ValueClick involved with Trojan.Zlob.N

Following up on a recent Symantec security article Trojan.Zlob.N … notice that several of the posted images show one or more programs from the WinFixer group. Of particular interest is the following:


The Trojan will then connect to the following Web site and attempt to download other potentially malicious files: lbgate(dot)com


Ok, so I venture to lbgate(dot)com which redirects to: (URLs disabled)
Fetching hxxp://lbgate(dot)com/ …
HTTP/1.1 302 Found
Date: Fri, 18 May 2007 07:47:09 GMT
Location: hxxp://checkssecurity(dot)com/soft/


So what do we find at checkssecurity(dot)com? … oh no not again!



I’ve highlighted in red the two links that you also see in the View Source on the page …


hxxp://go.systemdoctor.com/MzcwMg==/2/142/ax=1/ed=1/ex=1/sc1/
redirects to: (View safely here)
hxxp://adfarm.mediaplex.com/ad/ck/47067?mpt=1179475189&aid=swp_sdr&lid=142&affid=pp_2322432905&ax=1&ed=1&ex=1


This again leaves no doubt that ValueClick is getting a commission from undesirable sources … which Symantec describes as:


Trojan.Zlob.N is a Trojan horse which displays fake error alerts on the compromised computer in an attempt to trick the user into downloading potentially malicious software.
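
The two hops of the redirect above can be compared offline to see which values travel from the go.systemdoctor.com path into the adfarm.mediaplex.com query string and which appear only at the second hop. This is an added example, not part of the original post: it parses the defanged URLs exactly as posted without fetching them, the function names are hypothetical, and it makes no claim about what each parameter means.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

# The two hops exactly as defanged in the post. They are parsed offline only.
CLICK = "hxxp://go.systemdoctor.com/MzcwMg==/2/142/ax=1/ed=1/ex=1/sc1/"
LANDING = ("hxxp://adfarm.mediaplex.com/ad/ck/47067?mpt=1179475189&aid=swp_sdr"
           "&lid=142&affid=pp_2322432905&ax=1&ed=1&ex=1")


def path_tokens(url):
    """Split a URL path into bare segments and key=value segments."""
    bare, pairs = [], {}
    for seg in filter(None, urlsplit(url).path.split("/")):
        # Trailing '=' is base64 padding, not a key/value separator.
        if "=" in seg.rstrip("="):
            key, _, value = seg.partition("=")
            pairs[key] = value
        else:
            bare.append(seg)
    return bare, pairs


def try_b64(segment):
    """Return the decoded text if segment is strict base64 of printable ASCII."""
    try:
        text = base64.b64decode(segment, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


def correlate(click_url, landing_url):
    """Report which first-hop values reappear in the second hop's query."""
    bare, pairs = path_tokens(click_url)
    query = {k: v[0] for k, v in parse_qs(urlsplit(landing_url).query).items()}
    carried = {k: v for k, v in query.items() if pairs.get(k) == v or v in bare}
    return {
        "decoded": {s: try_b64(s) for s in bare if try_b64(s)},
        "carried": carried,
        "new_at_second_hop": {k: v for k, v in query.items() if k not in carried},
    }


if __name__ == "__main__":
    for name, value in correlate(CLICK, LANDING).items():
        print(name, value)
```
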


Both Sandi Hardmeier and I have been in contact with ValueClick over this matter several times over the last three weeks; however, there doesn’t seem to be much progress on their end … really makes you wonder what they are waiting for.


More info on the WinFixer/ValueClick connection [1] [2] [3] (there is more, but you get the idea)


