A Closer Look at Zlob Trojans

The war against Zlob Trojans rages on. This online enemy goes by many names (Zlob, fake codecs, Zlob codecs, Smitfraud Trojans), but whatever alias is used, its devious tactics and growing prevalence on the web are undeniable. Learn more about the Zlob family of Trojans and how you can keep this untamed online threat off your system.

The Ever-Present Zlob

Zlob Trojans, similar to the closely related Vundo Trojans, are malware that usually masquerade as a codec needed to play a video, and then install adware or malware on an unsuspecting user's system.

"This is absolutely the worst infestation right now on the Internet - certainly the most widely known and seen in the security forums," says Janie "Calamity Jane" Whitty, a Lavasoft malware removal and prevention expert and Support Forums administrator.

To avoid getting infected with this underhanded malware, all it takes is a little caution and awareness of the problem.

The Trickery

How do you get infected in the first place? The usual scenario is that you attempt to download a video, only to receive a message that a special codec is needed to view it. After this prompt, you install the required "codec". You may even have to accept an End User License Agreement (EULA), which either spells out exactly what will be downloaded onto your machine or is a fake shown to make you believe the download is legitimate.

Once you install the program, you begin seeing loads of unwanted adware. A "nag" screen takes over your desktop in the form of a security warning or as a pop-up telling you your system is infected. The message demands that you run a scan or buy a specific "anti-spyware program" in order to fix your PC.

Below is an example of a request message prompting you to download a fake codec.

The Tactic

Where did you go wrong? The required codec was actually a fake, a Zlob Trojan capable of downloading more of its kind onto your system, along with a variety of adware and rogue anti-spyware. Messages you receive post-infection - another sneaky component - often mimic valid programs (like Windows Security Center) and many of the rogue anti-spyware programs imitate popular anti-spyware software (like Lavasoft's Ad-Aware) to feign legitimacy.

The popularity of downloading and watching videos online, combined with users not finding out exactly what they are downloading onto their PCs, is the perfect environment to keep Zlobs alive and thriving. These fake codecs are a frequently used ploy, delivered through various methods, including websites, e-greeting cards, and instant messages, that rely on the vulnerability of unsuspecting computer users. Along with that, Zlob developers spew out new Zlob Trojans daily in an attempt to avoid detection by anti-spyware and anti-virus software.

"Despite our efforts, Zlob is still winning and it remains the number one public enemy, of this malware researcher anyway. Just take a look in the forums, our forums - ANY security forums and people are still coming in droves and hordes needing help to remove this malware. It is constantly changing and jumping domains to avoid detection," Whitty says.

Winning Strategies

How can you avoid falling for fake codecs? The first step is reading EULAs and privacy statements carefully before installing anything on your computer. If the EULA is hard to find or difficult to understand, reconsider installing the software. By not fully reading the EULA, you may agree to questionable activities by the software vendor and even to installing spyware and adware on your computer.

"Users need to be warned about these fake codecs. My own experience with these codecs is that if people would just read the EULAs of the software they download they would see that they are getting additional (and possibly unwanted) adware and spyware in that fake codec," according to Whitty, who answers victims' daily cries on the forums for help to remove this malware.

Lavasoft researchers are also in a constant battle with this Internet nasty, finding new variants of the Zlob family of Trojans and putting them into detection on a daily basis. Currently, the Zlob family of Trojans is among the largest families of malware in Lavasoft's Detection Database.

Quick Tips for Zlob Prevention

  • Use up-to-date real-time protection. Real-time protection is key in keeping malware off your system. Ad-Aware's real-time protection, through the Ad-Watch Live! feature, blocks malicious processes and infected programs that try to start or run on your PC.
  • Be leery of adult content videos. Zlob Trojans often masquerade as codecs needed to view pornographic videos. If you see a link for "free porn", chances are it's a sure way to get your PC infected.
  • Watch out for fake anti-spyware software. Never pay for a program that installed itself on your computer. This is a hallmark of rogue software.
  • Verify files before downloading. Never download software or a file without knowing exactly what it is. If you are unsure about a certain download, verify it by using an online virus scanner site or check with an expert at an online security forum, like Lavasoft's Support Forums.