Zlob Trojan variant now threatens Mac OS X systems

Wiz Feinberg · Post by **Wiz Feinberg** » 2 Nov 2007 12:01 pm

From the Trend Micro Blog of November 1, 2007:

ZLOB Crosses Over
<small>November 1st, 2007 by Carolyn Guevarra (Technical Marketing)</small>

ZLOB Trojans, which proliferated in 2006, are known for using fake codec downloads as their social engineering technique to entice users into downloading the malicious software on their systems. Initially, they are also known to affect Windows-based platforms only. Today, this Trojan family seems to be crossing over to the “other side”.

Intego, who recently partnered with Trend Micro to directly distribute Mac security products, tipped Macworld of the existence of a ZLOB Trojan that affects Mac OS X. Intego reports that the malware disguises itself as video program that when opened, displays a message that a codec is needed to run the program properly. In the background, however, it downloads then launches an installer that asks the user to enter administrator password. ZLOB variants are notorious for this type of routine. Thus, Trend Micro detects the said malware as TROJ_ZLOB.GAF.

I advise caution while browsing the Internet, no matter what OS you are using. There are threats in the wild looking to infect your computer, whether it runs on Unix, Linux, Macintosh, Windows, BeOS or atoms.

Michael Douchette · Post by **Michael Douchette** » 4 Nov 2007 5:09 pm

Wiz, so if this pops up, and you do not accept the codec that is "needed," your Mac remains ok? Or does it do it anyway, acceptance or not? I just got my first Mac, and I'd hate to have YouTube or something make it worthless.

Wiz Feinberg · Post by **Wiz Feinberg** » 4 Nov 2007 11:13 pm

Michael Douchette wrote:Wiz, so if this pops up, and you do not accept the codec that is "needed," your Mac remains ok? Or does it do it anyway, acceptance or not?

Michael;
In the case of the Mac variant of the Zlob Trojan the user must accept the installation of the infected "codec," which elevates the installer program to root privileges, giving the Trojan full control over the computer. To my knowledge the installer cannot do a stealthy install, without user interaction. This is the same as the new "UAC" (User Access Control) under Windows Vista. However, if a Mac user was tricked into visiting a hostile web page that hosts a Mac-friendly Trojan, and that person thinks they are getting a useful program to play a desirable video, nothing is going to stop them from infecting their own computer, come hell or high water.

In my spam analysis, on my blog, I have been following various types of spam and scams, some of which are sent by computers infected with the Storm, or Zlob Trojans. The email messages spammed from these Zombie computers use all kinds of social engineering tricks to get gullible folks to install the same malware package on their own computers. Judging by the huge number of machines that have been drafted into Storm Botnets, I'd have to say the writers know what they are doing. They use cats, animations, NFL score trackers, games, current events and postcard scams to fool people into following links to infected host computers, which then offer them irresistible text and links to infect themselves. As long as people are willing to act foolishly it doesn't matter whether they are using a PC or a Mac.

Jack Stoner · Post by **Jack Stoner** » 5 Nov 2007 3:43 am

Here's another article on the Leopard's Firewall
"leopard's firwall a mess"

Read the article about the Leopard Firewall

<small>Edited by Wiz to fix long URL</small>

basilh · Post by **basilh** » 9 Nov 2007 2:05 pm

JACK .. my screen's running out into next door..
I, and others (I suppose) would love to read this post WITHOUT having to scroll

Jack Stoner · Post by **Jack Stoner** » 9 Nov 2007 3:10 pm

Basil, with my I.E.7 browser, it's not overflowing into an extra wide screen??? It fits into the "normal" Forum screen that I always see.

basilh · Post by **basilh** » 9 Nov 2007 3:43 pm

Obviously MY Fault for using Firefox.

basilh · Post by **basilh** » 9 Nov 2007 4:01 pm

FULL screensnapshots on my Formac 17" set to my NORMAL resolution i.e. 1024 X 768 (Stretched) higher than the 'average'

basilh · Post by **basilh** » 9 Nov 2007 4:04 pm

Jack Stoner wrote:Here's another article on the Leopard's Firewall
"leopard's firwall a mess"

Click Here

That's what would be tidier..

basilh · Post by **basilh** » 9 Nov 2007 4:14 pm

So, how can I configure Firefox to display the long url as wrapped lines ?

Wiz Feinberg · Post by **Wiz Feinberg** » 9 Nov 2007 5:32 pm

I have edited the URL in Jack's post to eliminate the horizontal scrollbar.

Basil. You cannot make Firefox wrap that URL. It is treated the same as a HR tag that has a stated width that exceeds the viewport of the browser.

basilh · Post by **basilh** » 9 Nov 2007 5:41 pm

Thanks Wiz, you're a REAL "Wiz"
Baz

Wiz Feinberg · Post by **Wiz Feinberg** » 9 Nov 2007 5:58 pm

Internet Exploder will wrap long text in HTML "textarea" tags, if the proprietary attribute "wrap=" is included in the tag. Firefox ignores "wrap" attributes in textarea tags. The reason is that the W3C did not approve that attribute for inclusion in the HTML 4.01, or in the XML specifications. Firefox tends to stick to those specifications, while IE allows for proprietary and non-standard attributes, depending on the stated DOCTYPE in the document HEAD.