12 November 2007 16:25 GMT
Zlob. It's all in the name. Well, initials at least.
As a follow-up to the recent move by the Zlob crew to target Mac users [1,2] in addition to Windows users [3,4], we have been monitoring some of the fake codec sites from which they distribute their SFX and DMG installers.
For some time, the person(s) behind Zlob have registered batches of domains on certain dates. For example, October 2007 saw a fair amount of activity with numerous codec-related registrations on the 4th, and porn-related ones on the 18th. All the Zlob-codec domain names I checked were registered with Estdomains Inc. Of course, the details provided at the point of domain registration should be taken with a pinch of salt as they are often bogus. Nonetheless, you can often find patterns in the details which can help to link certain attacks.
Zlob is no different. For some time now, whoever is registering the domain names for the fake codec sites and (at least some of) the porn sites has been using their own ‘pattern’. For several batches of domains where the domain registrant name is different, the initials have been constant. To pluck just a few examples out:
Late 2006:
hificodecs (dot) com - Hione Reyes (HR)
playcodecs (dot) com - Hilary Reed (HR)
Apr 2007:
greatcodec (dot) com - Nilda Otero (NO)
hotelcodec (dot) com - Nigel Ottman (NO)
Oct 2007:
citycodec (dot) com - Timothy Seely (TS)
turbocodec (dot) net - Tim See (TS)
popcodec (dot) net - Tiffany Seifert (TS)
For those interested, it would appear Hione, Hilary, Nilda, Nigel, Timothy, Tim and Tiffany all reside in New York. Probably not too far away from Hindy and Hitoshi:
Oct 2007:
qazsex (dot) com - Hindy Sabel (HS)
pornnitro (dot) net - Hitoshi Sakurai (HS)
These latter two sets of registrant details were extracted from two of the recently registered domains used for hosting porn content that ultimately directs people to the fake codec site (in order to ‘see the movie’ or whatever).
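The registrant-initials pivot described above, as an added example that is not part of the original post: given WHOIS-style records (constructed here from the defanged domains and names quoted on this page; the creation dates other than the 4th and 18th October 2007 are illustrative), it groups domains that share registrant initials, and then tightens the grouping to same-day batches so that a lone coincidence does not surface.

```python
import re
from collections import defaultdict

# Constructed sample of WHOIS-style registrant records. Domains and names are
# the defanged examples from the post; only the 2007-10-04 and 2007-10-18
# dates are stated there, the others are illustrative. The last record is a
# constructed control whose initials match nothing else.
RECORDS = [
    {"domain": "hificodecs (dot) com", "registrant": "Hione Reyes",     "created": "2006-12-01"},
    {"domain": "playcodecs (dot) com", "registrant": "Hilary Reed",     "created": "2006-12-01"},
    {"domain": "greatcodec (dot) com", "registrant": "Nilda Otero",     "created": "2007-04-12"},
    {"domain": "hotelcodec (dot) com", "registrant": "Nigel Ottman",    "created": "2007-04-12"},
    {"domain": "citycodec (dot) com",  "registrant": "Timothy Seely",   "created": "2007-10-04"},
    {"domain": "turbocodec (dot) net", "registrant": "Tim See",         "created": "2007-10-04"},
    {"domain": "popcodec (dot) net",   "registrant": "Tiffany Seifert", "created": "2007-10-04"},
    {"domain": "qazsex (dot) com",     "registrant": "Hindy Sabel",     "created": "2007-10-18"},
    {"domain": "pornnitro (dot) net",  "registrant": "Hitoshi Sakurai", "created": "2007-10-18"},
    {"domain": "unrelated-control (dot) org", "registrant": "Maria Lopez", "created": "2007-10-04"},
]


def initials(name):
    """Upper-case initial of each alphabetic word in a registrant name."""
    return "".join(w[0].upper() for w in re.findall(r"[A-Za-z]+", name))


def cluster_by_initials(records, min_size=2):
    """Group domains whose registrant names share initials.

    Returns {initials: [domains]} for clusters of at least min_size domains;
    singletons are dropped so a one-off match is not reported as a link.
    """
    groups = defaultdict(list)
    for rec in records:
        groups[initials(rec["registrant"])].append(rec["domain"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_size}


def cluster_by_batch(records, min_size=2):
    """Tighter pivot: same creation date AND same registrant initials."""
    groups = defaultdict(list)
    for rec in records:
        key = (rec["created"], initials(rec["registrant"]))
        groups[key].append(rec["domain"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_size}


if __name__ == "__main__":
    for key, domains in sorted(cluster_by_batch(RECORDS).items()):
        print(key, domains)
```

The same grouping works on real registrar output once the records are parsed into the dict shape above; the control record shows that a registrant sharing a date but not initials stays out of the cluster.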
One thing is for sure - the folks behind Zlob have clearly enjoyed success with their methods of infecting users over the past 18 months (and more) and they are not about to stop now. More likely they will become more inventive with their social engineering and distribution methods (for example see the use of fake GooglePack installers as blogged by the folks at SunBelt [5]).
Fraser Howard, SophosLabs UK
