Sunday, December 28, 2008

Zlob updates

The Zlob gang does not seem to be in a holiday mood. They are churning out more domains to spread their badware. Here are some of the new domains and hosting IP addresses:

94.247.3.232
216.240.151.112
78.159.99.52
www.newdllsolution.com (92.241.163.90)
http://brakeplayer.net (94.247.2.183)


One of the sites mentioned above, http://brakeplayer.net (94.247.2.183), hosts a fake media player installer called BrakePlayer. This installer actually installs a nasty kernel-mode rootkit. The following screenshot shows the kernel-mode hooks installed by the rootkit driver:


The backdoor component of this rootkit establishes a connection with a remote rogue server, 85.255.112.188 (whois). VirusTotal scan results for the installer and the rootkit driver can be found here and here respectively.
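The hosts and IP addresses listed above, plus the backdoor's server, can be checked against web-proxy logs. The Python below is an added example, not part of the original post; it assumes a constructed five-field proxy log format (timestamp, client, method, target, destination IP) and uses only the indicators quoted in this post.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the post: hosts serving the Zlob installer, the two
# distribution domains, and the rootkit backdoor's server.
ZLOB_IOCS = {
    "hosts": {"94.247.3.232", "216.240.151.112", "78.159.99.52",
              "92.241.163.90", "94.247.2.183"},
    "domains": {"newdllsolution.com", "brakeplayer.net"},
    "c2": {"85.255.112.188"},
}

# Constructed sample proxy log (not real traffic); the log format is an assumption.
SAMPLE_LOG = """\
2008-12-28T10:02:11 10.0.0.14 GET http://www.example.com/index.html 93.184.216.34
2008-12-28T10:03:40 10.0.0.14 GET http://brakeplayer.net/install/BrakePlayer.exe 94.247.2.183
2008-12-28T10:04:02 10.0.0.14 CONNECT 85.255.112.188:443 85.255.112.188
2008-12-28T10:05:13 10.0.0.22 GET http://WWW.NewDllSolution.com/dl.php 92.241.163.90
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def normalize_host(url_or_host):
    """Lowercased hostname without scheme, port or a leading 'www.'."""
    parsed = urlsplit(url_or_host if "://" in url_or_host else "//" + url_or_host)
    host = parsed.hostname or ""
    return host[4:] if host.startswith("www.") else host

def classify(line):
    """Return (verdict, reason); verdict is 'c2', 'distribution' or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None, "unparsed"
    _ts, client, _method, target, dest_ip = m.groups()
    host = normalize_host(target)
    # Contact with the backdoor server is the higher-severity finding.
    if dest_ip in ZLOB_IOCS["c2"] or host in ZLOB_IOCS["c2"]:
        return "c2", f"{client} -> backdoor server {dest_ip}"
    # Match either the distribution domain or the IP it was observed on,
    # so a rotated domain on a known host is still caught.
    if host in ZLOB_IOCS["domains"] or dest_ip in ZLOB_IOCS["hosts"]:
        return "distribution", f"{client} fetched {target}"
    return None, ""

def scan(log_text):
    """Classify every line; return the list of (verdict, reason) hits."""
    hits = []
    for line in log_text.splitlines():
        verdict, reason = classify(line)
        if verdict:
            hits.append((verdict, reason))
    return hits
```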

Update: BrakePlayer removal procedure has been posted here. Hope that helps :)

6 Comments:

Anonymous Peter said...

First of all, congratulations for your blog. I was searching for info on this alleged video codec and stumbled on your post. I found the codec very fishy, and your blog entry confirmed it, so thanks a lot for that. Here's what happened: I downloaded a video off the web, and it had a DRM protection... I thought it was strange.. In WMP, when trying to play the video, a window opened that said I needed to download a specific codec... Weird but ok... Luckily I found the name of the codec very weird, and also scanned it first with AVG... bingo! Never thought they'd go to such great lengths to infect someone with something nasty... Kudos for the blog
A hello from Portugal

10:16 AM  
Anonymous Peter said...

Here are some screenies of the nasty I talked about, thought you might find them interesting:

http://img411.imageshack.us/img411/3499/22595584dq1.jpg

if you click "YES":

http://img399.imageshack.us/img399/2988/46212617lp4.jpg

if you click "CLICK HERE" then:

http://img165.imageshack.us/img165/4356/74292637vy7.jpg

Here is the nasty:

http://img123.imageshack.us/img123/3365/78108434gz5.jpg

10:31 AM  
Anonymous Peter said...

and here's the automated analysis of the file:

http://www.threatexpert.com/report.aspx?md5=84a35cc0b63b766d154a43a29329b73c

11:05 AM  
Blogger swatkat said...

Hi Peter,

Thanks for visiting the blog. Good that you found out that the codec was a fake one! Yes, recently Zlob gang has started using DRM protection features to push their malware. PrevX had blogged about these incidents earlier:
http://www.prevx.com/blog/104/Malware-exploits-DRM-protection.html

http://www.prevx.com/blog/105/DRM-protection-abused-by-TrojanDRMLive.html

Thanks for posting screenshots and analysis information. Stay safe! Merry Christmas and happy holidays :)

1:47 PM  
Anonymous Dan said...

Hi... I also had this. I consider myself to be fairly PC savvy and have never fallen for anything virus or phishing etc but this one got me. I opened a DRM video file which said it needed to acquire a license, I clicked yes and it asked me if I wanted to install the player. I just didn't even stop to think. It was only seconds later that my brain reminded me that this was unusual. I couldn't find any way of removing it. It wouldn't let me install MS malicious code removal tool either. As it was a new PC I just trashed it and started again from scratch. You lives and learns. Devious as all hell though. natip

8:40 PM  
Anonymous Peter said...

Thanks swatkat. The best to you too.
Keep up the good work! ;)

5:15 PM  