Wilders Security Forums  

#101
August 24th, 2006, 12:25 PM
Rasheed187
Very Frequent Poster
Join Date: Jul 2004
Location: The Netherlands
Posts: 1,834
Re: Dangerous trojans on the loose

Just for the record, isn't it true that a HIPS like SSM can protect you against all this stuff? Also, it seems that you get alerts about just about everything that tries to install, at least if you're patched I assume. So not really scary. The only striking thing is that AV scanners can't detect a lot of these trojans, so another proof why you really need to have a HIPS or sandboxing solution.
#102
August 24th, 2006, 12:37 PM
TNT
Security Expert
Join Date: Sep 2005
Posts: 948
Re: Dangerous trojans on the loose

Quote:
Originally Posted by Rasheed187
Just for the record, isn't it true that a HIPS like SSM can protect you against all this stuff?
Yes, at least in my experience. I executed some of these trojans in Sandboxie and none was ever able to escape from it. Also, Core Force (unless badly configured of course) stops the exploits dead in their tracks.

However, note that malware can be (and has been several times) created so that it won't execute in a "sandboxed" environment, only a real one: fine for "protection" purposes, but faulty to see whether something is really malicious or not.

Quote:
Originally Posted by Rasheed187
Also, it seems that you get alerts about just about everything that tries to install, at least if you're patched I assume. So not really scary.
What alerts? It does almost everything in the background. In fact, everything with something like IE6. All you can notice is some system slowdowns.

Last edited by TNT : August 24th, 2006 at 02:04 PM.
#103
August 24th, 2006, 01:20 PM
Rasheed187
Very Frequent Poster
Join Date: Jul 2004
Location: The Netherlands
Posts: 1,834
Re: Dangerous trojans on the loose

You might also want to test SSM and Neoava Guard against these sites; it would be interesting to see how they performed, but I'm sure they will block everything.

Quote:
What alerts? It does almost everything in the background. In fact, everything with something like IE6. All you can notice is some system slowdowns.

I mean about the activex controls and the google.com file, they will not load silently, correct?
#104
August 24th, 2006, 01:37 PM
Devinco
Very Frequent Poster
Join Date: Jul 2004
Posts: 2,528
Re: Dangerous trojans on the loose

EraserHW,

Thank you for the great analysis report.

One thing that was very surprising to me was that it wouldn't run in a virtual environment. I thought programs couldn't detect if they were run in a virtual environment. Can they break out of a virtual environment?
#105
August 24th, 2006, 01:42 PM
TNT
Security Expert
Join Date: Sep 2005
Posts: 948
Re: Dangerous trojans on the loose

Quote:
Originally Posted by Rasheed187
I mean about the activex controls and the google.com file, they will not load silently, correct?
Yeah, but that's just two examples. All the other exploits work in the background, and they install the same thing. So even if, say, you're vulnerable in IE and you see an ActiveX prompt which you refuse, you're gonna get infected and rootkited anyway.
#106
August 24th, 2006, 02:38 PM
EraserHW
Prevx Moderator
Join Date: Oct 2005
Location: Italy / UK
Posts: 506
Re: Dangerous trojans on the loose

Quote:
Originally Posted by Devinco
EraserHW,

Thank you for the great analysis report.

One thing that was very surprising to me was that it wouldn't run in a virtual environment. I thought programs couldn't detect if they were run in a virtual environment. Can they break out of a virtual environment?

I'm really pleased to have done something interesting.

Yes, some malware can detect if it's running in a virtual machine or not. There are several ways to detect if it's running inside a VM, for example (one stupid example) using some instructions that a VM can't emulate.

Regards,
Marco
__________________
Before you criticize someone, you should walk a mile in their shoes. That way when you criticize them, you are a mile away from them and you have their shoes
Check your PC in about a minute
#107
August 24th, 2006, 06:41 PM
SirMalware
Regular Poster
Join Date: Jun 2006
Posts: 133
Re: Dangerous trojans on the loose

Excellent document, EraserHW. Well written.
You might want to add this whois to it.

Quote:
<ip address/hostname>
195.225.177.147
gromozon.com
Host unreachable

<net block>
195.225.176.0 - 195.225.179.255

<owner>
NetcatHosting
Ukraine
* Abuse contacts: abuse@netcathost.com *

<administrative contact>
Vsevolod Stetsinsky
01110, Ukraine, Kiev, 20Á, Solomenskaya street. room 206.
phone: +38 050 6226676

<technical contact>
Vsevolod Stetsinsky
01110, Ukraine, Kiev, 20Á, Solomenskaya street. room 206.
phone: +38 050 6226676

<additional data>
NETCATHOST
Source: whois.ripe.net
#108
August 25th, 2006, 01:18 AM
spy1
Massive Poster
Join Date: Dec 2002
Location: Charlotte, NC
Posts: 3,124
Anything to this "Gromozon Rootkit" stuff?

http://www.pcalsicuro.com/gromozon.pdf

Anyone tried just putting the gbeb http link referred to in their firewall's (or PeerGuardian's) blocklist? Pete
#109
August 25th, 2006, 02:51 AM
IMM
Spyware Fighter
Join Date: May 2004
Posts: 351
Re: Anything to this "Gromozon Rootkit" stuff?

Quote:
Anything to this "Gromozon Rootkit" stuff?
There's certainly something to it. I don't know if anyone is using blocklists on the gbeb.
At this point in time, the advice for a 'normal' user might be to format if you get it.
#110
August 25th, 2006, 07:23 AM
Marcos
Eset Moderator
Join Date: Nov 2002
Posts: 9,072
Re: Dangerous trojans on the loose

I look forward to seeing updated scan results of this malware :-)
#111
August 25th, 2006, 08:30 AM
TNT
Security Expert
Join Date: Sep 2005
Posts: 948
Re: Dangerous trojans on the loose

Quote:
Originally Posted by imm
There's certainly something to it. I don't know if anyone is using blocklists on the gbeb.
It's been in my blocklist I post in here since I discovered it in May. Why get bad blocklists when you can use mine?
Quote:
Originally Posted by imm
At this point in time, the advice for a 'normal' user might be to format if you get it.
I agree.
#112
August 25th, 2006, 08:52 AM
controler
Massive Poster
Join Date: Jun 2002
Posts: 3,271
Re: Dangerous trojans on the loose

EraserHW

Do I need to allow Acrobat to install a service/driver with PG to download the file? Otherwise I am not able to.

controler
#113
August 25th, 2006, 09:18 AM
Bubba
Global Moderator
Join Date: Apr 2002
Posts: 11,261
Re: Dangerous trojans on the loose

Quote:
Originally Posted by controler
Do I need to allow Acrobat to install a service/driver with PG to download the file?
This may not apply to your case, but it is a very slow download even on broadband, and to some it might appear not to be downloading, especially if they are on dial-up.
Attached Images
 
#114
August 25th, 2006, 09:28 AM
TNT
Security Expert
Join Date: Sep 2005
Posts: 948
Re: Dangerous trojans on the loose

If you experience problems with that, try http://rapidshare.de/files/30707949/gromozon.pdf.html
#115
August 25th, 2006, 09:41 AM
EraserHW
Prevx Moderator
Join Date: Oct 2005
Location: Italy / UK
Posts: 506
Re: Dangerous trojans on the loose

I'll fix the speed problem on the server, sorry.

@SirMalware: yeah, I have some things to add to the paper in release 0.3. Thanks for your info.
#116
August 25th, 2006, 10:46 AM
nosirrah
Malware Fighter
Join Date: Aug 2006
Location: Cummington MA USA
Posts: 184
Re: Dangerous trojans on the loose

Someone mentioned earlier in this thread that submitting files to virustotal will allow all of the antimalware vendors to get the samples. I have found this not to be the case (or they just don't care). Some work we did here: http://www.castlecops.com/t162898-CMMONSVC32_EXE.html resulted in many new samples being submitted to virustotal, but here: http://www.castlecops.com/t164130-su..._varients.html you can see that most providers had not picked them up 2 weeks later.

I would suggest using virustotal as a testing point for new malware and a benchmarking tool for new threat response time only. If you want the "good guys" to get the samples, upload the samples directly to them.

@TNT If it is all right with you, I would be interested in having the samples collected so far and/or links to where I can get them myself (you mentioned that they are changing frequently). There are a few antimalware providers I want to double check with to confirm that they have these. PM me if this is ok with you and I will PM you my email address. Thanks.

BTW it's cool reading about the use of virtual environments and sandboxes for malware research. I only do it as a hobby and still use the method of intentionally infecting my unsecured xp sp1 test machine, pulling out its hard drive, slaving it to my work machine and collecting the samples from there. Super low tech but super effective for crippling rootkits and stubborn malware. I submit malware samples to any providers that both make themselves accessible and provide free versions to home users.

Last edited by nosirrah : August 25th, 2006 at 11:07 AM.
#117
August 25th, 2006, 11:20 AM
EraserHW
Prevx Moderator
Join Date: Oct 2005
Location: Italy / UK
Posts: 506
Re: Dangerous trojans on the loose

OK, fixed the download bandwidth problem.

Now the download should be much faster.
#118
August 25th, 2006, 02:16 PM
EraserHW
Prevx Moderator
Join Date: Oct 2005
Location: Italy / UK
Posts: 506
Re: Dangerous trojans on the loose

http://www.symantec.com/enterprise/s...803-99&tabid=2

Symantec released an analysis of the threat!

Quite similar to mine. Even if the one from Symantec will be more official than mine, I'm proud of my paper, because I've pointed out a dangerous threat that was otherwise infecting a lot of people.

Last edited by EraserHW : August 25th, 2006 at 02:26 PM.
#119
August 25th, 2006, 02:29 PM
TNT
Security Expert
Join Date: Sep 2005
Posts: 948
Re: Dangerous trojans on the loose

Quote:
Originally Posted by EraserHW
http://www.symantec.com/enterprise/s...803-99&tabid=2

Symantec released an analysis of the threat!

Quite similar to mine. Even if the one from Symantec will be more official than mine, I'm proud of my paper, because I've pointed out a dangerous threat that was otherwise infecting a lot of people.
Threat removal: "easy". What are they smoking?
#120
August 25th, 2006, 02:34 PM
EraserHW
Prevx Moderator
Join Date: Oct 2005
Location: Italy / UK
Posts: 506
Re: Dangerous trojans on the loose

Quote:
Originally Posted by TNT
Threat removal: "easy". What are they smoking?

#121
August 25th, 2006, 03:55 PM
SirMalware
Regular Poster
Join Date: Jun 2006
Posts: 133
Re: Dangerous trojans on the loose

Quote:
• Removal: Easy
I just tested that "Bright Yellow Box" brand (with updates). Same thing, "Access Denied". It couldn't get rid of anything.

Apparently, this stuff is now targeting all the specialty rootkit/removal tools out there, I was just at another forum where it was stated that IceSword or Avenger don't even work anymore.
#122
August 25th, 2006, 05:45 PM
EraserHW
Prevx Moderator
Join Date: Oct 2005
Location: Italy / UK
Posts: 506
Re: Dangerous trojans on the loose

Yep, but if you edit some editable byte in the software with a hex editor, then the software will work again. It's a checksum scanner.
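The post above describes the rootkit recognising removal tools by checksum, so that changing one non-functional byte is enough to make a tool unrecognised. The same brittleness cuts the other way for defenders who rely on exact file hashes to flag malware. The following added example (not code from the thread or from any of the tools named in it) builds two constructed "tool" images, shows that a whole-file hash blocklist stops matching after a single byte in the trailing version-string region is changed, and contrasts that with a blocklist keyed on a hash of only the code region, which survives such a patch. The image layout, the 32-byte code region and the sample bytes are all assumptions made for the demonstration.

```python
import hashlib

# Constructed layout for the demo: a fixed-size "code" region, then a trailer
# (version string plus padding) whose bytes do not affect behaviour.
CODE_LEN = 32


def build_image(code: bytes, trailer: bytes) -> bytes:
    """Assemble a constructed stand-in for an executable image."""
    if len(code) != CODE_LEN:
        raise ValueError(f"code region must be exactly {CODE_LEN} bytes")
    return code + trailer


# Two constructed stand-ins for removal tools (the bytes are arbitrary samples).
TOOL_A = build_image(b"\x90" * 16 + b"\xc3" + b"\x00" * 15,
                     b"Rootkit Remover v1.0" + b"\x00" * 4)
TOOL_B = build_image(b"\x55\x8b\xec" + b"\x90" * 28 + b"\xc3",
                     b"Another Tool v2.3" + b"\x00" * 7)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def whole_file_blocklist(images: list[bytes]) -> set[str]:
    """Blocklist keyed on the hash of every byte of the file (the fragile scheme)."""
    return {sha256_hex(img) for img in images}


def is_blocked_whole(blocklist: set[str], image: bytes) -> bool:
    return sha256_hex(image) in blocklist


def code_region_blocklist(images: list[bytes]) -> set[str]:
    """Blocklist keyed on a hash of the code region only; trailer edits do not affect it."""
    return {sha256_hex(img[:CODE_LEN]) for img in images}


def is_blocked_code_region(blocklist: set[str], image: bytes) -> bool:
    return sha256_hex(image[:CODE_LEN]) in blocklist


def patch_trailer_byte(image: bytes, offset: int) -> bytes:
    """Flip the low bit of one trailer byte; refuses to touch the code region."""
    if offset < CODE_LEN or offset >= len(image):
        raise ValueError("offset must lie inside the trailer")
    buf = bytearray(image)
    buf[offset] ^= 0x01
    return bytes(buf)


def run_demo() -> dict[str, bool]:
    """Return the outcome of both blocklists before and after a one-byte trailer patch."""
    whole = whole_file_blocklist([TOOL_A, TOOL_B])
    by_code = code_region_blocklist([TOOL_A, TOOL_B])
    patched_a = patch_trailer_byte(TOOL_A, CODE_LEN + 8)  # inside "Rootkit Remover"
    return {
        "original_blocked_whole": is_blocked_whole(whole, TOOL_A),
        "patched_blocked_whole": is_blocked_whole(whole, patched_a),
        "original_blocked_code": is_blocked_code_region(by_code, TOOL_A),
        "patched_blocked_code": is_blocked_code_region(by_code, patched_a),
        "code_region_unchanged": patched_a[:CODE_LEN] == TOOL_A[:CODE_LEN],
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The whole-file check loses the match after the trailer edit while the code-region check keeps it; in practice a detector would hash sections or use structural signatures rather than one digest over the entire file, which is the same reason hash-only AV signatures fall behind on frequently repacked samples.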
#123
August 25th, 2006, 06:29 PM
EraserHW
Prevx Moderator
Join Date: Oct 2005
Location: Italy / UK
Posts: 506
Re: Dangerous trojans on the loose

I was looking more deeply at the Symantec writeup.

Imho there are some things that are wrong/inaccurate.

Quote:
"AppInit_DLLs" = "[TROJAN .DLL FILE]"

For Trojan DLL here I hope/believe they want to say "rootkit". Here is the most important (and only) key of the rootkit.

Quote:
Note: [RESERVED DOS NAME] can be one of the following reserved DOS device names:

com1
com2
com3
com4
tty
prn
nul
lpt1

The list isn't complete as far as I know; this is only a really small number.

Quote:
%ProgramFiles%\Common Files\System\[RANDOM LETTERS].exe
%ProgramFiles%\Common Files\System\[RANDOM LETTERS].exe

Here there's an error, because the second line isn't the 'System' subdir but 'Microsoft Shared' afaik.

Regards,

Marco
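The post above points at three things an analyst would check for on a suspect machine: the AppInit_DLLs value (the rootkit's load point), files named after reserved DOS device names (which ordinary tools cannot open or delete), and unexpected executables under the two Common Files directories. The following added example (not code from the thread, the paper, or the Symantec writeup) is a small audit routine that takes an AppInit_DLLs string and a file listing and reports those three classes of findings. It runs offline on constructed sample data; the reserved-name set is Microsoft's documented one (CON, PRN, AUX, NUL, COM1-9, LPT1-9) plus "tty" from the quoted list, the %ProgramFiles% root is assumed to be C:\Program Files, and the "any .exe directly in those directories" rule is a review heuristic, not a signature. The optional registry reader uses the standard winreg module and only runs on Windows.

```python
from __future__ import annotations

import ntpath
import re
import sys

# Reserved DOS device names (Microsoft's documented set). "tty" is not in that
# set but appears in the quoted writeup list, so it is kept for parity.
RESERVED_DEVICE_NAMES = (
    {"con", "prn", "aux", "nul", "tty"}
    | {f"com{i}" for i in range(1, 10)}
    | {f"lpt{i}" for i in range(1, 10)}
)

# Assumed %ProgramFiles% root; the two drop directories named in the post.
PROGRAM_FILES = r"C:\Program Files"
SUSPECT_DIRS = (
    ntpath.join(PROGRAM_FILES, "Common Files", "System"),
    ntpath.join(PROGRAM_FILES, "Common Files", "Microsoft Shared"),
)


def parse_appinit_dlls(value: str) -> list[str]:
    """Split an AppInit_DLLs value; Windows accepts space- or comma-separated paths."""
    return [p for p in re.split(r"[ ,]+", value.strip()) if p]


def has_reserved_device_stem(path: str) -> bool:
    """True if the name up to its first dot is a reserved device name (e.g. com4.dll)."""
    stem = ntpath.basename(path).split(".", 1)[0].lower()
    return stem in RESERVED_DEVICE_NAMES


def in_suspect_dir(path: str) -> bool:
    """True if the file sits directly in one of the two Common Files directories."""
    parent = ntpath.normcase(ntpath.dirname(path))
    return any(parent == ntpath.normcase(d) for d in SUSPECT_DIRS)


def is_exe_in_suspect_dir(path: str) -> bool:
    """Heuristic: any .exe directly in those directories is worth a look."""
    return in_suspect_dir(path) and ntpath.basename(path).lower().endswith(".exe")


def audit(appinit_value: str, file_listing: list[str]) -> dict[str, list[str]]:
    """Collect the three classes of findings the post describes."""
    findings: dict[str, list[str]] = {
        "appinit_entries": [],   # every AppInit_DLLs entry deserves review
        "reserved_names": [],    # files that ordinary tools cannot remove
        "suspect_exes": [],      # executables in the two drop directories
    }
    for dll in parse_appinit_dlls(appinit_value):
        findings["appinit_entries"].append(dll)
        if has_reserved_device_stem(dll):
            findings["reserved_names"].append(dll)
    for path in file_listing:
        if has_reserved_device_stem(path):
            findings["reserved_names"].append(path)
        if is_exe_in_suspect_dir(path):
            findings["suspect_exes"].append(path)
    return findings


def read_appinit_from_registry() -> str:
    """On Windows, read the live value from HKLM\\...\\Windows NT\\CurrentVersion\\Windows."""
    if sys.platform != "win32":
        raise RuntimeError("registry access is only available on Windows")
    import winreg  # standard library, Windows only
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows")
    try:
        value, _ = winreg.QueryValueEx(key, "AppInit_DLLs")
    finally:
        winreg.CloseKey(key)
    return value


# Constructed sample input: one reserved-name DLL in AppInit_DLLs, two random-letter
# executables in the drop directories, one legitimate DLL in a subdirectory.
SAMPLE_APPINIT = r"C:\WINDOWS\system32\com4.dll,C:\WINDOWS\system32\legit.dll"
SAMPLE_FILES = [
    r"C:\Program Files\Common Files\System\qwzkpl.exe",
    r"C:\Program Files\Common Files\Microsoft Shared\xtnvqa.exe",
    r"C:\Program Files\Common Files\System\ado\msado15.dll",
    r"C:\WINDOWS\system32\nul.sys",
]


def run_demo() -> dict[str, list[str]]:
    return audit(SAMPLE_APPINIT, SAMPLE_FILES)


if __name__ == "__main__":
    for category, items in run_demo().items():
        print(category, items)
```

On a live system the file listing would come from a clean boot environment (the post about formatting and the slaved-drive approach earlier in the thread are the practical ways to get one), since a running rootkit can hide both the files and the registry value from tools on the infected OS.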
#124
August 25th, 2006, 06:54 PM
TNT
Security Expert
Join Date: Sep 2005
Posts: 948
Re: Dangerous trojans on the loose

Quote:
Originally Posted by EraserHW
I was looking more deeply at the Symantec writeup.

Imho there are some things that are wrong/inaccurate.

For Trojan DLL here I hope/believe they want to say "rootkit". Here is the most important (and only) key of the rootkit.

The list isn't complete as far as I know; this is only a really small number.

Here there's an error, because the second line isn't the 'System' subdir but 'Microsoft Shared' afaik.

Regards,

Marco
Well, thanks again for the amazing work you're doing here.
#125
August 25th, 2006, 07:05 PM
SirMalware
Regular Poster
Join Date: Jun 2006
Posts: 133
Re: Dangerous trojans on the loose

Quote:
Yep, but if you edit some editable byte in the software with a hex editor, then the software will work again. It's a checksum scanner.
Any examples of this?
 
