Thursday, August 7, 2008

Zlob Enters Search Engine Market

Trend Micro reports on its TrendLabs Malware Blog that the people behind the ZLOB malware have now entered the multibillion-dollar search engine market.

Over a year ago, last spring, Trend Micro (TM) threat researchers uncovered a network of over 900 rogue DNS (Domain Name System) servers related to the ZLOB Trojan family. Recently TM researchers discovered that this network is now targeting four of the most popular search engines.

In a large-scale click fraud scheme, the ZLOB gang appears to hijack search results and to replace sponsored links with DNS “tricks”. The ZLOB Trojans that were found change the local DNS settings of affected systems to use two of the abovementioned 900+ rogue DNS servers. These Trojans spread through advanced social engineering tricks. One good example is professional-looking web sites that promise internet users access to pornographic movies after they install malware that poses as video codecs.

"Among others, this criminal operation has even set up rogue sites of the UK and Canadian versions of one of the largest search engines. Even searches performed via the installed browser toolbar (provided by the same company) are now being hijacked by ZLOB. Another popular search engine company has been hit even harder — most, if not all, domain names of the search engine that give back search results get resolved to fraudulent Web sites by the rogue DNS servers," the TrendLabs blog says.

The primary objective of ZLOB here appears to be stealing traffic and clicks from search engines, making money along the way. TM has taken steps to get in touch with its security contacts in all four affected search engine companies. However, there isn't much these contacts could do, since the DNS hijacking is done locally on ZLOB Trojan-infected systems.
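Because the hijack lives in each infected machine's own DNS settings, the place to detect it is the endpoint. The following added example (not from Trend Micro or the original post) parses captured `ipconfig /all` output and flags any configured resolver outside an approved set. The sample output, the IP addresses and the approved range are constructed assumptions, and only IPv4 resolvers are handled.

```python
import ipaddress
import re

# Constructed, abridged sample of Windows `ipconfig /all` output.
# All addresses are documentation-range placeholders, not real indicators.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 192.0.2.57
   Default Gateway . . . . . . . . . : 192.0.2.1
   DNS Servers . . . . . . . . . . . : 203.0.113.66
                                       203.0.113.67

Ethernet adapter Wireless Network Connection:

   IP Address. . . . . . . . . . . . : 192.0.2.140
   DNS Servers . . . . . . . . . . . : 192.0.2.10
                                       192.0.2.11
"""

# Assumption: the resolvers this site has approved (hypothetical range).
APPROVED_RESOLVERS = [ipaddress.ip_network("192.0.2.0/28")]

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
DNS_RE = re.compile(r"^\s+(DNS Servers[ .]*:)?\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")

def parse_dns_servers(text):
    """Return {adapter name: [configured IPv4 DNS servers]}."""
    servers, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        header, dns = ADAPTER_RE.match(line), DNS_RE.match(line)
        if header:
            adapter = header.group(1)
            servers[adapter] = []
        # A labelled line opens the DNS block; bare indented IPs continue it.
        # Any other line (blank, another field, a new adapter) closes it.
        in_dns = bool(dns and adapter and (dns.group(1) or in_dns))
        if in_dns:
            servers[adapter].append(dns.group(2))
    return servers

def unapproved_resolvers(text, approved=APPROVED_RESOLVERS):
    """Return (adapter, ip) pairs whose resolver is outside the approved set."""
    findings = []
    for adapter, ips in parse_dns_servers(text).items():
        for ip in ips:
            if not any(ipaddress.ip_address(ip) in net for net in approved):
                findings.append((adapter, ip))
    return findings

if __name__ == "__main__":
    for adapter, ip in unapproved_resolvers(SAMPLE_IPCONFIG):
        print(f"unapproved DNS server {ip} on {adapter}")
```

A statically configured resolver pair that nobody in IT assigned is the signal to investigate; the gateway and host addresses are deliberately ignored so that only the DNS block is compared.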
