Overzlobbed

Tomorrow it will be a year since we first ran an analysis of the ZLOB family of trojans in the ISC diary. The write-up from back then is still an interesting read. While investigating a few .edu sites today that carried links to the latest ZLOB variant, it struck me how different these pages are from those of a year ago. Yes, there was obfuscation of the JavaScript, but not much of it; certainly not enough to make any virus scanner reject the page outright. Yes, there were the sleazy links, thousands of them, interlinking the pages to earn a good ranking in the search engines. But there were none (none!) of the embedded IFRAMEs loading the latest collection of browser and application exploits that such pages, Zlob or not, used to contain in the past.
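The three observations above (light script obfuscation, a very high link count, and the absence of hidden exploit IFRAMEs) are exactly the features an analyst checks first when triaging a page like this. The following script is an added example, not code from the diary or from ISC: it parses a page with the standard library, counts those features, and returns a rough verdict. The obfuscation markers, the link-count threshold of 30, the "codec" lure pattern and the two sample pages are all constructed assumptions for illustration; the host names are the reserved `example.invalid`.

```python
import re
from html.parser import HTMLParser

# Assumed indicators (not from the diary): script calls typical of
# light-weight obfuscation, a lure pattern for fake "codec" downloads,
# and a link-count threshold for SEO-style cross-linking.
OBFUSCATION_MARKERS = ("unescape(", "eval(", "String.fromCharCode", "document.write(")
CODEC_LURE = re.compile(r"codec|activex|video\s*plugin", re.I)
MANY_LINKS = 30


class PageFeatures(HTMLParser):
    """Collect script bodies, link targets and iframe attributes from a page."""

    def __init__(self):
        super().__init__()
        self.scripts, self.links, self.iframes = [], [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script, self._buf = True, []
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "iframe":
            self.iframes.append(a)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.scripts.append("".join(self._buf))

    def handle_data(self, data):
        # html.parser hands script content through here verbatim
        if self._in_script:
            self._buf.append(data)


def hidden_iframe(attrs):
    """A frame sized 0/1 pixels or styled invisible is the classic drive-by carrier."""
    w, h = attrs.get("width", "").strip(), attrs.get("height", "").strip()
    style = attrs.get("style", "").replace(" ", "").lower()
    return (w in ("0", "1") or h in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)


def triage(html):
    p = PageFeatures()
    p.feed(html)
    p.close()
    features = {
        "obfuscated_scripts": sum(1 for s in p.scripts
                                  if any(m in s for m in OBFUSCATION_MARKERS)),
        "hidden_iframes": sum(1 for f in p.iframes if hidden_iframe(f)),
        "links": len(p.links),
        "codec_lures": sum(1 for l in p.links if CODEC_LURE.search(l)),
    }
    if features["hidden_iframes"]:
        features["verdict"] = "drive-by"      # exploit content pulled in silently
    elif features["codec_lures"] and (features["obfuscated_scripts"]
                                      or features["links"] >= MANY_LINKS):
        features["verdict"] = "zlob-lure"     # social-engineering funnel, no exploits
    else:
        features["verdict"] = "unknown"
    return features


# Constructed sample pages (not captured from any real site).
LURE_PAGE = (
    "<html><body>"
    "<script>document.write(unescape('%3Cp%3EClick%20to%20play%3C%2Fp%3E'));</script>"
    "<a href='http://example.invalid/download/videocodec.exe'>Install video codec</a>"
    + "".join(f"<a href='http://example.invalid/p{i}.html'>clip {i}</a>" for i in range(50))
    + "</body></html>"
)
EXPLOIT_PAGE = (
    "<html><body>"
    "<iframe src='http://example.invalid/x.html' width='0' height='0'></iframe>"
    "<p>hello</p></body></html>"
)

if __name__ == "__main__":
    for name, page in (("lure", LURE_PAGE), ("exploit", EXPLOIT_PAGE)):
        print(name, triage(page))
```

The point of the two verdicts is the one the diary makes: a Zlob lure page and a drive-by page look alike to a link-spam heuristic, but differ on the one feature that gets a page flagged by anti-virus, the hidden frame. Treat the thresholds as starting points to tune against your own samples.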

Thinking it over, this makes sense: if you want to trick a user into (voluntarily!) downloading and installing a piece of malware that claims to be a video codec, you do not want to scare him away from the sites that draw him into the web by having other malware or exploit attempts light up his anti-virus. The Zlob approach to propagating malware seems to have been quite successful for the bad guys: not only are they still "going strong" more than a year after the first report, they also branched out to Mac OS X earlier this month (see that diary).

Since the "codec" binaries change frequently and AV coverage is notoriously poor, probably the best defense in a corporate environment is a web filter that blocks access to porn pages. What used to be seen as a mere "compliance" measure to avoid running afoul of sexual harassment rules at the workplace has long since turned into a cornerstone of most companies' malware defense. Keep in mind, though, that the lure pages in today's case sat on .edu hosts; a category filter cuts off the main funnel into the scheme, not every path to the "codec" download.

Daniel, ISC Handler