The Win32/Zlob family launched in 2005, and three years later it was the undisputed king of malware. Among infected computers that Microsoft counted in 2008, there was a one-in-four chance that Zlob was to blame.
What made Zlob so effective was this crude but effective social engineering. The intended victim clicked a link to play a media file, and a dialog box like the one shown here popped up. Users who had been conditioned to install media codecs for various sites found this a perfectly reasonable request.
The primary purpose of Zlob initially was to frighten the victim by displaying persistent pop-up ads for rogue security software. By 2008, it had become a vehicle for delivering DNS changers and early versions of rootkits, as this Trend Micro analysis makes clear. It was also one of the first attempts at cross-platform malware, with a Mac version discovered in 2007.
Today, Zlob is mostly a bad memory and is no longer widely found in the wild. But its descendants are still going strong.
No one has ever identified the first person to think of distributing malware that disguised itself as legitimate security software. It was a stroke of evil genius, and it spawned an underground industry that is still going strong today.
This is an early example of fake antivirus software. Other products that appeared in the wake of XP Service Pack 2 mimicked the look and feel of the new Security Center.
In recent years, rogue security software has targeted the Chrome browser, Mac OS X, and legitimate security products using similar names. Despite occasional well-publicized prosecutions, there’s no sign that this category will die any time soon.
For a security researcher, the mere mention of the word rootkit can create a sickening feeling in the pit of the stomach. Bagle was one of the first examples to spread widely. It was also surprisingly sophisticated, as the above graphic (included with a contemporaneous F-Secure writeup) makes clear.
As the authors of the report note, the financial success of botnets had inspired malware authors to step up their game: “Two years ago Bagle was a simple virus. One EXE file, emailing itself around. It's not like that anymore. The malware suite has been built over time. Now the latest development is that one of the new Bagle variants integrates rootkit functionality.”
As trends go, it was anything but welcome.