The ZLOB Show: Trojan Poses as Fake Video Codec, Loads More Threats
Description:

Before the holidays, most of the hit television series in the United States such as Desperate Housewives and Grey's Anatomy had their "fall finale" episodes -- their final episodes for the year before they go on hiatus. Naturally, fans of these shows, especially those outside the US, would have already scoured their trusty peer-to-peer networks for digitized copies of these episodes. Forget the fact that the 42-minute videos take about 350MB each in size: a couple of hours spent downloading is nothing compared to the average waiting time of one year for the series' official DVD releases.

For most computer users, this has been a common scenario ever since Fall TV season began last September. Thanks to TiVo, high definition television, broadband Internet, and YouTube, the computing industry has seen digital and streaming media gaining momentum. Apart from television series, computer users can also download or watch full-length movies and news broadcasts, among others. Indeed, computers are no longer just machines for processing data: they are now full-fledged media centers.

Unfortunately, along with this increasing popularity of video download and video streaming, it's no surprise that malware is also attempting to ride on it. One such malware is the ZLOB family of Trojans, whose recent iterations are sprouting practically on a weekly basis.

Much like a TV series.

The pilot

Like most malware families, ZLOB started from humble beginnings. Initially detected in late 2005, its first iterations acted as mere downloaders or watchdogs for other variants. That is, they either simply downloaded possibly malicious files and updated copies of themselves, or they ensured that their counterparts kept running by re-executing the latter's process if it was terminated.

The only thing interesting about these earlier ZLOB variants was the fact that they are also capable of data encryption. Indeed, initial analysis reveals that the first ZLOB iterations also download files that they or other Trojans may use to encrypt data associated with their malicious routines. Thus, they may avoid easy detection and removal, or at the very least hide their real payloads. The latter is especially true when ZLOB started using the same data encryption techniques to hide the information it gathers from an affected system.


Fig.1: Early ZLOB variants download files, which they use to encrypt data associated with their malicious routines, or data gathered from an affected system.

All-new episodes

It wasn't until the second quarter of 2006, though, when ZLOB started making itself known. Such "recognition" came in the form of TROJ_ZLOB.MT, which -- according to the reports received by the Trend Micro Incident Response Team -- may arrive on a system via the following email message:

Subject: Help

Message body:
Hi! How are you?
I started my own website! Can you check it?
It's http://www.{BLOCKED}.com/test . Did you see video?

Thank's!

Once unsuspecting users click on the link, they are indeed redirected to a site that contains a video file. However, this video does not seem to be working because it needs a special codec in order to play properly. Thus, these users are then prompted to download and install the "codec", which is actually a copy of the Trojan.


Fig.2: The Web site contains a video that supposedly needs a codec in order to be played properly. The said "codec" is actually a copy of TROJ_ZLOB.MT.

The mere fact that this ZLOB variant arrives via a spammed email message is already something, as other variants are simply dropped or downloaded by other malware. But for it to use social engineering (and an elaborate one at that) may already be considered a feat. For one, the spammed message does not contain any malicious attachment. Most spammed Trojans would have settled with that. Instead, ZLOB provides a link in an attempt to exploit two vulnerabilities at once: the Internet browser as a venue for malware distribution, and the good old, tried-and-tested human vulnerability.

Secondly, the link the message provides is not entirely malicious. Depending on a user's browser ActiveX control settings, the file is not necessarily downloaded automatically. Finally, even if the file is automatically downloaded, this Trojan displays a fake End-User License Agreement (EULA) in order to make its installation "known" to the "consenting" user.


Fig.3: TROJ_ZLOB.MT displays a fake EULA to trick users into thinking that they are installing a video codec. The Trojan, meanwhile, starts performing its malicious routines in the background. Succeeding variants also use this stealth technique.

Its use of a video codec as a disguise is also notable. As most computer users know, a codec (short for coder-decoder or compressor-decompressor) is a program that encodes and decodes a digital data stream or signal. Media files, being naturally large, are often compressed for easy transmission. If a media file is compressed using a certain codec, that codec must also be present on a system so that the file can be decompressed and played by the system's media player.

At a time when the demand for digital video is at its peak, ZLOB found a viable, gullible target market. After all, the said demand for videos is almost tantamount to an increased demand for codecs. Add the fact that there's a myriad of available formats a video can be encoded into (AVI, MPEG, MP4, and WMV, among others), and that there are numerous codec Web sites easily accessible on the Internet, and all ZLOB needs to do is put up a fake codec Web site and wait for hasty, desperate video watchers to click on the Download Now! link.

That's when the real show starts...


Fig.4: Succeeding ZLOB variants can be downloaded in professional- or legitimate-looking Web sites.

The two-part specials

Despite all its efforts to trick users into running its copies, ZLOB's main routine remained the same: to download files. Indeed, recent variants -- however flashy their disguises are -- still download more ZLOBs into affected systems, if not a deluge of adware or rogue anti-spyware.

Too small a payload for such an elaborate ruse? Hardly. If there's anything to be learned from the changing threat landscape, it's that malware can -- and will -- go to great lengths for profit. This Trojan family is no exception.

Consider the fact that it is capable of downloading both adware and rogue anti-spyware. Then consider the fact that it can download them into the same system. Coincidence? Oxymoronic?

More like a one-two punch of an organized set-up.

Imagine users getting several annoying pop-up advertisements. Then, conveniently, a balloon warning tells them that their computers may be infected by spyware. Unsuspecting users may be tricked into clicking the link that leads to the supposed anti-spyware site. Worse, they may be even tricked into purchasing the said anti-spyware.

Worse still, the credit card information they used for the purchase is stolen. After all, who knows if the said site is the real deal? According to Senior Threat Analyst Jamz Yaneza, some of these alleged anti-spyware sites are actually phishing sites that log an unknowing user's account information. It's not that surprising, come to think of it. And yet, many computer users still fall victim, all because of several pesky advertisements.

And to think that, ironically, the ZLOB authors were (most likely) paid by these advertisers to download and install the adware to begin with.


Fig.5: Recent ZLOB variants download adware and rogue anti-spyware, which may indicate that there is an organized set-up behind their routines.

Apart from the usual downloaders, the ZLOB family also had its share of exceptions when it comes to payloads. TROJ_ZLOB.ALF, for instance, modifies an affected system's registry to alter its DNS (Domain Name System) settings, such that it connects to a remote DNS server that is likely controlled by a remote malicious user. Thus, using this setup, the said remote user can decide what IP address the affected system connects to when the affected user tries to access a domain name.

At the time it was first detected, TROJ_ZLOB.ALF redirected users to adult-themed sites. Of course, by now the DNS server could have been changed already -- perhaps by the highest bidder it was rented to -- so that connections are redirected to other, possibly malicious, sites instead.
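The DNS-changer behaviour described above is something a defender can check for on a host without waiting for a signature. The following is an added example, not code from the TrendLabs post or from Trend Micro: it parses a Windows registry export (a constructed .reg sample is embedded) of the per-interface TCP/IP keys, where Windows keeps the NameServer and DhcpNameServer values, and reports any resolver that is not in an allowlist of the resolvers an organisation expects. The allowlist ranges and the interface GUIDs are hypothetical; the registry path is the standard Windows location for these values.

```python
"""Flag DNS-changer style modifications in a Windows registry export.

Added example (not from the TrendLabs post).  Trojans such as the one
described rewrite the per-interface DNS settings under
HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{GUID}
so that name resolution is answered by a server the attacker controls.
This script parses a .reg export of that key and reports interfaces whose
NameServer or DhcpNameServer values fall outside an allowlist.
"""
import ipaddress
import re

# Resolvers we expect to see (hypothetical corporate ranges for this
# example); anything else is reported.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed .reg export (GUIDs and addresses are made up): one interface
# on DHCP with a normal resolver, and one whose static NameServer has been
# pointed at outside addresses, which is what a DNS changer leaves behind.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}]
"EnableDHCP"=dword:00000001
"DhcpNameServer"="192.168.1.1"
"NameServer"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{66666666-7777-8888-9999-000000000000}]
"EnableDHCP"=dword:00000001
"DhcpNameServer"="192.168.1.1"
"NameServer"="203.0.113.10,203.0.113.11"
"""

KEY_RE = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip"
    r"\\Parameters\\Interfaces\\\{[0-9A-Fa-f-]+\})\]$"
)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_interfaces(reg_text):
    """Return {interface_key: {value_name: string_value}} for the Interfaces subkeys."""
    interfaces = {}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = {}
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:  # only REG_SZ values are of interest here
            interfaces[current][m.group(1)] = m.group(2)
    return interfaces


def resolvers_from_value(value):
    """Windows stores NameServer as a comma- or space-separated list."""
    return [v for v in re.split(r"[,\s]+", value) if v]


def is_expected(address):
    """True if the address parses and lies inside an allowlisted range."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return any(ip in net for net in EXPECTED_RESOLVERS)


def find_suspicious_resolvers(reg_text):
    """Return (interface_key, value_name, resolver) for every unexpected resolver.

    A static NameServer overrides DhcpNameServer, which is exactly what a
    DNS changer sets, so both values are inspected.
    """
    findings = []
    for key, values in parse_interfaces(reg_text).items():
        for name in ("NameServer", "DhcpNameServer"):
            for resolver in resolvers_from_value(values.get(name, "")):
                if not is_expected(resolver):
                    findings.append((key, name, resolver))
    return findings


if __name__ == "__main__":
    for key, name, resolver in find_suspicious_resolvers(SAMPLE_REG_EXPORT):
        guid = key.rsplit("\\", 1)[-1]
        print(f"{guid}: {name} -> {resolver} (not an expected resolver)")
```

On a real host the input would come from `reg export` of the Interfaces key; a static NameServer that appears on a DHCP-configured interface and points outside the organisation's resolvers is the pattern worth alerting on, since it silently overrides whatever DHCP handed out.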

The cliff-hanger

With the popularity of digital media far from waning, one can expect more threats to follow in ZLOB's footsteps before the popular TV shows resume in January. In any case, antivirus and security companies are proactively providing countermeasures in order to protect computer users from these threats. Trend Micro not only currently detects more than a thousand ZLOB variants, it also provides preventive solutions, such as the generic detection pattern POSSIBLE_ZLOB and the Trend Micro URL Filtering Engine, so that files exhibiting characteristics similar to the Trojan's, and the fake codec Web sites it uses, are automatically blocked at the gateway.

Another thing that can be learned from ZLOB is that it simply takes advantage of people's insatiable wants. Unfortunately, no security patch can fix this flaw. Computer users just have to be cautious when visiting Web sites or downloading files to avoid possible infection by this malware.

Or they could come up with their own "workaround fixes", like using applications that can play various media types without needing codecs. This way, fans of Desperate Housewives and Grey's Anatomy can watch their favorite episodes with popcorn, not pop-ups.
