Dangerous trojans on the loose

Discussion in 'malware problems & news' started by TNT, Jun 22, 2006.

Thread Status:
Not open for further replies.
  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Just for the record, isn't it true that a HIPS like SSM can protect you against all this stuff? Also, it seems that you get alerts about just about everything that tries to install, at least if you're patched I assume. So not really scary. The only striking thing is that AV scanners can't detect a lot of these trojans, so another proof why you really need to have a HIPS or sandboxing solution. :rolleyes:
     
  2. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Yes, at least in my experience. I executed some of these trojans in Sandboxie and none was ever able to escape from it. Also, Core Force (unless badly configured of course) stops the exploits dead in their tracks.

    However, note that malware can be (and has been several times) created so that it won't execute in a "sandboxed" environment, only a real one: fine for "protection" purposes, but faulty to see whether something is really malicious or not.

    What alerts? It does almost everything in the background. In fact, everything with something like IE6. All you can notice is some system slowdowns.
     
    Last edited: Aug 24, 2006
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    You might also want to test SSM and Neoava Guard against these sites, would be interesting to see how they performed, but I'm sure they will block everything.

    I mean about the ActiveX controls and the google.com file, they will not load silently, correct?
     
  4. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    EraserHW,

    Thank you for the great analysis report.

    One thing that was very surprising to me was that it wouldn't run in a virtual environment. I thought programs couldn't detect if they were run in a virtual environment. Can they break out of a virtual environment?
     
  5. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Yeah, but that's just two examples. All the other exploits work in the background, and they install the same thing. So even if, say, you're vulnerable in IE and you see an ActiveX prompt which you refuse, you're gonna get infected and rootkited anyway.
     
  6. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    I'm really pleased to have done something interesting :)

    Yes, some malware can detect if it's running in a Virtual Machine or not. There are several ways to detect if it's running inside a VM, for example (one stupid example) using some instructions that a VM can't emulate :)

    Regards,
    Marco
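
    One concrete form of the VM check mentioned in TNT's post above (malware that refuses to run in a sandbox) and in EraserHW's reply: this is an added example, not code from anyone in this thread. It uses CPUID, which a hypervisor cannot avoid handling for its guests: leaf 1 ECX bit 31 is the "hypervisor present" flag, and leaf 0x40000000 returns a 12-byte vendor signature. The vendor table is an assumption (well-known signatures for VMware, KVM, Hyper-V, VirtualBox, Xen and QEMU TCG); it builds with GCC or Clang on x86/x86-64 and reports "unavailable" elsewhere.

```c
/* Added example: hypervisor-presence check via CPUID (not from this thread).
 * Assumptions: GCC/Clang on x86 or x86-64 (uses <cpuid.h>); the vendor table
 * below lists common signatures and is not exhaustive.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

/* CPUID leaf 1: bit 31 of ECX is reserved on bare metal and set by a
 * hypervisor that chooses to announce itself to the guest. */
int hypervisor_bit_set(unsigned ecx)
{
    return (ecx >> 31) & 1u;
}

/* Write a 32-bit register value as four little-endian bytes (CPUID packs
 * the signature string into registers this way, regardless of host endian). */
static void put_le32(char *dst, unsigned v)
{
    for (int i = 0; i < 4; i++)
        dst[i] = (char)((v >> (8 * i)) & 0xffu);
}

/* CPUID leaf 0x40000000: the 12-byte vendor signature is in EBX, ECX, EDX,
 * in that order. Copy it into a NUL-terminated 13-byte buffer. */
void decode_hv_vendor(unsigned ebx, unsigned ecx, unsigned edx, char out[13])
{
    put_le32(out, ebx);
    put_le32(out + 4, ecx);
    put_le32(out + 8, edx);
    out[12] = '\0';
}

/* Map a signature to a product name, or NULL if unknown. The "KVMKVMKVM"
 * entry works because the real signature is followed by three NUL bytes. */
const char *hv_name(const char *sig)
{
    static const struct { const char *sig; const char *name; } table[] = {
        { "VMwareVMware", "VMware" },
        { "KVMKVMKVM",    "KVM" },
        { "Microsoft Hv", "Hyper-V" },
        { "VBoxVBoxVBox", "VirtualBox" },
        { "XenVMMXenVMM", "Xen" },
        { "TCGTCGTCGTCG", "QEMU (TCG)" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(sig, table[i].sig) == 0)
            return table[i].name;
    return NULL;
}

/* Query the CPU this code is running on.
 * Returns 1 if a hypervisor announces itself (sig filled in), 0 if the flag
 * is clear (sig empty), -1 if CPUID is not available on this build target. */
int detect_hypervisor(char sig[13])
{
#if HAVE_CPUID
    unsigned a, b, c, d;
    __cpuid(1, a, b, c, d);
    if (!hypervisor_bit_set(c)) {
        sig[0] = '\0';
        return 0;
    }
    __cpuid(0x40000000u, a, b, c, d);
    decode_hv_vendor(b, c, d, sig);
    return 1;
#else
    sig[0] = '\0';
    return -1;
#endif
}

int main(void)
{
    char sig[13];
    int r = detect_hypervisor(sig);
    if (r < 0) {
        puts("CPUID not available on this target");
    } else if (r == 0) {
        puts("hypervisor flag clear: bare metal, or a hypervisor hiding itself");
    } else {
        const char *name = hv_name(sig);
        printf("hypervisor flag set, signature \"%s\" (%s)\n",
               sig, name ? name : "unknown vendor");
    }
    return 0;
}
```

    The flag is voluntary: a hypervisor or analysis sandbox can clear it and return zeros for leaf 0x40000000, which is exactly why malware of this kind also tries other signals (timing differences, instructions the VM handles imperfectly, device and driver names). For an analyst the lesson is the mirror image: a sample that exits quietly in a VM but runs on real hardware is not "clean", so a bare-metal test box or a sandbox that masks these signals is part of the toolkit.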
     
  7. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    Excellent document, EraserHW. Well written.
    You might want to add this whois to it.

     
  8. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Anything to this "Gromozon Rootkit" stuff?

    http://www.pcalsicuro.com/gromozon.pdf

    Anyone tried just putting the gbeb http link referred to in their firewall's (or PeerGuardian's) blocklist? Pete
     
  9. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Re: Anything to this "Gromozon Rootkit" stuff?

    There's certainly something to it. I don't know if anyone is using blocklists on the gbeb.
    At this point in time, the advice for a 'normal' user might be to format if you get it.
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    I look forward to seeing updated scan results of this malware :)
     
  11. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    It's been in my blocklist I post in here since I discovered it in May. Why get bad blocklists when you can use mine? :D
    I agree.
     
  12. controler

    controler Guest

    EraserHW


    Do I need to allow Acrobat to install a service/driver with PG to download the file? Otherwise I am not able to.

    controler
     
  13. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    This may not apply to your case but it is a very slow download even on Broadband and to some it might appear not to be downloading especially if they are on dial-up :doubt:
     
  14. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
  15. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    I'll fix speed problem on the server :) sorry :(

    @SirMalware: yeah, I've some things to add to the paper in the release 0.3 :) Thanks for your info :)
     
  16. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    Someone mentioned earlier in this thread that submitting files to VirusTotal will allow all of the antimalware vendors to get the samples. I have found this not to be the case (or they just don't care). Some work we did here: http://www.castlecops.com/t162898-CMMONSVC32_EXE.html resulted in many new samples being submitted to VirusTotal, but here: http://www.castlecops.com/t164130-submit_new_varients.html you can see that most providers had not picked them up 2 weeks later.

    I would suggest using VirusTotal as a testing point for new malware and a benchmarking tool for new threat response time only. If you want the "good guys" to get the samples, upload the samples directly to them.

    @TNT If it is all right with you I would be interested in having the samples collected so far and/or links to where I can get them myself (you mentioned that they are changing frequently). There are a few antimalware providers I want to double check with to confirm that they have these. PM me if this is ok with you and I will PM you my email address. Thanks.

    BTW it's cool reading about the use of virtual environments and sandboxes for malware research. I only do it as a hobby and still use the method of intentionally infecting my unsecured XP SP1 test machine, pulling out its hard drive, slaving it to my work machine and collecting the samples from there. Super low tech but super effective for crippling rootkits and stubborn malware. I submit malware samples to any providers that both make themselves accessible and provide free versions to home users.
     
    Last edited: Aug 25, 2006
  17. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    OK, fixed the download bandwidth problem.

    Now the download should be much faster.
     
  18. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Last edited: Aug 25, 2006
  19. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
  20. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    :D :D
     
  21. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    I just tested that "Bright Yellow Box" brand. (with updates) Same thing, "Access Denied". It couldn't get rid of anything. :thumbd:

    Apparently, this stuff is now targeting all the specialty rootkit/removal tools out there, I was just at another forum where it was stated that IceSword or Avenger don't even work anymore. :(
     
  22. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Yep, but if you edit some editable byte in the software with a hex editor, then the software will work again. It's a checksum scanner.
     
  23. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    I was looking more deeply at the Symantec writeup.

    IMHO there are some things that are wrong/inaccurate.

    For "Trojan DLL" here I hope/believe they want to say "rootkit". Here is the most important (and only) key of the rootkit.

    The list isn't complete as far as I know, this is only a really small number.

    Here there's an error, because the second line isn't the 'System' subdir but 'Microsoft Shared' AFAIK.

    Regards,

    Marco :)
     
  24. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Well, thanks again for the amazing work you're doing here. :)
     
  25. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    Any examples of this?
     