Since we last reported on Nsag infectors, we’ve seen quite a lot of new malware related to Nsag.
There’s no real point in continuing to refer to this malware as Smitfraud, so we won’t.
Overall, the malware is the same old thing, but in slightly different clothing. Nsag.b infectors have taken the place of Nsag.a infectors. Although these new infectors aren’t really innovating, the Trojan-Downloaders that install these infectors are.
Most Trojan-Downloader.Win32.Zlob variants download numerous pieces of malware – most notably a Nsag.b infector and Trojan.Win32.Puper variants.
Zlob is interesting because of the technique it uses to download files.
It uses a new method to inject code into explorer.exe. This way it can download the malicious files without alerting the firewall.
It would seem that the creators are refining the way the Nsag infector gets introduced to the system rather than building new features into the infector itself.
This once again shows that the author(s) means business. This story is far from over.
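The downloader behaviour described above (a trusted process such as explorer.exe being made to fetch files so the firewall does not prompt) is something a host-based detection can look for. The following is an added example written for this page, not code from the original post or from any product: it correlates constructed process-activity records, where a process that normally never downloads payloads makes an outbound web connection and then writes an executable to disk. The `kind|image|detail` record format, the `NO_DOWNLOAD_EXPECTED` list and the sample records are all assumptions constructed for the example.

```python
"""Correlate outbound web connections with executable drops by processes
that should never be fetching files themselves (e.g. explorer.exe).

The record format here is constructed for the example: 'kind|image|detail'
where kind is 'net' (detail = remote host:port) or 'file' (detail = path).
"""
from dataclasses import dataclass
from typing import Iterable, List, Set

# Assumption: processes the firewall trusts but that, under normal use,
# should not be downloading and dropping binaries on their own.
NO_DOWNLOAD_EXPECTED: Set[str] = {"explorer.exe", "winlogon.exe"}

WEB_PORTS = (":80", ":443")
BINARY_SUFFIXES = (".exe", ".dll", ".sys")


@dataclass
class Event:
    kind: str    # "net" or "file"
    image: str   # process image name, lower-cased
    detail: str  # remote endpoint for "net", written path for "file"


def parse_events(lines: Iterable[str]) -> List[Event]:
    """Parse constructed 'kind|image|detail' records; skip blanks/comments."""
    events: List[Event] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, image, detail = line.split("|", 2)
        events.append(Event(kind.strip(), image.strip().lower(), detail.strip()))
    return events


def correlate(events: List[Event]) -> List[str]:
    """Alert when a no-download process connects out over HTTP(S) and then
    writes a binary: the pattern of a downloader hiding inside a trusted host."""
    alerts: List[str] = []
    connected: Set[str] = set()
    for ev in events:
        if ev.image not in NO_DOWNLOAD_EXPECTED:
            continue
        if ev.kind == "net" and ev.detail.endswith(WEB_PORTS):
            connected.add(ev.image)
        elif (ev.kind == "file" and ev.image in connected
              and ev.detail.lower().endswith(BINARY_SUFFIXES)):
            alerts.append(f"{ev.image} connected out over web port then wrote {ev.detail}")
    return alerts


def alerts_from(lines: Iterable[str]) -> List[str]:
    return correlate(parse_events(lines))


# Constructed sample records (not real telemetry): iexplore.exe downloading a
# file is expected; explorer.exe connecting out and dropping a DLL is not.
SAMPLE_RECORDS = """
# kind|image|detail
net|iexplore.exe|203.0.113.10:80
file|iexplore.exe|C:\\Users\\user\\Downloads\\setup.exe
net|explorer.exe|203.0.113.20:80
file|explorer.exe|C:\\Windows\\System32\\dropped.dll
file|explorer.exe|C:\\Users\\user\\Desktop\\notes.txt
""".splitlines()


if __name__ == "__main__":
    for alert in alerts_from(SAMPLE_RECORDS):
        print("ALERT:", alert)
```

The check deliberately requires both halves (outbound web connection and a binary write by the same image) so that ordinary shell activity, such as writing a text file, does not fire; in a real deployment the record source would be process-creation, network-connection and file-creation telemetry rather than the constructed format used here.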
The Nsag infector story continues