You know you're doing a good job when the bad guys bite back...

Check this out:
http://www.techworld.com/security/news/index.cfm?newsID=7280

Basically what has happened is some bad guys created and released malware called Gromozon. Then, a security company called Prevx was among the first in the world to release a tool that successfully cleaned the Gromozon infection off computers.

Those behind Gromozon upped the ante, revising their malware, adding a rootkit and blocking access to Prevx and several other sites. Prevx responded by updating *their* tool.

Now, in a very unusual twist, those behind Gromozon have changed their malware again, but this time if anybody tries to get rid of Gromozon using various antimalware tools, the following window appears:

Very cheeky, yes? Of course, Marco and the Prevx.com team have got nothing to do with the window that has popped up. It is no more than a trick by the low-lifes behind Gromozon.

To paraphrase Robert Burns:

'The best laid schemes o' mice an' men
Gang aft agley' (Oft go awry)

Those behind Gromozon may be their own worst enemies. Already word of their shenanigans has appeared on Digg, pcalsicuro.com, f-secure, securitygarden.blogspot.com, antirootkit.com, sunbeltblog.blogspot.com and vitalsecurity.org.

I'm sure the Gromozon guys thought it was funny at the time, but here's the thing about pushing malware - the most deadly events for malware purveyors are recognition and publicity - and boy, are these guys getting that. The real smart criminals behind malware have learned to fly under the radar and do everything they can to avoid attention, and detection, and publicity. Are those behind Gromozon smart? Well, they can write code, but as their behaviour proves, being brainy does not make you smart.

The more people know about Gromozon, and the more people promote and host Prevx's repair tool; the more people blog and say "look at what the idiots behind Gromozon are doing", and the more people spread the word about how to get Gromozon off systems and defeat the tricks Gromozon uses to try and thwart removal, and more the more the anti-malware community join together to fight those behind Gromozon, the harder it is going to be for the Gromozon guys to succeed.

Not only that, by drawing the ire of the anti-malware community those behind Gromozon have awoken a bit of a sleeping giant. As you will see from the Security Garden blog entry already mentioned, the dialogue box is not the only trick being used. Some sites that infect systems with Gromozon are mentioning Marco in the page's code. I'm loving the reference to Interpol that Corrine quotes.

Good on ya Gromozon guys... I think you have just shot yourselves in the foot - are you jumping from fright every time there's a bang on your door, or a car pulls into your driveway, or the phone rings? Perhaps you should be getting nervous if Interpol really are getting involved Big Smile

Published Sat, Nov 11 2006 11:33 by sandi

Comments

# re: You know you're doing a good job when the bad guys bite back...

Saturday, November 11, 2006 2:41 AM by Stubbs100

Thanks for making your readers aware of this. It is true the writers of Gromozon have started to target Prevx1 and Marco. We picked up on this via Marco as the infection is only targeting Italian website and the concern is this is only a proof of concept malware. It would appear the writers are testing this particularly malicious rootkit to see just how many systems they can infect and the assumption is when they feel it is ready they will launch this on a much wider scale. Prevx Support