Dangerous backdoor in Acer laptops

Thanks Ronjor
i checked my sister's laptap with the test page and the laptop is safe woot!
lodore

 

Many thanks for pointing out this info. The Acer Patch seems to work fine.

 

Scary!.

 

This exploit is being used in the wild. See my post on gromozon here:
https://www.wilderssecurity.com/showthread.php?p=912072#post912072

 

Hi,

I missed that post. Looking at your screen shot #8 -

1) it looks like the code uses tftp.exe to connect out? wouldn't a firewall catch that?

2) if it does connect, it looks like that it downloads an executable?

Thanks,

-rich

 

Yeah, but not the 'regular' Windows firewall.

Yes, and runs the downloaded executable too.

 

Wouldn't an application like Process Guard catch the executable before running?

Thanks,

-rich

 

Yeah. Besides, the last time I checked, the gromozon trojans shut down if they detect Process Guard, even if you explictly try to run them.

 

Thanks for that info!

Just curious, why you didn't include this with your original analysis.

regards,

-rich

 

It didn't do that in the beginning. It evolved very rapidly, and added these 'features' along the way (also, it didn't stop rootkit tools from working initially, it started doing that later on).

Frankly I didn't notice when it started checking for Process Guard, I never had Process Guard running the few times I had 'sacrifical' machine available to test the infection on (doesn't run in VMWare). I found that info only when Symantec wrote their second write-up. At the time I was not working as a spyware researcher either, so I didn't have that MUCH time or hardware available to analyze, test, decompile, etc.

 

So, the interesting thing about gromzon is its ability to serve a great number of diferent exploits depending upon the browser agent and IP detected and its nasty payload. Am I right?
The dropper can´t do further harm if you have a HIPS, sandbox or firewall with outbound protection?
Off topic:
TNT: are you saying that you was hired as a spyware researcher because of your investigation about Gromzon? Congratulations, you have earned your job without doubts.

 

Yes, things evolve rapidly!

From your explanation of the code, it's evident how easily this can be blocked on two fronts.

For the ACER user, knowing this provides some peace of mind until a patch arrives (I guess it has by now)

I thought of PG - (but any similar program would do the same) - because PG is getting a bum rap since DCS quit supporting it. So, here it is effective against a clever NEW zero-day exploit!

regards,

-rich

 

No, I think it's more interesting for the things it does when it's on the system already (and you can check Marco Giuliani's papers and the Symantec write-ups for that, and also the excellent december issue of Virus Bulletin).

The number of exploits is, however, interesting its own way, because it seems that a method of serving exploits comparable to the famous "web attacker" (which is a tool with several exploits sold on the 'underground' crackers market) was developed SPECIFICALLY for this particular infection (no other infections use it). In fact, the gromozon exploits are probably more advanced, up-to-date and 'stealth' (because of the work done server-side) than web attacker itself.

It depends. The dropper DOES do harm even if you have a firewall with outbound protection, because of the BHO component. Some gromozon incarnations started with just a tiny downloader, and a software firewall would be able to stop that, others delivered a bigger payload. Can't remember exactly the behavior of all of them, they changed pretty quickly.

As for HIPS, maybe some would not be able to block it, but some definitely would. It depends. In many instances of the latest samples, it's the trojan themselves that refuse to even start if they detect a hips or a sandbox.

Well, I don't know, it was somewhat unexpected, but I'm very happy with the perspective of working full time in the security business (I did do security-related stuff before, but I was a programmer occasionally doing security test and penetration tests).

 

I really like PG.

 

I have to read them. I´ve downloaded them a good time ago.

I was thinking about WebAttacker too. A sad side of Web 2.0 tools, today, almost any remote server can be hacked and be used to serve exploits in a few minutes.

Good. Call it "colateral protection" but it is protection in the end

Really nice. Your ocassional job doing security audits has becomed a full-time job in the security industry. Best wishes and good luck as long as you keep us updated with your blacklist