits? Makes some thought to worry about... but, from the way the virus programmer had said, the efficacy of actions against malware had been pretty fast with the help of the valiant Windows Defender teams. (Yep, they're valiant.) It's reassuring to know they're around to help.

I wish them all the luck~
Notorious
For the life of me, I wouldn't know what the fun is in destroying people's computers.. OK, so hackers proved the point that Windows is full of vulnerabilities.. Why in the world didn't they go work for Microsoft? That would make them richer and Windows a much better OS.
I don't believe either that that guy got a job offer at MS.. That would be a one-way ticket to jail, I suppose..
Grinler
These guys do not do it for fun. They do it because they make a lot of money scamming people with this software.
DnDer
QUOTE(Lloyd T @ Jan 22 2009, 06:20 PM) *
QUOTE(scff249 @ Jan 22 2009, 07:16 PM) *
Anywho....Yay for the fact that zlob should decrease. Boo to the fact that there will be more rootkits and shellcodes.


The guy who created this has already stopped working on it but the Trojan should still hang around for a while. But it will eventually become an extinct malware.


Grinler says he's been tracking these for a while... You know what might be neat? A big ole FBI-style list of formerly wanted software. Why not have a list published of all the "defeated" or "extinct" malware out there? Just for the community to remember how far they've come when they hear a guy like this is working on a new one.

And let's not forget the hall of fame for the teams and coders who cracked and killed the malware.
Grinler
Let me see what I can do
screen317
QUOTE
Also, it is funny (probably for you), but Microsoft offered me a job to help improve some of Vista's protection.
Gosh how about shoot him before offering him a job...
Blue Coconut
I have a big ole silly question.

In today's age, with programmers and whiz bangs in government agencies, not to mention the private sector, why doesn't someone go after these people? You have to admit, no matter how many hops, countries, homes, routers, addresses that a "CC number" or in the end "money" gets transferred through in the malware scams and now bigger-than-ever crimeware, it ends up in one spot. It ends up in ONE spot. And if you say it goes to different "banks", or fake banks, it still ends up in ONE spot. So, let's see, let's go investigate this ONE spot, find out other leads, put 2 + 2 together to get closer to these ID 10 T programmers, script kiddies, whatever you want to call them. Yes, I know all about the crossing borders, dealing with extradition and all that other "government" crap. But you know, in the private sector there are no borders. Hey, get a group together, fund it through the private sector, persons that are fed up with it, and go after them. I understand you will never wipe them out completely. But hey, you gotta start somewhere: going after 'em, bringing 'em in like bounty hunters, tracking 'em down. Maybe it will at least slow 'em down.

Sorry,.....on my soapbox. Just something to think about.

The world is getting smaller by the minute.
Wolfy87
WHY!?
I'm a passionate VB coder and I could probably create a simple virus, but I NEVER would.
It makes me ashamed to be a coder when you hear about these lowlife scammers.
I too think I have been hit by Zlob once, but you can't go wrong with Spybot - Search and Destroy =/
RobertFranz
QUOTE(Blue Coconut @ Feb 1 2009, 05:46 AM) *
I have a big ole silly question.

In today's age, with programmers and whiz bangs in government agencies, not to mention the private sector, why doesn't someone go after these people? You have to admit, no matter how many hops, countries, homes, routers, addresses that a "CC number" or in the end "money" gets transferred through in the malware scams and now bigger-than-ever crimeware, it ends up in one spot. It ends up in ONE spot. And if you say it goes to different "banks", or fake banks, it still ends up in ONE spot.


Nope.
Not gonna happen.
That "one spot" to which you refer is movable in space/time according to the needs of the recipient.

Let me break it down:
Joe has illicit funds in multiple banks, being transferred back and forth in varying routes to obfuscate his intentions.
At time X, all funds transfer to location Y, where Jill is waiting to withdraw the funds.

Once the funds are withdrawn as cash, it doesn't matter that the accounts are traceable going forward.

QUOTE
So, let's see, let's go investigate this ONE spot, find out other leads, put 2 + 2 together to get closer to these ID 10 T programmers, script kiddies, whatever you want to call them.


I don't care for them either, but dismissing them is a fool's game.
They clearly aren't idiots.

QUOTE
Yes, I know all about the crossing borders, dealing with extradition and all that other "government" crap.


Uh huh.
It's that "government crap" that allows you to keep your material possessions without having to invest an inordinate amount of capital in security.

QUOTE
But you know, in the private sector there are no borders.


Please provide more details - I'm not aware of any special Vigilantes Without Borders program.

QUOTE
Hey, get a group together, fund it through the private sector, persons that are fed up with it, and go after them. I understand you will never wipe them out completely. But hey, you gotta start somewhere: going after 'em, bringing 'em in like bounty hunters, tracking 'em down. Maybe it will at least slow 'em down.


Ok - where are you going to send the money?

Who would be qualified to track down a very elusive target, hidden by more obfuscation than you can comprehend and, on top of that, protected by a small armada of top-flight lawyers, with well-armed backup should the lawyers not provide sufficient protection?

This isn't 1990, with a few twits cranking out badly coded malware through point-and-click front ends to MtE.
The people writing malware now are in it for the cash.
Do you think a kid in Russia making money from malware is going to get to breathe very long without giving the organized thugs a cut?

Bottom line, Keyser Söze has shucked off his limp, and is already here in a New Improved Persona - pursuing whatever vector is currently yielding the most hard currency.
NyQuil
I just took a bunch of Zlob off a PC not too long ago. I believe the computer user got it from AntivirusTrigger. Thanks for posting this info.
fuzzywuzzy6
I would assume that some former malware designers stay honest and some return to their old ways, either out of boredom or from greed. That has been the case with other types of identity thieves who have been hired by security or financial companies in order to get a leg up on the criminals.

I suppose there is also an element of industrial espionage going on. It isn't just between company and company, or countries with software embargoes trying to circumvent those embargoes. It may be that some malware designers are trying to play both sides of the field. They're in it not just for the money or the intellectual challenge, but for the adrenaline rush. (Sounds like a Hollywood cliché, doesn't it?)