Trojan Zlob

TonyKlein · Jun 19, 2006

BTW, none of yesterday's four or five new variants were detected by Nod32.

Here are the relevant bits from the VirusTotal reports I could retrieve (I seem to have misplaced the others...)
These are the three that were detected neither by Nod32 nor by Kaspersky

Complete scanning result of "8a005be6fd089cbff87343d39bbe1ab1", received in VirusTotal at 06.19.2006, 01:23:49 (CET).

Authentium 4.93.8 06.16.2006 Possibly a new variant of W32/AdwareDropper.MCodec-based
CAT-QuickHeal 8.00 06.17.2006 (Suspicious) - DNAScan
Fortinet 2.77.0.0 06.18.2006 suspicious
F-Prot 3.16f 06.17.2006 Possibly a new variant of W32/AdwareDropper.MCodec-based
Panda 9.0.0.4 06.18.2006 Suspicious file
TheHacker 5.9.8.162 06.18.2006 Trojan/Downloader.Zlob.tm

Complete scanning result of "1259658124752fc0907956e29434eec2", received in VirusTotal at 06.19.2006, 01:24:46 (CET).

Authentium 4.93.8 06.16.2006 Possibly a new variant of W32/AdwareDropper.MCodec-based
CAT-QuickHeal 8.00 06.17.2006 (Suspicious) - DNAScan
Fortinet 2.77.0.0 06.18.2006 suspicious
F-Prot 3.16f 06.17.2006 Possibly a new variant of W32/AdwareDropper.MCodec-based
Panda 9.0.0.4 06.18.2006 Suspicious file
TheHacker 5.9.8.162 06.18.2006 Trojan/Downloader.Zlob.sw
VirusBuster 4.3.7:9 06.18.2006 Trojan.DR.Zlob.Gen!Pac8

Complete scanning result of "e013aa95e0db15f5843d85e79200f15d", received in VirusTotal at 06.19.2006, 01:25:10 (CET).

CAT-QuickHeal 8.00 06.17.2006 (Suspicious) - DNAScan
Fortinet 2.77.0.0 06.18.2006 suspicious
Panda 9.0.0.4 06.18.2006 Suspicious file

Samples sent; available to other developers on request.

NOD32 user · Jun 19, 2006

TonyKlein said:

When I try that I link, I get:

... which is odd, to say the least, as I don't recall even having seen that forum before... LOL!
Click to expand...

heh that is funny
What do you get if you try http://forums.aanet.com.au/viewtopic.php?t=10041 or just http://forums.aanet.com.au/ then Service Issues, Service Problems - VIC, 'Melbourne router is being attacked now' ?

Perhaps they have a ban on some international IP's? It's the member forum for an Australian ISP.

andrator · Jun 19, 2006

NOD32 user said:

heh that is funny
What do you get if you try http://forums.aanet.com.au/viewtopic.php?t=10041 or just http://forums.aanet.com.au/ then Service Issues, Service Problems - VIC, 'Melbourne router is being attacked now' ?
Click to expand...

I also get:
You have been banned from this forum.
Please contact the webmaster or board administrator for more information.

Perhaps they have a ban on some international IP's? It's the member forum for an Australian ISP.
Click to expand...

Very likely. If you ban international IP's you only have to worry about Australian hacking attempts filling your log files

TonyKlein · Jun 19, 2006

NOD32 user said:

heh that is funny
What do you get if you try http://forums.aanet.com.au/viewtopic.php?t=10041 or just http://forums.aanet.com.au/ then Service Issues, Service Problems - VIC, 'Melbourne router is being attacked now' ?

Perhaps they have a ban on some international IP's? It's the member forum for an Australian ISP.
Click to expand...

Gotto be that, as I get the same anywhere at that site...

gerardwil · Jun 19, 2006

I have no probs with that link!

Gerard

TonyKlein · Jun 19, 2006

gerardwil said:

I have no probs with that link!
Click to expand...

Oh well, I guess I'll have to resign myself to it...

NOD32 user · Jun 19, 2006

TonyKlein said:

Gotto be that, as I get the same anywhere at that site...
Click to expand...

Oh well, for the benefit of international visitors, I'll copy some over here.
The background is that aanet an Australian ISP was the beneficiary of a major DOS attack - took down their network across an entire state via traffic targeted at a specific IP address. Probably zlob related - the result outcome was as follows - One IP is completely toast - permanantly blocked upstream by their wholesale provider never to be re-allocated.
Some of this may be of interest to malware researchers, or they may already be fully aware of it. Those in the industry can PM me if they would like to know the www's that were being viewed - they're not in the list at post #136 of this thread.

Got in touch with them this morning.
They were quite helpful in fact and requested I post back here with some more detailed info from our end for the benefit of others, so here goes, and apologies for the kind of long post Smile

As can be seen from the logs a couple of posts back, the traffic was inbound (and VERY unrequested I might add) but just to satisfy everybody that everything here is clean, we did full scans of everything with fully up to date NOD32 which is 'Checkmark' certified by West Coast Labs in the following areas: Anti-Virus Level 1, Anti-Virus Level 2, Trojan and also Anti-Spyware Desktop. You can check these results yourself -->HERE<-- Another one of the many independant certifications that NOD32 has received is the world record 38 prestigious VB100% awards by Virus Bulletin and it is the only product tested that has never missed an 'In The Wild' virus in more than 8 years of testing.

At this point we were still 99.99% sure everything was clean just as we were before we started (no product has 100% detection), so just to be as sure as possible we followed up with complete scans of everthing using first AdAware SE by Lavasoft, and then Spybot S & D - Most internet users would probably be familiar with either or both of these. They detected and cleaned the normal batch of cookies between them as they do.

Besides all of this, and in addition to it, if anything was to make it onto a system here we would certainly have been notified by our firewall that somethink new or changed was trying to make a connection to the internet or bind to a port. Checking these logs revealed no such event.
Finally all machines have been checked for their currency of windows updates.

So where does all this lead to?

It is possible that through some investigation into the trojan 'Zlob' (discussion -->HERE<--) and the relationship between it's sites on Saturday that we inadvertently triggered an IP update mechanism, causing lot's of Zlob infected machines everywhere to try and reach 202.164.202.234. We weren't running the trojan here, although we do have some quarantined versions of it from some clients machines. The investigation that was being done was WHOIS lookups, DNS resolution and browsing. That is all.
If this was the case, that we have inadvertently triggered this (and it seems a quite likely possibility) then I most sincerely apologise for any and all inconvenience. In future I'll certainly be making use of anonymous browsing services to remove any access to my actual IP when this sort of investigation is necessary.

Some info on the zlob trojan might be useful also:-
Essentially the zlob trojan usually gets onto a PC after a user downloads and installs it themselves. It is shipped as a codec you that you 'need' to view downloaded or streaming media(video) of dubious content that will not play without first having installed the free 'software' that let's you view it.
It's writer plays innocent, having even requested Anti-Virus vendors remove it from their signatures and stop detecting it (quote -->HERE<--). It's executable is modified almost daily in an attempt to avoid detection by AV software. Later on the zlob trojan downloads further components that intergrate into a windows installation. These provide further function to the trojan including popup advertising at regular intervals.
This is possibly THE most rampant trojan on the internet at the moment, and has been for some time due mostly to the way it is delivered as a 'codec' you need to view dubious videos.
There has been an ongoing thread relating to this trojan over at Wilders Security Forum -->HERE<-- over the last three or so weeks. Of special interest is a partial list of sites that should defiantely be avoided visiting or downloading from at post #136. This list is not exhaustive but if you get the idea - the 'codec' you dont need is the one for the video you don't need to see Smile

Some hit stats for a couple of the related sites from TonyKlein
Peaked to 80 million views Jan - Feb (then drop out of sight - once detected)
http://www.alexa.com/data/details/tr...rl=v-codec.com

Peaked to 75 million views in Feb (then drop out of sight)
http://www.alexa.com/data/details/tr...mediacodec.com

Peaked to 120 million views in April (then drop out of sight)
http://www.alexa.com/data/details/tr...rl=emcodec.com

Peaked to 120 million views in April - May (then drop out of sight)
http://www.alexa.com/data/details/tr...edia-codec.com

Peaked to 105 million views in May
http://www.alexa.com/data/details/tr...mediacodec.net

Peaked to 30 million views in May
http://www.alexa.com/data/details/tr...digikeygen.com

Some of the involved sites seem to have been registered through, or related to an ISP in the Ukraine whose home page notes that they are not accepting new clients since around May 2005 due to fraudulent registrations. Some of the zlob related WHOIS entries for the zlob sites have aparently been made as recently as June 2006 and their DNS appears to be managed by this same Ukraine ISP. Go figure!

Once more my apologies if this DOS attack was something I inadvertently triggered.

Cheers and Happy Computing Smile
Click to expand...

NOD32 user · Jun 19, 2006

TonyKlein said:

Oh well, I guess I'll have to resign myself to it...
Click to expand...

Were you running test zlobs? Could your IP be one of these?

Here you go, this is just a tiny snippit of maybe a hundred pages of this.. this was after I managed to get him shut down so that is why traffic is coming and going through the same interface.

The protocol is TCP (06) and the port 3053 or 0BED . Dont worry his ip is published, he wont be using it anytime soon

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Gi1/0/0 113.126.124.39 Gi1/0/0 202.164.202.234 06 B803 0BED 22
Gi1/0/0 104.4.40.68 Gi1/0/0 202.164.202.234 06 CA04 0BED 30
Gi1/0/0 160.76.77.94 Gi1/0/0 202.164.202.234 06 5149 0BED 2
Gi1/0/0 218.16.245.106 Gi1/0/0 202.164.202.234 06 6F32 0BED 3
Gi1/0/0 87.85.190.57 Gi1/0/0 202.164.202.234 06 F01A 0BED 1
Gi1/0/0 135.105.13.0 Gi1/0/0 202.164.202.234 06 D857 0BED 3
Gi1/0/0 142.78.168.49 Gi1/0/0 202.164.202.234 06 0F0E 0BED 1
Gi1/0/0 65.127.71.95 Gi1/0/0 202.164.202.234 06 C20C 0BED 2

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Gi1/0/0 154.83.230.103 Gi1/0/0 202.164.202.234 06 F353 0BED 7
Gi1/0/0 206.13.31.35 Gi1/0/0 202.164.202.234 06 7076 0BED 9
Gi1/0/0 116.16.169.23 Gi1/0/0 202.164.202.234 06 5F0F 0BED 2
Gi1/0/0 162.82.220.76 Gi1/0/0 202.164.202.234 06 A148 0BED 5
Gi1/0/0 58.18.152.61 Gi1/0/0 202.164.202.234 06 550C 0BED 11
Gi1/0/0 127.73.9.101 Gi1/0/0 202.164.202.234 06 3F33 0BED 2
Gi1/0/0 149.78.101.42 Gi1/0/0 202.164.202.234 06 DF49 0BED 3
Gi1/0/0 124.36.18.65 Gi1/0/0 202.164.202.234 06 806E 0BED 5
Gi1/0/0 138.92.112.7 Gi1/0/0 202.164.202.234 06 7076 0BED 4
Gi1/0/0 44.56.68.77 Gi1/0/0 202.164.202.234 06 D86B 0BED 14
Gi1/0/0 138.110.16.23 Gi1/0/0 202.164.202.234 06 AB27 0BED 3
Gi1/0/0 141.28.49.55 Gi1/0/0 202.164.202.234 06 D007 0BED 1
Gi1/0/0 117.77.251.99 Gi1/0/0 202.164.202.234 06 6574 0BED 7
Gi1/0/0 161.37.122.43 Gi1/0/0 202.164.202.234 06 D27A 0BED 4
Gi1/0/0 87.126.55.126 Gi1/0/0 202.164.202.234 06 7F52 0BED 4
Gi1/0/0 181.122.198.39 Gi1/0/0 202.164.202.234 06 340D 0BED 10
Gi1/0/0 21.30.191.67 Gi1/0/0 202.164.202.234 06 2958 0BED 9
Gi1/0/0 138.55.32.108 Gi1/0/0 202.164.202.234 06 5E17 0BED 16
Gi1/0/0 44.66.198.11 Gi1/0/0 202.164.202.234 06 4951 0BED 30
Gi1/0/0 0.28.167.12 Gi1/0/0 202.164.202.234 06 B371 0BED 1
Gi1/0/0 93.6.225.63 Gi1/0/0 202.164.202.234 06 070D 0BED 5
Gi1/0/0 185.108.253.32 Gi1/0/0 202.164.202.234 06 9865 0BED 5
Gi1/0/0 188.35.228.52 Gi1/0/0 202.164.202.234 06 4A6A 0BED 2
Gi1/0/0 197.29.156.11 Gi1/0/0 202.164.202.234 06 4073 0BED 21
Gi1/0/0 26.81.205.51 Gi1/0/0 202.164.202.234 06 5841 0BED 12
Gi1/0/0 145.16.189.66 Gi1/0/0 202.164.202.234 06 5605 0BED 3
Gi1/0/0 206.2.3.10 Gi1/0/0 202.164.202.234 06 5801 0BED 14
Gi1/0/0 75.71.112.26 Gi1/0/0 202.164.202.234 06 8577 0BED 6
Gi1/0/0 0.59.60.15 Gi1/0/0 202.164.202.234 06 2B57 0BED 7
Gi1/0/0 124.46.79.126 Gi1/0/0 202.164.202.234 06 6805 0BED 2
Gi1/0/0 48.84.34.88 Gi1/0/0 202.164.202.234 06 2430 0BED 12
Gi1/0/0 69.77.204.86 Gi1/0/0 202.164.202.234 06 287C 0BED 16
Gi1/0/0 165.126.85.101 Gi1/0/0 202.164.202.234 06 D719 0BED 6
Gi1/0/0 133.25.210.126 Gi1/0/0 202.164.202.234 06 7470 0BED 16
Gi1/0/0 148.43.232.27 Gi1/0/0 202.164.202.234 06 9A2E 0BED 6
Click to expand...

And besides Tony, you are from 'The Netherlands' - gerardwil is from 'Netherlands'

pykko · Jun 19, 2006

wow...such a big discussion since I was away.
But anyway there are still at least 4 variants not detected now...

beetlejuice69 · Jun 19, 2006

I don`t have any problem with either links.

TonyKlein · Jun 19, 2006

NOD32 user said:

Were you running test zlobs? Could your IP be one of these?
Click to expand...

Nope, it isn't...

And besides Tony, you are from 'The Netherlands' - gerardwil is from 'Netherlands'
Click to expand...

Ah, that must be it! http://www.spywareinfoforum.com/html/emoticons/weee.gif

ugly · Jun 19, 2006

F-Prot seems to have a really nice heuristic on that !
I was expecting this from eset !

Marcos · Jun 19, 2006

I think we should cease posting any futher screenshots, or the thread will need to be eventually closed. It's a matter of fact that these Zlobs are a neverending story that will go on.

the_sly_dog · Jun 19, 2006

i wish these zlob virus would stop its getting stupid now

these people should get out more or get a girlfriend something to take there mind of causing mayhem on the internet

steve1955 · Jun 20, 2006

Marcos said:

I think we should cease posting any futher screenshots, or the thread will need to be eventually closed. It's a matter of fact that these Zlobs are a neverending story that will go on.
Click to expand...

Hi Marcos
The screenshots are a little interesting because they show that no single AV seems better than others at detecting these variants,seems to depend who has updated bases and who hasn't at time test was run,must be said that some AV's seem to miss more than their fair share though

Firecat · Jun 20, 2006

steve1955 said:

Hi Marcos
The screenshots are a little interesting because they show that no single AV seems better than others at detecting these variants,seems to depend who has updated bases and who hasn't at time test was run,must be said that some AV's seem to miss more than their fair share though
Click to expand...

Actually, I've discovered that most vendors *are* adding signatures, but it takes time to do so. Since this is the NOD32 forum I won't quote any names, but all the big vendors seem to have the samples and are adding signatures for these Zlobs, though not as quickly as one would expect.

Eset is the only one to offer quick protection against all these Zlobs. Again, a job well done.

NOD32 user · Jun 21, 2006

HiTech_boy said:

...Zlob is alive and will always be , nothing can be done .
Click to expand...

Some of those hosting DNS records for zlob would surely remove them if somebody from an AV company was to notify them with evidence about what the sites are used for....
For example, several of the DNS records are hosted by http://www.everydns.net/
from the everydns TOS...

4.2 Member Conduct. Member is solely responsible for the contents of his/her usage of Service. Member's use of the Service is subject to all applicable local, state, national, and international laws and regulations. Member agrees: (1) to comply with US law regarding the transmission of technical data exported from the United States through the service; (2) not to use the Service for illegal purposes; (3) not to interfere with or disrupt networks connected to the Service; and (4) to comply with all regulations, policies, and procedures of networks connected to the Service. The Service makes use of the Internet's DNS protocol to create and delegate domains; therefore, Member's conduct is subject to Internet regulations, policies, and procedures. Member will not use the Service for illegal software, junk pornography, spamming or any use of distribution lists to any person who has not given specific permission to be included in such a process. Member agrees not to transmit through the service any unlawful, harassing, libelous, abusive, threatening, harmful, vulgar, obscene or otherwise objectionable material of any kind or nature. Member further agrees not to transmit any material that encourages conduct that could constitute a criminal offense, give rise to civil liability or otherwise violate any applicable local, state, national, or international law or regulation. Attempts to gain unauthorized access to other computer systems are prohibited. Member shall not interfere with another Member's use and enjoyment of the Service or another entity's use and enjoyment of similar services. EveryDNS may, at its sole discretion, immediately terminate Service should Member's conduct fail to conform with these terms and conditions of the AUP.
Click to expand...

ASpace · Jun 21, 2006

NOD32 user said:

Some of those hosting DNS records for zlob would surely remove them if somebody from an AV company was to notify them with evidence about what the sites are used for....
For example, several of the DNS records are hosted by http://www.everydns.net/
from the everydns TOS...
Click to expand...

Well , I wanted to tell , that the malware (no matter if it is Zlob or something else) cannot be totally stopped because the bad guys are not sleeping

We are not sleeping,too

Bubba · Jun 21, 2006

A number of posts removed.

For those not wishing to follow along as this important discussion plays out....Please feel free to participate in the numerous other ongoing support threads....or not. We rarely close threads @ Wilders....especially for reasons of non interest by a few members. Simply move on and let this Nod32 Support discussion continue Please.

Thanks,
Bubba

the insider · Jun 22, 2006

yesterday I scanned my second HD with Kaspersky AV 6 and it found 2 ZLOB "things" in the NOD cache files and NOD quarantine files..... does this mean that NOD found these already or were this trojans still active? I was so scared that I immediately had them eliminated so I can't exactly remember the names of the different infected files... sorry but I am not an experienced user.

pykko · Jun 22, 2006

if they were in the quarantine then NOD has previously catched them so you were protected.

Marcos · Jun 22, 2006

Files in quarantine are encrypted and thus benign. KAV can decrypt and scan them.

the insider · Jun 22, 2006

thx for the advice !

Firecat · Jun 22, 2006

Marcos said:

Files in quarantine are encrypted and thus benign. KAV can decrypt and scan them.
Click to expand...

Decrypt those files? How is that possible?

Sorry for the off-topic question, but can NOD32 also decrypt such files?

Marcos · Jun 22, 2006

It's not difficult, but there's no sense in it.

Log in or Sign up

Trojan Zlob

TonyKlein Security Expert

NOD32 user Registered Member

andrator Registered Member

TonyKlein Security Expert

gerardwil Registered Member

Attached Files:

aa.gif

TonyKlein Security Expert

NOD32 user Registered Member

NOD32 user Registered Member

pykko Registered Member

beetlejuice69 Registered Member

TonyKlein Security Expert

ugly Registered Member

Marcos Eset Staff Account

the_sly_dog Registered Member

steve1955 Registered Member

Firecat Registered Member

NOD32 user Registered Member

ASpace Guest

Bubba Updates Team

the insider Registered Member

pykko Registered Member

Marcos Eset Staff Account

the insider Registered Member

Firecat Registered Member

Marcos Eset Staff Account

Log in or Sign up

Trojan Zlob

TonyKlein Security Expert

NOD32 user Registered Member

andrator Registered Member

TonyKlein Security Expert

gerardwil Registered Member

Attached Files:

aa.gif

TonyKlein Security Expert

NOD32 user Registered Member

NOD32 user Registered Member

pykko Registered Member

beetlejuice69 Registered Member

TonyKlein Security Expert

ugly Registered Member

Marcos Eset Staff Account

the_sly_dog Registered Member

steve1955 Registered Member

Firecat Registered Member

NOD32 user Registered Member

ASpace Guest

Bubba Updates Team

the insider Registered Member

pykko Registered Member

Marcos Eset Staff Account

the insider Registered Member

Firecat Registered Member

Marcos Eset Staff Account

Useful Searches