Over the last few weeks we've been tracking attacks coming from Gromozon.com. These attacks have actually been happening for a few months now, but the number of reports has recently escalated. In particular, a variety of Italian blogs and message boards have been spammed with links to hundreds of different URLs over the last week. These URLs all eventually point to gromozon.com and after an extensive trail of code downloading other code, one ends up infected with LinkOptimizer, which dials a high-cost phone number and then displays advertisements when browsing the Internet.
When you visit one of these malicious links, it eventually loads a page from gromozon.com that determines which browser you are using. If you are using Internet Explorer, it attempts to exploit an Internet Explorer vulnerability. The exploit has changed over time, but is currently MS06-006. With Firefox, it prompts you to download a file called www.google.com. This isn't a URL, but a file named www.google with the extension .com.
This is just the first executable in a long chain. The www.google.com executable has a DLL embedded inside of itself, which we'll call the BHO. The BHO is a Browser Helper Object that loads itself in Internet Explorer. The BHO contacts another domain and downloads another file that pretends to be a GIF. The file has a GIF header, but is followed by encrypted data that is decrypted by the BHO, resulting in another executable, which we can call the "bundle". Still with me?
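The fake GIF described above can be flagged without knowing the decryption key: a well-formed GIF ends with a single trailer byte (0x3B), so anything after it does not belong to the image. The parser below is an added example, not code from the original post or from Symantec; it walks the GIF block structure and returns whatever follows the trailer. The one-pixel image and the appended bytes are constructed here for the demonstration.

```python
import struct

def gif_trailing_data(blob: bytes) -> bytes:
    """Walk the GIF block structure; return the bytes after the 0x3B trailer.

    Returns b"" for a clean image (nothing after the trailer) and raises
    ValueError if the data is not a GIF or contains an unknown block type.
    """
    if blob[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    # Logical Screen Descriptor: width, height, packed flags, bg index, aspect
    _w, _h, flags, _bg, _aspect = struct.unpack_from("<HHBBB", blob, 6)
    pos = 13
    if flags & 0x80:                     # global colour table present
        pos += 3 * (2 << (flags & 0x07))  # 2^(N+1) RGB entries

    def skip_subblocks(p: int) -> int:
        # Data sub-blocks: <length byte><data>... terminated by a 0x00 length.
        while True:
            n = blob[p]
            p += 1
            if n == 0:
                return p
            p += n

    while pos < len(blob):
        block = blob[pos]
        pos += 1
        if block == 0x3B:                # trailer: everything after it is foreign
            return blob[pos:]
        if block == 0x21:                # extension: label byte + sub-blocks
            pos = skip_subblocks(pos + 1)
        elif block == 0x2C:              # image descriptor (9 bytes)
            iflags = struct.unpack_from("<HHHHB", blob, pos)[4]
            pos += 9
            if iflags & 0x80:            # local colour table
                pos += 3 * (2 << (iflags & 0x07))
            pos = skip_subblocks(pos + 1)  # +1 skips the LZW minimum code size
        else:
            raise ValueError(f"unknown GIF block 0x{block:02x} at offset {pos - 1}")
    return b""                           # truncated image, no trailer seen

# Constructed sample: a valid 1x1 GIF89a with a graphic control extension.
CLEAN_GIF = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
             + b"\x00\x00\x00\xff\xff\xff"            # 2-entry global colour table
             + b"\x21\xf9\x04\x01\x00\x00\x00\x00"    # graphic control extension
             + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
             + b"\x02\x02\x44\x01\x00" + b"\x3b")
# Constructed stand-in for the encrypted blob the BHO would decrypt.
DISGUISED_GIF = CLEAN_GIF + b"CONSTRUCTED-ENCRYPTED-PAYLOAD"

if __name__ == "__main__":
    print(len(gif_trailing_data(CLEAN_GIF)), "trailing bytes in clean image")
    print(len(gif_trailing_data(DISGUISED_GIF)), "trailing bytes in disguised file")
```

Image decoders stop at the trailer, so the disguised file still renders as a picture; the check has to be run by the proxy or scanner, not the viewer.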
The bundle in turn has two executables inside of itself. We'll call one the EFS executable; the second is a variant of LinkOptimizer. LinkOptimizer dials a high-cost phone number and displays pop-up advertisements as you browse the Internet, while the EFS executable checks another domain for updates to itself. The EFS executable uses the Windows Encrypting File System (EFS) to hide itself and prevent people from finding and deleting the file.
The use of EFS isn't the only interesting technique in play. Over the past few months, the chain of executables has varied. For example, a previous version also included a file that hid itself in an ADS (Alternate Data Stream) and had rootkit abilities. In addition, all the strings are encrypted using RC4, and we've colloquially dubbed all of these threats the "spaghetti threats".
This isn't because it has been targeting Italian computer users, but because the code in every executable is like a plate of spaghetti. The code has many nonsensical code paths full of jumps and calls, interspersed in an attempt to make it difficult to analyze. Clearly, the authors aren't your average malware writers.
They've even done a clever social engineering trick. The front page of gromozon.com displays the following message:
This is of course a lie, as the site is up and functioning. Please don't visit the page yourself, as this group has used multiple exploits in the past and one small change could mean you will get infected. The investigation of this group is far from over. We still have lots of lingering questions; for example, some of the threats have domains that are never utilized, but were definitely registered by the group. These domains currently resolve to IP addresses in IANA reserved blocks, and one even resolves to an IP address of a governmental system.
UPDATE: If you are infected with this threat, you can remove it using Symantec's LinkOptimizer Removal Tool.