Monday, December 22, 2008

Zlob updates

Here are some of the new domains spreading the Zlob trojan:

http://vidzwares.com (92.241.163.90)
http://light-player.net (94.247.2.183)
http://fire-player.net (93.190.140.48)
http://downloadallsoft-now.com (94.247.3.228)
http://myprivatetubes09.net (91.208.0.221)


One of the Zlob variants (named wmpcdcs.exe, hosted at http://myprivatetubes09.net) uses the Microsoft Windows Background Intelligent Transfer Service (BITS) to communicate with rogue servers and transfer data. Since BITS is a trusted Windows component, firewalls don't block it, which makes it easy for malware to download files from remote servers (info here and here). An automated analysis of this malware is available at ThreatExpert here.
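Because the transfer runs inside a trusted service, the place to look is the BITS job queue on the host rather than the firewall. The PowerShell below is an added example, not code from this post or from ThreatExpert: it reports queued BITS files whose remote host is not on an allowlist. The function name, the allowlist entry and the sample jobs are assumptions constructed for illustration.

```powershell
# Added example. Find-SuspiciousBitsJob and its parameters are illustrative names.
function Find-SuspiciousBitsJob {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Job,
        # Hosts expected to serve BITS downloads here (assumption; tune per environment).
        [string[]]$AllowedHosts = @('download.windowsupdate.com'),
        # Local file types that raise the priority of a finding.
        [string[]]$RiskyExtensions = @('.exe', '.dll', '.scr', '.bat')
    )
    process {
        foreach ($file in $Job.FileList) {
            $uri = $null
            $ok = [Uri]::TryCreate([string]$file.RemoteName, [UriKind]::Absolute, [ref]$uri)
            $remoteHost = if ($ok) { $uri.Host.ToLowerInvariant() } else { '' }
            # Allowlisted hosts are skipped; everything else is reported.
            if ($ok -and ($AllowedHosts -contains $remoteHost)) { continue }
            $ext = [IO.Path]::GetExtension([string]$file.LocalName).ToLowerInvariant()
            [pscustomobject]@{
                Job        = $Job.DisplayName
                Owner      = $Job.OwnerAccount
                State      = $Job.JobState
                RemoteHost = $remoteHost
                RemoteName = $file.RemoteName
                LocalName  = $file.LocalName
                Priority   = if ($RiskyExtensions -contains $ext) { 'high' } else { 'review' }
            }
        }
    }
}

# Constructed sample jobs shaped like Get-BitsTransfer output (hosts and paths are made up).
$sample = @(
    [pscustomobject]@{
        DisplayName = 'Update job'; OwnerAccount = 'NT AUTHORITY\SYSTEM'; JobState = 'Transferring'
        FileList = @([pscustomobject]@{
            RemoteName = 'http://download.windowsupdate.com/sample.cab'
            LocalName  = 'C:\Windows\SoftwareDistribution\Download\sample.cab' })
    },
    [pscustomobject]@{
        DisplayName = 'codec'; OwnerAccount = 'DESKTOP\user'; JobState = 'Transferred'
        FileList = @([pscustomobject]@{
            RemoteName = 'http://files.example.test/setup.exe'
            LocalName  = 'C:\Users\user\AppData\Local\Temp\setup.exe' })
    }
)
$sample | Find-SuspiciousBitsJob | Format-List

# On a live host, from an elevated prompt:
#   Get-BitsTransfer -AllUsers | Find-SuspiciousBitsJob
```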
