Gromozon has evolved

Gromozon, just about the nastiest piece of malware/spyware we’ve ever seen, dropped off the radar recently (I had described it in an interview with Search Security as a piece of malware that “drips blood”).

However, it’s techniques have evolved. The same people behind it are now using a variant of the Rustock trojan, Rustock.b (Rustock.a has been around since around June).

Now, we’ve only seen Gromozon in Italy (researchers — you need an Italian IP to get the malware). Why Italy, you ask? I would guess poor legislation and enforcement, and a plethora of vulnerable machines.

Symantec actually had a pretty good writeup on this trojan.

- Rootkit detectors can detect hidden processes, but Rustock.A has no process. The malicious code runs inside the driver and in kernel threads.

- Rootkit detectors find hidden files, so Rustock.A uses NTFS Alternate Data Stream

to hide its driver into the "\System32:18467" ADS. In addition, this ADS can't be enumerated by ADS-aware tools since it is protected by the rootkit.

- Some detectors check for the presence of system hooks by analyzing native API

and scanning for hooked functions, however Rustock.A does not hook directly any native API.

- Rootkit detectors also check for the integrity of some kernel structures like the Service Descriptor Table, but Rustock.A controls kernel functions by hooking MSR_SYSENTER and other special IRP functions. [2]

- Rootkit detectors try to detect hidden drivers, but Rustock.A removes its entries from many kernel structures including the Services Control Manager, Object manager, and the loaded module list so that this enumeration fails.

- Last, but perhaps not least, the SYS driver is polymorphic and changes its code from sample to sample.

Moreover, the malware contains aggressive rootkit technologies because it scans for the following strings in loaded programs, and then changes its behavior to avoid any detection:

- BlackLight

- Rootkitrevealer

- Rkdetector

Note the statement “Rustock.A has no process. The malicious code runs inside the driver and in kernel threads,” and then the statement that it changes its behavior to avoid detection by the popular rootkit detection programs BlackLight, Rootkitrevealer and Rkdetector. And, “It even seems able to achieve all of its stealth functionality without any problems on a beta version of Microsoft Windows Vista.”(Note that despite vehement opinions otherwise, this is one more reason why Microsoft needs to release the 64 bit Patchguard APIs earlier than 2008. We cannot even imagine what future threats might look like.)

So you get the picture? This is one really nasty little bastard. I feel sorry for Italians!