Trojan Zlob

Discussion in 'NOD32 version 2 Forum' started by ugly, May 27, 2006.

Thread Status:
Not open for further replies.
  1. ugly

    ugly Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    276
    Location:
    Romania
    Nice one


    ~screenshot removed~ As previously requested by Marcos in this post, no more screenshots please. snapdragin
     
    Last edited by a moderator: Jul 3, 2006
  2. ugly

    ugly Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    276
    Location:
    Romania
    Right! Nobody's interested in zlob detection. :gack:
     
  3. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Just post the text rather than a picture maybe...?
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    If you added new screenshots of new Zlob variants every day, imagine how many pages this thread would reach in a couple of weeks / months. I for one tend to close this thread.
     
  5. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    ugly,

    I think everyone is interested in zlob detection, but precisely how does a continuing wave of screenshots help in achieving that particular objective? The simple fact of the matter is that they don't. They don't speed samples to the various AV vendors, they don't provide the AV vendors with new information, they don't (or rather shouldn't) impact workflow priorities.

    Given that, precisely what purpose do they serve? In my personal estimation, they serve no useful function and only serve to clog sites like these with inherently non-actionable and very quickly outdated information.

    Blue
     
  6. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    The only useful purpose would be to show if there is any trend in which a single AV, or a few, were most successful at detecting variants, but there doesn't seem to be such a trend: ability to detect seems rather random for almost all of them.
     
  7. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    steve1955,

    Even if that were the explicitly stated objective here, how would simple variables such as sampling bias be assessed, even if done approximately? Information in-context is valuable. Context free data, in instances where context is critical, can be misleading. Let's consider a strawman scenario - how about the case of a congenitally #2 (or 3, or 4, etc..) vendor who always releases a signature for a zlob variant say..., 112 seconds after every screenshot posted in this thread. Looking at the raw data, one might surmise users of that product were woefully unprotected from this malware, which would clearly not be the case.

    I want to be clear that I'm not dismissing the yeoman's work being done by those harvesting these beasts and making sure that they are forwarded to the appropriate vendors, that is certainly a valued contribution to the community at large.

    Blue
     
  8. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    What would be REALLY nice would be if one specific AV (NOD hopefully!) was detecting every variant without updates, just relying on heuristics. Is there a specific reason that these "Zlobs" aren't detected this way? After all, I thought that was what the AH module was all about.
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    I'm very doubtful about this, they change them significantly whenever someone begins detecting them heuristically.
     
  10. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    I would have thought that would have been more of a problem for sig-based AVs. I thought the whole idea of heuristics was to detect new/changed malware without having to update.
     
  11. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    While I cannot argue with your point....a point you have made no less than half a dozen times in this thread alone....there does come a time when comments made in this fashion in the same thread time after time become more than just a normal post :blink:
     
  12. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    I have only made it more than once because the replies seem to be implying that heuristic detection works in a similar way to sigs, which it doesn't. I originally asked WHY these variants cannot be detected this way; do you think that question has been answered?
    We all know each variant is different from the last, some significantly (otherwise they wouldn't be variants, would they?). I wanted to know if there was some SPECIFIC reason that they aren't being detected with AH. If you don't know the reason, just say so!
    If it is some certain characteristic of this strain that stops it being detected by AH, which possibly could be incorporated in other malware, perhaps the AH module should be updated (if possible) to cope.
     
    Last edited: Jul 5, 2006
  13. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    IMON blocks URLs with Zlobs, so you are well protected against new variants.
     
  14. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Many ways to skin a cat; very sweet indeed Marcos, thanks for the explanation.

    Cheers :D
     
  15. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Actually, one AV program was detecting early variants of these Zlobs heuristically (hint: "BehavesLike:" detections), but the Zlobs were changed to prevent heuristic detections. Heuristic detection currently cannot be done without having a high number of FPs. That said, another AV does catch most variants, old and new, using variant detection capability, but this AV does have a high number of FPs (hint: "Trojan.Popuper").

    Anyway, do not ever think that analysts are not concerned about this Zlob trojan. I'm pretty sure there will be a heuristic detection after better, more advanced forms of heuristic engine come into action. Software is always advancing.

    And when NOD32 already blocks all websites distributing this trojan, what else do you need? :)
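The thread contrasts three layers: exact signatures, which need an update per variant; generic heuristics, which catch changed variants until the author adapts, at the cost of false positives; and URL blocking, which Marcos describes IMON doing. The toy below is example code added for this page, not ESET's code and not anything posted by the participants. The file contents, rule weights, threshold and blocked host are all constructed (the host uses the reserved `.invalid` TLD), and nothing in it resembles real Zlob code.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Constructed toy corpus: (file name, stand-in "contents", is_malicious).
# The byte strings are placeholders for file contents, not real malware.
SAMPLES = [
    ("zlob_v1.exe", b"MZ|codec installer|write hklm\\run|fake-alert popup", True),
    ("zlob_v2.exe", b"MZ|video codec setup|write hklm\\run|fake-alert popup!", True),
    ("zlob_v3.exe", b"MZ|vid30 c0d3c setup|write hklm\\run|w4rning popup", True),
    ("notepad.exe", b"MZ|plain text editor", False),
    ("startup_mgr.exe", b"MZ|codec tuning|edit hklm\\run entries", False),
]

# Layer 1: exact-match signatures. Only the first sample is "known", so the
# set models a lab that has a signature for v1 but not for later variants.
SIGNATURES = {hashlib.sha256(SAMPLES[0][1]).hexdigest()}

# Layer 2: a generic heuristic. Each rule adds a weight; the file is flagged
# when the total reaches the threshold. Weights and threshold are arbitrary.
HEURISTIC_RULES = [
    (re.compile(rb"codec"), 1),
    (re.compile(rb"hklm\\run"), 2),
    (re.compile(rb"fake-alert"), 3),
]
HEURISTIC_THRESHOLD = 3

# Layer 3: a URL blocklist, the role the thread attributes to IMON.
# Constructed host; ".invalid" never resolves.
BLOCKED_HOSTS = {"codec-download.invalid"}


def signature_hit(data: bytes) -> bool:
    """Exact hash lookup: catches only files already in the signature set."""
    return hashlib.sha256(data).hexdigest() in SIGNATURES


def heuristic_score(data: bytes) -> int:
    """Sum the weights of every heuristic rule whose pattern occurs in the file."""
    return sum(weight for pattern, weight in HEURISTIC_RULES if pattern.search(data))


def heuristic_hit(data: bytes) -> bool:
    """Flag the file when the combined heuristic score reaches the threshold."""
    return heuristic_score(data) >= HEURISTIC_THRESHOLD


def url_blocked(url: str) -> bool:
    """Block a URL if its host, or any parent domain of it, is on the blocklist."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKED_HOSTS for i in range(len(labels)))


def evaluate(samples):
    """Per layer: malicious files caught and benign files wrongly flagged."""
    stats = {"signature": {"caught": 0, "false_positive": 0},
             "heuristic": {"caught": 0, "false_positive": 0}}
    for _name, data, malicious in samples:
        for layer, check in (("signature", signature_hit), ("heuristic", heuristic_hit)):
            if check(data):
                stats[layer]["caught" if malicious else "false_positive"] += 1
    return stats


if __name__ == "__main__":
    for name, data, malicious in SAMPLES:
        print(f"{name:16} malicious={malicious!s:5} sig={signature_hit(data)!s:5} "
              f"score={heuristic_score(data)} heur={heuristic_hit(data)}")
    print(evaluate(SAMPLES))
    for url in ("http://CODEC-download.invalid/setup.exe",
                "http://cdn.codec-download.invalid/v2.exe",
                "http://brand-new-host.invalid/v3.exe"):
        print(url, "blocked" if url_blocked(url) else "allowed")
```

Running it reproduces each position taken in the thread: the hash signature catches only v1; the heuristic also catches v2, which was rebuilt but kept the same behaviours, yet misses v3, whose strings were altered just enough to fall below the threshold (Marcos's point that variants change once heuristics start firing); the same heuristic flags the benign `startup_mgr.exe` (Firecat's false-positive cost); and the blocklist stops a known host and its subdomains regardless of case, but not a host it has never seen (steve1955's question about new websites).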
     
  16. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    What are the chances of new websites distributing new variants?
     
  17. ASpace

    ASpace Guest

  18. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
  19. ASpace

    ASpace Guest

    Although it is off-topic, the song is excellent. Greetings to Nigel Cook :D
     
  20. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I think ESET was among the few AVs to detect all Zlob variants in a very fast time. Others are still having problems...and if the websites are blocked the protection is even better. :)
     
  21. Ngwana

    Ngwana Registered Member

    Joined:
    Jul 5, 2006
    Posts:
    156
    Location:
    Glasgow, United Kingdom
    The game behind Trojan Zlob, is it to play a 'catch me if you can' game with AV software, or is there more to it? If the preoccupation with this Trojan is never-ending, could this be a decoy attack? Just asking.
     
  22. ASpace

    ASpace Guest

    Yes, it is something like that. Moreover, most times it is even "kill me if you can".
     
  23. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Problem is, I've noticed Eset not detecting some newer Zlob samples, which incidentally reached me after this thread died down. However, I'm not making any assumptions, since I've found some (but not all) of the files to be corrupted. I'll check if the others are also corrupted, and then I'll send the samples to Eset if necessary.
     
  24. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Well, all my Zlob samples are detected, and I have plenty. I once had some corrupted files also, and of course they weren't detected. I'm sure your files are also corrupted. :)
     
  25. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Of course, everything is corrupted when it's not detected by NOD32 :rolleyes:
     