Anti Rootkit Blog

The strange case of Dr Rootkit and Mr Adware gets more mysterious as the months go by. Marco Giuliani of Prevx, an Internet Security company with its headquarters in England, was one of main virus researchers who dissected the Gromozon Rootkit in detail.

He recently wrote that Gromozon is changing its tactics so it can thwart the security researchers who try to find out it’s next move. Gromozon blocks programs from running so it can avoid being identified and removed from the infected PC. Gromozon also blocks access to certain useful websites. The Gromozon authors have taken the work done by researcher Marco Giuliani to heart and have started using tactics to try and tarnish the researchers names, product and website.

The first new change we see in Gromozon is that there are a host of new websites that it is spawning from. Many new sites are listed but I’m sure that there are many more coming out every day. Marco has a list of the most current that you can block by adding them to your HOSTS file.

Gromozon also blocks websites that may have useful information on how to identify and remove it. Antirootkit.com is one such site that Gromozon blocks, so if you are reading this and you see www.antirootkit.com at the start of your address bar then you more than likely don’t have the newer version of the rootkit (that’s not to say you don’t have the older version!!!). Prevx.com is also blocked along with Marco’s own site www.pcalsicuro.com , the full list can be seen in Marco’s Gromozon Research Paper. (PDF) or (HTML).

Gromozon can also see when the Prevx Gromozon Removal Tool and Anti Rootkit software like GMER, AVG and Icesword are trying to run and it can stop them running so as to try and keep itself rooted onto the infected PC. Tools to try and see what’s going on “inside” the Gromozon code are also blocked. 

Last but not least are the tactics used within the new version to taunt Marco Giuliani and the Prevx company by displaying a window asking for a donation to be made to Marco Giuliani before the Prevx Removal Tool can run. Dr Web contacted Marco to say that within the Gromozon code it says “DO NOT DISTRIBUTE! (c) 2004-2006 Marco Giulani & Prevx.com”. He has also found webpages that “drop” Gromozon, and within the code of the webpage his name is mentioned numerous times again to make it look like Marco is the author of Gromozon.

Strange tactics indeed in the Rootkit versus Anti Rootkit race. The Strange Case of Dr Rootkit and Mr Adware versus The Virus Researchers will I’m sure get stranger, but with researchers like Marco Giuliani around, all the roads to infection that Gromozon takes will be blocked and in doing so Anti Rootkit Tools will become more advanced in their methods of detection and removal from the lessons learned.

Keep Safe

Regards
Steo
www.antirootkit.com

This entry was posted on Wednesday, November 8th, 2006 at 12:52 am and is filed under Gromozon, News. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.