Dangerous trojans on the loose

Discussion in 'malware problems & news' started by TNT, Jun 22, 2006.

Thread Status:
Not open for further replies.
  1. CompTechGirl

    CompTechGirl Registered Member

    Joined:
    Nov 19, 2006
    Posts:
    7

    Thanks Londonbeat, I hadn't noticed that the "r" was missing. I will make sure to watch for the legitimate program, now that I know it exists.

    Have a great day!
     
  2. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Gromozon is back in business... :(

    block:

    tordok.com
    szig0z2rqud.com
    et2lmgeeol.com
     
  3. webster

    webster Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    285
    Location:
    Denmark
    Blocked :) . Thanks TNT :thumb: .
     
  4. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Well,

    TNT is right, something strange is happening, but we still need to check what it really is.

    There are some common points with the old Gromozon infection, like:

    - Obfuscated JS code, in almost the same way the old Gromozon scripts were (a bit more complex);

    - Random links to another server, just like Gromozon did;

    - Obfuscated executable that makes use of some tricks and downloads some encrypted code that's later decoded into a tmp file by the same obfuscated original executable - like the Gromozon agent dll did when downloading the fake gif image.

    So there are some common points, but still nothing for sure :)
     
  5. CompTechGirl

    CompTechGirl Registered Member

    Joined:
    Nov 19, 2006
    Posts:
    7
    Hey guys,

    Thanks for the heads up. Just curious, is the back door key the same as before? Are these guys targeting any IP address or only a certain group again? Thanks for the info.

    Have a great day!
     
  6. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    They're still targeting Italian IP addresses, though I must say I've seen gromozon targeting Spanish IPs as well before; not sure about this latest one, I'll have to check.
     
  7. CompTechGirl

    CompTechGirl Registered Member

    Joined:
    Nov 19, 2006
    Posts:
    7
    Thanks for your response. I am still hoping to catch this infection on my test machine if possible. That way I will know, before any clients get it, how difficult it will be to attack and remove. Any ideas how one from Canada can get infected? I have no security on the machine. The tordok.com site opens as a plain jane new search engine; the other two say page cannot be displayed. I appreciate any help.

    Thanks in advance.
     
  8. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Some screenshots... Here's all the deobfuscated exploits found on the last gromozon site. The exploits were actually all obfuscated javascript(s), so images 3-8 are in fact not the original pages, but the pages after being manually "deobfuscated".

    One is a 0-day (well let's call it "unpatched"... and not very well known: 7 hits in Google!) against Acer laptops (ouch):
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6121

    The original iframe:
    http://img148.imageshack.us/img148/1800/1bg3.gif

    The second nested iframe:
    http://img401.imageshack.us/img401/6181/2ee7.gif

    Number 3 is a MDAC exploit (MS06-014):
    http://img329.imageshack.us/img329/1171/3mi6.gif

    Number 4 is MS06-071:
    http://img296.imageshack.us/img296/7549/4wg7.gif

    Number 5 is the VML exploit:
    http://img329.imageshack.us/img329/12/5ke7.gif

    Number 6 is the WMF exploit:
    http://img105.imageshack.us/img105/9124/6ns8.gif

    Number 7 is the Java ByteVerify exploit:
    http://img176.imageshack.us/img176/7500/7nw6.gif

    Number 8 is the Acer notebooks NEW exploit:
    http://img176.imageshack.us/img176/7342/8bx8.gif

    Notice how it meticulously checks for the presence of AVs through ActiveX before loading the WMF and Java sploits. It checks

    Norton
    Windows Defender
    Bitdefender
    AVG
    Panda
    F-prot
    Norman
    KAV
    NOD32
    Avast
    Antivir
    Ewido
    VBA32

    Plus a couple of others I haven't identified, and it loads those only if these are not detected.

    Oh and by the way, these are the exploits loaded with IE 6 as detected user agent... with other browsers they load different ones...
     
  9. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    Hey TNT, looks like CounterSpy was impressed with your last post here. :)

    http://sunbeltblog.blogspot.com/2007/01/gromozon-is-back.html
     
  10. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    That's nice, especially since I am a spyware researcher for them. :D
     
  11. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    120,748
    Location:
    Texas
  12. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    :D :D :D
     
  13. CompTechGirl

    CompTechGirl Registered Member

    Joined:
    Nov 19, 2006
    Posts:
    7
    Hey all, just wondering the latest status on gromozon. I tried to download gromo via a zip file sent to me and it didn't infect anything from what I can see. Is there anything I should be looking for specifically that would show me that it is infected? Or would having a router connected block it from downloading the actual infection onto my machine? TNT, thanks for your post with all the pics in it.
    Another weird thing: I downloaded "www.google.com" from limewire, but it appears to be a different infection. I don't have AV on my test computer, it's just a fresh install of Windows XP Pro... but when I scanned the www.google.com file with AVG it came up listed as a trojan (trojan horse clicker.CAH).

    Have a Great day!
     
  14. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    There might be a lot of reasons why the malware didn't infect your computer, but I think in this specific case it was because the infection starter is only a downloader and the remote files are not present anymore on the server (in fact, that server is not redirecting to gromozon but to a rustock.b infection). In other words, the malware did probably start and try to connect to the server to pull down all the other pieces, but since it didn't find them the infection just 'died'. At least that seems the most logical explanation to me. :)
     
  15. EASTER.2010

    EASTER.2010 Guest

    If that's true then please pass along my best regards to another Malware Researcher over there in sunny Florida. :cool:

    Say HI to The Keeper Of The Histories or better known as webhelper for me, appreciate it. Thanks
     
  16. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Ok, I will tell Patrick you said hi. :)
     
  17. GmG

    GmG Registered Member

    Joined:
    Oct 13, 2006
    Posts:
    48
    Location:
    Italy
    new Gromozon site

     
  18. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Thanks GmG. :thumb:
     
  19. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    New domain: ubfajyin.com
     
  20. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    New IP:
    Code:
    IP Address 195.234.159.199  
    Status Succeed  
    Country Israel  
    Network Name LINO-NET  
    Owner Name Sonet Network  
    From IP 195.234.159.0  
    To IP 195.234.159.255  
    Allocated Yes  
    Contact Name Joe Links  
    Address Calle Julio Perez Irizarry #23 
    Hormigueros 
    PR 06660 
    Email joe_links@hotpop.com  
    Abuse Email    
    Phone +1787890551  
    Fax    
    Whois Source RIPE NCC  
    Host Name ubfajyin.com  
    
     
  21. GmG

    GmG Registered Member

    Joined:
    Oct 13, 2006
    Posts:
    48
    Location:
    Italy
    New domain:

     
  22. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    The whole Lino-Net netblock needs to be blocked.
     
  23. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,740
    TNT, how would you block the whole Lino-Net? For some reason Hostman will not let me add any more entries :eek:
     
  24. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Through a firewall.
    195.234.159.0/24 (195.234.159.0 - 195.234.159.255) - block incoming and outgoing connections for this netblock.
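    As an added illustration of the netblock advice above (example script, not code from the thread or from any poster): it collapses the "From IP" / "To IP" range shown in the whois record earlier in the thread into a CIDR block, checks which of the reported "domain @ ip" indicators fall inside it, and emits matching firewall deny rules. The iptables rule syntax is an assumption for a Linux host; the same CIDR goes into whatever firewall the reader actually uses, and the sample indicator list is constructed from values already posted plus one out-of-range address for contrast.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample: the range exactly as the whois record in this
# thread reports it ("From IP" / "To IP" lines).
WHOIS_FROM_IP = "195.234.159.0"
WHOIS_TO_IP = "195.234.159.255"

# Constructed sample in the thread's "domain @ ip" format: two indicators
# posted above plus one outside the netblock (RFC 5737 test address).
INDICATORS = """\
ifiplqkg.com @ 195.234.159.130
ubfajyin.com @ 195.234.159.199
example.invalid @ 198.51.100.7
"""

def netblock_from_range(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Collapse a whois from/to range into the minimal list of CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))

def parse_indicators(text: str) -> List[Tuple[str, ipaddress.IPv4Address]]:
    """Parse 'domain @ ip' lines; blank or malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        if "@" not in line:
            continue
        domain, _, ip = line.partition("@")
        try:
            out.append((domain.strip(), ipaddress.IPv4Address(ip.strip())))
        except ipaddress.AddressValueError:
            continue
    return out

def covered_by(blocks, indicators) -> List[str]:
    """Domains whose IP lies inside any of the given CIDR blocks."""
    return [d for d, ip in indicators if any(ip in b for b in blocks)]

def iptables_rules(blocks) -> List[str]:
    """One inbound and one outbound DROP rule per CIDR block (assumed syntax)."""
    rules = []
    for b in blocks:
        rules.append(f"iptables -I INPUT -s {b} -j DROP")
        rules.append(f"iptables -I OUTPUT -d {b} -j DROP")
    return rules

if __name__ == "__main__":
    blocks = netblock_from_range(WHOIS_FROM_IP, WHOIS_TO_IP)
    print("netblock:", [str(b) for b in blocks])
    print("covered:", covered_by(blocks, parse_indicators(INDICATORS)))
    print("\n".join(iptables_rules(blocks)))
```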
     
  25. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,740
    Thank you very much;)

    You guys are really stayin' on Gromozon's tail :thumb:
     