Dangerous trojans on the loose

Discussion in 'malware problems & news' started by TNT, Jun 22, 2006.

Thread Status:
Not open for further replies.
  1. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
  2. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    Nice, Thanks. :)
     
  3. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    I discovered this thread 2 days ago, and I want to congratulate you, TNT, for your work here - and EraserHW too, who provided a brilliant analysis ;).

    I decided to try it, to see it with my own eyes: this stuff is crazy :eek: ; although the behaviour of the malware often changes, I've never got the LinkOptimizer spyware files, after trying 7-8 times; for some reason I've never had files created in the C:\Windows directory (got the fake services though).


    Here again, that's just another proof of the usefulness of HIPS, which can prevent it (by preventing the 1st file from starting) in case the files dropped (.exe or .com) are not detected by AV :thumb:

    nicM
     
  4. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    eheh

    maybe gromozon writers read my report :rolleyes: :D

    They closed the bridge server with the obfuscated JavaScript. Now they directly load the JS from the first webpage :cool:

    Ok, another night at work :D
     
  5. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    For those who infect themselves with this particular rootkit infection, as an experiment for removal, I am wondering what your results would be if you ran AVZ4 Anti-Virus in your infected virtual environment. I am going to try it in mine. Don't forget to get the updates.

    http://z-oleg.com/avz4en.zip
     
    Last edited by a moderator: Aug 26, 2006
  6. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    ok nope, only obfuscated the address:

    http://www.pcalsicuro.com/images/referer.jpg
     
  7. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    The exploits are now served also from: cvoesdjd(dot)com
     
  8. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    cvoesdjd.com
    Same thing.

     
  9. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Yep. All netcathost should be blocked. Domain restrictions are frankly not enough for this.
     
  10. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    I don't know why but a bird told me that the 20-page PDF will become about 30 :rolleyes:
     
  11. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    IE6 with limited rights, with Active Scripting enabled, no prompts, no infections.

    IE6 with limited rights, with Active Scripting disabled, no prompts, no infections.

    Opera 9 with or without Javascript, no prompts, no infections.

    Firefox with or without NoScript, the same as above.

    OffByOne, nothing, not even a peep. :)
     
  12. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    What, typing just cvoesdjd.com in the address bar? o_O
     
  13. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    No. With typing just cvoesdjd.com in the address bar on all browsers as configured above, nothing happens. No fireworks. Going to td8eau9td.com/page_new.php with IE6, it tries hard to install the FreeAccess.ocx ActiveX file, but it can't, and it's not able to redirect the page to mioctad.com even though you see it briefly in the bottom taskbar.

    I still want to see what kind of results different people have deleting these files while running AVZ4.
     
  14. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Of course... :p The malware-loading page is not there... :D It uses the same method as the other ones, page_new.php with the number parameter.

    It's not able to redirect? o_O

    What kind of redirection is this, meta refresh, javascript, HTTP 3xx? Maybe you just blocked access to that domain. It sounds like it, especially since it shows "connecting to..." :rolleyes:
     
    Last edited: Aug 27, 2006
  15. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Now some of the pages go to js.pceb.cc instead of js.gbeb.cc (do not open either, dangerous) and this loads an "inside" iframe on vip13.biz (do not open).

    EDIT: Ok, this is interesting: with no referrer, it just loads the one with the vip13.biz. With the referer ref=<something> the most dangerous and complex one from td8eau9td.com; I'm not sure of the reason, maybe to fool analysis, I guess.
     
    Last edited: Aug 28, 2006
  16. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    Don't succumb to this new attack, put on your armor people....
    Gromozon Survival List:

    1.) Windows XP Service Pack 2 installed
    2.) All of MS Critical Updates installed
    3.) Windows Limited Rights Account
    4.) IE6 with Limited Rights (For a Windows account with Admin Rights)
    5.) or a major 3rd party browser with Javascript unticked (just to be safe)
    6.) Firewall

    ....and you'll walk away unscathed. I just did. :)
    (And not in a virtual environment either.)
     
  17. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
  18. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
  19. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    New gromozon distributing domain: lah3bum9.com.

    So far:
    gromozon.com
    xearl.com
    mioctad.com
    td8eau9td.com
    cvoesdjd.com
    lah3bum9.com

    JavaScript loaders:
    js.gbeb.cc
    js.pceb.cc
     
  20. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    For those who haven't added this IP range to your firewall -
    Block:
    195.225.176.0/22

    Code:
    <ip address/hostname>
    195.225.177.201
    lah3bum9.com
    Host unreachable

    <net block>
    195.225.176.0 - 195.225.179.255

    <owner>
    NetcatHosting
    Ukraine
    * Abuse contacts: abuse@netcathost.com *

    <administrative contact>
    Vsevolod Stetsinsky
    01110, Ukraine, Kiev, 20Á, Solomenskaya street. room 206.
    phone: +38 050 6226676

    <technical contact>
    Vsevolod Stetsinsky
    01110, Ukraine, Kiev, 20Á, Solomenskaya street. room 206.
    phone: +38 050 6226676

    <additional data>
    NETCATHOST
    Source: whois.ripe.net

     
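Added example, not code from anyone in this thread: a small log-scanning check that applies TNT's point (domain restrictions alone are not enough, block the whole NetcatHost range) to the domains and the 195.225.176.0/22 netblock listed above. The proxy log format and the log lines are constructed for illustration; the second line shows an unlisted domain being caught purely by its IP falling in the blocked range.

```python
import ipaddress
import re

# Distribution domains and JS loaders listed in the thread.
GROMOZON_DOMAINS = {
    "gromozon.com", "xearl.com", "mioctad.com", "td8eau9td.com",
    "cvoesdjd.com", "lah3bum9.com", "js.gbeb.cc", "js.pceb.cc",
}
# NetcatHost range posted above (195.225.176.0 - 195.225.179.255).
NETCATHOST_BLOCK = ipaddress.ip_network("195.225.176.0/22")

# Constructed proxy log format (assumption): "<client> <dest_ip> <host> <url>"
LOG_RE = re.compile(r"^(?P<client>\S+)\s+(?P<dest>\S+)\s+(?P<host>\S+)\s+(?P<url>\S+)$")


def classify(line):
    """Return (reason, host) for a suspicious line, or None for a clean one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host = m.group("host").lower().rstrip(".")
    # Exact match or any subdomain of a listed domain.
    for d in GROMOZON_DOMAINS:
        if host == d or host.endswith("." + d):
            return ("known-domain", host)
    # Fall back to the netblock: catches new domains hosted in the same range.
    try:
        dest = ipaddress.ip_address(m.group("dest"))
    except ValueError:
        return None
    if dest in NETCATHOST_BLOCK:
        return ("netblock", host)
    return None


def scan(lines):
    """Return [(line_number, (reason, host)), ...] for every suspicious line."""
    hits = []
    for i, line in enumerate(lines, 1):
        r = classify(line)
        if r:
            hits.append((i, r))
    return hits


# Constructed sample log: line 2 uses a made-up domain inside the blocked range.
SAMPLE_LOG = [
    "10.0.0.5 195.225.177.201 lah3bum9.com http://lah3bum9.com/page_new.php",
    "10.0.0.5 195.225.178.9 not-listed.example http://not-listed.example/x.php",
    "10.0.0.7 198.51.100.20 www.example.com http://www.example.com/",
    "10.0.0.8 203.0.113.4 js.pceb.cc http://js.pceb.cc/loader.js",
]

if __name__ == "__main__":
    for lineno, (reason, host) in scan(SAMPLE_LOG):
        print(f"line {lineno}: {reason} -> {host}")
```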
  21. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    How are these gutter weasels able to include javascript redirects into popular websites?
    Aren't there filters to prevent javascript from being posted on comments and such?
    Or do the comments just include regular links to the malicious site containing the JS redirects?
     
  22. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    BTW: I'm updating my pdf. Just added another page and I'm going to add some other info.

    Marco
     
  23. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    You mean the comment spam they post to guestbooks and blogs? They are regular links to pages on thousands of different domains (all created by them) that include the obfuscated JS redirect to the actual malware hosting sites.
     
  24. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thanks TNT.
    So the visitor to the popular website has to click on the link in the comment spam on the popular website for the ordeal to begin.

    What is the social engineering aspect of the links in general?
    How are they enticing people to click?
    Does the comment spam say something like "free porn" or is it related to the site to try and fool people?
     
  25. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Some of it says free porn, especially when it comes to older stuff, but most of it doesn't: the comment spam is actually to increase search engine rankings; they also randomly copied an incredible amount of text from random sources to make it easier for people to find these pages through search engines. It's pretty obvious all the text included has no meaning whatsoever in context, as searching with two completely unrelated words such as "giubbotto" (jacket) and "spyware" (in the same search) on msn.com for instance leads almost only to these sites.
     