Archive for the 'Gromozon' Category

“New Gromozon” and Rootkit.DialCall

Monday, November 20th, 2006

Marco Giuliani has updated his blog with a posting entitled “New Gromozon” and Rootkit.DialCall. It is written in Italian, but the essence of it seems to be that the Gromozon server redirections have changed and that a previously known premium-rate dialer called Rootkit.DialCall is being spread via the same servers that the Gromozon rootkit is being sent out from.

That does not mean that Gromozon and Rootkit.DialCall are linked. The latest Rootkit.DialCall drops a premium-rate dialer that dials numbers in Italy only; Gromozon did the same.

Marco goes on to say that the characteristics of Rootkit.DialCall have changed: it now drops the PE386 rootkit, which uses ADS (Alternate Data Streams) to hide. Users who think they have this rootkit can use GMER to remove it.

Marco's Blog - Italian

English Translation via Google

What we can see here are the ever evolving tactics of a crime gang directed at Italian internet users.

It will be interesting to see how it all unfolds!

Keep Safe

regards
Steo
www.antirootkit.com

If you are reading this Blog, you don’t have the latest Gromozon Rootkit

Wednesday, November 8th, 2006

The strange case of Dr Rootkit and Mr Adware gets more mysterious as the months go by. Marco Giuliani of Prevx, an Internet security company with its headquarters in England, was one of the main virus researchers who dissected the Gromozon rootkit in detail.

He recently wrote that Gromozon is changing its tactics so it can thwart the security researchers who try to find out its next move. Gromozon blocks programs from running so it can avoid being identified and removed from the infected PC, and it also blocks access to certain useful websites. The Gromozon authors have taken the work done by researcher Marco Giuliani to heart and have started using tactics to try to tarnish the researcher's name, product and website.

The first new change we see in Gromozon is the host of new websites that it is spawning from. Many new sites are listed, but I'm sure that there are many more coming out every day. Marco has a list of the most current ones, which you can block by adding them to your HOSTS file.

Gromozon also blocks websites that may have useful information on how to identify and remove it. Antirootkit.com is one such site that Gromozon blocks, so if you are reading this and you see www.antirootkit.com at the start of your address bar then you more than likely don't have the newer version of the rootkit (that's not to say you don't have the older version!!!). Prevx.com is also blocked, along with Marco's own site www.pcalsicuro.com; the full list can be seen in Marco's Gromozon Research Paper (PDF or HTML).

Gromozon can also see when the Prevx Gromozon Removal Tool and anti-rootkit software like GMER, AVG and IceSword are trying to run, and it can stop them running so as to keep itself rooted onto the infected PC. Tools used to see what's going on “inside” the Gromozon code are also blocked.

Last but not least are the tactics used within the new version to taunt Marco Giuliani and the Prevx company by displaying a window asking for a donation to be made to Marco Giuliani before the Prevx Removal Tool can run. Dr Web contacted Marco to say that the Gromozon code contains the string “DO NOT DISTRIBUTE! (c) 2004-2006 Marco Giulani & Prevx.com”. He has also found webpages that “drop” Gromozon, and within the code of those webpages his name is mentioned numerous times, again to make it look like Marco is the author of Gromozon.

Strange tactics indeed in the rootkit versus anti-rootkit race. The Strange Case of Dr Rootkit and Mr Adware versus the Virus Researchers will, I'm sure, get stranger, but with researchers like Marco Giuliani around, the roads to infection that Gromozon takes will be blocked, and in doing so anti-rootkit tools will become more advanced in their methods of detection and removal from the lessons learned.

Keep Safe

Regards
Steo
www.antirootkit.com

The Gromozon rootkit is on 250000 PC’s - Prevx releases Removal Tool

Friday, September 1st, 2006

Prevx Ltd, a UK Internet security company, has released a long-awaited removal tool for the Gromozon rootkit. It said in a press release today that, according to its estimates, the Gromozon rootkit is currently on about 250000 PCs in the US alone.

I blogged about the Gromozon rootkit around a week ago here. It is a very hard rootkit to remove because of the various methods of stealth it uses. The Gromozon rootkit had been around for a short while before it was found. After maybe only a few weeks in existence, Prevx estimate the Gromozon rootkit is on about 250000 computers in the US alone. It was originally found to be very prevalent in Europe, especially Italy.

We received a large number of hits on the GROMOZON.COM - The strange case of Dr.Rootkit and Mr.Adware article. Most of these hits were from Google's Italian users who had Googled words like img.tif and FreeAccess.ocx, both components of the rootkit attack. This rootkit sure has got around in the days since its release. The method by which the rootkit spreads is aggressive and the stealth capability is great, so I am sure that we haven't heard the last of Gromozon. Indeed, the whole Gromozon episode shows that attackers are coming up with more prolific and stealthy attacks on our computers. What will be the next big rootkit infestation?

The Gromozon Removal Tool is available from Prevx here: http://www.prevx.com/gromozon.asp

Keep Safe

regards
Steo
www.antirootkit.com

GROMOZON.COM - The strange case of Dr.Rootkit and Mr.Adware

Thursday, August 24th, 2006

Malicious JavaScript is being used to install rootkits in the latest web attacks, according to Marco Giuliani, an Italian virus researcher.
“In May, 2006, users started to report some strange behavior in Windows: strange crashes at boot up, unusual reports of antivirus software reporting heuristic detections of files they couldn’t clean, and odd files appearing on the hard drive. Italian users reported the URLs of suspicious websites. When users visited these websites, their CPUs spiked abnormally high and their systems slowed down.
After these first signs, people reported infections of rootkits on their computers, discovered by some rootkit scanners. Removing this infection, on the other hand, would turn out to be much more difficult than expected. In August 2006, three months later, this infection is still spreading widely - not only in Italy, but to other countries as well. No security company has released an update for their engine or found a solution which totally removes the infection.”

Visitors to the malicious websites were given a quick check to see if they were using a browser that had a vulnerability or hole that could be used to install the rootkit and malware. Users' PCs were also checked to see if they had anti-virus software running. The attackers also tried to fool the recipients into downloading an executable file called www.google.com, which many users believed may have been a link to the famous site Google. In actual fact it was a malicious file called www.google, and the .com extension made it executable on a person's PC.

If the user had not applied the security patch for MS06-001 ( http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx , Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution ) on their Windows PC, then a malicious WMF graphic file (img.tif) was downloaded on to their PC, and this gave the attacker the option to remotely run code on the affected PC.

The rootkit component had two newish forms of stealth built in. One was the use of reserved names within Windows and the other is called ADS (Alternate Data Streams).

Reserved names include the Windows device names that begin with COM or LPT, to name just two.
“It is impossible with normal file operations to delete or create files with these names, but, if you use the \\.\ prefix, you can delete and create these files easily with the command prompt. If you have a file called:
com4.gip
and try to do
del C:\com4.gip
you will receive an error because you can’t access this file as it uses a reserved name, but if you try to do:
del \\.\C:\com4.gip
you can bypass the check and fully delete the file.”

Alternate Data Streams exist on NTFS-formatted disks, which many XP users would have.
“Alternate Data Streams (ADS) is a feature of the NTFS filesystem that can fork file data into existing files without affecting their functionality, size, and prevent traditional file browsing utilities from viewing the stream.”

“If you want to see the ADS features of the NTFS file system, you can click on Start - Run and write this command:
“notepad C:\autoexec.bat:mytest.txt”
Notepad will create a text file hidden in the ADS of the autoexec.bat file. The “:” is used when you want to write to an ADS.”
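As an added example, not taken from the post or from Marco's paper, the following Python helper applies both stealth points above from the defender's side: it flags file names that collide with reserved device names (the com4.gip case) and builds the \\.\ path the post uses to delete them, and it pulls named streams out of a dir /R listing (dir /R is available on Vista and later). The listing it parses is constructed for the example, modelled on the autoexec.bat:mytest.txt case.

```python
r"""Added example (not from the original post or Marco's paper): spot file
names Windows treats as reserved device names, build the \\.\ path that
bypasses that check, and list ADS entries from 'dir /R' output.
The sample listing below is constructed, not captured from a real host."""
import re
from typing import List, Optional, Tuple

# Reserved DOS device names. Windows compares only the part of the name
# before the first dot, case-insensitively, so "com4.gip" counts as COM4.
RESERVED = {"CON", "PRN", "AUX", "NUL"}
RESERVED |= {f"COM{n}" for n in range(1, 10)} | {f"LPT{n}" for n in range(1, 10)}


def reserved_device_name(filename: str) -> Optional[str]:
    """Return the device name a filename collides with, or None."""
    stem = filename.split(".", 1)[0].strip().upper()
    return stem if stem in RESERVED else None


def device_namespace_path(path: str) -> str:
    r"""Prefix a drive path with \\.\ so the Win32 name check is skipped,
    e.g. C:\com4.gip -> \\.\C:\com4.gip (the del command quoted above)."""
    return "\\\\.\\" + path


# A named stream appears in 'dir /R' as:  <size> <host file>:<stream>:$DATA
_STREAM_LINE = re.compile(r"^\s*([\d,]+)\s+(.+?):([^:\\/]+):\$DATA\s*$")


def ads_entries(dir_r_output: str) -> List[Tuple[str, str, int]]:
    """Parse 'dir /R' text into (host file, stream name, size) tuples."""
    found = []
    for line in dir_r_output.splitlines():
        m = _STREAM_LINE.match(line)
        if m:
            found.append((m.group(2), m.group(3), int(m.group(1).replace(",", ""))))
    return found


# Constructed sample listing: autoexec.bat carries the hidden mytest.txt stream.
SAMPLE_DIR_R = """\
 Directory of C:\\

08/24/2006  10:12 AM               290 autoexec.bat
                                    23 autoexec.bat:mytest.txt:$DATA
08/24/2006  10:13 AM            12,345 img.tif
"""

if __name__ == "__main__":
    for name in ("com4.gip", "img.tif", "CON.txt"):
        print(name, "->", reserved_device_name(name))
    print(device_namespace_path("C:\\com4.gip"))
    print(ads_entries(SAMPLE_DIR_R))
```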

To run anti-rootkit programs like GMER and IceSword, Marco found that he had to modify strings in the scanners with a hex editor so that the rootkit could not identify the scanner by its checksum. Until the rootkit is removed, the user cannot “see” the malicious files that the rootkit is hiding.

Have a read of the full article here and get a feel for how malicious and advanced this rootkit is and the lengths the attackers went to in order to keep their operation going. This is big, and if it wasn't for people like Marco it probably would have been bigger.

Keep Safe

regards
Steo
www.antirootkit.com