Malware Look Alike Spaghetti
A message that asks users to visit a site named Gromozon.com is spamming
blogs and forums in Italy. The site leads to malware being installed on
the users' computers. The malware, called 'LinkOptimizer', is a dangerous
rootkit application.
The rootkit can affect both Firefox and Internet Explorer users. It is
somewhat more destructive to IE, as it is known to exploit an IE flaw
described in 'Microsoft Security Bulletin MS06-006'. Once a system is
infected, the malware can make expensive phone calls and display adverts
on the PC screen while the user browses the Internet.
The malware installs a special object into Internet Explorer, which
downloads a GIF image with an encrypted string attached. When the object
decrypts the string, it loads malicious executables onto the system.
Eric Chien of Symantec explains that the malware contains two executables:
a variant of LinkOptimizer and the EFS or 'Encrypted File System'
executable. The first one dials expensive phone numbers and displays
pop-up advertisements as the user browses the Internet. The EFS executable
checks for its own updates from another domain. It uses the 'Windows
Encrypted File System' to hide itself like a rootkit, so the user can
neither find nor delete the file.
Symantec calls these threats 'spaghetti threats'. The reason given by
Chien is as follows:
The name chosen is not because the threat targets Italian computer users.
However, it is related to something Italian: the code in every
executable resembles a plate of spaghetti. In other words, the code is
twisted and full of "jumps and falls" intermingled in a manner that makes
it nearly impossible to analyze and detect. The authors of the executable
are very skilled and are no average malware writers.
Chien further adds that the Gromozon rootkit is very dangerous malware
because it can't be detected by standard security appliances and leads to
illegal use of a PC that can result in identity fraud.
Mel Morris, CEO of Prevx, stated that Gromozon is malware that evades
security products easily. The company has released a removal tool for the
Gromozon rootkit, available on its website.
SPAMfighter News - 11-09-2006