Unfortunately Gromozon is not a single infection, but a blended attack designed
to bypass traditional anti-malware tools. The end result meaning that the
machine is not only infected by several well known Trojans but also a highly
dangerous Rootkit. Traditional AV vendors are at the moment dealing with the
known infections but overlooking the rootkit.
The path of infection is thus:
• On visiting an infected website an obfuscated JavaScript is run.
• The user is forwarded to another site which contains a further obfuscated
JavaScript. This connects to a network of websites which are used to launch the
infection routine. These websites are constantly changing and since May 2006
have become considerably more numerous
• A server side script is run to analyse the user agent (web browser) under
which the user is visiting. Different attack methods are then launched depending
on whether the user is running Opera, Firefox or Internet Explorer.
For Internet Explorer, the victim is presented with the option to install an
ActiveX control called FreeAccess.ocx This is actually copied into the Windows
system32 folder as a randomly named DLL.
Firefox and Opera undergo a very clever piece of social engineering. What
appears to be a link to www.google.com is presented to the victim. This
unfortunately is not a hyperlink but in fact a cleverly hidden .com file. Once
accepted and run, a randomly named DLL is again installed to the windows
system32 folder.
• Once the DLL agent is installed, various pieces of Adware are downloaded and
installed onto the machine. Examples are the Bravesentry and LinkOptimizer
Trojans. The real payload is then downloaded to the victim's computer. Both a
Rootkit and service component are installed along with a hidden windows user
account. The main purpose of this is to enable the Adware which was previously
installed to be hidden from any Anti-malware tools installed on the machine
Program Information Category:
Tools and Utilities Type:
Free Version: 1.0 Size: 720KB Works on: Windows