Over the last few weeks we've been tracking attacks coming from Gromozon.com. These attacks have actually been happening for a few months now, but the number of reports has recently escalated. In particular, a variety of Italian blogs and message boards have been spammed with links to hundreds of different URLs over the last week. These URLs all eventually redirect to gromozon.com, and after an extensive trail of code downloading other code, one ends up infected with LinkOptimizer, which dials a high-cost phone number and then displays advertisements as you browse the Internet.
When you visit one of these malicious links, it eventually loads a page from gromozon.com that determines which browser you are using. If you are using Internet Explorer, it attempts to exploit an Internet Explorer vulnerability. The exploit has changed over time, but is currently MS06-006. With Firefox, it instead prompts you to download a file called www.google.com. This isn't a URL but a file named www.google with the extension .com, which Windows treats as an executable; the name is chosen purely to look harmless.
This is just the first executable in a long chain. The www.google.com executable has a DLL embedded inside of itself, which we'll call the BHO. The BHO is a Browser Helper Object that loads itself into Internet Explorer. The BHO contacts another domain and downloads a file that pretends to be a GIF. The file begins with a valid GIF header, but encrypted data is appended after the image; the BHO decrypts that data, resulting in another executable, which we can call the "bundle". Still with me?
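As an added example (not code from the original post or from Symantec's analysis), here is a Python walk over the GIF block structure that locates the 0x3B trailer and returns whatever bytes follow it. The sample image and the appended bytes are constructed for this illustration; the cipher and key the BHO uses are not described above, so the example only extracts the appended data rather than decrypting it.

```python
GIF_SIGNATURES = (b"GIF87a", b"GIF89a")


def _skip_subblocks(data: bytes, pos: int) -> int:
    """Skip a chain of GIF data sub-blocks (1-byte size, then that many bytes),
    which ends with a sub-block of size 0x00. Returns the offset after the terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def _colour_table_bytes(packed: int) -> int:
    """Size of a colour table whose presence is flagged in bit 7 of a packed byte:
    3 * 2^(n+1) bytes, with n in the low three bits."""
    return 3 * (2 << (packed & 0x07)) if packed & 0x80 else 0


def gif_end_offset(data: bytes) -> int:
    """Walk the GIF block structure and return the offset just past the 0x3B trailer."""
    if len(data) < 13 or data[:6] not in GIF_SIGNATURES:
        raise ValueError("not a GIF header")
    # 6-byte header + 7-byte logical screen descriptor, then optional global colour table
    pos = 13 + _colour_table_bytes(data[10])
    while True:
        if pos >= len(data):
            raise ValueError("truncated before trailer")
        tag = data[pos]
        pos += 1
        if tag == 0x3B:                                   # trailer
            return pos
        if tag == 0x21:                                   # extension: label byte, then sub-blocks
            pos = _skip_subblocks(data, pos + 1)
        elif tag == 0x2C:                                 # image descriptor
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            pos += 9 + _colour_table_bytes(data[pos + 8])  # descriptor + optional local colour table
            pos = _skip_subblocks(data, pos + 1)          # LZW minimum code size, then image data
        else:
            raise ValueError("unexpected block 0x%02x at offset %d" % (tag, pos - 1))


def split_gif(data: bytes):
    """Return (bytes that belong to the image, bytes appended after the trailer)."""
    end = gif_end_offset(data)
    return data[:end], data[end:]


# Constructed 1x1 GIF89a with a graphic control extension; not a sample from the campaign.
CLEAN_GIF = (
    b"GIF89a"                                   # header
    b"\x01\x00\x01\x00"                         # logical screen: 1x1
    b"\x80\x00\x00"                             # packed byte: global colour table, 2 entries
    b"\x00\x00\x00\xff\xff\xff"                 # global colour table (black, white)
    b"\x21\xf9\x04\x00\x00\x00\x00\x00"         # graphic control extension + terminator
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor, no local colour table
    b"\x02"                                     # LZW minimum code size
    b"\x02\x44\x01\x00"                         # one 2-byte data sub-block, then terminator
    b"\x3b"                                     # trailer
)
# Constructed stand-in for the appended encrypted data (opaque bytes, not a real payload).
APPENDED = bytes(range(0x80, 0xA0))
SUSPECT_GIF = CLEAN_GIF + APPENDED

if __name__ == "__main__":
    image, extra = split_gif(SUSPECT_GIF)
    print("image ends at offset %d; %d bytes appended after the trailer" % (len(image), len(extra)))
```

Image viewers and most web libraries stop reading at the trailer and silently ignore anything after it, which is exactly why the trick survives casual inspection; a file that parses as a complete GIF yet carries bytes past 0x3B is the thing to flag.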
The bundle in turn has two executables inside of itself. We'll call one the EFS executable; the second is a variant of LinkOptimizer. LinkOptimizer dials a high-cost phone number and displays pop-up advertisements as you browse the Internet, and the EFS executable is used to check another domain for updates to itself. The EFS executable uses the Windows Encrypting File System (EFS) to hide itself and prevent people from finding and deleting the file.
The use of EFS isn't the only interesting technique being utilized. Over the past few months, the chain of executables has varied. For example, a previous version also included a file with rootkit abilities that hid itself in an NTFS Alternate Data Stream (ADS). In addition, all the strings in these executables are encrypted using RC4. We've colloquially dubbed all of these threats the "spaghetti threats".
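Added example, not the author's code: an RC4 routine of the kind an analyst writes to recover the encrypted strings from such a sample, plus a decryptor for a string table. The table layout (a one-byte length prefix before each RC4-encrypted entry) and the key are assumptions made up for this example; the sample table is constructed by encrypting known strings first, since the real key and layout are not given above.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling followed by keystream generation.
    The cipher is symmetric, so the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                             # pseudo-random generation algorithm (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_string_table(strings, key: bytes) -> bytes:
    """Constructed helper for the hypothetical table layout: each entry is a
    1-byte length followed by the RC4 ciphertext of the string."""
    blob = bytearray()
    for text in strings:
        enc = rc4(key, text.encode("latin-1"))
        if len(enc) > 255:
            raise ValueError("entry too long for a 1-byte length prefix")
        blob.append(len(enc))
        blob += enc
    return bytes(blob)


def decrypt_string_table(blob: bytes, key: bytes):
    """Walk the hypothetical table and decrypt every entry. Each entry restarts
    the RC4 keystream from the same key, as malware string obfuscation commonly does."""
    strings = []
    pos = 0
    while pos < len(blob):
        length = blob[pos]
        pos += 1
        if pos + length > len(blob):
            raise ValueError("truncated entry at offset %d" % (pos - 1))
        strings.append(rc4(key, blob[pos:pos + length]).decode("latin-1"))
        pos += length
    return strings


ASSUMED_KEY = b"example-key"   # assumption: the real key is not given in the post
SAMPLE_STRINGS = ["http://example.invalid/update", "www.google.com", "LinkOptimizer"]
SAMPLE_TABLE = build_string_table(SAMPLE_STRINGS, ASSUMED_KEY)   # constructed input

if __name__ == "__main__":
    # Published RC4 test vector: key "Key", plaintext "Plaintext"
    assert rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"
    for text in decrypt_string_table(SAMPLE_TABLE, ASSUMED_KEY):
        print(text)
```

Restarting RC4 from the same key for every string means every entry is XORed with the same keystream prefix, so the XOR of two ciphertexts equals the XOR of the two plaintexts. One guessed string (an "http://" prefix, a registry path) therefore leaks keystream that decrypts the start of every other entry, which is how analysts usually get a foothold on such a table before locating the key in the code.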
This isn't because it has been targeting Italian computer users, but because the code in every executable is like a plate of spaghetti. The code has many nonsensical code paths full of jumps and calls, interspersed in an attempt to make it difficult to analyze. Clearly, the authors aren't your average malware writers.
They've even done a clever social engineering trick. The front page of gromozon.com displays the following message:
This is of course a lie, as the site is up and functioning. Please don't visit the page yourself, as this group has used multiple exploits in the past and one small change could mean you will get infected. The investigation of this group is far from over. We still have lots of lingering questions; for example, some of the threats contain domains that are never used but were definitely registered by the group. These domains currently resolve to IP addresses in IANA reserved blocks, and one even resolves to an IP address belonging to a governmental system.
UPDATE: If you are infected with this threat, you can remove it using Symantec's LinkOptimizer Removal Tool.