Zlob trojan in the Firefox Admin cache

nordloewelabs

Senior member
Mar 18, 2005
yesterday i ran a few virus scans (Kaspersky SOS, FSecure, TrendMicro, Avast, BitDefender) on my C: drive. some of those scans reported that one of the files in my (constantly updated) Firefox cache was infected with a Zlob trojan.

after checking "about:cache" i discovered that the trojan was downloaded last month while i was logged in as Admin, downloading and installing Windows updates. :-( i never leave my Restricted account for anything besides updating Windows.... that day i only spent some 10min browsing as Admin! all i did then was browse TechNet plus do a few searches on Google (searches about one of the patches MS had released that day -- really!!! no pr0n, warez or games!). my guess is that some ad banner got the trojan into my cache....

btw, i visit Secunia *monthly* and i always keep all my software updated. it's also worth noting that none of the AV scans i ran found anything irregular on my memory, WINDOWS folder or SYSTEM32 folder! and neither SpyBot nor AdAware found any problems either. i also have ZoneAlarm and i've never let Firefox act as a server.

i'll probably format the system and re-install everything again, but i'd like to know if the system got compromised, anyway.
how can i know if the said trojan actually *infected* my system?

any suggestions deeply appreciated. i'm running XP Home SP-2 (constantly updated).

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
Could you post a Hijack This log? download link

You probably are aware of this already, but when logged onto WinXP or Win2000 as the Admin, you can still run your browser at low privilege level, just right-click it while holding SHIFT, Run As, and pick your low-rights account. As long as the low-rights account has a password. Given that the bad guys now try to poison Google sometimes (among other things)... could be a good idea.

nordloewelabs

Senior member
Mar 18, 2005
right now i don't have access to the "possibly" infected PC....
i'll be at it in about 1hr...

regarding RUN AS, i know the trick. i've even used its Command Prompt version a few times to be able to execute CACLS. i've tried RUN AS from within the Admin account but it has never worked. i remember reading about the "must be password-protected" requirement, but it didn't work anyway. i prolly messed up something when i tried it. i'll give it a shot again later. it has always bothered me that i could not run apps as a Restricted user while logged in as Admin.

i ran a whois on the domain from where the trojan was downloaded, but the result page said that the domain was "inactive".

this is the Trojan (same MD5) description i got from Sunbelt:
http://research.sunbelt-softwa...iewMalware.aspx?id=220

from what i understood, the trojan doesn't create any new files, besides those temp ones. and even those, according to the description, are deleted.

this whole odyssey just stresses the importance of using Firefox and Restricted accounts.... Zlob seems to attack as an ActiveX plugin. i wonder if even a *patched* XP system can get infected by it....

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
Originally posted by: nordloewelabs
right now i don't have access to the "possibly" infected PC....
i'll be at it in about 1hr...

regarding RUN AS, i know the trick. i've even used its Command Prompt version a few times to be able to execute CACLS. i've tried RUN AS from within the Admin account but it has never worked. i remember reading about the "must be password-protected" requirement, but it didn't work anyway. i prolly messed up something when i tried it. i'll give it a shot again later. it has always bothered me that i could not run apps as a Restricted user while logged in as Admin.

i ran a whois on the domain from where the trojan was downloaded, but the result page said that the domain was "inactive".

this is the Trojan (same MD5) description i got from Sunbelt:
http://research.sunbelt-softwa...iewMalware.aspx?id=220

from what i understood, the trojan doesn't create any new files, besides those temp ones. and even those, according to the description, are deleted.

this whole odyssey just stresses the importance of using Firefox and Restricted accounts.... Zlob seems to attack as an ActiveX plugin. i wonder if even a *patched* XP system can get infected by it....

Key word: "seems". In the common fake-codec scenario, Zlob may pose as an ActiveX plug-in when the user is detected as using IE, but that doesn't mean it's really ActiveX-based. When hunting Zlobs in the wild, I've tried using Firefox too, and then the Zlob trojan often calls itself a Flash Player update. Which doesn't make it a Flash Player update either ;) There are DNSChangers that even have Mac variants nowadays.

Best browser defense IMO would be IE7 Protected Mode on Vista. Not applicable in your situation, though :( By the way, Microsoft has some of the best generic detection of Zlob bits & pieces, so you might want to run the Live OneCare Safety Scanner when you get an opportunity: http://onecare.live.com/site/en-US/default.htm

Regarding the results at Sunbelt's Sandbox, don't take them as a definitive answer to what the malware will do on a real, physical system (as opposed to virtualized). Most Zlobs I've dealt with will not run in my virtual machine, only on a physical test system.

Incidentally, are there other systems connecting to your router? It's not the most likely thing in the world, but malware does exist which will cause another system on your network to inject malicious code into your system's network traffic. from the "interesting malware" links

nordloewelabs

Senior member
Mar 18, 2005
i ran HJT on the system and it looked fine. because i run my systems very light (about 25 processes in each PC), it's easy to see what is there and i recognized all items as things i installed myself since my last format c:. The Windows OneCare scan took a while. at the end, it only reported "Performance" issues. the list was huge and i decided to leave it untouched coz i guessed that the program would remove some of my registry customizations.

at the end, after so many scans (4 of them run from inside Bart-PE), the only reported problem has been the trojan file inside the Firefox cache. and the funny thing is that neither the free Avast nor the free Kaspersky SOS scans reported *anything* -- not even the existence of the trojan file inside the cache! i believe that, even though Firefox downloaded the damn "codec", Firefox has never executed it.

i'll re-install XP again later today, anyway.
the lesson here is: even 10 minutes is too much if browsing as Admin....

lusher

Member
Aug 17, 2007
I don't know guys... I have occasionally found all sorts of strange things in my Firefox browser cache according to my antiviruses, but AFAIK they were inert and never ever ran.

I believe it has something to do with the way firefox downloads stuff before you even click yes.....

Perfectly harmless, trust me if zlob or whatever nasty really was on your system you would find it in more places than just your firefox browser cache...

nordloewelabs

Senior member
Mar 18, 2005
Originally posted by: lusher
I believe it has something to do with the way firefox downloads stuff before you even click yes.....

very good point. i had forgotten this detail.
Firefox does download stuff before you click YES....

Medea

Golden Member
Dec 5, 2000
Originally posted by: nordloewelabs

from what i understood, the trojan doesn't create any new files, besides those temp ones. and even those, according to the description, are deleted.

this whole odyssey just stresses the importance of using Firefox and Restricted accounts.... Zlob seems to attack as an ActiveX plugin. i wonder if even a *patched* XP system can get infected by it....

Zlob files are downloaded in various ways, and I definitely wouldn't rely on the ActiveX thing. About a year ago, I got a Zlob file on my system but was running Firefox as a limited user. I jumped on it right away and was able to delete it. I also gave my system a full scrubbing.

The majority of Zlob files are usually downloaders and will download smitfraud. Every computer I've seen that's been infected with smitfraud has zlob files.

nordloewelabs

Senior member
Mar 18, 2005
Originally posted by: Medea
About a year ago, I got a Zlob file on my system but was running Firefox as a limited user. I jumped on it right away and was able to delete it. I also gave my system a full scrubbing.

at that occasion, did your AVs report any suspicious files besides the ones inside Firefox's cache?

Medea

Golden Member
Dec 5, 2000
It's been a while, so I can't remember if Kas alerted me on download, or when Kas did its daily scan.