We found something interesting recently — a variant of the Zlob fake codec which checks to see if you’ve visited a number of sites. Now, this isn’t unusual, but one thing we did see was the addition of the SunbeltBlog.
What does this mean? If the Trojan sees that Sunbeltblog has been visited, it won’t pull down extra malware.
The Trojan contains two exported functions:
One returns the version of the Trojan installer to the installer script, reading it from the installer executable file.
The other calls the routine that lists URLs from the browser's 'visited' cache.
It checks for a number of addresses, such as ?ozyfrog(dot)com, adultchamber(dot)com, askdamagex(dot)com… and sunbeltblog.com.
If none of these addresses are found in the browser cache, it will search for them in the following registry key:
If any of the addresses are found, the function returns the string "1" to the installer script; if none are found, it returns "0". Only when "0" comes back does the Trojan make an HTTP GET request to download the additional malware components.
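To make the gating logic concrete, here is a small model of the check, written for this post as an added illustration. It is not code from the sample or from Sunbelt; the WinInet cache enumeration and the registry read are replaced with plain lists so it runs anywhere. The "Visited: user@http://..." entry format is how the WinInet history container stores visited URLs, and the registry key is not named in the post, so both the entry layout and the registry values are assumptions. The three watched domains are the ones the post names; the real list is longer. The domain-suffix matching (rather than a raw substring search) is my choice, since the post does not say how the Trojan compares the strings.

```python
"""Model of the Zlob variant's "have you visited one of these sites?" gate.

Added example, not the sample's own code. The installer DLL reportedly
enumerates the browser's visited-URL cache, falls back to a registry key
(not named in the post) and hands the installer script the string "1"
(seen) or "0" (not seen); only "0" leads to the HTTP GET for the extra
components. Lists stand in for the WinInet and registry reads here.
"""
from urllib.parse import urlsplit

# Domains named in the post; the real list is longer.
WATCH_DOMAINS = ("adultchamber.com", "askdamagex.com", "sunbeltblog.com")


def host_of(entry: str) -> str:
    """Return the lower-cased hostname of a history or registry entry.

    WinInet history entries look like "Visited: user@http://host/path"
    (assumed layout); registry values are usually bare URLs. Strip the
    "Visited:" label and the "user@" prefix before parsing.
    """
    entry = entry.strip()
    if entry.lower().startswith("visited:"):
        entry = entry.split(":", 1)[1].strip()
    if "@" in entry.split("://", 1)[0]:      # "user@http://..." form
        entry = entry.split("@", 1)[1]
    if "://" not in entry:                   # tolerate scheme-less values
        entry = "http://" + entry
    return (urlsplit(entry).hostname or "").lower()


def matches_watchlist(host: str, watch=WATCH_DOMAINS) -> bool:
    """True if host is a watched domain or a subdomain of one.

    Suffix matching on a dot boundary avoids the substring trap where
    "notsunbeltblog.com" would count as a visit to sunbeltblog.com.
    """
    return any(host == d or host.endswith("." + d) for d in watch)


def visited_flag(cache_entries, registry_values, watch=WATCH_DOMAINS) -> str:
    """Replicate the export's result: "1" if any watched site appears in the
    browser cache; only if the cache has no hit is the registry consulted;
    "0" if neither source contains one."""
    for source in (cache_entries, registry_values):
        if any(matches_watchlist(host_of(e), watch) for e in source):
            return "1"
    return "0"


def would_download(flag: str) -> bool:
    """The installer script fetches the extra components only on "0"."""
    return flag == "0"


# Constructed sample data (not taken from a real machine).
SAMPLE_CACHE = [
    "Visited: bob@http://www.example.com/index.html",
    "Visited: bob@http://notsunbeltblog.com/",   # substring trap, no match
    "Visited: bob@http://news.bbc.co.uk/",
]
SAMPLE_REGISTRY = [
    "http://www.sunbeltblog.com/2007/",          # subdomain of a watched site
]


def demo() -> dict:
    """Run the gate with and without the registry fallback."""
    return {
        "cache_only": visited_flag(SAMPLE_CACHE, []),
        "with_registry": visited_flag(SAMPLE_CACHE, SAMPLE_REGISTRY),
    }


if __name__ == "__main__":
    for name, flag in demo().items():
        print(f"{name}: flag={flag} download={would_download(flag)}")
```

With the constructed cache alone the gate returns "0" and the download would proceed; once the registry value for www.sunbeltblog.com is present it returns "1" and the extra components are never fetched. The same logic is what makes a "vaccination" entry in the history effective against this variant.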
One can speculate that the Trojan looks for the other sites to possibly protect certain affiliates (who don’t want to have the extra malware coming down to their users). But the addition of the Sunbeltblog is interesting, as this blog has historically been quite vocal on the subject of fake codecs. Perhaps they don’t want readers of the blog (many of whom are in the security space) to get the “additional” features…
If you read the blog, you won't get Zlob.