Security Response

Gromozon Is “Live” - Update

Created: 08 Mar 2007 08:00:00 GMT • Updated: 23 Jan 2014 18:51:26 GMT
Elia Florio

Following further research, and also some feedback received from Sunbelt (thanks to Alex for that), we are posting a short follow-up about the Windows Live hijack story reported yesterday. First of all, we noticed that some of the domains returned by Windows Live open popup boxes and pages showing fake Windows errors and problems.

This is the usual social engineering scam used to induce people to install programs like WinFixer or ErrorSafe. Those programs are security risks that may give exaggerated reports of threats on the computer, and they only get installed on the machine if the user agrees and clicks "Yes" to begin the installation.

Today we were also able to verify that a subset of the bad domains returned by Windows Live redirect Italian computers to malicious Web sites hosting several exploits and delivering malware. At the moment this behavior affects only machines with Italian IP addresses, because the Gromozon gang has implemented a series of sophisticated server-side checks to verify the real origin of visitors and some of their browser settings. An analyst fetching the same URL from a non-Italian address, or with a different browser configuration, will simply not be served the exploit pages.

The second advanced countermeasure implemented by the Gromozon gang to make an analyst's job more difficult is the use of session-generated exploit URLs. When an Italian user is redirected to the exploit page, the final URL looks like this one:

hxxp://udh2lijx.com/965c4fe381c17d7e9fd6/fadbh/[malicious_page].php

Now, incredibly, part of this URL is randomly generated per session. Every time a single user hits a malicious Gromozon domain, the remote server generates a set of malicious links, with exploits ready to be served only to that single user. This exploit session stays valid for some hours and, after that, all the malicious links generated for it disappear. The domain stays online, but without the exact URL it is of no use for analysis. This trick is meant to make it difficult to reproduce and track the infections reported by users: a URL copied from a victim's browser history and fetched the next day will return nothing. A long list of Gromozon domains used in the past and at the moment is reported on this page.
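The session-generated URL scheme described above is a problem for anyone working from proxy logs: the random path segment cannot be blocklisted, and a captured URL goes stale within hours. The following Python is an added example written for this post, not code from Symantec or from the Gromozon investigation. It flags URLs with the shape of the sample above (a 20-hex-character segment, a 5-letter segment, then a .php page) in constructed Squid-style access-log lines, groups them by domain and session, and ranks them by age so the freshest ones are fetched first. The exact structure of the random part is an assumption drawn from the single sample URL, the log lines are constructed, the page names in them are hypothetical, and the 3-hour cutoff is a working value rather than a measured session lifetime.

```python
import re
from urllib.parse import urlparse

# Shape of the session-generated exploit URL quoted in the post:
#   http://<domain>/<20 hex chars>/<5 letters>/<page>.php
# Assumption (mine, from that one sample): the 20-hex and 5-letter segments
# are the per-session random parts; the domain and the .php page are not.
SESSION_PATH = re.compile(
    r"^/(?P<session>[0-9a-f]{20})/(?P<tag>[a-z]{5})/(?P<page>[^/?#]+\.php)$"
)

# Constructed Squid native access.log lines (not real traffic). Field order:
# timestamp elapsed client result/status bytes method url ident hierarchy type
# The .php page names are hypothetical; the second URL has a 19-char hex segment
# and must NOT match, the last is a benign URL to the same gateway domain.
SAMPLE_LOG = """\
1173340800.101   245 10.1.2.3 TCP_MISS/302 412 GET http://search-gateway.invalid/go?q=1 - DIRECT/203.0.113.9 text/html
1173340801.412  1820 10.1.2.3 TCP_MISS/200 9120 GET http://udh2lijx.com/965c4fe381c17d7e9fd6/fadbh/start.php - DIRECT/203.0.113.10 text/html
1173340802.009   120 10.1.2.3 TCP_MISS/200 3310 GET http://udh2lijx.com/965c4fe381c17d7e9fd6/fadbh/run.php?id=2 - DIRECT/203.0.113.10 application/octet-stream
1173340900.555    80 10.1.2.4 TCP_MISS/200 1200 GET http://udh2lijx.com/a1b2c3d4e5f6a7b8c9d/abcde/x.php - DIRECT/203.0.113.10 text/html
1173341000.777    90 10.1.2.5 TCP_MISS/404 310 GET http://udh2lijx.com/index.php - DIRECT/203.0.113.10 text/html
"""

LOG_URL_FIELD = 6  # 0-based index of the URL field in the Squid native format


def classify_url(url):
    """Return the URL's parts if it has the session-URL shape, else None."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    match = SESSION_PATH.match(parts.path)  # query string is ignored on purpose
    if match is None:
        return None
    return {
        "domain": parts.netloc.lower(),
        "session": match.group("session"),
        "tag": match.group("tag"),
        "page": match.group("page"),
        "url": url,
    }


def scan_log(lines):
    """Group session-shaped URLs by (domain, session id), keeping the client
    that triggered the session, the first request time and every URL seen."""
    sessions = {}
    for line in lines:
        fields = line.split()
        if len(fields) <= LOG_URL_FIELD:
            continue  # truncated or non-Squid line
        hit = classify_url(fields[LOG_URL_FIELD])
        if hit is None:
            continue
        key = (hit["domain"], hit["session"])
        entry = sessions.setdefault(
            key, {"client": fields[2], "first_seen": float(fields[0]), "urls": []}
        )
        entry["urls"].append(hit["url"])
    return sessions


def triage(sessions, now, max_age_hours=3.0):
    """Rank sessions for immediate retrieval, youngest first. The post only
    says a session stays valid for 'some hours'; max_age_hours is an assumed
    working cutoff, not a measured lifetime."""
    ranked = []
    for (domain, session), entry in sessions.items():
        age_hours = (now - entry["first_seen"]) / 3600.0
        ranked.append({
            "domain": domain,
            "session": session,
            "client": entry["client"],
            "age_hours": round(age_hours, 2),
            "likely_expired": age_hours > max_age_hours,
            "urls": list(entry["urls"]),
        })
    ranked.sort(key=lambda r: r["age_hours"])
    return ranked


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for row in triage(found, now=1173340801.412 + 3600):
        print(row)
```

Because the random segment is only meaningful for the client that received it, the useful artifact is the full URL plus the requesting client's address and time, and the fetch has to happen from an address that passes the same origin checks as the victim; a stale or non-Italian replay tells you nothing about what the domain served.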

The exploit modules that we have observed so far on Gromozon servers include the usual list that we reported in our Linkoptimizer writeup, plus the new exploit targeting Acer laptops. The patch for that vulnerability is available from Acer at http://support.acer-euro.com/drivers/utilities.html#APP.

We recommend extreme caution while surfing and, as always, users should avoid visiting suspicious domains. The target appears to be Italy at the moment, but the server-side checks are just configuration and could easily be changed to target any other range of IP addresses.