This morning I’ve taken some time to scan my content filter logs from the past two weeks. Normally I look through them every few days, but I’ve been on a well deserved extended vacation.
It seems that some network users have been searching for video of the Benazir Bhutto assassination. There have been quite a few recent reports of malicious Blogger sites that advertise the video, but when users try to view it, they are told they do not have a required codec installed. They are prompted to download the codec, which results in a Zlob trojan downloading and installing to their system – see the McAfee blog for details and images.
CastleCops, Sunbelt Blog, and SANS Internet Storm Center have examples of an infected site.
My content filter logs show four or five users successfully downloading the offensive codec. I’m hoping that our desktop anti-virus software and group policy stopped the malware installation, but I’m not holding my breath. I wrote a script that’s scanning all machines for the fake codec, but I’ll probably have to wait until school resumes on Monday, January 8th to scan the entire network. Only a very few users are woring this week, so hopefully that will help contain the infestation.
If I do find Zlob installations, I plan on using the SmitFraudFix removal tool and the free removal tool I found on ParasiteDB. You can read all about SmitFraudFix and Zlob at the S!Ru.URZ blog.
{ 1 comment… read it below or add one }
That’s the way most people seem to get infected with Zlob. They use a current top story and say hey go to this site to look at the video of it. Just saw a link on another reputable site linking to a suposide link of a nude hanna montana. I knew just looking at the url to the site that it was rusian based and I am sure it had the zlob trojan on it.