

The End of Zlob


16 replies to this topic

#1 Grinler

Grinler

    Bleep Bleep!


  • Admin
  • 40,169 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:25 PM

Posted 22 January 2009 - 12:07 PM

The Zlob Trojan, which was one of the most, if not the most, active Trojans displaying advertisements and installing rogue anti-spyware programs, is no longer under development. This Trojan was responsible for promoting and installing rogue anti-spyware programs onto millions of computers. In a message found encoded in one of their Trojans, we learn that the Zlob author is closing down shop and moving on to other malware projects such as shellcodes and rootkits. Though this is good in terms of rogue programs, it does not bode well for future malware that we will see coming from this, unfortunately, talented programmer.

In October Microsoft wrote about discovering an encoded message in the Zlob Trojan directed towards them by the malware author. This message stated:
I want to see your eyes the man from Windows Defender's team
Recently a group of French malware & security analysts have analyzed a newer variant of the Zlob Trojan and found another message encoded in the file. This message contains a farewell message from the author and information about the projects he will be involved with in the future.
For Windows Defender's Team: I saw your post in the blog (10-Oct-2008) about my previous message. Just want to say 'Hello' from Russia. You are really good guys. It was a surprise for me that Microsoft can respond on threats so fast. I can't sign here now (he-he, sorry), how it was some years ago for more seriously vulnerability for all Windows ;) Happy New Year, guys, and good luck! P.S. BTW, we are closing soon. Not because of your work. :-)) So, you will not see some of my great ;) ideas in that family of software. Try to search in exploits/shellcodes and rootkits. Also, it is funny (probably for you), but Microsoft offered me a job to help improve some of Vista's protection. It's not interesting for me, just a life's irony.
Over the years, I have had extensive experience with rogue anti-spyware programs, and I can tell you that Zlob was one of the first Trojans of its kind. It used techniques for displaying ads and fake alerts that at the time were unheard of, and though they were not always the most difficult to remove, they were so aggressive in pushing out new versions that it was hard to keep track of them. For example, the rogue called SpywareQuake, in a 2-month period, had over 50 different variants of Zlob advertising it. Below I have included a list, in chronological order, of most of the rogue anti-spyware programs that were promoted via the Zlob Trojan.

Rogue Program Name                               Approximate Date Introduced
SpyAxe                                           December 2005
SpyFalcon                                        February 2006
SpywareQuake                                     March 2006
VirusBurst                                       August 2006
VirusBurster / VirusBursters                     October 2006
AntiVermins / Antiverminser                      October 2006
SpyDawn                                          February 2007
SpyCrush                                         February 2007
SpyLocked / SpywareLocked                        March 2007
VirusProtect / Virus Protect / VirusProtectPro   July 2007
AntiVirGear                                      September 2007
VirusRay                                         October 2007
VirusHeat                                        February 2008
AntiSpyCheck                                     June 2008
Antivirus Lab 2009                               September 2008
VirusResponse Lab 2009                           September 2008
VirusTrigger                                     November 2008
AntivirusTrigger                                 November 2008



Since the end of 2005 I have been tracking, monitoring, and writing guides for the removal of these rogues, and I, for one, am glad to see them gone. To read more about this story, including the original write-up from the discoverers, please visit the links below.




#2 Lloyd T

Lloyd T

  • Members
  • 853 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:06:25 PM

Posted 22 January 2009 - 06:52 PM

So long, farewell Zlob.

This might be the dawn of a new era in fighting malware. The sinister programmer's new batch of malware would make history, and our malware fighters must always be on guard for the next generation of malware. Good luck to them.

Also, it is funny (probably for you), but Microsoft offered me a job to help improve some of Vista's protection.


I wonder if this is true?

#3 scff249

scff249

    Indecisive Lurker


  • Members
  • 1,319 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:A galaxy far, far away...
  • Local time:05:25 PM

Posted 22 January 2009 - 07:16 PM

Good news is that there isn't going to be more Zlob stuff made by this guy. Bad news is that he's working on other programs that'll be even more notorious and an outright PITA. Good news is that we know what to look out for. Bad news is that it could end up being a worst-case scenario and malware removal communities may get flooded with things and cause more havoc for HJT Teams and other malware fighters. Good news....oh wait....I ran out of them.....

Anywho....Yay for the fact that zlob should decrease. Boo to the fact that there will be more rootkits and shellcodes.

....and shutting up.

"Ototo'i wa usagi o mita no...Kino wa shika...Kyo wa anata." -Kotomi Ichinose (Clannad) [see below for translation]
"Day before yesterday I saw a rabbit, and yesterday a deer, and today, you." -The Dandelion Girl
"You are not alone, and you are not strange. You are you, and everyone has damage. Be the better person." -Katawa Shoujo


#4 Lloyd T

Lloyd T

  • Members
  • 853 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:06:25 PM

Posted 22 January 2009 - 07:20 PM

Anywho....Yay for the fact that zlob should decrease. Boo to the fact that there will be more rootkits and shellcodes.


The guy who created this has already stopped working on it but the Trojan should still hang around for a while. But it will eventually become an extinct malware.

#5 gungebucket

gungebucket

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:25 PM

Posted 23 January 2009 - 05:34 PM

This makes for great reading, as, having spent the last 2 1/2 yrs using Linux Ubuntu exclusively, I've just bought a new HP Pavilion 'Vista' box! :flowers:

Am I going back to Linux soon, you might ask?
You bet! I answer. :thumbsup:

I'll just have to learn about partitions first.

Pete.
AMD Athlon 64x2 Dual Core Processor 45600+. 300gig H/D. 2 gig DDr RAM. Vista Home fully updated. Firefox. AVG Free. Zonealarm.
Look, I'm quite capable of fouling up my computer without your help. Thank you very much! :-D

#6 funnytim

funnytim

  • Members
  • 624 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:03:25 PM

Posted 24 January 2009 - 12:48 AM

Also, it is funny (probably for you), but Microsoft offered me a job to help improve some of Vista's protection.


I wonder if this is true?



I'd be more tempted to say that that jerk just wanted to brag about himself...


Stupid kid...has nothing better to do i guess

#7 crimlair

crimlair

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:25 PM

Posted 25 January 2009 - 12:44 AM

So the Zlob trojan is out... rootkits and shellcodes move in...
hrmmm...
I wonder which is worse? :flowers: trojan or rootkits? Makes some thought to worry about... but, from the way the virus programmer had said, the efficacy of actions against malware had been pretty fast with the help of the valiant Windows Defender teams. :trumpet: (yep, they're valiant) It's reassuring to know they're around to help.

I wish them all the luck~

:thumbsup:

#8 Notorious

Notorious

  • Members
  • 322 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Amsterdam
  • Local time:05:25 PM

Posted 27 January 2009 - 08:28 AM

For the life of me, I wouldn't know what is the fun in destroying people's computers.. OK so hackers proved the point that Windows is full of vulnerabilities.. Why in the world didn't they go work for Microsoft? That would make them richer and Windows a much better OS.
I don't believe either that that guy got a job offer at MS.. That would be a one-way ticket to jail I suppose.. :thumbsup:

Down in the bayou, Bubba called an attorney and asked, "Is it true they're suin' the cigarette companies for causing people to get cancer?
"Sure is Bubba. But why you asking?"
"Cause what I want to know is, I was thinking, can I sue Budweiser for all them ugly women I've slept with?"

#9 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,169 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:25 PM

Posted 27 January 2009 - 10:59 AM

These guys do not do it for fun. They do it because they make a lot of money scamming people with this software.

#10 DnDer

DnDer

  • Members
  • 624 posts
  • OFFLINE
  •  
  • Local time:05:25 PM

Posted 27 January 2009 - 02:29 PM

Anywho....Yay for the fact that zlob should decrease. Boo to the fact that there will be more rootkits and shellcodes.


The guy who created this has already stopped working on it but the Trojan should still hang around for a while. But it will eventually become an extinct malware.


Grinler says he's been tracking these for a while... You know what might be neat? A big ole FBI-style list of formerly wanted software. Why not have a list published of all the "defeated" or "extinct" malware out there? Just for the community to remember how far they've come when they hear a guy like this is working on a new one.

And let's not forget the hall of fame for the teams and coders who cracked and killed the malware.

#11 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,169 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:25 PM

Posted 27 January 2009 - 02:38 PM

Let me see what I can do :thumbsup:

#12 screen317

screen317

  • Malware Response Team
  • 236 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Los Angeles
  • Local time:03:25 PM

Posted 27 January 2009 - 03:20 PM

Also, it is funny (probably for you), but Microsoft offered me a job to help improve some of Vista's protection.

Gosh how about shoot him before offering him a job...

#13 Blue Coconut

Blue Coconut

  • Members
  • 65 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:the right side ocean, NC
  • Local time:05:25 PM

Posted 01 February 2009 - 08:46 AM

:thumbsup:

I have a big ole silly question.

In today's age, with programmers and whiz bangs in government agencies, not to mention the private sector, why doesn't someone go after these people. You have to admit, no matter how many hops, countries, homes, routers, addresses that a "CC number" or in the end "money" gets transferred in the malware scams and now bigger than ever crimeware, it ends up in one spot. It ends up in ONE spot. And if you say, it goes to different "banks", or fake banks, it still ends up in ONE spot. So, let's see, let's go investigate this ONE spot, find out other leads, put 2 + 2 together to get closer to these ID 10 T programmers, script kiddies, whatever you want to call them. Yes I know all about the crossing borders, dealing with extradition and all that other "government" crap. But you know in the private sector, there are no borders. Hey, get a group together, fund it through the private sector, persons that are fed up with it, and go after them. I understand you will never wipe them out completely. But hey, you gotta start somewhere, going after em, bring em in like bounty hunters, track em down. Maybe it will at least slow em down.

sorry,.....on my soapbox. Just something to think about. :flowers:


The world is getting smaller by the minute.

:trumpet:
Ever tried landing a city block? It's a rush one cannot describe.

#14 Wolfy87

Wolfy87

  • Members
  • 414 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:England
  • Local time:10:25 PM

Posted 01 February 2009 - 05:51 PM

WHY!?
I'm a passionate VB coder and I could probably create a simple virus but I NEVER would.
It makes me ashamed to be a coder when you hear about these lowlife scammers.
I too think I have been hit by the Zlob once, but you can't go wrong with Spybot - Search and Destroy =/

#15 RobertFranz

RobertFranz

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:25 PM

Posted 02 February 2009 - 07:27 PM

:thumbsup:

I have a big ole silly question.

In today's age, with programmers and whiz bangs in government agencies, not to mention the private sector, why doesn't someone go after these people. You have to admit, no matter how many hops, countries, homes, routers, addresses that a "CC number" or in the end "money" gets transferred in the malware scams and now bigger than ever crimeware, it ends up in one spot. It ends up in ONE spot. And if you say, it goes to different "banks", or fake banks, it still ends up in ONE spot.


Nope.
Not gonna happen.
That "one spot" to which you refer is movable in space/time according to the needs of the recipient.

Let me break it down:
Joe has illicit funds in multiple banks, being transferred back and forth in varying routes to obfuscate his intentions.
At time X, all funds transfer to location Y, where Jill is awaiting to withdraw the funds.

Once the funds are withdrawn as cash, it doesn't matter that the accounts are traceable going forward.

So, let's see, let's go investigate this ONE spot, find out other leads, put 2 + 2 together to get closer to these ID 10 T programmers, script kiddies, whatever you want to call them.



I don't care for them either, but dismissing them is a fool's game.
They clearly aren't idiots.

Yes I know all about the crossing borders, dealing with extradition and all that other "government" crap.



Uh huh.
It's that "government crap" that allows you to keep your material possessions without having to invest an inordinate amount of capital in security.

But you know in the private sector, there are no borders.


Please provide more details - I'm not aware of any special Vigilantes Without Borders program.

Hey, get a group together, fund it through the private sector, persons that are fed up with it, and go after them. I understand you will never wipe them out completely. But hey, you gotta start somewhere, going after em, bring em in like bounty hunters, track em down. Maybe it will at least slow em down.


Ok - where are you going to send the money?

Who would be qualified to track down a very elusive target hidden by more obfuscation than you can comprehend, and on top of that, is protected by a small armada of top flight lawyers, with well armed backup should the lawyers not provide sufficient protection?

This isn't 1990, with a few twits cranking out badly coded malware through point and click front ends to MtE.
The people writing malware now are in it for the cash.
Do you think a kid in Russia making money from malware is going to get to breathe very long without giving the organized thugs a cut?

Bottom line, Keyser Söze has shucked off his limp, and is already here in a New Improved Persona - pursuing whatever vector is currently yielding the most hard currency.



