Archive for the ‘Zlob’ Category

Microsoft Files Complaints Against Scareware (Rogueware) Makers

Monday, September 29th, 2008

While we’ve been calling it Rogueware for years around here, Microsoft and the Washington State Attorney General’s office are filing a set of complaints against “scareware” makers. It is notable that the complaints can be filed against “John Doe” defendants whose identities are not yet known, as Elinor Mills writes on CNet:
“Microsoft filed five new lawsuits and amended two previous complaints against SMP Soft, all relating to programs that allegedly falsely alert consumers to problems on their computers and offer to sell software fixes. The programs listed include Scan & Repair, Antivirus 2009, MalwareCore, WinDefenderXPDefender.com and WinSpywareProtect. Most of the defendants are listed as “John Doe” because investigators do not yet know the identities of the people behind the programs.”

Kurt Baumgartner, Chief Threat Officer of our research group, was selected to give a timely, last-minute technical presentation on “Recent rogueware” this Thursday at Virus Bulletin 2008 in Ottawa, Canada. The talk will focus mostly on technical aspects of Rogueware currently in the wild, including a couple of the software packages listed in the complaint, the ridiculous but popular MonaRonaDona hoax, and various methods of delivery.
Regardless of the filings, these threats continue to evolve online and are active today, much like the one in the image above.

Myopic Vision

Tuesday, June 24th, 2008

Mary Landesman nailed it with a couple of posts on her about.com “Antivirus Software Blog”, commenting on the numbers games that AV vendors play when attempting to inflate their credibility in the eyes of consumers and corporate decision-makers. Her comments address both the numbers themselves and the effectiveness of the underlying Microsoft tool, the MSRT.
I recommend checking out her blog.

Her first post, “Tunnel Vision”, criticized Microsoft’s claims of insight into the volumes of malware actually running on user systems. She points out: ‘Microsoft asserts “Zlob is among the most common type of Trojan downloaded onto Windows machines.” The assertion was based on data collected by Microsoft’s Malicious Software Removal Tool (MSRT). But the MSRT is only programmed to see 111 (as of today’s date) malware families.’
Microsoft frequently makes grand claims about its own strong perspective on (here comes my oh-so-favorite marketing term) the “malware landscape”, based on the reported findings of the MSRT, simply because the tool runs on 400 million systems. She contradicts their ability to make these MSRT-based claims with her own estimate of the tool’s coverage:
‘In other words, Zlob is not “among the most common type of Trojan downloaded onto Windows machines”. Instead, Zlob is among the most common malware detected by the MSRT, which currently detects only about 5% of active malware families.’

In yesterday’s “The Numbers Behind Detection”, she updates that number by extrapolating from a recent straightforward, informative and respectable post from McAfee, humorously shouting “and I say we are detecting between 400,000 and 10,000,000 malware!”:
‘That makes my comments in Tunnel Vision even more pertinent as it effectively drops the MSRT detection percentage from 5% of all families to .03%.’
Tunnel vision? The MSRT may be very beneficial to the Windows community at large, but the sight it provides is more myopic than anything. Put some glasses on it and send it to class!

On a daily basis, the ThreatFire community gives us some insight not only into what malware users really are running on their desktops (as opposed to what merely shows up in their inbox or a P2P directory, or is downloaded and never run), but also into the unfortunate volumes of malware that go undetected by AV scanners when first released into the wild. Even time-worn and sophisticated scanners developed by talented groups have a difficult time detecting and keeping up with the volumes, the changing nature and the evasive techniques of today’s “cash is king” malware without bogging down users’ systems. Classifying these ever-changing samples well is also difficult for these burdened groups. Keeping on top of those volumes well enough to make sweeping claims about percentages takes keen vision indeed.

New (delf?)lob or (z?)lob variant

Thursday, January 3rd, 2008

We are seeing a number of hits from binaries served from the Ukraine, via prompts on web pages whose domains are registered in China and hosted in the U.S. Now that’s international.
These sites in the Ukraine are linked to by servers all over the world and serve up “Rogueware”, or fraudulent adware, similar to the Zlob family. A couple of vendors are assigning it vague family names like “Delflob” or “Delf”.
Through a redirected HTTP session, the user sees the standard fake video codec hoax. Recently this same hoax was coldly used alongside other shocking news, such as the Bhutto assassination and the Zoey Zane death, and it will most likely continue to be used throughout 2008. This site could have been part of the fake-codecs-on-Blogger effort, but because detection is so low it is most likely a new effort, or will be part of one. Notice the “play video” title bar and the instruction “You must download the Video ActiveX Object to play”:

Once the user is suckered into clicking the image to download the adware posing as a legitimate video codec, a file with a name varying around install_video_3913230.exe is served up. If the user runs the installer, believing it to be a codec, it in turn writes out G76-tmp_.exe, which installs toprates.dll. Toprates.dll claims in its file properties to be a video driver, but it is nothing more than rogueware (also called rogue antispyware): adware making fraudulent and threatening claims that the user’s system is infected and in a dangerous state, a situation which, the user is told, only paying up will fix.
ThreatFire users have been seeing prompts about the temp file’s (%TEMP%\GL76-tmp.exe) adjustments to security settings:

If the user allows the action and then double-clicks “My Computer”, or opens an Explorer window another way, they are prompted with an intimidating warning. If the intimidated user clicks “OK”, the adware directs the user’s browser to a web site peddling IeDefender, fraudulently claiming that the system has been infected by an “unknown trojan” (implicitly something other than this garbage):

Unfortunately, AV detection for this variant has been low since our ThreatFire community started seeing it:

Even if a ThreatFire user accepted the temp file’s attempt to change the system’s security settings, TF would prompt a second time on the source of the disingenuous warnings as it attempts to intimidate the user with more confusing ads. At this point the user really should quarantine this rogueware. If ThreatFire hasn’t seen the specific delivered binary before, it prompts the user:

ThreatFire will be picking these off as part of the “Zlob” family.

You might notice that this hoax has a lot to do with the very last line of a previous post, quoting an ad from the distributor of these sorts of rogueware installs.