negster22
Security Expert Premium Member
 Joined: Mar 10, 2004 Posts: 5267
Ikeb
Special Response Team Forums Admin
 Joined: Apr 20, 2003 Posts: 16506
Posted: Thu Sep 07, 2006 3:46 am
Why pick on this RK? Is it the most common one?
negster22
Security Expert Premium Member
 Joined: Mar 10, 2004 Posts: 5267
Posted: Thu Sep 07, 2006 4:19 pm
There are a lot of reasons, Ike:
1. There are not that many new public rootkits
2. Because Adware rootkits have the potential of becoming widespread
3. The extremes that are used to prevent its removal are fascinating, and many techniques are used which may potentially produce imitators
4. It disables many rootkit tools - more so than any other rootkit
5. It adapts its infection MO according to the browser being used to widen its net
Another good reason:
http://www.scmagazine.com/us/news/article/591084/gromozon-rootkit-infected-250000-pcs
Quote: "A leading malware research firm in the UK warned on Friday that the nearly undetectable Gromozon rootkit has infected a quarter of a million computers."
For more reading on this threat, you can read the PDF by Prevx researcher Marco Giuliani:
http://pcalsicuro.phpsoft.it/gromozon.pdf - Marco Giuliani
Here are the domains responsible for spreading this threat, courtesy of a Wilders Security Forum member and Prevx; a connection to these servers is required to develop the full infection (please block them):
_________________
Negster22 - MS MVP - Consumer Security 2006-2008
Ikeb
Special Response Team Forums Admin
 Joined: Apr 20, 2003 Posts: 16506
Posted: Mon Sep 11, 2006 4:07 am
Uhh ... missed your response till now, Negster. Thanks for the extra tips.
BTW, perhaps I missed it somewhere, but besides the hosts file block list, is there a good defensive strategy? In particular I'm wondering: could a HIPS program -- such as WinPatrol -- at least represent an early warning system?
TeMerc
Captain
 Premium Member
 Joined: Apr 24, 2004 Posts: 557
Posted: Mon Sep 11, 2006 6:06 am
Ikeb wrote: "BTW, perhaps I missed it somewhere but besides the host file block list, is there a good defensive strategy? In particular I'm wondering could a HIPS program -- such as WinPatrol -- at least represent an early warning system?"
I'm not sure Scotty is powerful enough to stop this Gromozon rk. It's very advanced, to say the least. I have just finished cleaning off my test box, well.....almost finished. While Scotty did a lot of barking, which I allowed because I was looking to get infected, I have been told and had experience with Scotty crashing when it gets overwhelmed by some of the more pervasive malwares.
Not sure I know the actual overpowering mechanism, but it failed on me once or twice.
I do plan however on going back to test Scotty and see how he does. I did notice that the hidden files were almost exactly like files Scotty asked me about. Altho based on some experts, if I go back to the same site, I'm likely to get a different variant of Gromozon.
_________________
Ultimate Countermeasures Page
Malware Advisor Blog
Ikeb
Special Response Team Forums Admin
 Joined: Apr 20, 2003 Posts: 16506
Posted: Tue Sep 12, 2006 4:06 am
To my knowledge Scotty hasn't failed me yet ... not that I deliberately invite malware to infect my computer system. In any case, the HIPS *concept* should in theory detect an RK attack correct? I assume that the RK-cloaked malware invokes processes that are of necessity visible to the OS. If that's true and if WP doesn't measure up due to design flaws, which of the many HIPS programs are recommended?
wawadave
Special Response Team Special Response Team
 Joined: Nov 22, 2002 Posts: 21503 Location: Installing Vista http://tinyurl.com/2l9qyd
TeMerc
Captain
 Premium Member
 Joined: Apr 24, 2004 Posts: 557
Posted: Tue Sep 12, 2006 6:15 am
Ikeb wrote: "If that's true and if WP doesn't measure up due to design flaws, which of the many HIPS programs are recommended?"
I wouldn't say Scotty has a design flaw, inasmuch as it's just not designed to deal with this type of rootkit. Very few tools are designed to handle this rk, unless they are specifically rk tools.
In so far as HIPS goes, after reading quite a bit about them I'd not recommend any to the average n00b, tho I realize this does not apply to you.
I have pretty much zero experience other than what I have read; I'd like to try some soon to get a better opinion for myself.
There are some very deep discussions over at Spyware Warrior about them.
_________________
Ultimate Countermeasures Page
Malware Advisor Blog
Ikeb
Special Response Team Forums Admin
 Joined: Apr 20, 2003 Posts: 16506
Posted: Wed Sep 13, 2006 2:19 am
When it comes to RKs, I'm a n00b! 
TeMerc
Captain
 Premium Member
 Joined: Apr 24, 2004 Posts: 557
Posted: Wed Sep 13, 2006 6:33 am
Ikeb wrote: "When it comes to RKs, I'm a n00b!"
I was referring more to your level of Internet/security experience; you're more of an advanced user, I'm sure.
And as such, I doubt you would even need any such tool. I currently only run with firewall and AV, along with WinPatrol, IE-SPYAD and hosts file. I also use SiteAdvisor as well.
Common sense is the strongest defense against infections.
_________________
Ultimate Countermeasures Page
Malware Advisor Blog
negster22
Security Expert Premium Member
 Joined: Mar 10, 2004 Posts: 5267
Posted: Thu Sep 14, 2006 4:19 am
TeMerc wrote: "Common sense is the strongest defense against infections."
I completely agree with this statement and cannot emphasize enough how important it is.
This threat uses social engineering to persuade users to accept the downloading of a file called www.google.com. IE users may also be asked to accept an ActiveX control object called FreeAccess.OCX. Users should answer 'no' when prompted about these installs. The www.google.com file name was picked to engender trust, in the hope of gaining immediate download approval from users. Its COM extension allows it to be executed just like an EXE file, so it is dangerous. Being an aware surfer that doesn't impulsively answer 'yes' to installation prompts is critical to avoiding these types of threats.
Scotty is not equipped to deal with an all-out nuclear bombardment. Remember - Scotty is not a real-time monitor, but he checks sensitive system components at a preset time interval. Multiple security violations in succession will cause Scotty to go on overload. I think Scotty did his job in warning users that something was wrong, so they could then try to troubleshoot what had happened. He sounded the alarm like a good watchdog.
Many AVs can protect against this threat now, but there still may be new variants that can successfully evade detection because they are constantly morphing.
_________________
Negster22 - MS MVP - Consumer Security 2006-2008
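As an added defender-side example, not code from the original thread or from any tool named in it: a Python heuristic that flags a download whose name reads like a web address but carries a Windows-executable extension (the www.google.com trick described above), and that recognizes a Windows PE image by its MZ stub and PE signature regardless of the extension it was given. All function names are mine; the sample inputs are constructed, with www.google.com and lpt8 taken from the thread.

```python
import re
import struct

# Extensions Windows runs directly; a .com file executes just like an .exe, which is the lure's trick.
EXECUTABLE_EXTENSIONS = {"com", "exe", "scr", "pif", "bat", "cmd", "ocx", "dll"}
# Two or more dot-separated labels before the last one make a filename read like a web address.
HOSTNAME_LIKE_RE = re.compile(r"^(?:[a-z0-9-]+\.){2,}[a-z0-9-]+$", re.IGNORECASE)


def _basename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def is_pe_image(head: bytes) -> bool:
    """True when head starts with a DOS 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
    return head[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def masquerade_findings(filename: str, head: bytes) -> list:
    """Finding codes for a download whose name or content hides a Windows executable.
    filename is the name shown in the browser prompt; head holds the file's first bytes (may be empty).
    """
    name = _basename(filename)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    findings = []
    if ext in EXECUTABLE_EXTENSIONS and HOSTNAME_LIKE_RE.match(name):
        findings.append("hostname-shaped-executable")        # e.g. www.google.com
    if is_pe_image(head):
        findings.append("pe-image")                          # a real executable, whatever it is called
        if ext not in EXECUTABLE_EXTENSIONS:
            findings.append("pe-with-misleading-extension")  # e.g. a PE dropped as lpt8.rgx
    return findings


def _fake_pe(e_lfanew: int = 0x40) -> bytes:
    """Constructed sample: a 64-byte MZ stub plus a PE signature, not a runnable program."""
    stub = bytearray(b"MZ" + b"\x00" * (0x40 - 2))
    struct.pack_into("<I", stub, 0x3C, e_lfanew)
    return bytes(stub) + b"PE\x00\x00"


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: the www.google.com lure and a payload dropped as lpt8.rgx.
    for name, head in [("www.google.com", b""), ("www.google.com", _fake_pe()),
                       ("lpt8.rgx", _fake_pe()), ("report.pdf", b"%PDF-1.4")]:
        print(name, masquerade_findings(name, head))
```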
TeMerc
Captain
 Premium Member
 Joined: Apr 24, 2004 Posts: 557
Posted: Thu Sep 14, 2006 6:06 am
Quote: "Scotty is not equipped to deal with an all-out nuclear bombardment. Remember - Scotty is not a real-time monitor but he checks sensitive system components at a preset time interval. Multiple security violations in succession will cause Scotty to go on overload. I think Scotty did his job in warning users that something was wrong, so they could then try to troubleshoot what had happened. He sounded the alarm like a good watchdog."
Indeed, in my weekend testing with Gromozon, both the files were dropped probably a minute, and Scotty barked twice. Once for the BHO file, which is indicative of Gromo, *****1.dll, and then again with what I'm thinking is perhaps (tho can't know for sure) the infector file, lpt8.exe, which was either the file itself, which was actually with a rgx extension, or Scotty assigned the .exe to the file.
I have a note to BillP and am awaiting his reply. I may go back to grab another payload, but this time letting Scotty deny the entry and see how he fares.
_________________
Ultimate Countermeasures Page
Malware Advisor Blog
negster22
Security Expert Premium Member
 Joined: Mar 10, 2004 Posts: 5267
TeMerc
Captain
 Premium Member
 Joined: Apr 24, 2004 Posts: 557
Posted: Sat Nov 11, 2006 2:08 am
Yeah, you know those scum who write this stuff have to be annoyed to do something so obviously drastic.
But it shows that the tool is indeed more than effective; it's an outstanding tribute to the guys at Prevx.
I just used the tool last nite to remove a Gromo 'kit' I got from one of the latest sites. All cleaned up in a matter of minutes.
_________________
Ultimate Countermeasures Page
Malware Advisor Blog
lkkb
Lieutenant

 Joined: Aug 10, 2005 Posts: 166
Posted: Sat Apr 21, 2007 9:36 pm Post subject: RootKit on Win98SE ?
Negster22, Ikeb, TeMerc,
Excuse me for posting so late on this topic; I have been a little busy elsewhere, and that is not a subject needing discussion here, personal problems.
I am still in limbo on Win98SE and may be here forever. What are the chances of finding any of these removal tools for RKs that will work with my system? So far there have not been any, and I feel there may even be a rkt on my system and do not know how to prove if there are. As one new 'n00b', and maybe could be classified as a possible 'experienced user' and not 'advanced user' where the internet/security is concerned, I always respond with a NO when asked to download any thingy that I have not requested, and also run SBS&D as well as HJT on my system.
I do not even have IE on my system, removed it, using FF v2.0.0.2, and managed a small stand-alone computer system for about 9 years before I retired, with full responsibility for the system security; I fully understand about being secure.
Any suggestions would be of great help,
_________________
TIA, CU L8R, 'Lkkb' - P-III 850MHz, 512Mg, XP HE v5.1/SP-2, IE v7.0, FireFox v2.0.0.14 w/ PasswordMaker v1.7.2, NoScript v1.6.5; CFP v3.0.25.378, SBS&D v1.5, AntiVir v8.01.xxx