Dorf vs Zlob – Battle of the Bots

I posted recently about Dorf patching processes as they start up in order to stop them from running properly, and doing so in a way that’s more subtle than just killing them. I also mentioned that Dorf was targeting various AV exes, dlls and sys files, plus software such as the P2P applications BearShare and eDonkey.

In fact the latest Dorf sys files carry a list of over 500 executables to patch, and it was only when I took a closer look that I noticed names like the following on that list:

  • iesplugin.dll
  • isaddon.dll
  • isamini.exe
  • isamonitor.exe
  • ishost.exe
  • ismini.exe
  • isnotify.exe
  • pmmon.exe
  • pmsngr.exe
  • pmuninst.exe

These filenames aren’t associated with P2P applications, and they’re not related to anti-virus – quite the opposite in fact, since these are all names you’d commonly associate with the Zlob family of Trojans.

This isn’t the first time malware authors have battled for control of users’ machines – back in 2004 Bagle and Netsky went head-to-head, and there have been numerous skirmishes since then. Now the Dorf author, possibly spurred into action by recent figures that indicate that Zlob malware is more wide-spread, has decided to try to take a bite out of his opponent’s market by patching Zlob-bots to stop them from running – in effect zombifying the zombies.

These guys want to control your computer but don’t like to share – all the more reason to keep out of the fray if at all possible, mainly by watching what you click and avoiding links to ecards, video codecs and the like.