ZLOB Crosses Over
November 1st, 2007 by Carolyn Guevarra (Technical Communications)
ZLOB Trojans, which proliferated in 2006, are known for using fake codec downloads as a social engineering technique to entice users into downloading the malicious software onto their systems. Initially, they were known to affect Windows-based platforms only. Today, this Trojan family seems to be crossing over to the “other side”.
Intego, which recently partnered with Trend Micro to directly distribute Mac security products, tipped off Macworld to the existence of a ZLOB Trojan that affects Mac OS X. Intego reports that the malware disguises itself as a video program that, when opened, displays a message that a codec is needed to run the program properly. In the background, however, it downloads and then launches an installer that asks the user to enter an administrator password. ZLOB variants are notorious for this type of routine. Thus, Trend Micro detects the said malware as TROJ_ZLOB.GAF.
It can be downloaded from the Web site http://{BLOCKED}tracodec.com/download/ and arrives as a .DMG file, the common format used by Mac installers. Depending on the IP address that downloads the Trojan, this Web site returns a copy of the Trojan with a different MD5 sum. Note that Trend Micro created the detection OSX_DNSCHAN.A for the DMG file and UNIX_DNSCHAN.A for the Bash script file inside the said DMG.
Malware is crossing over. Mac fandom, beware!
Data provided by Trend Micro Senior Software Engineer Feike Hacquebord. Additional information from Elizabeth Bookman.

