Gromozon Evolution: From Spaghetti to Lasagna
Since we last talked about Trojan.Linkoptimizer (a.k.a. Gromozon) and the Italian Spaghetti saga, there have been some significant developments. What we had originally dubbed "spaghetti threats" now look much more like multi-layered "lasagna threats". Several new features and improvements were integrated into the latest incarnation of this Trojan by the authors, who are probably getting paid well for all of their efforts.
How do users get infected with Linkoptimizer/Gromozon variants? We noticed that the complicated distribution scheme of Trojan.Linkoptimizer (shown in Figure 1) has changed in a few significant ways compared to the scheme described in the previous blog article. Here are the new things that we noticed:
- New distribution domains were added to the list because gromozon.com gained too much bad publicity! (Check out our updated Trojan.Linkoptimizer writeup for a list of the dangerous domains.)
- The downloaded file is no longer named www.google.com; its name is now picked from a random list (e.g. www.free.com, www.super.com, www.auto.com).
The infection starts from the very bottom layer with a spammed email that contains real news or an advertisement together with a link, which leads to a random Web page, hosted on www.geocities.com. Here is an example of a spammed email:
The infection may also spread through public forums, bulletin boards, and guestbooks, where the distributors of Linkoptimizer have injected several malicious links. We recommend that you do not underestimate the risks of this type of attack, since it has proven to be extremely efficient in the distribution of the Trojan. For example, many users get infected simply by searching Google for legitimate Italian words, such as "stampanti A3 getto" (translation: printers A3 jet). Since many malicious links are embedded in legitimate Web pages, search results may often lead to a Linkoptimizer-infected Web site (as shown in Figure 3).
Many readers have asked why Trojan.Linkoptimizer is so special and why it was so difficult to remove, compared to other threats. The thing that makes Trojan.Linkoptimizer a nightmare for antivirus researchers is the long series of tricks and new techniques used by the authors to make the analysis and removal of the threat very complicated. We have briefly summarized the techniques used by Linkoptimizer, which should explain why antivirus companies have had to put in some extra effort to update their antivirus technologies to fight this malware.
Anti-reverse engineering: The code is scrambled with a technique that we call "spaghetti jumps." It's very difficult for a researcher to analyze the complete execution flow of the malicious programs. Moreover, the executables come with random ImageBase properties, random names, random appended data, and all the text strings are encrypted with an RC4 algorithm using random encryption keys.
Anti-VMware and Anti-debugging: Malicious samples don't run in VMware environments and (of course) they can detect the presence of popular debuggers like Softice, WinDbg, and Ollydbg by using INT41/INT3 tricks or by checking for the presence of debugger drivers.
Anti-monitoring: We already knew that Linkoptimizer does not like programs like Filemon, Regmon, and Ethereal, but the new variants will not run if they detect the presence of programs like Microsoft Visual Studio, ProcessGuard, CommView, Coreforce, or DriverStudio installed on the computer.
Anti-anti-rootkit: Is your favorite anti-rootkit tool not starting on your computer anymore? You’re probably infected with Trojan.Linkoptimizer! In fact, the Trojan removes the "SeDebugPrivilege" from administrators and keeps an updated list of popular rootkit programs that will be terminated immediately after they are executed. In addition, it may also block access to several security-related domains in order to prevent removal tools from being downloaded.
Anti-removal: Linkoptimizer raised a big challenge, making the removal of its components the hard part of the antivirus job. We had first seen the Trojan hiding itself inside alternate data streams, or by using EFS (Encrypting File System) on computers with NTFS partitions. On FAT32 systems, the Trojan copies itself using reserved MS-DOS names (for example: com, lpt, prn) and sets invalid file attributes to prevent the manual deletion of its files. Finally, the last variant analyzed uses rootkit techniques both to hide itself and to run a malicious monitoring system that constantly checks the integrity of the Trojan installation. Every single remediation action performed by the user or by an antivirus program will be reverted by the monitoring thread that implements the "counter-countermeasure".
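The reserved-name trick above is the one a responder most often trips over, because the normal Win32 path parser resolves such a name to a device rather than to the file. As an added example (not code from the original post or from Symantec), here is a small Python triage helper that flags such file names in a constructed directory listing and builds the `\\?\` path form, which is passed through without device-name parsing; the numbered device names (COM1-COM9, LPT1-LPT9) are an assumption standing in for the post's shorthand "com"/"lpt".

```python
"""Triage helper for the reserved-device-name trick (example code, not part of
the original post). The listing at the bottom is constructed, not a real one."""
import ntpath

# Names the Win32 path parser treats as devices, with or without an extension
# (COM1.exe is still COM1). The plain "com"/"lpt" in the post are assumed to be
# shorthand for the numbered names.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{n}" for n in range(1, 10)}
    | {f"LPT{n}" for n in range(1, 10)}
)


def is_reserved_device_name(filename: str) -> bool:
    """True if Win32 would resolve this file name to a device instead of a file."""
    # Win32 compares the part before the first '.' and ignores trailing spaces.
    stem = filename.split(".", 1)[0].rstrip(" ")
    return stem.upper() in RESERVED_DEVICE_NAMES


def extended_path(win_path: str) -> str:
    """Prefix an absolute path with \\?\ so it bypasses device-name parsing."""
    # The extended-length prefix requires an absolute, backslash-only path.
    normalized = ntpath.normpath(win_path.replace("/", "\\"))
    return normalized if normalized.startswith("\\\\?\\") else "\\\\?\\" + normalized


def flag_reserved_names(paths):
    """Return (path, extended path) pairs for entries a plain 'del' cannot touch."""
    hits = []
    for p in paths:
        if is_reserved_device_name(ntpath.basename(p)):
            hits.append((p, extended_path(p)))
    return hits


# Constructed sample listing: two reserved-name files hidden among normal ones.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\WINDOWS\system32\com1",
    r"C:\WINDOWS\system32\common.dll",
    r"C:\Program Files\Common Files\prn.exe",
]

if __name__ == "__main__":
    for original, fixed in flag_reserved_names(SAMPLE_LISTING):
        print(f"reserved device name: {original}  ->  address as {fixed}")
```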
However, despite all these tricks, Symantec antivirus products that have been updated with the latest definitions can both detect and remove Trojan.Linkoptimizer. This isn't a simple task, as we must bypass all the above tricks. Just be sure you have updated definitions, as we will continue to update our remediation abilities for this Trojan as often as it introduces new tricks. If you aren't using a Symantec antivirus product, we also provide a free fixtool you can download.