Wednesday, June 18, 2008

Zlob says: You look really stupid !

The Zlob trojan never gives up; it uses a multi-direction strategy to infect as many systems as possible. We talked recently about one of its attacks against non-secured wireless/wired routers on the Internet that are left with default passwords. Nowadays, Zlob is trying some social engineering tricks, sending spam e-mails with the subject line "You look really stupid" and a body containing a URL to a fake video file with the extension .exe!

Checklist for system admins:

  1. Make sure the current antispam is updated with the latest signatures.
  2. Make sure the current antivirus is deployed/updated on all machines. Verify whether your vendor already provides definitions to detect Trojan.Zlob and its variants.
  3. Deploy a URL/website filtering solution to block malicious URLs (e.g. Websense). If you already have one installed, create a policy to deny access to any URL which contains video.exe/video1.exe.
  4. Turn on antivirus scanning on your gateway firewall; if it doesn't support this, it's time to replace it with a decent UTM (e.g. Fortigate / Juniper / ASA).
  5. User awareness is on your side: send a periodic e-mail that talks about spam, malware, and other Internet threats. Use simple and friendly language, and add a cartoon about computer security to give it a sense of humor.
  6. If you are already running Snort, use this signature to detect the download of the fake video executable (you need to change the rule to detect different variants like video.exe, video1.exe, video2.exe, etc.):

# sid 1000001 is a placeholder in the local-rules range (1000000 and above); pick your own
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Trojan.Zlob Binary Requested (video.exe)"; flow:established,to_server; uricontent:"/video.exe"; nocase; classtype:trojan-activity; sid:1000001; rev:1;)
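As an added example (not from the original post), the same check applied to a web proxy access log, generalized to the video.exe / video1.exe / video2.exe variants and restricted to the last path segment so that names like video.exe.txt are not flagged. It assumes Squid native log field order and uses constructed sample lines with the reserved host example.invalid.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Lure filenames the post describes (video.exe, video1.exe, video2.exe ...),
# matched case-insensitively like the Snort rule's "nocase", but anchored so
# only the final path segment counts and video.exe.txt does not match.
ZLOB_LURE = re.compile(r"^video\d*\.exe$", re.IGNORECASE)


def lure_filename(url: str) -> Optional[str]:
    """Return the lure filename if the URL requests a fake video executable, else None."""
    path = urlsplit(url).path            # strip ?query and #fragment before checking
    name = path.rsplit("/", 1)[-1]       # last path segment only
    return name if ZLOB_LURE.match(name) else None


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, url, filename) for every request that fetches a lure file.

    Field layout assumed (Squid native): time elapsed client code/status bytes method URL ...
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue                     # malformed or truncated line, skip it
        client, url = fields[2], fields[6]
        name = lure_filename(url)
        if name:
            hits.append((client, url, name))
    return hits


# Constructed sample log lines (not real traffic) in Squid native format.
SAMPLE_LOG = """\
1213776001.123    345 10.0.0.15 TCP_MISS/200 51234 GET http://example.invalid/clip/video.exe - DIRECT/203.0.113.9 application/octet-stream
1213776002.456     12 10.0.0.16 TCP_MISS/200 2210 GET http://example.invalid/index.html - DIRECT/203.0.113.9 text/html
1213776003.789    410 10.0.0.17 TCP_MISS/200 51234 GET http://example.invalid/x/VIDEO2.EXE?id=7 - DIRECT/203.0.113.9 application/octet-stream
1213776004.012     80 10.0.0.18 TCP_MISS/200 9000 GET http://example.invalid/video.exe.txt - DIRECT/203.0.113.9 text/plain
""".splitlines()

if __name__ == "__main__":
    for client, url, name in scan_access_log(SAMPLE_LOG):
        print(f"ALERT Trojan.Zlob lure requested: {client} -> {url} ({name})")
```

On the sample above only the first and third lines are reported; the plain-text download on the fourth line is a near miss that a substring filter on "video.exe" would have flagged.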

other posts about Zlob: