More Zlob lure sites surfacing
So, recently the Zlob folks have been pretty busy. Aside from adding Mac users to their victim list, we recently reported aggressive use of SEO techniques to lure victims. No more than what we should expect from a group that has been pushing this malware onto victims for a couple of years now.
For a few weeks we have been detecting some of the malicious scripts used by Zlob to push the fake codec installers onto the victim's machine as JS/Dload-X. Yesterday, an enhanced detection was published to catch more recent flavours of these scripts (Mal/ZlobJS-A).
During November and December the Zlob group have been fairly active in registering new domains and setting up video sites intended to lure victims. As ever with Zlob, the lure sites all look very realistic, with quite professional-looking graphics and design. Some follow the regular ‘Zlob MO’ - using porn sites to attract victims. Others offer celebrity videos:
![[Celebrity videos Zlob lure]](http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2007/12/stz.png)
Some offer humorous clips:
![[Comedy videos Zlob lure]](http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2007/12/stz2.png)
One site (a few months old now) spoofs the YouTube site (the observant will notice it copies an old YouTube design, not the latest):
![[Spoofed Zlob YouTube site]](http://www.sophos.com/blogs/sophoslabs/images/blogs/sophoslabs/2007/12/stz3.png)
Perhaps as more people start to associate pornographic content with increased risk of infection, we will start to see malware authors branching out from the tried and trusted (and clearly successful) porn lure? The bad guys will simply follow the traffic - I have little doubt that we shall see spoofing of numerous video sharing, social networking and similar sites in 2008.
Posted on December 6th, 2007 by Fraser Howard, SophosLabs UK. Filed under: Malware, Web