In October Microsoft wrote about discovering an encoded message in the Zlob Trojan directed towards them by the malware author. This message stated:
I want to see your eyes the man from Windows Defender's team
Recently, a group of French malware and security analysts analyzed a newer variant of the Zlob Trojan and found another message encoded in the file. This message contains a farewell from the author and information about the projects he will be involved with in the future.
For Windows Defender's Team: I saw your post in the blog (10-Oct-2008) about my previous message. Just want to say 'Hello' from Russia. You are really good guys. It was a surprise for me that Microsoft can respond on threats so fast. I can't sign here now (he-he, sorry), how it was some years ago for more seriously vulnerability for all Windows ;) Happy New Year, guys, and good luck! P.S. BTW, we are closing soon. Not because of your work. :-)) So, you will not see some of my great ;) ideas in that family of software. Try to search in exploits/shellcodes and rootkits. Also, it is funny (probably for you), but Microsoft offered me a job to help improve some of Vista's protection. It's not interesting for me, just a life's irony.
Over the years, I have had extensive experience with rogue anti-spyware programs, and I can tell you that Zlob was one of the first Trojans of its kind. It used techniques for displaying ads and fake alerts that at the time were unheard of, and though they were not always the most difficult to remove, they were so aggressive in pushing out new versions that it was hard to keep track of them. For example, the rogue called SpywareQuake, in a 2-month period, had over 50 different variants of Zlob advertising it. Below I have included a list, in chronological order, of most of the rogue anti-spyware programs that were promoted via the Zlob Trojan.
|Rogue Program Name|Approximate Date Introduced|
|---|---|
|VirusBurster / VirusBursters|October 2006|
|AntiVermins / Antiverminser|October 2006|
|SpyLocked / SpywareLocked|March 2007|
|VirusProtect / Virus Protect / VirusProtectPro|July 2007|
|Antivirus Lab 2009|September 2008|
|VirusResponse Lab 2009|September 2008|
Since the end of 2005 I have been tracking, monitoring, and writing guides for the removal of these rogues, and I, for one, am glad to see them gone. To read more about this story, including the original write-up from the discoverers, please visit the links below.