SpannerITWks
Premium
join:2005-04-22

From Italy, but not with Love -> www.google.com = V Bad

Marco Giuliani has written an Excellent account in a PDF of one of the most persistent nasties currently doing the rounds. This nasty - www.google.com - and ALL its constantly changing variants, employs lots of different methods of trying to gain entry, via multiple flavours of browsers. All these come from the " Infamous " ESTDOMAINS.

These are some of the things you can expect to get hit with, if caught out - www.google.com - LinkOptimizer - FreeAccess.ocx/Trojan - JavaByte.Verify - WMF exploit etc.

Lots of screenys to accompany the in-depth breakdown. Here are a few pertinent points from it.

---------------------------------

In May, 2006, users started to report some strange behavior in Windows: strange crashes at boot up, unusual reports of antivirus software reporting heuristic detections of files they couldn't clean, and odd files appearing on the hard drive. Italian users reported the URLs of suspicious websites. When users visited these websites, their CPUs spiked abnormally high and their systems slowed down.

After these first signs, people reported infections of rootkits on their computers, discovered by some rootkit scanners. Removing this infection, on the other hand, would turn out to be much more difficult than expected.

In August 2006, three months later, this infection is still spreading widely - not only in Italy, but to other countries as well. No security company has released an update for their engine or found a solution which totally removes the infection.

In the following pages, we will deeply analyze the infection to better understand how it works. All of the information stated in this document has been taken from myself, the web, and other researchers around the world. For information on contributors and sources, I have included a complete list at the end of the document.

-

The infection starts from strange Italian websites that contain in their code a link to a JavaScript hosted on another server.

-

If we try to connect to the webpage shown in the deobfuscated script, we will find a complex PHP script which is loaded dynamically and changes depending on the browser's user agent. This means that depending on the browser, each user will receive a different type of infection. We tested with Internet Explorer 5, Internet Explorer 6, Mozilla Firefox 1.5.0.6 and Opera 9 user agents:

-

Immediately after the dropper is launched, a new - fake - user account is created in Windows with a random name and a random password. After the new user account is created, a directory under C:\Documents and Settings\ with the same name as the new account is created.

-

After deobfuscating the JavaScript, we can see that the exploit is loaded only after a check of installed software on the PC. It checks the presence of antivirus software

-

After this, a new file is created under C:\Program Files\Common Files\system (or sometimes under Microsoft Shared instead of system). This file has a random name and random size. It is encrypted using the Windows Encrypting File System (EFS) feature so that only the fake account has rights to it, preventing any other user from moving, reading, or deleting it.

-

The rootkit can also infect your system by copying rootkit code into the Alternate Data Stream of a file or directory. This method is only possible if the victim's file system is NTFS. Alternate Data Streams (ADS) is a feature of the NTFS filesystem that can fork file data into existing files without affecting their functionality or size, and prevents traditional file browsing utilities from viewing the stream. It is an alternative, hidden stream where software can write to, and it will be hidden from most file browsing utilities and some antivirus programs.

-

After it is fully loaded, the rootkit hides the APPInit_DLLs key and hides the LinkOptimizer

-

After this, the rootkit removes the SeDebugPrivilege privilege from all Windows user accounts. This will prevent some anti-rootkit programs from running - for example, the F-Secure BlackLight Beta

The rootkit component is launched with fake user account rights so that removing the ADS streams is even harder than removing the reserved-name version.

The rootkit component is detected by Kaspersky as: Trojan.Win32.RKDice.a, but not every variant is detected because there are a lot of different variants. The newest versions of the rootkit appear to implement a checksum scanner to prevent the execution of anti-rootkit software like GMER, The Avenger and IceSword

-

There is no automatic solution for cleaning this infection, and users can only use some programs together which can be difficult for many users.

-

If the rootkit is hidden into an ADS, there is no complete working procedure, and you will need to talk with an expert who can help you. The most important thing is to deactivate the rootkit - removing all of the files is just a bonus.

Marco Giuliani - Member of Malware Research group - Senior Editor Hardware Upgrade

PDF - »www.pcalsicuro.com/gromozon.pdf

Spanner
--
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks
/SpannerITWks
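The indicators in the write-up quoted above (a random-named local account with its own profile directory, an EFS-encrypted file under Common Files, alternate data streams, the AppInit_DLLs value, and SeDebugPrivilege stripped from accounts) can be triaged from a PowerShell prompt. The script below is an added example and is not Marco Giuliani's analysis code or any vendor's removal tool; it assumes PowerShell 3.0 or later on NTFS volumes, an elevated prompt, and a $KnownAccounts list that you edit for the machine. Because the write-up says a loaded rootkit hides its key and files from user-mode tools, a clean result here is only a first pass; the anti-rootkit tools listed in the thread, or an offline scan, remain the real check.

```powershell
# Triage for the Gromozon-style indicators described in the quoted write-up.
# Added example; not the write-up's own code and not any vendor's tool.
# Assumptions: PowerShell 3.0+, NTFS, run from an elevated prompt.
# A clean result is NOT proof of a clean system: a loaded rootkit can hide
# the AppInit_DLLs key and its files from everything this script calls.

param(
    # Accounts you expect on this machine (assumption: edit for your environment).
    [string[]]$KnownAccounts = @('Administrator', 'Guest')
)

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, [string]$Item, [string]$Note) {
    $findings.Add([pscustomobject]@{ Check = $Check; Item = $Item; Note = $Note })
}

# 1. Local accounts not on the known list, joined to their profile folders
#    (the dropper creates a random-named account plus a matching profile dir).
$profiles = Get-CimInstance Win32_UserProfile | Where-Object { -not $_.Special }
foreach ($acct in Get-CimInstance Win32_UserAccount -Filter 'LocalAccount=True') {
    if ($KnownAccounts -notcontains $acct.Name) {
        $p = $profiles | Where-Object { $_.SID -eq $acct.SID }
        $path = if ($p) { $p.LocalPath } else { '(no profile)' }
        Add-Finding 'LocalAccount' "$($acct.Name) [$($acct.SID)]" "profile: $path"
    }
}

# 2. EFS-encrypted files under the two Common Files locations the write-up names.
$roots = @("$env:CommonProgramFiles\system", "$env:CommonProgramFiles\Microsoft Shared")
$files = Get-ChildItem -Path $roots -Recurse -File -Force -ErrorAction SilentlyContinue
foreach ($f in $files) {
    if (($f.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0) {
        Add-Finding 'EncryptedFile' $f.FullName "EFS-encrypted, $($f.Length) bytes"
    }
}

# 3. Alternate data streams on the same files. ':$DATA' is the normal unnamed
#    stream and Zone.Identifier is the "downloaded from the Internet" mark;
#    anything else is worth a look.
foreach ($f in $files) {
    $streams = Get-Item -LiteralPath $f.FullName -Stream * -ErrorAction SilentlyContinue
    foreach ($s in $streams) {
        if ($s.Stream -ne ':$DATA' -and $s.Stream -ne 'Zone.Identifier') {
            Add-Finding 'AlternateDataStream' "$($f.FullName):$($s.Stream)" "$($s.Length) bytes"
        }
    }
}

# 4. AppInit_DLLs: any DLL listed here is loaded into every process that links
#    user32.dll. The write-up says the rootkit hides this key once loaded, so
#    an empty value on a live system proves little.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $key -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit) {
    Add-Finding 'AppInit_DLLs' $appInit 'non-empty value'
}

# 5. SeDebugPrivilege: an elevated administrator token normally lists it
#    (enabled or disabled). Its absence matches "privilege removed from all
#    Windows user accounts" in the write-up.
$privs = whoami /priv 2>$null
if (-not ($privs -match 'SeDebugPrivilege')) {
    Add-Finding 'SeDebugPrivilege' $env:USERNAME 'missing from the current elevated token'
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators found by this script (see the caveat at the top).'
} else {
    $findings | Format-Table -AutoSize
}
```

Save it as, say, Gromozon-Triage.ps1 and run it from an elevated prompt as `.\Gromozon-Triage.ps1 -KnownAccounts Administrator,Guest,alice`. Each hit is reported as a row rather than acted on: the write-up is explicit that deactivating the rootkit matters more than deleting files, and an EFS-encrypted file owned by the fake account cannot simply be removed by another user anyway, so the output is meant to guide the anti-rootkit tools and the decision to reimage, not to replace them.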


Elite

join:2002-10-03
Orange, CT

First off, Spanner thank you for shining some light on this.

I appear to have run across this infection on a relative's PC 2 days ago.

Relative had gotten a keylogger installed on his PC from accepting something over AIM, so I installed KIS 6.0 Trial so I could make removing the keylogger a little less of a pain in the ass. He also had no AV/Antispyware at all (not good).

The machine had automatic updates enabled to check I think weekly for updates, so I'm going to assume the Windows Media Center w/ SP2 machine was 100% patched and up to date.

He was however, using IE as his default browser. He also had very old versions of both Shockwave Player, Flash Player, and JRE 1.5 Update 4 AND 6.

I cranked KIS 6.0 Scan Settings up to 'High'. Before even turning the machine on, just knowing he had no AV, I figured he had a few dozen viruses at least and figured this was a must.

Machine was VERY slow for a 2.8Ghz P4 w/ 256MB RAM. There weren't many running processes, the CPU load was near 0, and memory usage was nothing near 256MB.

After about 2 hours of scanning with KIS 6, he had a total of 253 infections; ranging from misc. spyware, a keylogger, a few misc. trojans, and a good handful or two of infected files marked as Trojan.Win32.Agent.ny. Before I had even installed KAV, I looked at the process list and there didn't appear to be anything nasty running minus the keylogger, I thought about DLL injection or a rootkit being a possibility. One of the Trojan.Win32.Agent.ny files was in fact a driver named Driver.sys. I thought it may have been a rootkit, but KIS 6 had marked it as a Trojan and I didn't have the time to go look it up.

In the end, after 2 hours of scanning and 253 infections, KIS 6 seemed to do a damn good job at detection and cleanup. To remove the driver file I had to reboot and actually got a BSOD upon shutdown. The machine seemed moderately faster after everything had been cleaned up and I updated Flash/Shockwave, uninstalled old JRE and threw Update 8 on the machine. Was still a *little* on the slow side so I defragged and left.

But since you posted this... now I've got some second thoughts on whether or not I got everything. I love KIS 6 and I know it's got some stunning detection rates, but rootkits don't like to go out without a fight. Seems as though I may have to go back over there next week with a few anti-rootkits and maybe fire up IceSword to go through it by hand.



John2g
Qui Tacet Consentit
Premium
join:2001-08-10
England

reply to SpannerITWks
There is a long thread about this at Wilders.

»www.wilderssecurity.com/showthre···t=136452
--
Better to remain silent and be thought a fool, than to speak and remove all doubt.


Px

join:2005-04-30

reply to SpannerITWks
Bah this is what I get for not having AV and missing a full clean of the root kit... Anyways great write up and I have a few remnants left over to clean from this mess. Now where is my backup disk...
--
I have gone on a journey to find myself. If you find me before I find myself be sure to find me and let me know.



Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
kudos:13

reply to SpannerITWks
a b'stard of a rootkit

Cudni



SpannerITWks
Premium
join:2005-04-22

reply to SpannerITWks
Elite

Hi,

Glad you + others found it interesting too.

With that amount of infections i'm surprised your relative didn't realise something was wrong ages ago !

Nothing wrong with IE if it's set up securely, but for someone like your relative an alternative might be an option, but it sounds like they might still need Scripting etc enabled if they want to use some www's. A good talk about All the dangers etc should be beneficial, hopefully !

Yes updating/patching " can " be important, as long as the updates/patches don't need patching/updating themselves, and/or open up more holes lol, as has happened Very recently with MS, Again ! Sounds like they went Way past the, wait + see for a little while, usual recommended precautions though lol.

Those low CPU + Memory figures seem a bit odd, with All that junk in there ?

Rootkits can be called Trojans too, so i wouldn't rule it out, especially as - Driver.sys - was discovered in there !!!

I think using some extra tools as you mentioned would be a Very good idea, and as well as IceSword try these too, and ALL Free -

GMER

DarkSpy

Blacklight

Rootkit Revealer

Sophos Anti-Rootkit

One of the best, but least known is - RKUnHooker

Find them all, and lots of other things in here - »forum.sysinternals.com/forum_pos···962&PN=1

I hope when you go back they haven't Allowed a load more nasties in for you to clean up ! I Would be Very concerned about their Passwords etc being compromised with that selection of crap in there, not forgetting the possible RK !!! Might be worth thinking about blitzing the HD and a fresh install ?

Anyway all the best with it, and let us know what tools/methods etc you used, and what you found, and the outcome.

John2g

Thanx for the link which some might have not seen.

wrath457

Sorry to hear about you getting blasted, do you know Exactly how it happened, are you going to get a good AV/AT now ?

Cudni

Yeah not good !

Spanner
--
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks
/SpannerITWks



SpannerITWks
Premium
join:2005-04-22

reply to SpannerITWks
More leads and other angles etc -

www.shiptrop.com - was listed by bobince in here - »WMF Exploit injected when you visit thevista.ru web site: - If you click on - www.shiptrop.com - you get redirected to of all places - »www.msn.com/

This " appears " to be a similar trick to the ones researched by TNT in here - »cut-thecrap.blogspot.com/2006/06···ing.html

Guess what ? looks like it's those same pesky critters already mentioned responsible for the - www.google.com - createControlRange/iframe + WMF etc etc exploits. Estdomains = Coolwebsearch hijackers !

Spanner
--
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks
/SpannerITWks



ilago
Premium
join:2005-06-28
Australia

reply to SpannerITWks
There is a removal procedure posted in an Italian anti-malware forum. It seems that Italy or Italian language sites were used as some sort of test bed and it is only now hitting the english speaking world. This post is in english and may be of interest for additional information.

»www.suspectfile.com/forum/viewto···hp?t=170

Symantec have posted information. The link is in the Wilders thread. They describe removal as 'easy'. So the afflicted users I deal with won't have a problem then.

I'm not seeing easy anywhere in my researching, although it can be removed. EraserHW has done a good job with his write-up and he's way ahead of the published Symantec detail.

It is using many known and patched exploits; a fully patched and up to date system, running as a limited user, should provide protection with javascript disabled. I'd be interested to see if that will stand up on its own. I haven't got a test machine at the moment.



SpannerITWks
Premium
join:2005-04-22

ilago

Thanx for the link + info.

Apparently Symantec has made some errors in their analysis of this on their www, according to Marco Giuliani/EraserHW !

The critters behind all this aren't going to give up any day soon, so i wonder what's next, and this ain't anywhere near over just yet !

The trouble is, as i've said many times, Most people out there WILL be running not only with JS enabled, but also ActiveX, which also makes things a lot easier for the nasty peeps to get in with their crap !

Spanner
--
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks
/SpannerITWks


claudeo

join:2000-02-23
Redmond, WA

reply to SpannerITWks
This crap is obviously well funded. One has to wonder what the ultimate business model is for the funders. Is it just data collection for fraudulent purposes, or is it espionage (industrial or otherwise)? At the same time, something does not quite make sense. If you can deploy such a powerful platform for unfettered remote access and data mining of so many computers, why weaken it with low-rent malware that invites detection? Even distributed spamming has to be less profitable than some of the other forms of exploitation of the owned systems. Is this a smoke screen for something more malicious?


rotty97

join:2005-06-30
Australia

I would have thought this type of malware without the adware component would have been great for making a botnet, extremely effective i'd say.

cheers, rotty



SpannerITWks
Premium
join:2005-04-22

reply to SpannerITWks
I've been trying some of those nasty www's again to see what they're up to today. Seems like more new tactics are being served up, which i didn't experience before ! Active Scripting was set to prompt, which i was numerous times, along with ActiveX ones. I accepted the AS but not the AX. I was able to DL more - google.com - files, but none that i didn't already have.

Several www's ALL redirect and then i get 10 SO's and a Script warning -



These were new events, to me anyway !

After i clicked to continue i experienced a VERY slow loading attempt of " something " which i aborted after 2 mins. I could visually see my FW indicating the DL input.

The other www's i tried also redirect to the same www with similar Very slow loading of " Whatever " ? after you get the main page. I aborted again after 2 mins.

So they're still @ it, and i'm surprised the same www's are still working ! What next i wonder ?

Spanner
--
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks
/SpannerITWks



SpannerITWks
Premium
join:2005-04-22

2 edits

reply to SpannerITWks
Prevx Provides Free Fix for Malware Nightmare Unleashed by Gromozon.com

U.S. Computer Users Especially at Risk for New Layered Malware Attack During Labor Day Weekend as Many Shop Online; Prevx Offers Free Security Download to Protect Consumers and Businesses

DERBY, ENGLAND -- (MARKET WIRE) -- September 01, 2006 -- Prevx, a leading developer of Automated Malware Research, today announced that it has developed a detection and removal tool that will allow users to check their PCs for the presence of the high risk Gromozon/LinkOptimizer Rootkit, and associated PC infections. These originated on Gromozon.com but are now carried by a growing number of websites. The tool is free; it performs a thorough analysis of the user's PC to detect and if necessary remove the Gromozon infection.

Once installed, the Gromozon Rootkit is virtually undetectable by PC users and allows their PCs to be used for any purpose without their knowledge including downloading additional malware, information/identity theft and click fraud.

The detection and removal tool is available for free download from the web at ....

Etc -

»www.marketwire.com/mw/release_ht···d=159395

Spanner

edit - PS, Erasmus is the director of malware research at Prevx.

PPS - The fix appears to be ONLY for XP !
--
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks
/SpannerITWks



mozerd
Light Will Pierce The Darkness
Premium,MVM
join:2004-04-23
Nepean, ON

Just a FYI, If anyone is considering installing Prevx1 be warned that it is a RESOURCE HOG big time ... your system will crawl.
--
David Mozer
IT-Expert on Call
Information Technology for Home and Business



SpannerITWks
Premium
join:2005-04-22

reply to SpannerITWks
Proof that the Prevx free fix has and does work -

" rootkit successfully removed with the Prevx tool. Thx! "

»forum.sysinternals.com/forum_pos···598&PN=1

Nice job Prevx !

Spanner
--
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks
/SpannerITWks


controler

join:2003-11-02

reply to SpannerITWks
Hello

Could someone try something for me that uses Process Guard?

On my system.

I run the removal tool.
The tool wants to reboot as it does I see PG alerting it did not allow service/driver.
Machine reboots and asks to run the file.
For as long as I leave that window up, PG's GUI will not show up but I still get alerts from PG.
I chose cancel to run the file.
On next reboot, same thing.

How do I stop this removal tool from starting up each time I reboot?

Thanks

controler


controler

join:2003-11-02

reply to SpannerITWks
Update

Was able to stop the startup with Autoruns



fatdcuk
Premium
join:2005-02-20
England

reply to SpannerITWks
Hi Spanner et al

Here's another free software to add to the list of available Gromozon (detection & cleaning) software.

SUPERantispyware free detects and removes many gromozon RK var's now and it doesn't do a bad job at all cleaning up the imported associated infections too



Gremmah

@6.interbusiness.it





fatdcuk
Premium
join:2005-02-20
England

reply to SpannerITWks

quote:
SUPERantispyware free detects and removes many gromozon RK var's
In this case not your variant, so far i have personally submitted 6 vars to SAS and in each case it has sliced & diced after updated defs on my test pc.

Oh well, lazy sunday afternoon, time to fire up the imaging software

PS I'm sure Nick S at SAS would appreciate that variant being submitted so he could add it to the next set of defs update, as would all anti malware vendors come to think about it
over 12.5 years online © 1999-2012 dslreports.com.