Bhutto Assassination video codec malware from Blogger in my content filter logs


This morning I’ve taken some time to scan my content filter logs from the past two weeks.  Normally I look through them every few days, but I’ve been on a well deserved extended vacation.

It seems that some network users have been searching for video of the Benazir Bhutto assassination.  There have been quite a few recent reports of malicious Blogger sites that advertise the video, but when users try to view it, they are told they do not have a required codec installed.  They are prompted to download the codec, which results in a Zlob trojan downloading and installing to their system – see the McAfee blog for details and images.

CastleCops, Sunbelt Blog, and SANS Internet Storm Center have examples of an infected site.

My content filter logs show four or five users successfully downloading the offensive codec.  I’m hoping that our desktop anti-virus software and group policy stopped the malware installation, but I’m not holding my breath.  I wrote a script that’s scanning all machines for the fake codec, but I’ll probably have to wait until school resumes on Monday, January 8th to scan the entire network.  Only a very few users are woring this week, so hopefully that will help contain the infestation.

If I do find Zlob installations, I plan on using the SmitFraudFix removal tool and the free removal tool I found on ParasiteDB.  You can read all about SmitFraudFix and Zlob at the S!Ru.URZ blog.

One Response to “Bhutto Assassination video codec malware from Blogger in my content filter logs”

  1. Zlob Removal Says:

    That’s the way most people seem to get infected with Zlob. They use a current top story and say hey go to this site to look at the video of it. Just saw a link on another reputable site linking to a suposide link of a nude hanna montana. I knew just looking at the url to the site that it was rusian based and I am sure it had the zlob trojan on it.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: