Zlob trojan never give up, it's using a multi-directions strategy to infect as much as of systems. We talked recently about one of it's attacks against non-secure wireless/wired routers in the Internet which are left with default passwords. Nowadays, Zlob is trying to use some social engieering tricks, by sending spam e-mails with the subject line (You look really stupid) and the body contains a url to a fake video file with the extension (exe) !
Checklist for system admins:
- Make sure the current antispam is updated with the latest signatures.
- Make sure the current antivirus is deployed/updated on all machines. Verify if your vendor is already providing defintions to detect trojan.Zlob and it's variants.
- Deploy some URL/websites filtering solution to block malicious URLs (e.g Websense). If you already have one installed, create a policy to deny access to any URL which contains video.exe/video1.exe.
- Turn on antivirus scanning on your gateway firewall, and if it doesn't support this. It's the time to replace it by a decent UTM (e.g Fortigate / Juniper / ASA).
- User awareness is on your side, send a periodic e-mail which talks about spams, malwares, and other Internet threats. Try to use a simple and friendly language. Also, use a cartoon that talks about computer security to add the sense of humor to it.
- If you are already running Snort, use this signature to detect the download of the fake video executable: (You need to change the rule to detect different variants like video.exe, video1.exe, or video2.exe ...etc)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Trojan.Zlob Binary Requested (video.exe)"; flow:established,to_server; uricontent:"/video.exe"; nocase; classtype:trojan-activity; reference:url,http://www.symantec.com/security_response/writeup.jsp?docid=2005-042316-2917-99; rev:1;)
other posts about Zlob: