Thursday, December 27, 2007

Mac OS X: 2007 Year Ender for Zlob

Zlob has been proliferating on the Windows platform since 2005. It started out as a simple trojan downloader and stealer, capable of checking for and installing updates of itself.

Then, last year, this trojan stood out from the crowd of competing malware. A new variant reached users via email, employing social engineering to lure them into clicking a link to a video. The video, however, would not play without installing a "required" codec. This trick persuades the user to install the fake codec; unknowingly, the user has just installed the malware!

The boom in file shares, free downloads, blogs and social websites has made this a perfect time for Zlob to infiltrate networks. Evidently, the growing number of domain names and clicks has kept Zlob visible in search engines.

Yes, all of this worked on Windows until late this year (November), when the trojan crossed over to the Mac, specifically OS X. Suddenly, a set of domain names serves installers for both Windows and Mac users. The domains hosting the Zlob fake codec for Mac users never sleep: they stay online 24x7 and their number keeps growing. It's out there in the wild!


These sites are smart enough to check whether you are running Windows or a Mac, and then serve the matching installer: a Windows executable (EXE) or a Disk Image (DMG) for the Mac.

Who's behind Zlob? Let's investigate its network connection ...

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Web Site: http://codecdemo.com

A-->64.28.184.189--PTR->64.28.184.189-rev.cernel.net
NS-->ns1.codecdemo.com---A-->64.28.181.226--PTR->64-28-181-226-rev.cernel.net
NS-->ns2.codecdemo.com----A-->64.28.181.227--PTR->64-28-181-227-rev.cernel.net
MX-->10 mail.codecdemo.com--A-->64.28.184.164--PTR->64-28-184-164-rev.cernel.net

NET ----> gw1.cernel.net [ 64.28.176.1]--> AS27595

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Intercage [AS27595] is hosted by Atrivo in the US, which is apparently related to the Russian Business Network (RBN). This host serves different domain names related to fake codecs and rogue applications such as SpySheriff, WinSpyKiller, AntiVirGear and many more.
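As an added example (not code from the original post), here is a small detector that a proxy or web-filter owner could run over their logs: it flags requests to the codecdemo.com domain, its resolved IPs and the rev.cernel.net reverse-DNS block recorded above, and notes whether the hit was a DMG or EXE installer served to a Mac or Windows user agent, matching the OS check described earlier. The log format is hypothetical (a proxy log enriched with the destination's PTR), the sample lines are constructed, and the "same hosting block" pivot on the PTR suffix is an assumption drawn from the lookups above.

```python
import re
from ipaddress import ip_address

# Indicators taken from the write-up above: the domain and the IPs it resolved to.
IOC_DOMAINS = {"codecdemo.com"}
IOC_IPS = {ip_address(a) for a in ("64.28.184.189", "64.28.181.226",
                                    "64.28.181.227", "64.28.184.164")}
# Assumed pivot: every PTR above ends in rev.cernel.net, so treat that suffix as related.
IOC_PTR_SUFFIX = "rev.cernel.net"
INSTALLER_EXT = re.compile(r"\.(dmg|exe)(\?|$)", re.IGNORECASE)

# Hypothetical enriched proxy log: "<ts> <client> <dst_ip> <dst_ptr> <method> <url> \"<ua>\""
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<dst_ip>\S+) (?P<ptr>\S+) '
                    r'(?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

def classify(line):
    """Return the reasons a log line looks like a fake-codec download (empty if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    host_m = re.match(r"https?://([^/:]+)", m["url"])
    host = host_m.group(1).lower() if host_m else ""
    reasons = []
    if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
        reasons.append("known fake-codec domain")
    try:
        if ip_address(m["dst_ip"]) in IOC_IPS:
            reasons.append("known fake-codec IP")
    except ValueError:
        pass  # dst_ip column was not an IP address
    if m["ptr"].endswith(IOC_PTR_SUFFIX):
        reasons.append("reverse DNS in same hosting block")
    # The sites serve a DMG or EXE depending on the visitor's OS; record which one was hit.
    if reasons and INSTALLER_EXT.search(m["url"]):
        ua = m["ua"]
        platform = "Mac" if "Macintosh" in ua else "Windows" if "Windows" in ua else "other"
        reasons.append(f"installer download served to {platform} user agent")
    return reasons

def scan(text):
    """Return (client, reasons) for every flagged line; clean and blank lines are skipped."""
    hits = [(l.split()[1], classify(l)) for l in text.splitlines() if l.strip()]
    return [(client, why) for client, why in hits if why]

# Constructed sample lines (not real traffic); IPs and PTRs echo the write-up's indicators.
SAMPLE_LOG = """\
2007-12-20T10:01:02 10.0.0.5 64.28.184.189 64.28.184.189-rev.cernel.net GET http://codecdemo.com/install.dmg "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) Safari/523.10"
2007-12-20T10:01:09 10.0.0.7 64.28.184.189 64.28.184.189-rev.cernel.net GET http://codecdemo.com/codec.exe "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
2007-12-20T10:02:00 10.0.0.9 198.51.100.10 example.org GET http://example.org/index.html "Mozilla/5.0 (Windows NT 5.1)"
"""
```

Running `scan(SAMPLE_LOG)` flags the first two clients (one Mac DMG, one Windows EXE) and ignores the third.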

In conclusion, the massive increase in sophisticated and organized cyber crime boils down to the pursuit of profit, and Mac users are no longer the subject of mere proof-of-concept code. The world's most notorious attackers are now introducing web-based cross-platform malware, and this should raise awareness.

Thursday, December 20, 2007

Apple Security Updates: Significant Increase this Year

Last December 17, Apple released its 9th Security Update of this year. It fixes multiple vulnerabilities in Mac OS X that were rated highly critical and could lead to privilege escalation, system access and denial of service. Nearly half of the update addresses vulnerabilities that, if successfully exploited, allow execution of arbitrary code.

This year we saw 5 large updates. The first, released in March, fixed 32 vulnerabilities; it was followed by updates in April, July, November and this month. These 9 security updates from Apple have fixed almost 200 bugs, which is about half of last year's count.

Apparently, the growing popularity of Macintosh computers will continue this trend, attracting more and more attackers. This is one of the hot topics to watch for next year, 2008.

Reference:
For the complete list of Apple Security Updates: http://docs.info.apple.com/article.html?artnum=61798

2007 Mac OS X Vulnerability Impact (source: Secunia)