GROMOZON.COM

The strange case of Dr.Rootkit and Mr.Adware


rev. 0.5


Marco Giuliani

INTRODUCTION
In the last few years, we've seen a dramatic change of infection techniques. Years ago, malicious programs started as simple file infectors, then progressed through macro viruses, worms, script viruses, and now we are plagued in massive numbers by backdoors, trojans, adware, and rootkits.

The skill set needed for writing malware has changed, and so have the goals. The days when virus writers wrote viruses to show off how good they are at making malicious programs have gone away, and now all that the virus writers care about is making money by infecting a lot of computers.

By using bot trojan horses, an attacker can remotely gain system access. There are thousands of networks of zombie computers - machines infected with backdoors that are ready to be used for anything the bot controller desires, ranging from sending spam emails to performing Distributed Denial of Service (DDoS) attacks.

A lot of these virus writers are fueled by companies that have poor moral values and bad advertising campaigns. A company that wants to advertise a product to a million users by email would need to send out all of those emails by themselves, which can get their company blacklisted very quickly. Instead, all they would need to do is pay a virus writer to write a virus that can remotely infect a computer, turning it into a mail server. Companies make millions of dollars a year due to spam emails.

A lot of infections also advertise locally on the user's computer. Malware is frequently used to display messages about products on people's computers by analyzing their surfing habits and sending the user's information to the attacker's server.

Terrorists are also using bot networks (botnets) frequently to attack websites. For example, someone could digitally hold a company and its website ransom, forcing them to send money or else the virus writer would start a distributed denial of service attack. Some computer terrorists have networks of hundreds of thousands of computers, making the attacks powerful enough to take down even the largest corporate servers.

The last weapon in the attacker's arsenal is the rootkit - a technique used to hide the malicious code in an infected computer so that no software can see them. There are many techniques available to attackers which can hide files and other components of viruses. Many of these techniques have been discovered and counter-attacks have been created by antivirus companies, but, as always, the virus writers are one step ahead and have many ways to combat even the most powerful antivirus and antirootkit software. Some months ago, users started reporting about a rootkit infection that was totally unknown to antivirus companies. This threat is still emerging and evolving and is still widely undetected. On the following pages, we are going to analyze this infection in detail.

THREAT SUMMARY
In May, 2006, users started to report some strange behavior in Windows: strange crashes at boot up, unusual reports of antivirus software reporting heuristic detections of files they couldn't clean, and odd files appearing on the hard drive. Italian users reported the URLs of suspicious websites. When users visited these websites, their CPUs spiked abnormally high and their systems slowed down.

After these first signs, people reported infections of rootkits on their computers, discovered by some rootkit scanners. Removing this infection, on the other hand, would turn out to be much more difficult than expected. In August 2006, three months later, this infection is still spreading widely - not only in Italy, but to other countries as well. No security company has released an update for their engine or found a solution which totally removes the infection.

In the following pages, we will deeply analyze the infection to better understand how it works. All of the information stated in this document has been gathered by me, from the web, and from other researchers around the world. For information on contributors and sources, I have included a complete list at the end of the document.


PART ONE: SPREADING TECHNIQUES ANALYSIS

The infection starts from strange Italian websites that contain in their code a link to a JavaScript hosted on another server.
Infected webpages look like the picture below:

Infected webpage

Although there are many different malicious websites that look different, each has a common aspect - a link in the source code to a website that contains a malicious JavaScript.

Malicious JavaScript

The website above contains an obfuscated JavaScript. Trying to decode this script isn't a trivial task. We can see a function that terminates with an eval() function and another function that calls the main function, passing a long obfuscated string. The eval() function will return the decoded script, so, we can change the eval() function into an alert() function, forcing the script to show the decoded code rather than run the code. Using this method provided yet more obfuscated code. The encryption used has multiple layers.

Malicious JavaScript 2

Looking more deeply into the code, we can see the use of arguments.callee.toString().replace(/\s/g,'').length, an expression that returns the length of the function's own source code with whitespace removed. The same value is used as a parameter in the obfuscation of the code, so any edit to the function body changes the result. Changing eval() to alert() increments the number returned by that expression by 1 (alert is one character longer than eval). By changing eval() to alert() and compensating for that extra character, subtracting 1 from the values derived from arguments.callee.toString().replace(/\s/g,'').length, we can easily deobfuscate the code.
As shown in the picture below, the JavaScript simply calls another website.

Malicious JavaScript 3
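The self-checking trick described above, as an added example that is not code from the original article or from the malicious script itself. It builds a small constructed script whose XOR key is the length of the decoder's own whitespace-stripped source, read through arguments.callee.toString().replace(/\s/g,'').length, so that any edit to the body changes the key. It then shows the analyst's side: swapping eval for a capture hook of the same length (here "dump", four characters like "eval") keeps the self-check intact and captures the decoded text without running it, whereas alert (five characters) breaks the key, which is why the author had to compensate by 1. The decoder, the payload and the URL in it are constructed placeholders.

```javascript
// Constructed payload standing in for the "call the next website" step.
const PAYLOAD = "var next='http://bridge.example.invalid/advertising/';";

// Decoder in the style of the bridge script (constructed; the real one is much longer).
// k is the length of this function's own source with whitespace stripped, so the
// key silently changes if an analyst edits the body.
const DECODER_SRC =
  "function d(s){var k=arguments.callee.toString().replace(/\\s/g,'').length;" +
  "var o='';for(var i=0;i<s.length;i++)o+=String.fromCharCode(s.charCodeAt(i)^(k%256));" +
  "eval(o);}";

// The script's author derives the key from the final decoder text.
function selfLengthKey(decoderSrc) {
  return decoderSrc.replace(/\s/g, "").length % 256;
}

function xorString(s, key) {
  let out = "";
  for (let i = 0; i < s.length; i++) out += String.fromCharCode(s.charCodeAt(i) ^ key);
  return out;
}

// Assemble decoder + call with the encoded payload, as a web page would ship it.
function buildObfuscatedScript(payload) {
  const encoded = xorString(payload, selfLengthKey(DECODER_SRC));
  return DECODER_SRC + "d(" + JSON.stringify(encoded) + ");";
}

// Analyst side: replace the first "eval(" with a hook name, run the script with the
// hook bound as a parameter (nothing global is touched) and capture what eval would
// have executed. Only a hook of the same length as "eval" leaves the key unchanged.
function decodeWithHook(script, hookName = "dump") {
  let captured = null;
  const patched = script.replace("eval(", hookName + "(");
  new Function(hookName, patched)((code) => { captured = code; });
  return captured;
}

const SCRIPT = buildObfuscatedScript(PAYLOAD);
console.log("hook 'dump' (4 chars):", decodeWithHook(SCRIPT, "dump"));
console.log("hook 'alert' (5 chars):", JSON.stringify(decodeWithHook(SCRIPT, "alert")));
```

The first-occurrence replace is deliberate: the encoded argument follows the decoder in the script, so only the decoder's eval is patched and the XORed payload bytes are left untouched.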

We can now see in the script that the next website is http://td8eau9td.com that 'appears' to be closed by the abuse team - but that is a fake message.

Looking at the website's information:

[whois.estdomains.com]
Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com
Domain Name: TD8EAU9TD.COM
Registrant:
N/A
Austen Rando (joker41@list.ru)
Conde St. 16 81
BELLEVILLE
Illinois,62220
US
Tel. +001.6187775834
Creation Date: 08-Aug-2006
Expiration Date: 08-Aug-2007

As we can see, this website is registered at ESTDOMAINS, which isn't surprising because a lot of spam and malware-related websites come from them. The creation date is interesting because it looks like there is someone who is trying to change domains quickly to prevent being defeated by users who block everything from a specific domain.

If we try to connect to the webpage shown in the deobfuscated script, we will find a complex PHP script which is loaded dynamically and changes depending on the browser's user agent. This means that depending on the browser, each user will receive a different type of infection.

We tested with Internet Explorer 5, Internet Explorer 6, Mozilla Firefox 1.5.0.6 and Opera 9 user agents:

Internet Explorer 5 U.A = Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Internet Explorer 6 U.A = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla Firefox 1.5.0.6 U.A = Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.6
Opera 9 U.A = Opera/9.00 (Windows NT 5.1; U; en)

We caught four different webpages. The webpage loaded with Internet Explorer utilized the highest number of exploits and similar types of attacks.

OPERA 9 BEHAVIOUR
Surfing the webpage with Opera 9 loaded another .htm page which automatically loaded an obfuscated JavaScript. Once deobfuscated, we could see that the JavaScript checks the user's platform, and if it is Win32, it then downloads an executable called www.google.com.

Malicious JavaScript 4

FIREFOX 1.5.0.6 BEHAVIOUR
Surfing with Firefox 1.5.0.6 loaded the same script as surfing with Opera and it then asked to download the same executable. With Firefox, it tries to launch another two-layer obfuscated JavaScript.

The picture below shows the 1st layer unobfuscated code.

Malicious JavaScript 5

INTERNET EXPLORER 5 BEHAVIOUR
When surfing with Internet Explorer 5, the webpage attempted more attacks than with the other browsers. The webpage loaded 5 different iframes, and each iframe used a different kind of attack.

The first iframe tries to automatically drop the same executable seen in the two browsers before. The JavaScript here was also obfuscated.

Malicious JavaScript 6

The second iframe tries to install a well-known Java exploit called Byte.Verify. After deobfuscating the JavaScript, we can see that the exploit is loaded only after a check of installed software on the PC. It checks the presence of antivirus software like:

Norton Antivirus (NAVCfgWizDll.NAVCfgWizMgr)
Kaspersky (DD230880-495A-11D1-B064-008048EC2FC5)
Nod32 (B089FE88-FB52-11D3-BDF1-0050DA34150D)
Ewido (8934FCEF-F5B8-468F-951F-78A921CD3920)

and so on, skipping the installation of the exploit if one of them is found.

Malicious JavaScript 7


The third iframe loads another JavaScript that exploits a well known (and patched) vulnerability in the createControlRange() function. This vulnerability can be exploited by a malicious web site to corrupt memory in a way which allows the program flow to be redirected to the heap. Successful exploitation allows the execution of arbitrary code. This bug is dated 2005-02-27 and reported by Microsoft as MS05-014.

Malicious JavaScript 8

The fourth iframe loads another obfuscated JavaScript that checks if the surfer's platform is Win32 and then tries to install an ActiveX control called FreeAccess.ocx.
This OCX is a library that will be copied under the System32 directory as <randomname>.dll with a size of 15648 bytes. This file is detected by Kaspersky Antivirus as Trojan.Win32.Agent.rl.

Malicious JavaScript 9

The fifth iframe tries to manually download the same executable as the first iframe.


INTERNET EXPLORER 6 BEHAVIOUR
Internet Explorer 6 goes to yet another webpage, different from the others. The first iframe is the same as on the Internet Explorer 5 webpage, and tries to automatically load the www.google.com executable.

The second iframe tries to exploit the well known WMF bug, discovered in January of this year. An obfuscated JavaScript checks if an antivirus software is installed - similar to the check in the IE5 paragraph above - and then, if nothing is found, tries to load a file called img.tif. This is a malformed image that exploits the WMF bug and tries to download a DLL from http://gromozon.com/d.php?10000_2 and saves it into the System32 directory as jvaa.dll, with a size of 12288 bytes. This file is registered as a BHO.

Malicious JavaScript 10

The third iframe loads the ActiveX - FreeAccess.ocx, as we saw for Internet Explorer 5.

The fourth iframe loads the same executable as the first iframe, but this time asks the user to manually launch it.



PART ONE: FINAL THOUGHTS

As we've seen, everything starts from the JavaScript we deobfuscated at the beginning. That is the bridge from the normal websites to this malicious server.

What is really impressive is the amount of work that is done by the server. The link shown in the bridge JavaScript changes constantly and the links we've analyzed, caught by the webpage linked to the first JavaScript, are always randomly generated. Moreover, each link generated dies after a predefined time - about an hour. After the user reaches the bridge JavaScript from the "harmless" website, it takes a couple of seconds to have the links generated and visited by the user - all automatically; then the server removes all of the links to prevent analysis and other random directories are created for other victims.

In this analysis, we accessed http://td8eau9td.com as the server that contains all of the scripts and malware. However, this is only the most recently changed server, as we can see from the registration date of the domain: it was created on 8 August, 2006.

Before this server, others were the servers used to spread this malware - the most famous is gromozon.com, registered as seen below:

[whois.estdomains.com]
Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com
Domain Name: GROMOZON.COM
Registrant:
gromozon.com
Ladarius Mcgeary (admin@gromozon.com)
Pembroke Rd 80 79
SAN ANTONIO
TX,78208
US
Tel. +1.2103377863
Creation Date: 16-Feb-2006
Expiration Date: 16-Feb-2007


This is the first website caught during May 2006, the starting website of this infection. As we can see, it has been registered since 16 February 2006, and it is registered at ESTDOMAINS as well.
The other known domain is mioctad.com, registered under:

[whois.estdomains.com]
Registration Service Provided By: WNZ
Contact: +420.776183233
Website: http://web-namez.com
Domain Name: MIOCTAD.COM
Registrant:
mioctad.com
Vernon Dayton (admin@mioctad.com)
Avenue A 78 26
SAN ANTONIO
TX,78220
US
Tel. +1.2108732122
Creation Date: 03-Jun-2006
Expiration Date: 03-Jun-2007

This is the second server registered based on the creation date.

Why three servers? Changing the server often defeats attempts by people to prevent infection by blocking the servers.
To prevent further infections, we can block these three servers, but we know that the maintainer will just change the server another time, as he did with previous servers. The one thing that has stayed constant is the first JavaScript which acts as a bridge at the address: http://js.gbeb.cc/advertising/
Blocking access to this domain will prevent all infections even if the webmaster changes the servers used to spread the malware (as long as he doesn't change it also ;) )

Malware Servers



PART TWO: INFECTION TECHNIQUES ANALYSIS
We've seen in Part One the names of the files that are installed onto the victim's PC when surfing on that website.
Now we need to know more about the actual files that are installed on the victim's PC, so that we can know every aspect of this infection.
We've seen that the infection is different according to the browser used to surf on the server. The common file for all of the browsers is www.google.com, which will be the last file we are going to analyze.

Save www.google.com code


With Internet Explorer 5/6 an unaware victim received:

  • Java exploit Byte.Verify, easily detected by almost every antivirus software (on Internet Explorer 5);
  • An ActiveX called FreeAccess.ocx that needs user permission to be installed;
  • www.google.com on which we'll dedicate a full paragraph;
  • img.tif, a WMF exploit that downloads some malware from the server (in case you still need some more malware ;) )


We are going to analyze FreeAccess.ocx and img.tif.

FreeAccess.ocx
When the browser asks to install this ActiveX and the user accepts it, this OCX will drop a 15648 byte long dll with a random name (in our case vcaa.dll) into the Windows System Directory (usually C:\Windows\System32\).

After this, the dll is registered as a CLSID under:

HKEY_CLASSES_ROOT\CLSID\{GUID}\InprocServer32

This dll is recognized by Kaspersky Antivirus as Trojan.Win32.Agent.rl. Very few antivirus companies currently recognize this sample.

Img.tif
This file is a WMF exploit and won't be loaded if the victim uses an antivirus software that is checked by the script, as seen in part one.

If the PC is unpatched and the script launches the exploit, img.tif will download a 12288 byte file from http://gromozon.com/d.php?50310_2 and it will be saved into the Windows System Directory with a random name and a dll extension. These sizes are the sizes currently found as I am writing this article and they can arbitrarily change as the author wishes.

This dropped file is also detected by Kaspersky Antivirus as Trojan.Win32.Agent.rl and few other antivirus programs find this file.


WWW.GOOGLE.COM
This is the infamous file - the source of all evils coming from the gromozon.com website. We need to ask ourselves: why the strange name?

The author is using an interesting form of social engineering with this filename by tricking the user into answering 'yes' to the "Do you want to download this file?" message on a file that the user will think is coming from Google, Inc.

This file is definitely not a website - it is actually an executable file with a .COM extension. 'COM' files are executed exactly the same as .exe, .pif, .scr, .bat, .cmd and many other similar file formats. The www.google.com file is a dropper which installs more files into the user's computer.

Since May 2006, this executable has changed its source code many times by using a type of server-side polymorphism. By not containing a static malware body, the virus becomes more difficult to detect by antivirus companies. To further evade detection and testing by antivirus companies, the dropper doesn't work at all on a Virtual Machine.

Once the file is launched on a real computer, the virus makes so many changes to the system that, in some cases, it corrupts the operating system and causes startup crashes - showing errors caused by C:\WINDOWS\system32\SERVICES.exe.

After the dropper starts, we will hear the hard disk working intensely for a few seconds, but nothing appears on screen. The dropper connects to a remote server, 195.225.177.22, and drops some installers that install an adware program, a rootkit, and a fake Windows service. The droppers are downloaded as C:\Windows\Temp\<randomname>1.exe and into C:\Documents and Settings\<user>\Local Settings\Temp (the %TEMP% directory).

We are going to analyze these three parts.

Windows Service
Immediately after the dropper is launched, a new - fake - user account is created in Windows with a random name and a random password. After the new user account is created, a directory under C:\Documents and Settings\ with the same name as the new account is created.

Encrypted File


After this, a new file is created under C:\Program Files\Common Files\system (or sometimes under Microsoft Shared instead of system). This file has a random name and random size. It is encrypted using the Windows Encrypting File System (EFS) feature so that only the fake account has rights to it, preventing any other user from moving, reading, or deleting it. The file can be recognized because it is marked with a green colour.

A new Windows service which is related to this file is then created with a random name. We can recognize this fake service because of its random name and because its "Logon As" value is the name of the randomly created account.

Windows Service

This service is detected by Nod32 as: Win32/Agent.VP


Adware LinkOptimizer
After the service is created, an adware component with a random name is installed into the C:\Windows\ directory. In our tests, this file is called luijp1.dll and is 64671 bytes long.

The file is loaded as a BHO (browser helper object) under: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

This adware is hidden to the user by the rootkit. Adware LinkOptimizer shows advertising on the victim's PC when surfing the web. Kaspersky Antivirus detects this file as: not-a-virus:AdWare.LinkOptimizer.a


Rootkit
The most annoying part of this infection is the rootkit component. After the dropper is launched, the rootkit is installed onto the victim's PC. This is a usermode rootkit which is hard to remove because it randomly makes use of:

  • Windows reserved names;
  • Alternate Data Streams (ADS);

Microsoft Windows has a list of reserved device names that can't be used for normal file naming. These names are:

  • CON
  • PRN
  • AUX
  • NUL
  • COM1
  • COM2
  • COM3
  • COM4
  • COM5
  • COM6
  • COM7
  • COM8
  • COM9
  • LPT1
  • LPT2
  • LPT3
  • LPT4
  • LPT5
  • LPT6
  • LPT7
  • LPT8
  • LPT9

It is impossible with normal file operations to delete or create files with these names, but, if you use the \\.\ prefix, you can delete and create these files easily with the command prompt.

If you have a file called com4.gip and try to run:

del C:\com4.gip

you will receive an error because you can't access this file, as it uses a reserved name. But if you run:

del \\.\C:\com4.gip

you can bypass the check and fully delete the file.

Delete ADS file

The rootkit can also infect your system by copying rootkit code into the Alternate Data Stream of a file or directory. This method is only possible if the victim's file system is NTFS. Alternate Data Streams (ADS) are a feature of the NTFS file system that allows data to be forked into existing files without affecting their functionality or size, and that keeps traditional file browsing utilities from viewing the stream.

It is an alternative, hidden stream which software can write to, and it will be hidden from most file browsing utilities and some antivirus programs.

If you want to see the ADS features of the NTFS file system, you can click on Start - Run and write this command:

"notepad C:\autoexec.bat:mytest.txt"

Notepad will create a text file hidden in the ADS of the autoexec.bat file. The ":" is used when you want to write to an ADS.

This rootkit makes use of this feature, copying its code usually into the ADS of the root drive C:\ (for example: "C:\:xchse.xmz") or into the Windows System Directory ADS (for example "c:\windows\system32:vbhfd.vna").

After the rootkit is loaded, it modifies the APPInit_DLLs key at

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

loading itself (with the \\?\ prefix if it is using a reserved name and not the ADS method).

ADS File 2
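The two hiding tricks just described, reserved device names (with the \\?\ or \\.\ prefix) and NTFS alternate data streams, can be recognised from the path alone. The following triage helper is an added example, not code from the original article: it classifies paths such as those found in an AppInit_DLLs value or an anti-rootkit scanner log, and goes slightly beyond the article by covering both prefix forms and streams attached to a directory as well as to a file. The sample paths are constructed from the patterns quoted in the text.

```javascript
// Reserved device names from the list above (matched case-insensitively).
const RESERVED_NAMES = new Set([
  "CON", "PRN", "AUX", "NUL",
  ...Array.from({ length: 9 }, (_, i) => `COM${i + 1}`),
  ...Array.from({ length: 9 }, (_, i) => `LPT${i + 1}`),
]);

// The \\?\ and \\.\ prefixes bypass normal Win32 path parsing, which is how a
// reserved name gets created or loaded; remember that one was present.
function stripDevicePrefix(p) {
  const m = /^\\\\[?.]\\(.*)$/.exec(p);
  return m ? { path: m[1], prefixed: true } : { path: p, prefixed: false };
}

function classifyPath(raw) {
  const { path, prefixed } = stripDevicePrefix(raw.trim());
  const lastSep = path.lastIndexOf("\\");
  const dir = lastSep >= 0 ? path.slice(0, lastSep + 1) : "";
  const name = lastSep >= 0 ? path.slice(lastSep + 1) : path;

  // NTFS stream syntax is host:stream. A leading ":" means the stream hangs off
  // the directory itself, e.g. "C:\:xchse.xmz" is a stream on the root of C:.
  let ads = null;
  const colon = name.indexOf(":");
  if (colon >= 0 && !/^[A-Za-z]:$/.test(name)) {
    ads = {
      host: colon === 0 ? dir : name.slice(0, colon),
      stream: name.slice(colon + 1),
    };
  }

  // Reserved names match on the base name (before the first dot), whatever
  // extension follows: com4.gip is still COM4 to the Win32 path parser.
  const fileName = ads && colon > 0 ? ads.host : name;
  const reservedName = RESERVED_NAMES.has(fileName.split(".")[0].toUpperCase());

  return {
    path: raw,
    devicePrefix: prefixed,
    reservedName,
    ads,
    suspicious: prefixed || reservedName || ads !== null,
  };
}

// AppInit_DLLs holds a space- or comma-separated list of DLL paths (so a path
// containing spaces cannot appear there in the first place).
function triageAppInitDlls(value) {
  return value.split(/[\s,]+/).filter(Boolean).map(classifyPath);
}

// Constructed sample value mirroring the patterns in the article.
const SAMPLE_APPINIT =
  "\\\\?\\C:\\com4.gip c:\\windows\\system32:vbhfd.vna C:\\windows\\luijp1.dll";

for (const r of triageAppInitDlls(SAMPLE_APPINIT)) {
  console.log(
    r.suspicious ? "SUSPICIOUS" : "ok        ", r.path,
    r.reservedName ? "[reserved name]" : "",
    r.ads ? `[ADS on ${r.ads.host} -> ${r.ads.stream}]` : "",
    r.devicePrefix ? "[device prefix]" : ""
  );
}
```

A clean system should produce no suspicious entries from this key at all, so even a single hit is worth a closer look; the plain luijp1.dll path in the sample is reported as clean by the path check, which is exactly why the article pairs it with the file being hidden by the rootkit.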

After it is fully loaded, the rootkit hides the APPInit_DLLs key and hides the LinkOptimizer adware by hooking the following APIs:

KERNEL32.DLL
  • GetBinaryTypeW
  • MoveFileWithProgressW
  • OpenFile

ADVAPI32.DLL
  • CreateProcessWithLogonW
  • CreateRestrictedToken

PSAPI.DLL
  • EnumProcessModules

NTDLL.DLL
  • LdrShutdownProcess
  • NtAccessCheck
  • NtQueryInformationJobObject
  • NtQueryIntervalProfile
  • NtQueueApcThread
  • NtWriteFile
  • RtlAbortRXact
  • RtlGetNtVersionNumbers
  • LdrLoadDll
  • LdrUnloadDll
  • NtQueryDirectoryFile
  • NtQuerySystemInformation
  • NtQueryInformationFile
  • NtReadVirtualMemory
  • NtVdmControl
  • NtWriteVirtualMemory
  • RtlGetNativeSystemInformation
  • ZwQueryDirectoryFile
  • ZwQuerySystemInformation
  • ZwReadVirtualMemory
  • ZwVdmControl
  • ZwWriteVirtualMemory

ntdll File

After this, the rootkit removes the SeDebugPrivilege privilege from all Windows user accounts. This will prevent some anti-rootkit programs from running - for example, the F-Secure BlackLight Beta.

The rootkit component is launched with the fake user account's rights, so that removing the ADS streams is even harder than removing the reserved-name version.

The rootkit component is detected by Kaspersky as: Trojan.Win32.RKDice.a, but not every variant is detected because there are a lot of different variants. The newest versions of the rootkit appear to implement a checksum scanner to prevent the execution of anti-rootkit software like GMER, The Avenger and IceSword.

Modifying some bytes (for example string values) of the software "The Avenger" with a hex editor allowed us to fully run the software, bypassing the rootkit's checksum scanner.


PART THREE: Final thoughts

This paper has described what we actually know about this threat that started spreading in Italy and then spread across the entire world.

There is no automatic solution for cleaning this infection, and users can only combine several programs, which can be difficult for many users.

To remove the infection caused by W32/Agent.VP - the Windows service - it is possible to use a cleaner developed by Paolo Monti which is downloadable from http://www.nod32.it/cgi-bin/mapdl.pl?tool=Agent.VP

Otherwise, users need to go through a manual procedure. The standard procedure is summarized here but this could be inadequate for some variants of the infection.

1) To deactivate the rootkit, you need to understand that cleaning the APPInit_DLLs key is the key to deactivating it (deactivating is different from removing: deactivated means that the file is still on the system but is no longer directly harmful). You need to deactivate the rootkit before being able to check the files that are hidden by it. Download the www.gmer.net anti-rootkit program and scan the system. If it finds a hidden DLL in the C:\Windows folder and another strange hidden file, take note of the full paths of these two files.

2) Take note of the full path of where the Windows Service executable is located (if it is present on the drive). Usually it is in C:\Program Files\Common Files\System or C:\Program Files\Common Files\Microsoft Shared\

3) Take note of the name of the directory created under C:\Documents and Settings\

4) Download a program called "The Avenger" from http://swandog46.geekstogo.com/avenger.zip and unpack it to C:\, in a directory called tool (the name of the directory isn't important, and a user can call it as he wants) and launch the program called avenger.exe.

The Avenger

5) Click on "Input Script Manually" and then click the magnifying glass icon. A window will open where you can write your script. The user simply has to copy and paste the code below:

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Folders to Delete:
c:\windows\temp
<here insert full path to directory with random name found>

Files to delete:
<here insert full path to dll hidden found>
<here insert full path to hidden file found if it isn't hidden into ADS>

Users need to change the lines with those found in points 1, 2, and 3.

6) After the code is compiled, the user needs to click on the "Done" button and then on the traffic light button. If everything goes well, the software will ask to restart the computer.

7) If The Avenger returns some kind of error, close the software, delete (if present) the folder C:\Avenger, and delete the files error.log and avenger.txt from C:\ and rename the directory where avenger.exe is located with another name and restart from point 1.

8) After the computer reboots, if notepad.exe is opened with the Avenger.txt file, everything should be going well (if the user copied the right paths into the script) and the rootkit infection with the adware and Windows Service should be gone.

9) If the rootkit is hidden into an ADS, there is no complete working procedure, and you will need to talk with an expert who can help you.
The most important thing is to deactivate the rootkit - removing all of the files is just a "bonus".

This is only a short guide and doesn't cover every case of this infection, as we said at the beginning of this part. If you want to follow a more advanced guide, you can read the full guide written by the SuspectFile team at this address:
http://www.suspectfile.com/forum/viewtopic.php?t=170


***UPDATE***
Prevx released a full automatic removal tool at the address below:
http://www.prevx.com/gromozon.asp
Link to the Prevx Press Release is:
http://www.marketwire.com/mw/release_html_b1?release_id=159395


-------- UPDATE: INSIDE WWW.GOOGLE.COM FILE -------
The executable file downloaded from the gromozon.com website acts as a dropper.
It contains an embedded DLL in its code, which is the real component that downloads and installs the rootkit, the adware and the EFS-encrypted file.

The DLL is first extracted under the %TEMP% directory and, after that, copied under C:\WINDOWS\System32 as <random>.dll.
Then the DLL tries to connect to a remote server to download the remaining infection components.

I talked in the second part about the Virtual Machine check in www.google.com.
More precisely, the check is located in the DLL embedded in the executable, the one responsible for installing the rootkit and the other infection components. The check routine is a well-known and old trick that Joanna Rutkowska called "Red Pill".

The routine checks at which memory address the IDT (Interrupt Descriptor Table) is located.
Normally, a Windows-based PC locates the IDT at an address of the form 0x80xxxxxx, but emulated machines locate it in different memory address ranges.
VMware, for example, locates the IDT at 0xffxxxxxx, whilst VirtualPC locates it at 0xe8xxxxxx.
So the routine checks whether the IDT memory address is greater than 0xDxxxxxxx. If so, the DLL is running on an emulated machine and stops its infection payload.

The SIDT instruction stores the contents of the IDTR in a 6-byte memory location. This instruction can be executed at ring 3 too, because it isn't privileged in the Intel architecture.
In some later versions, the DLL no longer shows this routine explicitly; instead it is written directly as raw opcodes, in an attempt to obfuscate it.

-------- UPDATE: NEW SERVER AND TRICKS ADDED -------
Since the first version of this paper I have observed no significant changes in the infection routines.

The Gromozon team refined the website infection a bit, adding new infection servers and adding another bridge server alongside the old js.gbeb.cc.
The new bridge server is js.pceb.cc, which uses a new way to infect, reading a referrer parameter from the starting website.

Another difference is the change in the starting websites. There is no longer a direct link to the bridge server, but another obfuscated JavaScript that, once decrypted, always shows the same link to the bridge server.

Then the Gromozon team added more infection servers. This list is taken from a post in the Wilders Security Forum by user TNT:

  • gromozon.com
  • xearl.com
  • mioctad.com
  • td8eau9td.com
  • cvoesdjd.com
  • lah3bum9.com


The good news is that at least Google is trying to filter these decoy servers from search results.

---------------------- UPDATE: CHANGED AGAIN ----------------------
Since the last time I updated this document, a lot of things have changed in the infection routine of this rootkit. Starting from the spreading websites, going through the dropped files and looking at what a user sees on his infected PC, almost everything has changed a bit. We're going to see what happened during these weeks.

First of all, the list of websites that are spreading this infection has grown a lot and can be summarised in the list below (even if it is incomplete and not exact, because as far as we know there could be other new websites ready to start spreading the infection again):

aagxgbdlztw.com
cvoesdjd.com
e-46.com
fgvmwyfstd8.com
ghr5rudiys.com
gromozon.com
guerdonde.com
hk1eyenfzjd7.com
idkqzshcjxr.com
js.gbeb.cc
js.pceb.cc
lah3bum9.com
mioctad.com
mufxggfi.com
ou2dkuz71t.com
ozkkmkdk.com
rac5kymzk6u.com
rolahujkzq.com
td8eau9td.com
uv97vqm3.com
wlos.net
xearl.com
xoboe.com
ycvcp1ege8.com

To prevent access to these websites you can modify your HOSTS file (under C:\WINDOWS\System32\drivers\etc\), adding these websites as shown below:

127.0.0.1 aagxgbdlztw.com
127.0.0.1 cvoesdjd.com
127.0.0.1 e-46.com
127.0.0.1 fgvmwyfstd8.com
127.0.0.1 ghr5rudiys.com
127.0.0.1 gromozon.com
127.0.0.1 guerdonde.com
127.0.0.1 hk1eyenfzjd7.com
127.0.0.1 idkqzshcjxr.com
127.0.0.1 js.gbeb.cc
127.0.0.1 js.pceb.cc
127.0.0.1 lah3bum9.com
127.0.0.1 mioctad.com
127.0.0.1 mufxggfi.com
127.0.0.1 ou2dkuz71t.com
127.0.0.1 ozkkmkdk.com
127.0.0.1 rac5kymzk6u.com
127.0.0.1 rolahujkzq.com
127.0.0.1 td8eau9td.com
127.0.0.1 uv97vqm3.com
127.0.0.1 wlos.net
127.0.0.1 xearl.com
127.0.0.1 xoboe.com
127.0.0.1 ycvcp1ege8.com

Remember that the first line of HOSTS file must always be: 127.0.0.1 localhost
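Editing HOSTS by hand is where mistakes creep in: a domain added twice, the localhost line pushed down, or a typo that is not a host name at all. The script below is an added example, not code from the original article, that merges the blocklist above into an existing HOSTS file while keeping "127.0.0.1 localhost" as the first line, skipping domains the file already blocks and rejecting entries that are not plain host names. The existing-file content it runs on is a constructed sample; it prints the result rather than writing to the real file.

```javascript
// The domains listed in the article (constructed blocklist input for the demo).
const GROMOZON_DOMAINS = [
  "aagxgbdlztw.com", "cvoesdjd.com", "e-46.com", "fgvmwyfstd8.com", "ghr5rudiys.com",
  "gromozon.com", "guerdonde.com", "hk1eyenfzjd7.com", "idkqzshcjxr.com", "js.gbeb.cc",
  "js.pceb.cc", "lah3bum9.com", "mioctad.com", "mufxggfi.com", "ou2dkuz71t.com",
  "ozkkmkdk.com", "rac5kymzk6u.com", "rolahujkzq.com", "td8eau9td.com", "uv97vqm3.com",
  "wlos.net", "xearl.com", "xoboe.com", "ycvcp1ege8.com",
];

// Plain host name: dot-separated labels of letters, digits and inner hyphens.
const HOSTNAME_RE = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/;

// Parse one HOSTS line into { addr, names }, or null for blanks and comments.
function parseHostsLine(line) {
  const body = line.split("#")[0].trim();
  if (!body) return null;
  const [addr, ...names] = body.split(/\s+/);
  return { addr, names: names.map((n) => n.toLowerCase()) };
}

function buildHosts(existingText, blocklist) {
  const seen = new Set(["localhost"]);
  const lines = ["127.0.0.1 localhost"]; // the article insists this stays first
  const added = [];
  const skipped = [];

  // Keep existing entries and comments, dropping names that would now be duplicates.
  for (const line of existingText.split(/\r?\n/)) {
    const entry = parseHostsLine(line);
    if (!entry) {
      if (line.trim().startsWith("#")) lines.push(line.trim());
      continue;
    }
    const fresh = entry.names.filter((n) => !seen.has(n));
    fresh.forEach((n) => seen.add(n));
    if (fresh.length) lines.push(`${entry.addr} ${fresh.join(" ")}`);
  }

  // Append the blocklist, one sinkhole entry per new, well-formed domain.
  for (const raw of blocklist) {
    const name = raw.trim().toLowerCase();
    if (!HOSTNAME_RE.test(name)) { skipped.push(raw); continue; }
    if (seen.has(name)) continue;
    seen.add(name);
    added.push(name);
    lines.push(`127.0.0.1 ${name}`);
  }

  // Windows HOSTS files use CRLF line endings.
  return { text: lines.join("\r\n") + "\r\n", added, skipped };
}

// Constructed sample of a HOSTS file that already blocks one of the domains.
const SAMPLE_HOSTS =
  "# existing entries\r\n127.0.0.1 localhost\r\n127.0.0.1 GROMOZON.COM\r\n";

const result = buildHosts(SAMPLE_HOSTS, GROMOZON_DOMAINS);
console.log(result.text);
console.log(`added ${result.added.length}, skipped ${result.skipped.length}`);
```

To apply it for real, read the existing file into existingText and write result.text back; checking the added and skipped lists first shows exactly what changed.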

When visiting infected websites with Internet Explorer, as explained in one of the first pages of this document, the installation of an ActiveX control is requested. It no longer has the same name; instead, the Gromozon team changes the name continuously, so it's almost useless to list every new name found.

Even the dropped file www.google.com is no longer the same: the name changes continuously, but it always has the same structure: www.<some strange name>.com.

So you can find www.music.com, or www.play.com, or something else. If you are asked to download a file with this filename structure, it is almost surely a Gromozon-related file.

Even the file structure of the dropper and of the DLL dropped into the System32 directory has mostly changed.

They changed packer, FSG instead of UPX, and changed the ways the DLL is protected from curious eyes. We talked before about the anti-emulation routine (Red Pill); now it also includes anti-debugging routines (a SoftICE check) and checks for logging tools like Filemon and Regmon.

More interesting is the new version of the rootkit installed by the DLL. New rootkit features include a file check and a website check.

In fact, the rootkit blocks access to websites that could give information on how to remove the Gromozon infection from a PC.

Some of the blocked websites are:

www.411-spyware.com
www.antirootkit.com
www.aumha.org
www.castlecops.com
www.dslreports.com
www.geekstogo.com
www.gladiator-antivirus.com
www.hwupgrade.it
www.megalab.it
www.p2pforum.it
www.pcalsicuro.com (my website)
www.prevx.com
www.sarc.com
www.spywarefix.org
www.spywarewarrior.com
www.sunbelt-software.com
www.suspectfile.com
www.techguy.org
www.tgsoft.it
www.viritpro.info
www.wilderssecurity.com
www.yourtechonline.com

This list is still not complete; more websites are blocked. Moreover, the rootkit tries to block the removal tools developed to remove the infection.

An incomplete list of blocked tools is below:

Prevx Gromozon removal tool;
Symantec Fix LinkOptimizer;
GMER antirootkit;
AVG Antirootkit;
Sophos Antirootkit;
F-Secure BlackLight;
The Avenger;
IceSword Antirootkit;


Actually, as far as we know, our removal tool works if its main executable is renamed with a random name chosen by the user. The manual removal procedure shown earlier in this paper is now useless against the latest versions of the rootkit. After the rootkit has been removed, it is still useful to manually remove the remaining files.

The last "funny" trick used by the Gromozon team is defaming my name and the Prevx company name as virus authors.

In fact, a message box appears when trying to run a blocked program, as shown below:

Gromozon Message Box

Now the tactic followed by the Gromozon team is clear: trying to accuse me of being the Gromozon author. Looking at this infection, it would appear that I wrote the rootkit with the goal of blocking other security tools to make money through my website (on which, by the way, there isn't a PayPal link through which to donate money).

In fact, think about this: would it really be so smart to add my name to the message box and, moreover, to add this message box NOW, when this infection has been spreading since May 2006?

CONCLUSIONS

This paper is the culmination of a lot of sleepless nights filled with work by me and many other researchers during the past months. Users need to understand how to defeat this threat and, if antivirus companies still haven't written a full report, this could help them (and other users) to understand what is happening to the thousands of infected people who are reporting strange infections to forums and newsgroups.
This paper will be updated as soon as more information becomes available. If you think you have more information that needs to be added here, or you think there is some kind of error, feel free to write to me.
I hope you will all appreciate my work.

Best regards,
Marco Giuliani
virus researcher
Hardware Upgrade Editor
marco.g [ a t ] email [ d o t ]it

SOURCES



Reproduced with kind permission of Marco Giuliani.

This article is also available in PDF format from Marco's Site.

©2005 Antirootkit.com