Dangerous trojans on the loose

Discussion in 'malware problems & news' started by TNT, Jun 22, 2006.

Thread Status:
Not open for further replies.
  1. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    Download GMER 1.0.12, rename gmer.exe -> test.exe & start test.exe
     
    Last edited: Nov 4, 2006
  2. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    Can anybody list all currently known "gromozon" IPs with the subnet masks which we can add to a router's firewall? It's chaotic to scroll through all the pages to hunt for IP addresses.
    Even better would be a topic with only the gromozon ip list, so people can quickly update their firewalls.
    Just an idea, if it is a stupid one, the mods can just remove this post.
     
  3. EASTER.2010

    EASTER.2010 Guest

    I did not check all those links to Gromo posted above :blink: but I did address-bar many of them posted here and you will now discover MANY OF THEM HAVE BEEN CLOSED DUE TO VIOLATIONS! (ShadowSurfed the URLs) LoL

    Waiting to see what server or datacenter over there might host them again. This is almost similar in fashion to our old nemesis COOLWEBSEARCH who bought a ton of domains to serve up their wares in the past.

    REGARDS EASTER
     
  4. GmG

    GmG Registered Member

    Joined:
    Oct 13, 2006
    Posts:
    48
    Location:
    Italy
    The 'Account closed due terms violation.' message is a fake.

    Nothing happens on the "front" page.
    The exploits/trojans are still on a "subpage".
     
  5. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    New domain:

    rrsmcoooz.com
     
    Last edited: Nov 6, 2006
  6. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
  7. EASTER.2010

    EASTER.2010 Guest

    I'll camp out on them then. Maybe my reflexes were too rapid. Normally I work by first site. Indeed if that is the case they sure have an abundance of webby addys to push out their craft.

    Thanks for tip!
     
  8. GmG

    GmG Registered Member

    Joined:
    Oct 13, 2006
    Posts:
    48
    Location:
    Italy
    New domain: nzrxadrux.com @ 195.225.177.192
     
  9. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    New domain: izohxdu7lah.com (195.225.177.192)
     
  10. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    This malware spreads very quickly :eek:
    I've cleaned (errr... formatted :D) 10 PCs infected with this crap
     
  11. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    New domain: yypp6pwk.com (195.225.177.192)
     
  12. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
  13. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    http://www.pcalsicuro.com/main/

    Block IP Range:
    85.255.112.0 - 85.255.127.255
    81.29.240.0 - 81.29.242.63
     
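    The two ranges above are given as first-last pairs, but most router firewalls and hosts-style blocklists want network/mask or CIDR notation, which is what softtouch asked for earlier in the thread. The following is an added example (written for this edit, not code posted by SirMalware or anyone else in the thread) that turns the posted ranges into the minimal set of CIDR blocks and dotted masks, and checks whether a given address falls inside them. The ranges are the ones quoted in this post; the 195.225.177.192 address used for the membership check is the host several posters above list for the newer domains. Nothing else is assumed.

```python
import ipaddress

# The two ranges exactly as posted in this thread.
POSTED_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("81.29.240.0", "81.29.242.63"),
]


def range_to_cidrs(first, last):
    """Return the minimal list of CIDR networks that cover first..last inclusive.

    A range that is not power-of-two aligned (like 81.29.240.0-81.29.242.63)
    needs more than one network; ipaddress.summarize_address_range does the
    splitting and yields them in ascending order.
    """
    a = ipaddress.IPv4Address(first)
    b = ipaddress.IPv4Address(last)
    if b < a:
        raise ValueError(f"range end {last} precedes start {first}")
    return [str(net) for net in ipaddress.summarize_address_range(a, b)]


def cidr_to_mask(cidr):
    """'85.255.112.0/20' -> ('85.255.112.0', '255.255.240.0').

    strict=True makes the constructor reject a prefix with host bits set,
    so a hand-typed CIDR with a typo fails loudly instead of silently
    widening the block.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    return str(net.network_address), str(net.netmask)


def build_blocklist(ranges):
    """Flatten (first, last) pairs into a list of (network, mask) tuples."""
    entries = []
    for first, last in ranges:
        for cidr in range_to_cidrs(first, last):
            entries.append(cidr_to_mask(cidr))
    return entries


def iptables_rules(ranges, chain="OUTPUT"):
    """Render one DROP rule per CIDR block for a Linux/iptables border box."""
    rules = []
    for first, last in ranges:
        for cidr in range_to_cidrs(first, last):
            rules.append(f"iptables -A {chain} -d {cidr} -j DROP")
    return rules


def is_blocked(ip, ranges):
    """True if ip lies in any of the posted ranges."""
    addr = ipaddress.IPv4Address(ip)
    return any(
        ipaddress.IPv4Address(first) <= addr <= ipaddress.IPv4Address(last)
        for first, last in ranges
    )


if __name__ == "__main__":
    for network, mask in build_blocklist(POSTED_RANGES):
        print(f"{network}\t{mask}")
    for rule in iptables_rules(POSTED_RANGES):
        print(rule)
    # The host behind the newer domains listed above is not in these ranges:
    print("195.225.177.192 blocked:", is_blocked("195.225.177.192", POSTED_RANGES))
```

    The second posted range splits into a /23 plus a /26, which is easy to get wrong by hand; feeding the output of `range_to_cidrs` into whatever the router accepts avoids that. As the domain hopping in this thread shows, an IP blocklist only holds until the gang moves hosts, so it is a supplement to a name-based hosts-file block, not a replacement.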
  14. Oremina

    Oremina Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    209
    Location:
    England
    I have to say that since I became interested in "geeking" around 5/6 years ago, this has been the most interesting thread I have ever followed (and I lurk on several forums). It is now 5 months since TNT started this thread and I follow it religiously. I add to my Hosts file and to my KIS firewall everything I read on here. My heartfelt thanks are due to TNT, EraserHW and SirMalware, plus many others who have contributed. Your efforts are appreciated more than you know!
     
  15. CompTechGirl

    CompTechGirl Registered Member

    Joined:
    Nov 19, 2006
    Posts:
    7
    I have been reading your page and I see many places where you mention it is a subpage, not index.html. Is there a way to find out the subpages? Due to not reading closely, I have been up for several hours... trying to infect my test computer using the main pages. oops. Please pm me the site to get infected please and thank you :).

    I know my friend who pointed me to the site ... would really appreciate it too, as he also was trying to use the main pages to get infected.. I am presuming you meant the subpages as being "gromozon.com/subpage"

    Thanks again in advance for your help with this.
     
  16. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Actually CompTechGirl, most of the domains mentioned have stopped working for more than a week now, and the few that were still working the last time I checked had server-side detection of the IP and didn't spit out the exploits if the IP was not Italian. Why have most of the domains stopped working? Who knows, but it's certainly not bad news. I hope the few remaining ones are gonna stop working too, and especially I hope those were 'forced' shutdowns, not just a decision by the gromozon jerks.
     
  17. CompTechGirl

    CompTechGirl Registered Member

    Joined:
    Nov 19, 2006
    Posts:
    7
    That's great and not so great. I had a client infected with this thing, but wasn't able to defeat it. I was really hoping to be able to study this infection and practice removal if possible. Any chance you or someone could send one of the infection samples to me anyways? I would really appreciate it. LOL, maybe I'll have to find a way to spoof an Italian IP address and visit the still active sites.

    so the current closed sites that bring up abusecenter.org -- those are really closed sites now? I am still trying to catch up on some lost sleep hunting for this thing... so it goes :S

    Thanks for all your work on this trojan so far. It has definitely been very interesting reading all the posts on it.
     
  18. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    The redirection to abusecenter.org (a FAKE antispam site) was always brought up (or at least for the last few months) unless they detected the IP as Italian; this was done by the "redirection" pages, not the pages where the exploits were loaded. As for the actual exploit pages, there were two types: one that loaded the exploits if you got directly to them, no matter what the IP was. This was the type that for instance td8eau9td.com and xearl.com loaded. The other one, used by guerdonde.com and a couple of newer ones, loaded the exploits only if the IP was detected as Italian.
     
  19. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Just an info to everyone:

    if you try to connect to my website pcalsicuro.com most likely you'll receive a timeout and unreachable website.

    Since this morning the server where I'm hosted is under a DoS attack.

    Since this afternoon all traffic that comes from outside Italy is filtered and can't reach this server (and so my website). Most Italian people can connect to my website.

    I'm sorry for this trouble.

    Marco
     
  20. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Disgusting... :mad:

    I will quote what the page here says: http://msmvps.com/blogs/spywaresucks/archive/2006/11/11/274704.aspx

    Good on ya Gromozon guys... I think you have just shot yourselves in the foot - are you jumping from fright every time there's a bang on your door, or a car pulls into your driveway, or the phone rings?
     
  21. ChrisRLG

    ChrisRLG Registered Member

    Joined:
    Oct 10, 2003
    Posts:
    80
    Location:
    Essex, UK
    Marco

    You are not the only one.

    They have discovered our hidden forum where we have been cleaning this rootkit - they have blocked the domain in the rootkit for newer infections, and we too suffered a Minor DoS attack which lasted about 4 hours.

    The firewall did contain the attack and the server remained up and active.

    We did complain to the ISP of the attacking machine - so that might have been why the attack stopped. Or it is possible it switched to attacking you at that time.
     
  22. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    o_O When was the last time any of you folks got a new Gromozon infection ?


    BTW I heard that the reason why virtually all Gromozon infection URLs went dead a while back is that one day the American server got taken down, followed by the Italian server the next day, by certain means.

    So if anyone knows of any other sources of this infection LMK so I can forward to some interested parties to see if history can hopefully repeat itself;)
     
  23. EASTER.2010

    EASTER.2010 Guest

    Agreed. Go for it. So far it has proven its weight in the mix. In some of my own research even the command-line shell (cmd) was compromised, effectively making of no effect various cmd tools to even detect hiddens; RKUnhooker reveals Code (InLine Hooks etc.) and also strikes them down, returning Code Instructions to their Default Values again. Depending on the severity of the intrusion, it's not impossible for MOST all other security proggies to get smothered and disabled, but there seems to always be at least a couple or a few who are up to the challenge of rescuing the system.
     
  24. CompTechGirl

    CompTechGirl Registered Member

    Joined:
    Nov 19, 2006
    Posts:
    7
    Hey, I just wanted to pass on some weird happenings... although, you may already know this. On some of the pages, it shows "Page cannot be displayed", but there is a scroll bar !?!

    If you use the scroll bar and move down the page, there are links down the sides; mostly the "page cannot be displayed" thing is pasted on top of something else, so you cannot see the whole page. But I didn't get infected from visiting the sites. One site from following a link tried to ActiveX-install WinAntivirus.

    anyone know the backdoor key to the two remaining sites? I think i narrowed down which sites still exist (i could be wrong), but the /page_new.php doesn't get anywhere. Thanks in advance.


    Has anyone heard anything new on gromozon in the last while? Are there any news reports?

    Also, wanted to ask one silly question. Virus Burster is a zlob trojan pretending to be an AV, so why does VirusTotal send a sample to them?? Or is there a valid program with the same name somewhere out there?
     
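    Several posts above describe the same trick: a page that looks dead in the browser (GmG's fake 'Account closed due terms violation' front page, or the 'Page cannot be displayed' text with a scroll bar that CompTechGirl saw) while the real markup underneath still carries iframes, links and scripts. The following is an added example, not code from anyone in this thread, showing how to audit a fetched page for that mismatch offline: parse the HTML, collect what the visible text claims, and count the embedded content the "error" would have you ignore. The sample page is constructed for this example; the example.invalid hostnames are hypothetical placeholders, and the `/page_new.php` path is only echoed from the post above, not a known live location.

```python
from html.parser import HTMLParser

# Constructed sample page (not captured from any real site): an absolutely
# positioned overlay shows an error banner, but the document also contains a
# 1x1 iframe, a download link and a script that writes a second iframe.
SAMPLE_HTML = """<html><body>
<div style="position:absolute;top:0;left:0;width:100%;height:100%;background:#fff">
  <h1>The page cannot be displayed</h1>
</div>
<iframe src="http://example.invalid/page_new.php" width="1" height="1"></iframe>
<p><a href="http://example.invalid/dl/setup.exe">download</a></p>
<script>document.write('<iframe src="http://example.invalid/x/"></iframe>')</script>
</body></html>"""

# Visible-text phrases the thread reports being used as a decoy.
DEAD_PAGE_PHRASES = (
    "page cannot be displayed",
    "account closed",
    "terms violation",
)


class PageAudit(HTMLParser):
    """Collect visible text plus every iframe, link and script in the markup."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.iframes = []
        self.links = []
        self.scripts = 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self.iframes.append(a.get("src") or "")
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "script":
            self.scripts += 1
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands <script> bodies to handle_data as raw text, so the
        # iframe inside document.write() is counted as script, not as a tag.
        if not self._in_script:
            self.text.append(data)


def audit(html):
    """Return a summary dict; 'suspicious' is True when the visible text claims
    the page is dead yet the markup still embeds content to fetch or run."""
    p = PageAudit()
    p.feed(html)
    p.close()
    visible = " ".join(p.text).lower()
    claims_dead = any(phrase in visible for phrase in DEAD_PAGE_PHRASES)
    embedded = len(p.iframes) + len(p.links) + p.scripts
    return {
        "claims_dead": claims_dead,
        "iframes": p.iframes,
        "links": p.links,
        "scripts": p.scripts,
        "suspicious": claims_dead and embedded > 0,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_HTML)
    for key, value in report.items():
        print(f"{key}: {value}")
```

    Run this over the saved source of a page rather than loading it in a browser: the point is to decide whether the "dead" site deserves a closer look in an isolated VM without rendering the scripts and iframes first. A genuine error page has no iframes, no download links and no script, so it audits clean.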
  25. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    Hi CompTechGirl

    Virus Burster is a trojan but VirusBuster (without the 'r') is a legitimate Antivirus.

    Londonbeat
     