Archive for the ‘News’ Category

“New Gromozon” and Rootkit.DialCall

Monday, November 20th, 2006

Marco Giuliani has updated his blog with a posting entitled “New Gromozon” and Rootkit.DialCall. It is written in Italian, but the essence of it seems to be that the Gromozon server redirections have changed and that a previously known premium-rate dialer called Rootkit.DialCall is being spread via the same servers that the Gromozon rootkit is being sent out from.

This does not mean that Gromozon and Rootkit.DialCall are linked. The latest Rootkit.DialCall drops a premium-rate dialer that dials numbers in Italy only; Gromozon did the same.

Marco goes on to say that Rootkit.DialCall’s characteristics have changed and that it now drops the PE386 rootkit, which uses NTFS Alternate Data Streams (ADS) to hide. Users who think they have this rootkit can use GMER to remove it.

Marco’s Blog - Italian

English Translation via Google

What we can see here are the ever evolving tactics of a crime gang directed at Italian internet users.

It will be interesting to see how it all unfolds!

Keep Safe

regards
Steo
www.antirootkit.com

Rootkits on your Soundcard? Could be!

Sunday, November 19th, 2006

John Heasman of Next Generation Security Software Ltd is well known for bringing us a research paper on how rootkits could use the Power Management section of a BIOS to hide themselves. That paper showed how rootkits could move away from residing on a user’s hard drive and onto a chip on the motherboard. John has now come up with a new research paper entitled “Implementing and Detecting a PCI Rootkit” in which he shows how to plant a rootkit on a regular device, like a sound card or modem, plugged into a computer motherboard.

The research paper, available for download as a 15-page PDF, shows how to implement and detect a PCI card rootkit. Because the rootkit lives on the card rather than on disk, it works regardless of the operating system, XP or Linux to name but two.

PCI rootkits can reside on sound cards, modems, network cards, capture cards or any other PCI device that has an Expansion ROM and no Trusted Platform Module or ROM write protection. Most current PCI devices are susceptible to this form of rootkit infection, although newer models have some form of ROM protection.

PCI Capture Card

An attacker can place rootkit code in the Expansion ROM of any PCI device that has no ROM protection. When the PC boots, the code in the ROM is called by the PC startup sequence (POST, Power On Self Test), before the operating system loads. The code that runs can in turn be used to “fool” the booting operating system into believing there is no threat aboard.
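As an added illustration of the mechanism just described (this is not code from John Heasman’s paper), the Python below builds a constructed x86 PCI expansion ROM image, parses its header and PCIR data structure, and checks the image checksum that the BIOS validates before running the ROM; the vendor/device IDs, the image contents and the baseline hash are assumed values. The point a scanner has to take on board is that a valid checksum proves nothing, since whoever rewrote the ROM also recomputed it, so the check that matters is comparing the dumped image against a trusted baseline.

```python
import hashlib
import struct

PCIR_OFF = 0x1C      # where this example places the PCI Data Structure in the image (assumed)

def build_rom(vendor_id, device_id, code=b"", size_units=1):
    """Constructed x86 PCI expansion ROM: 55AA signature, size, entry jump, PCIR block, checksum."""
    size = size_units * 512
    img = bytearray(size)
    img[0:2] = b"\x55\xAA"                      # ROM signature checked by the BIOS
    img[2] = size_units                         # image size in 512-byte units
    img[3:6] = b"\xE9\x00\x00"                  # entry point: near JMP (placeholder)
    struct.pack_into("<H", img, 0x18, PCIR_OFF)  # pointer to the PCI Data Structure
    # PCIR: sig, vendor, device, VPD ptr, length, rev, class code, image len, code rev, code type, indicator
    struct.pack_into("<4sHHHHB3sHHBB", img, PCIR_OFF, b"PCIR", vendor_id, device_id, 0, 0x18, 0,
                     b"\x00\x00\x00", size_units, 0, 0x00, 0x80)   # type 0 = x86, bit 7 = last image
    code_off = PCIR_OFF + 0x18
    img[code_off:code_off + len(code)] = code   # the code POST would run (constructed)
    img[-1] = (-sum(img[:-1])) & 0xFF           # make the byte sum zero mod 256
    return bytes(img)

def parse_rom(img):
    """Validate the header and PCIR block and return what a scanner would record for the image."""
    if len(img) < 0x1A or img[0:2] != b"\x55\xAA":
        raise ValueError("not a PCI expansion ROM (missing 55AA signature)")
    size = img[2] * 512
    pcir = struct.unpack_from("<H", img, 0x18)[0]
    if img[pcir:pcir + 4] != b"PCIR":
        raise ValueError("PCI Data Structure not found")
    vendor, device = struct.unpack_from("<HH", img, pcir + 4)
    return {
        "size": size,
        "vendor_id": vendor,
        "device_id": device,
        "code_type": img[pcir + 0x14],
        "last_image": bool(img[pcir + 0x15] & 0x80),
        "checksum_ok": sum(img[:size]) % 256 == 0,
        "sha256": hashlib.sha256(img[:size]).hexdigest(),
    }

def rom_matches_baseline(img, baseline_sha256):
    """The check that matters: a re-flashed ROM carries a valid checksum, so compare to a trusted dump."""
    return parse_rom(img)["sha256"] == baseline_sha256

if __name__ == "__main__":
    good = build_rom(0x1234, 0x5678, code=b"\x90" * 16)          # assumed vendor/device IDs
    baseline = parse_rom(good)["sha256"]                          # recorded from the trusted card
    tampered = build_rom(0x1234, 0x5678, code=b"\xCC" * 16)      # different code, checksum re-fixed
    print(parse_rom(tampered)["checksum_ok"], rom_matches_baseline(tampered, baseline))  # True False
```

On a real system the image would come from a dump of the card’s ROM rather than from build_rom, and the baseline hash from the same card before deployment or from the vendor.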

This research paper was published so that Anti Rootkit software makers can adapt to any potential threat of a rootkit attack via the PCI Bus.

Keep Safe

regards
Steo

If you are reading this Blog, you don’t have the latest Gromozon Rootkit

Wednesday, November 8th, 2006

The strange case of Dr Rootkit and Mr Adware gets more mysterious as the months go by. Marco Giuliani of Prevx, an Internet security company headquartered in England, was one of the main virus researchers who dissected the Gromozon rootkit in detail.

He recently wrote that Gromozon is changing its tactics so it can thwart the security researchers who try to work out its next move. Gromozon blocks programs from running so it can avoid being identified and removed from the infected PC. Gromozon also blocks access to certain useful websites. The Gromozon authors have taken Marco Giuliani’s work to heart and have started using tactics to try and tarnish the researcher’s name, product and website.

The first new change we see in Gromozon is that there is a host of new websites that it is spawning from. Many new sites are listed, but I’m sure that there are many more coming out every day. Marco has a list of the most current ones, which you can block by adding them to your HOSTS file.

Gromozon also blocks websites that may have useful information on how to identify and remove it. Antirootkit.com is one such site that Gromozon blocks, so if you are reading this and you see www.antirootkit.com at the start of your address bar, then you more than likely don’t have the newer version of the rootkit (that’s not to say you don’t have the older version!!!). Prevx.com is also blocked, along with Marco’s own site www.pcalsicuro.com; the full list can be seen in Marco’s Gromozon research paper (PDF or HTML).

Gromozon can also see when the Prevx Gromozon Removal Tool and anti-rootkit software like GMER, AVG and IceSword are trying to run, and it can stop them running so as to keep itself rooted on the infected PC. Tools used to see what’s going on “inside” the Gromozon code are also blocked.

Last but not least are the tactics used within the new version to taunt Marco Giuliani and the Prevx company by displaying a window asking for a donation to be made to Marco Giuliani before the Prevx Removal Tool can run. Dr Web contacted Marco to say that within the Gromozon code it says “DO NOT DISTRIBUTE! (c) 2004-2006 Marco Giulani & Prevx.com”. He has also found web pages that “drop” Gromozon, and within the code of those pages his name is mentioned numerous times, again to make it look like Marco is the author of Gromozon.

Strange tactics indeed in the rootkit versus anti-rootkit race. The Strange Case of Dr Rootkit and Mr Adware versus the Virus Researchers will, I’m sure, get stranger, but with researchers like Marco Giuliani around, all the roads to infection that Gromozon takes will be blocked, and in doing so anti-rootkit tools will become more advanced in their methods of detection and removal from the lessons learned.

Keep Safe

Regards
Steo
www.antirootkit.com

New Version of GMER released – 1.0.12

Monday, November 6th, 2006

GMER, one of the best rootkit scanners, has released a new version.

This latest version is 1.0.12 and it includes the following:

- Added kernel & user mode code sections scanning ( inline hooks )
- Added code restoring
- Added \WINDOWS\gmer_uninstall.cmd script
- Improved “GMER Safe Mode”
- Improved hidden process scanning
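To make the “code sections scanning (inline hooks)” and “code restoring” items concrete, here is an added Python sketch of the idea (it is not GMER’s code): a constructed on-disk copy of a module’s .text section is compared with an in-memory copy, a prologue that has been rewritten into a JMP rel32 is decoded to see where it leads, and the on-disk bytes are put back. The module base, section offset, function names and all byte values are assumptions made up for the example.

```python
import struct

# Constructed scenario: a module mapped at MODULE_BASE whose .text section starts at SECTION_RVA.
MODULE_BASE, MODULE_SIZE, SECTION_RVA = 0x7C800000, 0x1000, 0x400
# Constructed on-disk .text bytes: two 16-byte function bodies (x86 prologue + NOP padding).
DISK_TEXT = (b"\x8B\xFF\x55\x8B\xEC" + b"\x90" * 11) * 2
FUNCTIONS = {"NtOpenProcess": 0x0, "NtQuerySystemInformation": 0x10}  # offset within .text (assumed)

def func_va(offset):
    return MODULE_BASE + SECTION_RVA + offset

def place_jmp_hook(text, offset, target_va):
    """Constructed hooked state for the demo: a prologue overwritten with JMP rel32 to target_va."""
    mem = bytearray(text)
    rel = (target_va - (func_va(offset) + 5)) & 0xFFFFFFFF
    mem[offset:offset + 5] = b"\xE9" + struct.pack("<I", rel)
    return bytes(mem)

def scan_inline_hooks(mem_text, disk_text=DISK_TEXT):
    """Compare the in-memory code section with the on-disk copy, function by function.
    Any changed prologue is reported; if it starts with E9 (JMP rel32) the destination is
    decoded and flagged when it falls outside the module, the usual sign of a detour."""
    findings = []
    for name, off in FUNCTIONS.items():
        mem_bytes, disk_bytes = mem_text[off:off + 16], disk_text[off:off + 16]
        if mem_bytes == disk_bytes:
            continue
        f = {"function": name, "offset": off, "jump_to": None, "outside_module": False}
        if mem_bytes[0] == 0xE9:
            rel = struct.unpack("<i", mem_bytes[1:5])[0]
            f["jump_to"] = (func_va(off) + 5 + rel) & 0xFFFFFFFF
            f["outside_module"] = not (MODULE_BASE <= f["jump_to"] < MODULE_BASE + MODULE_SIZE)
        findings.append(f)
    return findings

def restore_code(mem_text, findings, disk_text=DISK_TEXT):
    """'Code restoring': copy the on-disk bytes back over every function the scan flagged."""
    mem = bytearray(mem_text)
    for f in findings:
        off = f["offset"]
        mem[off:off + 16] = disk_text[off:off + 16]
    return bytes(mem)

if __name__ == "__main__":
    hooked = place_jmp_hook(DISK_TEXT, 0x10, 0xF8A12000)   # constructed out-of-module target
    for f in scan_inline_hooks(hooked):
        print(f)   # NtQuerySystemInformation jumps to 0xF8A12000, outside_module True
    assert restore_code(hooked, scan_inline_hooks(hooked)) == DISK_TEXT
```

A real scanner reads the disk bytes from the PE file and the memory bytes from the live process or kernel, and has to apply relocations before comparing; this sketch skips both to keep the comparison itself visible.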

GMER has also provided example log files for various rootkits:

Rustock – http://www.gmer.net/rustock.log
Gromozon – http://www.gmer.net/gromozon.log
Haxdoor – http://www.gmer.net/haxdoor.log
Hacker Defender – http://www.gmer.net/hxdef.log
Badrkdemo – http://www.gmer.net/badrkdemo.log

GMER has also provided a video of GMER scanning and finding the Gromozon rootkit.
GMER Gromozon Rootkit Video

GMER’s author is always updating the software to find new threats and new attack vectors, and because of this it is one of the best rootkit scanners available today.

For more information see the Antirootkit.com GMER page or head directly to GMER.net

Stay Safe

regards
Steo
www.antirootkit.com

Linux Anti Rootkit – Zeppoo 0.0.4 released

Saturday, November 4th, 2006

The guys over at Zeppoo have released a new version of their Anti Rootkit Software Zeppoo.

This version is 0.0.4, and the new features include support for Red Hat and Ubuntu with the -r option, along with AMD64 support. There are also lots of bug fixes thrown in for good measure.

For more details and download see http://www.antirootkit.com/software/Zeppoo.htm

Keep Safe Linux users,

regards
Steo
www.antirootkit.com

Do 1.28 Million computers have a Rootkit?

Saturday, November 4th, 2006

We don’t get many stats on how many PCs in the world have rootkits installed, hiding malware like keyloggers and spyware in the background. Rootkits are too good to be true for the malware authors out there, so it stands to reason that rootkits should be more prevalent. Except Microsoft does not think they are.

Microsoft recently published a Security Intelligence report entitled “An in-depth perspective of trends in the malicious and potentially unwanted software landscape in the first half of 2006”. This report had many references to rootkits, including the number of individual PCs scanned using the Windows Malicious Software Removal Tool (MSRT) and Windows Defender, along with the percentage of rootkits found. Symantec today released a Security Brief entitled “Handling Today’s Tough Security Threats” in which they compared their software against that of other companies like Microsoft and McAfee. The interesting part of the report for me is the rootkit detection section.

But first let’s have a look at the Microsoft stats.

Microsoft says in its report that of the 3.2 million computers scanned, 8% had rootkits, which is a drop from 17% in 2005. This means that Microsoft was able to find 256,000 (256K) computers with rootkits.

Microsoft, like Symantec, scanned for the Sony XCP rootkit, which it could be argued didn’t hide malware (although malware authors used its stealth capabilities to hide their own malware).

The Symantec report says they tested for rootkits that are currently being used in the wild. Thompson Cyber Security Labs randomly selected 20 rootkits and used their own samples for this test. We don’t know if the Sony rootkit was one of the 20 rootkits picked.

Symantec states in the report that, of the 20 rootkits tested, the Symantec software identified all 20 while Microsoft only identified 5. This shows that Microsoft only identified 20% of the rootkits tested.

So assuming like for like, the Microsoft figure of 256,000 unique computers with rootkits could mean, taking Symantec’s results into account, that Microsoft has only found 20% of the actual number of computers with rootkits. That’s a staggering 1,280,000 (1.28 million) computers infected with rootkits.

We could also add the highly publicised Gromozon and Haxdoor rootkits that are taking computers by storm at the moment, but again there are no solid figures to use.

Hopefully we can get more precise details so we can really see if Microsoft is falling behind in the identification of rootkits and whether there really are 1.28 Million computers with rootkits hiding malware.

Keep Safe,

regards

Steo
www.antirootkit.com