
Is Trojan.Zlob Getting Honest? Naaahh... 

Dec 21, 2007 03:00 AM

New fake codec Web sites often appear out of nowhere (we are pretty used to seeing them) and in most cases if you download and run the "codec" you get infected with a variant of Trojan.Zlob. Nothing new, but this time I found something different. I was testing a fake codec Web site when I came upon a new variant. The installation step is the usual:


Figure 1: Standard installation process

However, after that the browser is started with a Google search for the word “sex.” The interesting part is that while browsing, you will now frequently be faced with this popup:


Figure 2: Frequently recurring message box

Well, I really appreciate the honesty of Zlob telling me I was infected! Clicking the OK button will force the download of “IE Defender,” which is an antispyware application. (IE Defender is also a potentially unwanted application. It is a wannabe malware scanner that is used in conjunction with the Zlob threat. You can find more details about IE Defender in the related write-up here.)

Of course, it’s not over yet. The Zlob also installs a browser helper object (BHO – a module loaded by Internet Explorer, used to integrate added functionality) in order to show the previously mentioned popup during Web browsing. A quick analysis of the BHO revealed some other interesting features. It is capable of hijacking Google results and redirecting them to the IE Defender Web site:


Figure 3: Google search reports a fake error box and a link to pornographic content

A fake error box is shown in the Google results, as well as a link to a pornographic video on YouTube. This is supposed to panic the user, because most users wouldn't want someone else using his or her computer for an innocent Google search and then find a link to pornographic content in the search results. (Incidentally, you might notice that the search word I used was “potato.”) Clicking the error box will bring the user to the IE Defender Web site.
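Because the popup and the search-result hijacking both come from a BHO, the first triage step on a suspect machine is to list which BHOs Internet Explorer will load and where their DLLs live. The script below is an added example, not part of the original post or of any Symantec tool; it only reads the registry and the signature of each resolved DLL, and the registry paths are the standard BHO and CLSID locations (the Wow6432Node variants cover 32-bit IE on 64-bit Windows).

```powershell
# Added example: enumerate registered Browser Helper Objects and resolve each
# CLSID to the DLL it loads, so an unfamiliar or unsigned one stands out.
# Read-only; run from an elevated PowerShell prompt.
$bhoKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
  'HKLM:\SOFTWARE\Classes\CLSID',
  'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
  'HKCU:\SOFTWARE\Classes\CLSID'
)

function Get-RegisteredBho {
  foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($entry in Get-ChildItem $key) {
      $clsid = $entry.PSChildName
      $name  = (Get-ItemProperty $entry.PSPath).'(default)'

      # The CLSID's InprocServer32 default value is the DLL path IE will load.
      $dll = $null
      foreach ($root in $clsidRoots) {
        $server = Join-Path $root "$clsid\InprocServer32"
        if (Test-Path $server) {
          $dll = (Get-ItemProperty $server).'(default)'
          break
        }
      }

      # An unsigned or missing DLL is a strong hint that this entry deserves a closer look.
      $sig = if ($dll -and (Test-Path $dll)) {
        (Get-AuthenticodeSignature $dll).Status
      } else { 'MISSING' }

      [pscustomobject]@{
        CLSID     = $clsid
        Name      = $name
        Dll       = $dll
        Signature = $sig
      }
    }
  }
}

Get-RegisteredBho | Format-Table -AutoSize
```

Compare the resulting DLL paths against what you expect on a clean build of the same image; an entry with no friendly name, a DLL in a user-writable directory, or a `NotSigned` status is what to hand to your antivirus vendor or scan with current definitions.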

If the annoying popup was not enough, surely an error message from Google will make you think twice about the potential dangers! We know very well how these threats can spoof legitimate Web sites or security products in order to convince a user to buy their own security applications. Google is not the only one being targeted. Further analysis reveals that Yahoo is also supposedly reporting the same behavior:


Figure 4: Yahoo search shows a fake error box

Not only do you see a fake error box in the search results, but also the first legitimate result is hijacked so that if it is clicked it will redirect the user to the IE Defender fake online scan Web site. Also, Live Search is not immune:


Figure 5: A legitimate search result in Live Search has been redirected

In this case there are no fake error boxes shown in the search results, but the first legitimate result entry is hijacked in order to point to the IE Defender Web site. In addition, the MySpace and MSN Web sites are targeted with the same technique.

Interestingly, if you decide to download IE Defender and run a scan, it will actually detect the Zlob infection. Of course you have to pay if you want to clean up the reported infection. So it looks like Zlob is really kind: after infecting your system it will reveal that your system is infected. Then it tries to redirect you to a Web site where you can download antispyware software that is supposedly able to remove it (for only $38.95 USD). What a lovely Trojan! I didn't actually purchase the IE Defender software, because it would probably do more harm than good. I'd rather let my Symantec products (with the latest definitions, of course) take care of the antispyware work!
