Dangerous backdoor in Acer laptops

Discussion in 'other security issues & news' started by ronjor, Jan 9, 2007.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,778
    Location:
    Texas
    Story
     
  2. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Thanks Ronjor:thumb:
    i checked my sister's laptap with the test page and the laptop is safe woot!
    lodore
     
  3. MerleOne

    MerleOne Registered Member

    Joined:
    Mar 6, 2006
    Posts:
    1,272
    Location:
    France
    Many thanks for pointing out this info. The Acer Patch seems to work fine.
     
  4. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Scary!. :eek:
     
  5. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi,

    I missed that post. Looking at your screen shot #8 -

    1) it looks like the code uses tftp.exe to connect out? wouldn't a firewall catch that?

    2) if it does connect, it looks like that it downloads an executable?

    Thanks,

    -rich
     
  7. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Yeah, but not the 'regular' Windows firewall.
    Yes, and runs the downloaded executable too. :doubt:
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Wouldn't an application like Process Guard catch the executable before running?

    Thanks,

    -rich
     
  9. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Yeah. Besides, the last time I checked, the gromozon trojans shut down if they detect Process Guard, even if you explictly try to run them. :D
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks for that info!

    Just curious, why you didn't include this with your original analysis.

    regards,

    -rich
     
  11. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    It didn't do that in the beginning. It evolved very rapidly, and added these 'features' along the way (also, it didn't stop rootkit tools from working initially, it started doing that later on).

    Frankly I didn't notice when it started checking for Process Guard, I never had Process Guard running the few times I had 'sacrifical' machine available to test the infection on (doesn't run in VMWare). I found that info only when Symantec wrote their second write-up. At the time I was not working as a spyware researcher either, so I didn't have that MUCH time or hardware available to analyze, test, decompile, etc.
     
  12. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    So, the interesting thing about gromzon is its ability to serve a great number of diferent exploits depending upon the browser agent and IP detected and its nasty payload. Am I right?
    The dropper can´t do further harm if you have a HIPS, sandbox or firewall with outbound protection?
    Off topic:
    TNT: are you saying that you was hired as a spyware researcher because of your investigation about Gromzon? Congratulations, you have earned your job without doubts.
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Yes, things evolve rapidly!

    From your explanation of the code, it's evident how easily this can be blocked on two fronts.

    For the ACER user, knowing this provides some peace of mind until a patch arrives (I guess it has by now)

    I thought of PG - (but any similar program would do the same) - because PG is getting a bum rap since DCS quit supporting it. So, here it is effective against a clever NEW zero-day exploit!

    regards,

    -rich
     
  14. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    No, I think it's more interesting for the things it does when it's on the system already (and you can check Marco Giuliani's papers and the Symantec write-ups for that, and also the excellent december issue of Virus Bulletin).

    The number of exploits is, however, interesting its own way, because it seems that a method of serving exploits comparable to the famous "web attacker" (which is a tool with several exploits sold on the 'underground' crackers market) was developed SPECIFICALLY for this particular infection (no other infections use it). In fact, the gromozon exploits are probably more advanced, up-to-date and 'stealth' (because of the work done server-side) than web attacker itself.
    It depends. The dropper DOES do harm even if you have a firewall with outbound protection, because of the BHO component. Some gromozon incarnations started with just a tiny downloader, and a software firewall would be able to stop that, others delivered a bigger payload. Can't remember exactly the behavior of all of them, they changed pretty quickly.

    As for HIPS, maybe some would not be able to block it, but some definitely would. It depends. In many instances of the latest samples, it's the trojan themselves that refuse to even start if they detect a hips or a sandbox.
    Well, I don't know, it was somewhat unexpected, but I'm very happy with the perspective of working full time in the security business (I did do security-related stuff before, but I was a programmer occasionally doing security test and penetration tests).
     
  15. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    I really like PG. :)
     
  16. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I have to read them. I´ve downloaded them a good time ago.
    I was thinking about WebAttacker too. A sad side of Web 2.0 tools, today, almost any remote server can be hacked and be used to serve exploits in a few minutes.
    Good. Call it "colateral protection" but it is protection in the end :p
    Really nice. Your ocassional job doing security audits has becomed a full-time job in the security industry. Best wishes and good luck as long as you keep us updated with your blacklist :D
     
Loading...
Thread Status:
Not open for further replies.