Security company Prevx has released details of a bizarre mini-war that has developed between itself and the creators of the notorious Gromozon malware website.
On September 1st, Prevx was among the first to release an update for its Prevx1 anti-malware tool to block malware emanating from a web of Trojan-infected websites which turned out to have gromozon.com at its heart.
The purpose of Gromozon appears to have been to infect users of Italian blogs and message boards with software for the purpose of generating fraudulent traffic to websites and, where appropriate, installing a premium-rate dialler. Displaying a range of complex behaviour, an ability to evolve rapidly, and the willingness to defend itself from counter-measures, Gromozon is considered among the most complex malware systems yet to emerge.
On September 20th, Gromozon's authors released a revised set of malware containing a rootkit which attempted to block sites – Prevx included – that had announced filters protecting against it. Prevx released a further tool within days to counter the rootkit subversion, only to discover that subsequent attacks now featured an extraordinary direct attack on the company itself. Anyone attempting to block the tool with anti-malware programs from a range of security companies would be confronted with a dialog box that claimed to be from Prevx, and one of its researchers, Marco Giuliani.
“This program was blocked by our advertisement tool. Please visit http://www.REMOVED.com and make donation. Thanks for cooperation. Marco Giuliani & Prevx.com Team,” it read. There were also references to Prevx embedded in files used by the program, designed to confuse users.
According to Jacques Erasmus of Prevx, Gromozon's creators have taken the companies blocking personally, an unusual occurrence in an industry normally one of criminal impersonality. The current version of Prevx blocked Gromozon successfully, he said.
“It's them getting really frustrated at not being able to get round our tool,” he suggested. “We'll have to wait and see what their next move is.”
The oddity of Gromozon is that it attacks one of the Internet's backwaters, Italy, using levels of sophistication unnecessary to infect users with humble click-fraud tools and premium-rate diallers. This suggested that it was a proof-of-concept, presaging further and more serious attacks in future, Erasmus said.
Gromozon's authors appear to have thought through not only the blocking of the malware, but the need to keep new versions away from security researchers. There was evidence that the malware ran checks on the geographical location of those downloading it in an attempt to avoid being detected by security researchers in places such as the US.
The Gromozon family of websites, which constantly changes, uses a particular hosting company in the Ukraine. “You need to know someone to get an account there,” said Erasmus.
Although the named domain had now been taken down, “Gromozon.com is not being hosted in a country with proper legislation,” which made it difficult to tackle.
Marco Giuliani of Prevx has published a detailed analysis of the Gromozon phenomenon.