Zlob Trojan Writer Packs Up Shop and Greets Microsoft

A Russian malware writer announced that he would stop development on the Zlob trojan and switch to the rootkit/exploits scene. However, before completely giving up on his creation, the hacker decided to send a few good thoughts to the security researchers from Microsoft, through a message embedded into a recent variant.

The Zlob trojan is a malicious application that was first discovered in 2005 and registered tens of variants to date. The malware is distributed in the form of an ActiveX control, which claims to install a video codec. Once installed, the trojan displays Windows-like warning pop-ups, which falsely alert the users of infections found on their systems. Clicking on the pop-ups will offer rogue security software for download, which then require the acquisition of a license in order to function.

“Just want to say 'Hello' from Russia. You are really good guys. It was a surprise for me that Microsoft can respond on threats so fast,” the Zlob developer writes, complimenting the Windows Defender team. He ends his message with the cordial “Happy New Year, guys, and good luck!,” but not before announcing his retirement of the Zlob gang.

“BTW, we are closing soon. Not because of your work. :-)) So, you will not see some of my great ;) ideas in that family of software,” the announcement reads. “Try to search in exploits/shellcodes and rootkit,” the unidentified virus writer adds.

Tareq Saade from the Microsoft Malware Protection Center comments on the company's Threat Research & Response Blog that “It warms my heart that they’re closing soon.” He also notes that it has not been them who discovered the hidden message, but a group of French researchers.

“Considering the enormous amount of malware we go through every day, it can be difficult to track follow up samples like this. It's very comforting to know that there are lots of others out there helping us research malware and disclose interesting findings,” Mr. Saade writes.

The Zlob developer also claims to have been offered a job at Microsoft, a proposal which he declined. “Also, it is funny (probably for you), but Microsoft offered me a job to help improve some of Vista's protection. It's not interesting for me, just a life's irony,” the Russian hacker explains.

The retirement of Zlob Trojan from the threat scape might be caused by lack of profits and tied to the recent shutdown by the FTC of one of the biggest scareware schemes. Microsoft has also joined the legal fight against scareware vendors.