Is Trojan.Zlob Getting Honest? Naaahh...
New fake codec Web sites often appear out of nowhere (we are pretty used to seeing them), and in most cases if you download and run the "codec" you get infected with a variant of Trojan.Zlob. Nothing new, but this time I found something different. I was testing a fake codec Web site when I came upon a new variant. The installation step is the usual one:

Figure 1: Standard installation process
However, after that the browser is started with a Google search for the word "sex." The interesting thing is that while browsing, you will now frequently be faced with this popup:

Figure 2: Frequently recurring message box
Well, I really appreciate the honesty of Zlob telling me I was infected! Clicking the OK button will force the download of “IE Defender,” which is an antispyware application. (IE Defender is also a potentially unwanted application. It is a wannabe malware scanner that is used in conjunction with the Zlob threat. You can find more details about IE Defender in the related write-up here.)
Of course, it's not over yet. Zlob also installs a browser helper object (BHO, a module loaded by Internet Explorer to integrate added functionality) in order to show the previously mentioned popup during Web browsing. A quick analysis of the BHO revealed some other interesting features. It is capable of hijacking Google results and redirecting them to the IE Defender Web site:
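Because the hijacking described here is done by a BHO, the first thing a responder wants is a list of every BHO registered on the machine and the DLL behind each one. The script below is an added example written for this page, not code from the original post or from Symantec; it reads the standard BHO registration keys under HKLM, resolves each CLSID to its in-process server DLL through HKEY_CLASSES_ROOT, and flags modules that are unsigned or live outside the usual program directories. No Zlob-specific CLSIDs or file names are assumed; the heuristic only narrows down which entries deserve a closer look.

```powershell
# Enumerate Internet Explorer Browser Helper Objects and resolve them to DLLs.
# Added example, not from the original post. Assumes a Windows host with
# PowerShell and read access to HKLM/HKCR. The key paths are the standard
# BHO registration locations; nothing Zlob-specific is hard-coded.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-RegisteredBho {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid = $sub.PSChildName

            # The CLSID's default value is the COM object's friendly name (may be empty).
            $name = $null
            $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            if (Test-Path $clsidKey) {
                $name = (Get-ItemProperty -Path $clsidKey).'(default)'
            }

            # InprocServer32's default value is the DLL that IE will load.
            $dll = $null
            $inproc = "$clsidKey\InprocServer32"
            if (Test-Path $inproc) {
                $dll = (Get-ItemProperty -Path $inproc).'(default)'
            }

            # Heuristic: a BHO whose DLL is unsigned or sits outside Program Files /
            # the Windows directory is worth examining. This is a triage hint, not proof.
            $suspicious = $false
            $signature = 'n/a'
            if ($dll) {
                $path = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
                $trustedDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
                    Where-Object { $_ }
                $inTrustedDir = $false
                foreach ($dir in $trustedDirs) {
                    if ($path -like "$dir*") { $inTrustedDir = $true }
                }
                $signed = $false
                if (Test-Path $path) {
                    $signature = (Get-AuthenticodeSignature -FilePath $path).Status
                    $signed = ($signature -eq 'Valid')
                } else {
                    $signature = 'file missing'
                }
                $suspicious = (-not $inTrustedDir) -or (-not $signed)
            }

            [PSCustomObject]@{
                CLSID      = $clsid
                Name       = $name
                Module     = $dll
                Signature  = $signature
                Suspicious = $suspicious
            }
        }
    }
}

# Run under an elevated prompt so every key is readable; review flagged rows first.
Get-RegisteredBho | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

The list alone does not tell you whether a module tampers with search results, but a flagged entry gives you the DLL to pull for analysis and the CLSID to remove from the registration key once the file has been quarantined.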

Figure 3: Google search reports a fake error box and a link to pornographic content
A fake error box is shown in the Google results, as well as a link to a pornographic video on YouTube. This is supposed to panic the user, because most users wouldn't want someone else using their computer for an innocent Google search and then finding a link to pornographic content in the search results. (Incidentally, you might notice that the search word I used was "potato.") Clicking the error box will bring the user to the IE Defender Web site.
If the annoying popup was not enough, surely an error message from Google will make you think twice about the potential dangers! We know very well how these threats spoof legitimate Web sites or security products in order to convince a user to buy their own security applications. Google is not the only one being targeted. Further analysis reveals that Yahoo supposedly reports the same problem:

Figure 4: Yahoo search shows a fake error box
Not only do you see a fake error box in the search results, but the first legitimate result is also hijacked so that clicking it redirects the user to the IE Defender fake online scan Web site. Live Search is not immune either:

Figure 5: A legitimate search result in Live Search has been redirected
In this case there are no fake error boxes shown in the search results, but the first legitimate result entry is hijacked in order to point to the IE Defender Web site. In addition, the MySpace and MSN Web sites are targeted with the same technique.
Interestingly, if you decide to download IE Defender and run a scan, it will actually detect the Zlob infection. Of course, you have to pay if you want to clean up the reported infection. So it looks like Zlob is really kind: after infecting your system it will reveal that your system is infected. Then it tries to redirect you to a Web site where you can download antispyware software that is supposedly able to remove it (for only $38.95 USD). What a lovely Trojan! I didn't actually purchase the IE Defender software, because it would probably do more harm than good. I'd rather let my Symantec products (with the latest definitions, of course) take care of the antispyware work!
Posted by Andrea Lelli on December 21, 2007 05:00 AM