Dangerous trojans on the loose

Thanks Londonbeat, I hadn't noticed that the "r" was missing. I will make sure to watch for the legimate program, now that I know it exists.

Have a great day!

 

Gromozon is back in business...

block:

tordok.com
szig0z2rqud.com
et2lmgeeol.com

 

Blocked . Thanks TNT .

 

Well,

TNT is right, it's happening something strange, but we still need to check what it really is.

There're some commons points with old gromozon infection like:

- Obfuscated JS code at almost the same way old gromozon scripts were (a bit more complex);

- Random links to another server, just like Gromozon did

- Obfuscated executable, that make use of some tricks and download some crypted code that's later decoded in a tmp file by the same obfuscated original executable - like Gromozon agent dll did when downloading fake gif image

So there are some common points, but still nothing for sure

 

Hey guys,

Thanks for the heads up. Just curious is the back door key the same as before? Are these guys targeting any ip address or only a certain group again? Thanks for the info.

Have a great day!

 

They're still targeting Italian IP addresses, though I must say I've seen gromozon targeting Spanish IPs as well before; not sure about this latest one, I'll have to check.

 

Thanks for your response. I am still hoping to catch this infection on my test machine if possible. That way I will know before any clients get it how difficult it will be to attack and remove. Any ideas how one from canada can get infected? I have no security on the machine. The tordok.com site opens as a plain jane new search engine the other two say page cannot be displayed. I appreciate any help.

Thanks in advance.

 

Some screenshots... Here's all the deobfuscated exploits found on the last gromozon site. The exploits were actually all obfuscated javascript(s), so images 3-8 are in fact not the original pages, but the pages after being manually "deobfuscated".

One is a 0-day (well let's call it "unpatched"... and not very well known: 7 hits in Google!) against Acer laptops ouch:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6121

The original iframe:
http://img148.imageshack.us/img148/1800/1bg3.gif

The second nested iframe:
http://img401.imageshack.us/img401/6181/2ee7.gif

Number 3 is a MDAC exploit (MS06-014):
http://img329.imageshack.us/img329/1171/3mi6.gif

Number 4 is MS06-071:
http://img296.imageshack.us/img296/7549/4wg7.gif

Number 5 is the VML exploit:
http://img329.imageshack.us/img329/12/5ke7.gif

Number 6 is the WMF exploit:
http://img105.imageshack.us/img105/9124/6ns8.gif

Number 7 is the Java ByteVerify exploit:
http://img176.imageshack.us/img176/7500/7nw6.gif

Number 8 is the Acer notebooks NEW exploit:
http://img176.imageshack.us/img176/7342/8bx8.gif

Notice how it meticulously checks for the presence of AVs through ActiveX while before loading the WMF and Java sploits. It checks

Norton
Windows Defender
Bitdefender
AVG
Panda
F-prot
Norman
KAV
NOD32
Avast
Antivir
Ewido
VBA32

Plus a couple of others I haven't identified, and it loads those only if these are not detected.

Oh and by the way, these are the exploits loaded with IE 6 as detected user agent... with other browsers they load different ones...

 

Hey TNT, looks like CounterSpy was impressed with your last post here.

http://sunbeltblog.blogspot.com/2007/01/gromozon-is-back.html

 

That's nice, especially since I am a spyware researcher for them.

 

Hey all, just wondering the latest status on gromozon. I tried to download gromo via a zip file sent to me and it didn't infect anything from what i can see. Is there anything I should be looking for specifically that would show me that it is infected? Or would having a router connected block it from downloading the actual infection onto my machine? TNT Thanks for your post with all the pics in it.
Another weird thing, I downloaded "www.google.com" from limewire, but it appears to be a different infection I don't have AV on my test computer its just a fresh install of windows xp pro... but when i scanned the www.google.com file with AVG it came up listed a trojan. (trojan horse clicker.CAH)

Have a Great day!

 

There might be a lot of reasons why the malware didn't infect your computer, but I think in this specific case was because the infection starter is only a downloader and the remote files are not present anymore on the server (in fact, that server is not not redirecting to gromozon but to a rustock.b infection). In other words, the malware did probably start and try to connect to the server to pull down all the other pieces, but since it didn't find them the infection just 'died'. At least that seems the most logical explanation to me.

 

If that's true then please pass along my best regards to another Malware Researcher over there in sunny Florida.

Say HI to The Keeper Of The Histories or better known as webhelper for me, appreciate it. Thanks

 

Ok, I will tell Patrick you said hi.

 

new Gromozon site

ifiplqkg.com @ 195.234.159.130
vaozkn4yi.com @ 195.234.159.131
bsuzmfqidmi.com @ 195.234.159.132
uqbvru5am.com @ 195.234.159.133
xuwdezt1.com @ 195.234.159.136
ufvjeev4jrmk.com @ 195.234.159.136
szig0z2rqud.com @ 195.234.159.137
alte6yacvjac.com @ 195.234.159.138
xjjhd6zk6.com @ 195.234.159.140
xjgbm5sec6r.com @ 195.234.159.141
et2lmgeeol.com @ 195.234.159.151
szme9fqgwgg2.com @ 195.234.159.155
lqmubivaei.com @ 195.234.159.159
bxbo9tgcgqu.com @ 195.234.159.161
ib2iql8q5lkb.com @ 195.234.159.167
nzebisrizh.com @ 195.234.159.170
glgwzqmeqkt.com @ 195.234.159.177
wbl2ishoweqf.com @ 195.234.159.196

 

Thanks GmG.

 

New domain: ubfajyin.com

 

New IP:

Code:

IP Address 195.234.159.199  
Status Succeed  
Country Israel  
Network Name LINO-NET  
Owner Name Sonet Network  
From IP 195.234.159.0  
To IP 195.234.159.255  
Allocated Yes  
Contact Name Joe Links  
Address Calle Julio Perez Irizarry #23 
Hormigueros 
PR 06660 
Email joe_links@hotpop.com  
Abuse Email    
Phone +1787890551  
Fax    
Whois Source RIPE NCC  
Host Name ubfajyin.com  

 

New domain:

atgcges51x.com @ 195.234.159.153
deredvfy.com @ 195.234.159.156
hid6vxglr.com @ 195.234.159.169
ivdsdfhsy.com @ 195.234.159.191
qacegw9j.com @ 195.234.159.132
sxuqxwxuaa4.com @ 195.234.159.190
syxjjbift.com @ 195.234.159.177
wqvv3wau.com @ 195.234.159.159

 

The whole Lino-Net netblock needs to be blocked.

 

TNT how would you block the whole Lino-Net? For some reason Hostman will not let me add anymore entries

 

Through a firewall.
195.234.159.0/24 (195.234.159.0 -195.234.159.255) - block incoming and outgoing connections for this netblock.

 

Thank you very much

You guys are really stayin on Grozomon's tail