The Last Watchdog

on Internet security by Byron Acohido

Microsoft gets attaboy from Zlob’s author, as good guys blunt some cyberthreats

Posted on | November 4, 2009 |

billy gates why do you make this possible? Stop making money and fix your software!! –July 2002, admonishment of Bill Gates hidden in MSBlast coding

You are really good guys. It was a surprise for me that Microsoft can respond on threats so fast. . . BTW, we are closing soon.  –Oct. 2008, attaboy to Microsoft hidden in Zlob coding.

What a difference six years makes. In the summer of 2002, the braggart author of the infamous MS Blast worm got a $250,000 bounty put on his head for baiting Bill Gates. He was never caught.

Fast forward to the present. After infecting hundreds of thousands of Windows PCs, the author of the Zlob Trojan hides a message for Microsoft’s researchers to find, graciously congratulating the boys in Redmond for forcing the retirement of Zlob.

Could it be the good guys are finally winning?

Microsoft on Monday helped make that case. The software giant disclosed new evidence that the good guys are, indeed, getting some traction defending against a centi-billion cybercrime industry whose criminal actors have become accustomed to operating with impunity.

Scareware, fake Flash updates declining

Microsoft’s security team reported a significant decrease in scareware, those obnoxious online promotions that try to frighten you into paying for worthless antivirus protection.

Also in decline are those faked Flash player updates that actually trigger a download of a copy of the Zlob Trojan, which enables the bad guys to take full control of your PC. If the hidden message from Zlob’s author is sincere, those fake Flash player update attacks, already down significantly, should soon fade away completely.

During the first six months of 2009, Microsoft’s Malicious Software Removal Tool cleansed scareware infections from 13.4 million Windows PCs, down from 16.8 million in the last six months of 2008.

Additionally, Microsoft in the first six months of 2009 disinfected copies of the Zlob Trojan found on 2.3 million PCs, down from 21.1 million PCs cleansed of Zlob in the last six months of 2008 — a 10-fold decrease.

You’ve run across Zlob if you’ve ever gotten an email or an instant message, a Facebook or MySpace private message, or a Twitter microblog enticing you to click on a Web link to check out an enticing video, a celebrity doing something, a compelling news event, or even yourself doing something weird at a dinner party. Zlob attacks like the one shown below were big during the 2008 U.S. presidential elections.

Clicking on the link to the Flash player update, of course, is a ruse. You actually agree to infect your PC with the Zlob Trojan, which turns your PC into a bot. Slotted into a botnet, your PC will subsequently be deployed to spread spam, steal data, hijack online banking accounts and spread scareware promotions.

One good leads to another

Thus, blunting Zlob also helped to slow scareware. Microsoft has led the way in fostering better cooperation and responsiveness from tech security companies. A good example is the leadership role it played in forming and directing the Conficker Cabal, the consortium of normally uber-competitive tech security firms that banded together to keep one of the largest botnets ever assembled from being put to work.

“We’re starting to make a dent,” says George Stathakopoulos, Microsoft’s General Manager of Trustworthy Computing.

Stathakopoulos acknowledged that the mainstream media, trade press and security bloggers deserve credit for fostering public awareness about rising cyber threats.

He told LastWatchdog that Microsoft accepts the attaboy it received from the author of Zlob — buried in the coding of a recent variant of the Trojan — at face value. Here is the full text:

For Windows Defender’s Team:

I saw your post in the blog (10-Oct-2008) about my previous message.

Just want to say ‘Hello’ from Russia.

You are really good guys. It was a surprise for me that Microsoft can respond on threats so fast.

I can’t sign here now (he-he, sorry), how it was some years ago for more seriously vulnerability for all Windows ;)

Happy New Year, guys, and good luck!

P.S. BTW, we are closing soon.

Conficker and Taterf spreading robustly

Yet, it’s no time to get complacent. Despite the progress on two fronts, the cyberunderground continues to thrive, says Stathakopoulos. Messaging worms, like Koobface, continue to send out millions of private messages and postings carrying tainted Web links via popular social networks, including Facebook, MySpace and Twitter.

And self-replicating worms, like Conficker and Taterf, continue to steadily infect more and more PCs. Both Taterf and Conficker spread via tainted USB flash drives.

The main way a PC gets infected is when a viral flash drive gets inserted into its USB port. The virus launches a program that looks for nearby computers sharing the internal network and spreads the infection to those machines. It also corrupts all of the USB ports on each newly infected machine, so each PC is primed to taint any clean flash drive that subsequently gets plugged into any of its USB ports.

In the first six months of 2008, the number of copies of either Conficker or Taterf Microsoft cleaned up rose 98.4% as compared to the last six months of 2008. That total includes 4.9 million PCs found infected by Taterf in the first half of this year, compared to 2 million in the last six months of 2008, a 156% spike.

Stathakopoulos says Conficker continues to spread at about the same rate as corporations can find it and clean it up. He says the number of Conficker-infected machines, mostly inside corporate networks, remains stable at about 5 million.

However, Sunbelt Software CTO Eric Sites notes that a number of reliable reports indicate the number of Conficker infections recently topped 7 million. “The spread, and the battle, is very much continuing,” says Sites, even though “nothing much has been done” on the part of the bad guys to put Conficker-infected PCs to use in criminal pursuits. Security experts say Conficker’s controllers aren’t likely to make a move as long as the worm remains under heavy scrutiny.

By Byron Acohido
