
Gromozon Rootkit: The Mutha Of All Rootkits

Discussion in 'Security and Privacy' started by TeMerc, 2006/08/24.

  1. 2006/08/24
    TeMerc

    TeMerc Inactive Alumni Thread Starter

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Well, it seems the scum who craft malware for a living have outdone themselves.

    This rootkit, in some cases linked to LinkOptimizer, in many instances prevents the running of the following rootkit tools:
    Blacklight
    Rootkit Revealer
    Ice Sword
    Avenger
    Gmer

    Now this is not very consistent as it seems each DL found by researchers tends to change a little bit. Experts have been working on this thing since about August 12. 22 pages of forum analysis, commentary and attempted killing and so forth.

    There is a complete write up by one of the research experts at Prevx. It can be read here (PDF). I urge all with the slightest interest in malware and how they work to read this.

    Some experts are recommending a reformat of a compromised system. Based on what I have seen and read, I tend to agree.

    Just be sure to back up all your data before doing so. And of course be sure you're actually infected before panicking.

    Most AV companies have not formulated any removal method, the instructions in the above PDF are the best so far and not 100% effective in every case.

    I'll update as things progress.
     
  2. 2006/08/24
    virginia Lifetime Subscription

    virginia Geek Member

    Joined:
    2002/01/07
    Messages:
    1,097
    Likes Received:
    25
    TeMerc,

    Thanks for the heads up. I read through the PDF you linked. Didn't comprehend a lot of what I read other than to determine this one appears to be extremely elusive. Do you know if a computer behaves or operates in any pattern to give one a clue they might be infected? For Firefox, they showed a JavaScript dialog box with a message "......='www.google.com' ". Is that something that would appear on the display prior to the infection taking place? Or would you already be infected if you saw that?

    It appears it is still early in the analysis so there may be no answers to my questions but I guess I'm a bit paranoid about things like this.
     


  4. 2006/08/24
    TeMerc

    TeMerc Inactive Alumni Thread Starter

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Yes and no. Most variants are easily spotted, but trying to remove the hidden parts is what's troubling the experts.
    I can't say if the average user would notice too much wrong, it would really depend on how much security one has installed. I'd gather a guess and it's only a guess that some security prevention tool should pick up on some of the activity.

    This has been around since late June, early July. But the experts have only begun to dissect and analyse it earlier this month. They change things almost hourly, as you read in the PDF.

    I can almost guarantee they have changed it again since this write up came out.
     
  5. 2006/08/24
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Thanks, TeMerc!

    I read the PDF document and made sense of what I could. :) Saved it to my HD for future reference.

    I tried running TD8EAU9TD.COM through SiteAdvisor and found they have nothing on it. So I submitted it for review. I'm considering trying js.jbeb.cc at SiteAdvisor too, just for kicks.

    Downloaded GMER and will give it a shot. I looked at the screenshots of the rootkit detector and I assume if we see RED entries, those are the ones we should be concerned about, right?

    If I have any concerns, I'll post 'em in a new thread.

    Thanks again!


    EDIT: I disconnected from the Internet, closed all other applications except memory-resident items, and started GMER's Rootkit scanner with the "Show all" option enabled, and went to bed. Upon checking the results, GMER displayed a popup: "WARNING!!! GMER has found system modification caused by ROOTKIT activity." I scanned through the results and there are several red items. (I exported the results to a .TXT file and those red items are shown in the .TXT file as "<-- ROOTKIT !!!" items.)

    Also, in my case, the Processes tab in GMER contains one red entry for C:\WINDOWS\explorer.exe (indicating it's a hidden process). The rest of the entries under the Processes tab are black.

    Many (all?) of the red ( "<-- ROOTKIT !!! ") items appear to me to be legitimate, so I guess one shouldn't necessarily be alarmed by such a warning (yet) and should simply use GMER as an investigative tool.

    BTW, here are handy links to two other rootkit scanners in case someone wants to run them as well. All these rootkit scanners are "stand-alone" apps (i.e., they don't need to be "installed" like other applications).
    If you want to try Blacklight (beta), you apparently have only a few days.
     
    Last edited: 2006/08/25
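As an added example (not code from this thread, from GMER or from Prevx), here is a small Python triage script for a GMER-style text export like the one mailman describes: it pulls out the lines tagged "<-- ROOTKIT !!!", groups them by report section, and lists which kernel exports appear hooked and which objects were reported hidden. The sample export embedded below is constructed for the example; its line shapes follow the "<-- ROOTKIT !!!" / "(*** hidden *** )" convention from the post, and the paths, addresses and driver name are placeholders, not Gromozon indicators.

```python
"""Triage helper for a GMER text export (constructed example, not GMER's own code).

GMER tags suspicious entries in its exported .TXT with a trailing
"<-- ROOTKIT !!!" marker and hidden objects with "(*** hidden *** )".
This script extracts those entries, groups them by report section and
lists the kernel exports that look hooked, so a log can be read and
searched before it is posted for a second opinion.
"""
import re
from collections import Counter

# Constructed sample export.  Paths, addresses and the driver name are
# placeholders chosen for the example, not indicators from a real infection.
SAMPLE_EXPORT = """\
GMER 1.0.11 - constructed sample export

---- Processes - GMER 1.0.11 ----

Process  C:\\WINDOWS\\explorer.exe (*** hidden *** )  1440  <-- ROOTKIT !!!
Process  C:\\WINDOWS\\system32\\svchost.exe  892
Process  C:\\WINDOWS\\system32\\lsass.exe  640

---- Kernel code sections - GMER 1.0.11 ----

.text  ntoskrnl.exe!ZwOpenProcess + 2C  804E2B10 4 Bytes  JMP F7A1E2C0  <-- ROOTKIT !!!
.text  ntoskrnl.exe!ZwQueryDirectoryFile + 1A  804E2B44 4 Bytes  JMP F7A1E4A0  <-- ROOTKIT !!!
.text  ntoskrnl.exe!ZwClose  804E2C00 4 Bytes  [...]

---- Files - GMER 1.0.11 ----

File  C:\\WINDOWS\\system32\\drivers\\sample.sys (*** hidden *** )  12288 bytes  <-- ROOTKIT !!!
"""

# Section headers look like "---- Processes - GMER 1.0.11 ----"; the version
# suffix is optional in this parser.
SECTION_RE = re.compile(r"^---- (?P<name>.+?)(?: - GMER .*)? ----\s*$")
FLAG_MARK = "<-- ROOTKIT !!!"
HIDDEN_RE = re.compile(r"\(\*\*\* hidden \*\*\* ?\)")
# "module.ext!Export" as it appears in kernel code section lines.
HOOK_RE = re.compile(r"(?P<module>[\w.]+\.(?:exe|sys|dll))!(?P<export>\w+)", re.IGNORECASE)


def parse_gmer_export(text):
    """Return one dict per non-empty, non-header line: section, raw text, flags."""
    entries = []
    section = "unknown"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section == "unknown":
            continue  # banner / version line before the first section
        entries.append({
            "section": section,
            "line": line,
            "flagged": line.endswith(FLAG_MARK),
            "hidden": bool(HIDDEN_RE.search(line)),
        })
    return entries


def flagged_entries(entries):
    """Only the lines GMER tagged "<-- ROOTKIT !!!"."""
    return [e for e in entries if e["flagged"]]


def flagged_by_section(entries):
    """Count flagged lines per report section, e.g. {'Processes': 1, ...}."""
    return Counter(e["section"] for e in flagged_entries(entries))


def hooked_exports(entries):
    """Kernel exports named in flagged 'Kernel code sections' lines, sorted."""
    hooks = set()
    for e in flagged_entries(entries):
        if not e["section"].startswith("Kernel code"):
            continue
        m = HOOK_RE.search(e["line"])
        if m:
            hooks.add(f"{m.group('module')}!{m.group('export')}")
    return sorted(hooks)


def hidden_objects(entries):
    """Paths GMER reported as hidden (processes, files), in log order."""
    return [e["line"].split("(*** hidden")[0].split(None, 1)[1].strip()
            for e in entries if e["hidden"]]


if __name__ == "__main__":
    found = parse_gmer_export(SAMPLE_EXPORT)
    print("flagged per section:", dict(flagged_by_section(found)))
    print("hooked exports:", hooked_exports(found))
    print("hidden objects:", hidden_objects(found))
```

Run it against a real export by reading the .TXT into `parse_gmer_export` instead of `SAMPLE_EXPORT`. The output is a list of leads, not a verdict: as mailman notes, many flagged hooks and hidden entries come from legitimate security software, so search the module and export names before acting on them.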
  6. 2006/08/25
    TeMerc

    TeMerc Inactive Alumni Thread Starter

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Your best bet with GMER is to Google what it finds or have someone with experience using GMER (excludes me) to look at the logs.

    There are also rk tools from Bit Defender and Sophos as well.

    I would say the average user need not DL these apps as they are not really needed as every day tools.
     
  7. 2006/09/24
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
  8. 2006/09/25
    TeMerc

    TeMerc Inactive Alumni Thread Starter

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Thought I had updated this thread with that news....guess not, thanks mailman.
     
