
(Real Tech News)   Gromozon: aka, one nasty rootkit   (realtechnews.com)
    More: Scary

24662 clicks; posted to Main » on 24 Aug 2006 at 12:12 PM (7 years ago)



108 Comments

Archived thread
 
2006-08-24 12:07:08 PM
Oh no, Gromozon is destroying Tokyo!!!
 
2006-08-24 12:17:13 PM
Gramophone is destroying Tokyo?
 
2006-08-24 12:17:13 PM
www.haikosfilmlexikon.de
 
2006-08-24 12:20:24 PM
www.public.asu.edu

TFPDF: The last weapon in the attacker's arsenal is the rootkit
 
2006-08-24 12:20:31 PM
www.myimagebuddy.com
 
2006-08-24 12:21:43 PM
Hey, that's pronounced Go-mo-jee-on

/just getting ahead of the nippophile nazis
 
2006-08-24 12:21:55 PM
www.beefyness.com
 
2006-08-24 12:22:23 PM
Wait, I thought Windows was "secure" now... At least that's what MS keeps telling me.
 
2006-08-24 12:22:31 PM
This is why everyone should switch to AmigaOS.
 
2006-08-24 12:23:07 PM
Have we already farked the PDF on what it actually does?
 
2006-08-24 12:23:16 PM
but it's a dry heat

Gamera is really neat,
He is full of turtle meat,
We all love you, Ga-mer-a!
 
2006-08-24 12:26:06 PM
What a completely horrible article.
 
2006-08-24 12:26:13 PM
Suse 10

/preemptive
 
2006-08-24 12:27:35 PM
That's why I use the abacus. I just add the zeroes and ones manually, and, presto, surfing the InterTubes is completely safe!
 
2006-08-24 12:28:49 PM
The reason I use Linux when I search that intraweb thingy.
 
2006-08-24 12:29:23 PM
img99.imageshack.us
 
2006-08-24 12:29:40 PM
Hrm, I don't like gorgonzola cheese either. Something with words that start with "g", has 3 "o's" and a "z" in it.
 
2006-08-24 12:29:45 PM
meshman:

What a completely horrible article.

The PDF it linked was VERY interesting.
 
2006-08-24 12:30:11 PM
Hey, it's not just a truck you can dump things on!
 
2006-08-24 12:30:52 PM
slayer199: The PDF worked for you? It was farked for me...can you clarify wtf the article is trying (but fails) to say?
 
2006-08-24 12:30:59 PM
I read the full PDF.

That is one piece of badass malware.
 
2006-08-24 12:31:07 PM
Hmmm, this ADS thing looks interesting though...
 
2006-08-24 12:31:29 PM
Dr. Frisbee: The reason I use Linux when I search that intraweb thingy.

Using Linux to surf the Internet is like masturbating with a cheese grater.

/Linux lover
//but the truth is the truth
 
2006-08-24 12:32:30 PM
One suggestion to all... use GMER! It is a great AV/Rootkit detector/removal app.....and free.
 
2006-08-24 12:33:50 PM
It is a 20-page PDF, so just let it load a while. It is an interesting analysis, but I couldn't find anything really credible about it spreading, like a CERT header or something; they did link to an isc.sans article. Anyone have any other better articles?
 
2006-08-24 12:34:03 PM
boot20: The PDF worked for you? It was farked for me...can you clarify wtf the article is trying (but fails) to say?

Here's a mirror. (no pop)
Let's hope I can stand the load.
 
2006-08-24 12:34:42 PM
As far as the alternate data streams go, they have been around since NT 4 and NTFS started... check out http://www.heysoft.de/nt/ep-lads.htm; it is a tool to list AD streams.
 
2006-08-24 12:35:19 PM
err NT 3.5 :)
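A defender's check for the alternate data streams mentioned above, written as an added example for this thread (it is not the LADS tool or anything from the linked PDF): it walks a directory, lists every NTFS stream other than the file's own `:$DATA` content, skips the benign `Zone.Identifier` mark that browsers add to downloads, and flags streams that begin with the `MZ` header of a Windows executable. Assumes Windows PowerShell 3.0 or later on an NTFS volume; `$Root` is an assumed parameter.

```powershell
# Added example: enumerate non-default NTFS alternate data streams under $Root
# and flag any that look like a hidden PE executable.
param(
    [string]$Root = "$env:USERPROFILE\Downloads"   # assumed starting directory
)

# Zone.Identifier is written by browsers on downloaded files and is expected.
$BenignStreams = @('Zone.Identifier')

Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # -Stream * returns one object per stream; ':$DATA' is the ordinary file content.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $BenignStreams -notcontains $_.Stream } |
            ForEach-Object {
                # Read the first two bytes of the stream; 0x4D 0x5A ('MZ') marks a PE file.
                # On PowerShell 7 replace '-Encoding Byte' with '-AsByteStream'.
                $bytes = Get-Content -LiteralPath $file.FullName -Stream $_.Stream `
                             -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
                $looksLikePE = ($bytes.Count -eq 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
                [PSCustomObject]@{
                    File        = $file.FullName
                    Stream      = $_.Stream
                    SizeBytes   = $_.Length
                    LooksLikePE = $looksLikePE
                }
            }
    } | Format-Table -AutoSize
```

A stream that is not `Zone.Identifier` and carries an `MZ` header is worth pulling with `Get-Content -Stream` for closer inspection; the same listing run from a clean boot environment also exposes streams a kernel-mode rootkit would hide from the live system.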
 
2006-08-24 12:37:38 PM
Using Linux to surf the Internet is like masturbating with a cheese grater.

Haha
It's not that bad. I have most of the plug-ins so I can do anything I want on Linux that I would normally do on my Windows OS. Of course I normally don't do anything fancy. A couple news sites, Fark, maybe some youtube goodies, what-not.

Of course I do dual boot, so if there ever is a problem I could just go back to Windows. I just don't feel safe on the web with it. Even normally "safe" sites can get you crap. And if I do use Windows, I use Firefox or Opera.
 
2006-08-24 12:39:20 PM
Dr. Frisbee: The reason I use Linux when I search that intraweb thingy.

Not sure if this was meant to be ironic, but that's probably not going to help much. Linux and UNIX rootkits are pretty sophisticated, but what sets some of these apart is the degree of specialization that malicious people have gone through in deploying these programs. As users have become better at installing and using protective, heuristic measures like anti-malware and anti-virus programs, malware authors have adapted their strategies.

I'm relatively impressed that at least in this example the attacker automated so many methods of attack. As the article points out, the vector in all cases is Javascript, but the work is being done on the server.
 
2006-08-24 12:39:24 PM
trezor: That is one piece of badass malware.


I concur - pretty complex in design, but not really breaking new ground in infection vectors, or hiding. Last year's tech, at best.
 
2006-08-24 12:39:55 PM
www.otherimagespress.com

Some people could benefit from rootkits.
 
2006-08-24 12:40:03 PM
boot20: The PDF worked for you? It was farked for me...can you clarify wtf the article is trying (but fails) to say?



Sure:

EVERYBODY PANIC!!!!
 
2006-08-24 12:41:40 PM
Starboard: I concur - pretty complex in design, but not really breaking new ground in infection vectors, or hiding.

The big question is what advances are being made in behavioral analysis technologies that can detect these types of issues, and what countermeasures are being taken by malicious users to subvert detection.
 
2006-08-24 12:42:13 PM
Muddle: Using Linux to surf the Internet is like masturbating with a cheese grater.

If you have a problem with Linux surfing the web, then you simply need to get a better browser, not a better OS.

And you avoid this rootkit.
 
2006-08-24 12:42:54 PM
Muddie: I don't notice a difference since I don't allow javascript or flash. Clientside scripting is farking evil.

Oh and it is an interesting PDF, but I honestly haven't seen much in the way of it spreading in the wild. It also seems to me that a simple host.deny would mitigate the threat significantly.
 
2006-08-24 12:44:29 PM
Solution: Use Firefox with the NoScript plugin.
 
2006-08-24 12:45:27 PM
What I want to know is this:

Who fronted the cash to develop this... thing?

Does anyone have a reasonable, educated guess what time and resources went into developing something like Gromozon?
 
2006-08-24 12:45:31 PM
LocalCynic: The big question is what advances are being made in behavioral analysis technologies that can detect these types of issues, and what countermeasures are being taken by malicious users to subvert detection.


That's a loaded question, if I ever saw one. Here's the bleeding edge of rootkits:
http://invisiblethings.org/papers.html

Expect to see this in the wild early next year.
 
2006-08-24 12:46:09 PM
The one thing I'm curious about: what symptoms would the normal luser actually see, other than a crash? What is the purpose of this [ rather expensive implementation of ] malware? I mean, they keep registering domain names, so either someone's rich and bored, or someone's selling something.

What are they selling? And where can one get a sniper rifle to remove the CEO of that company?
 
2006-08-24 12:47:27 PM
They're just taking a page out of Zombo's book.

At Zombocom, you can do anything!

At Gromozon, it can do anything to you!
 
2006-08-24 12:50:05 PM
Anybody ever tried to load so many rootkits that the crackers in your system start stealing each other's passwords?
 
2006-08-24 12:52:27 PM
muninsfire

These droppers are only in it for the money. Their whole purpose is to give more vectors for spam attacks, viruses, and installing their affiliate popup generators on your computer. It's one of those numbers games; they do one or two computers, it's not worth it, but a few ten thousand, and suddenly, it's pretty lucrative.
 
2006-08-24 12:57:31 PM
goldoche: Anybody ever tried to load so many rootkits that the crackers in your system start stealing each other's passwords?

No, I skipped over installing Windows ME.
 
2006-08-24 12:58:43 PM
I always wondered if one could hack the hacker's PC by directing some code at their computer from a fake "trojan'ed" PC and inflict some sort of overflow attack or something. In other words, hack their trojan client when they try to connect to you.
 
2006-08-24 12:58:50 PM
LocalCynic

That may be true, but not many people will bother to program one for Unix or Linux and put it on a website. The install base is too small, and cracking those OSes is not all that easy.
 
2006-08-24 01:00:07 PM
LocalCynic: The big question is what advances are being made in behavioral analysis technologies that can detect these types of issues, and what countermeasures are being taken by malicious users to subvert detection.


You're always going to have domain and IRC channels, for control, to be blocked. And more importantly you're always going to have binary signatures that can be matched and real-time blocked by network and desktop components. I'm not even remotely sweating some new scare.
 
2006-08-24 01:01:28 PM
goldoche

Actually, a guy I chat with from time to time on IRC did exactly that. Installed every spyware program he could find. Eventually, he could only load Windows in VGA mode, and all but about a 20-or-so-pixel row of the IE window was spyware toolbars. It took about 10 minutes to boot Windows, and IE simply would not load any pages; it would just give weird JavaScript errors and the like.
 
2006-08-24 01:02:52 PM
Starboard: That's a loaded question, if I ever saw one.

Yes and no. Yes in that I'm assuming that certain behaviors are suspect, but no in that I think a pound of prevention is worth an ounce of cure. I don't think we've quite reached the point of integration where the "Blue Pill" virtualized attack would work. It's a theoretical possibility, but it still would require a classical rootkit technique like unhooking and thread injection. I don't see where you can get to the logical step of a virtualized process infecting the host OS unless you have a service that allows said ability.

My point in sum was that our current security paradigm focused exclusively on prevention and removal, with little emphasis on detection and containment, isn't going to work for much longer.
 
2006-08-24 01:03:07 PM
SWOrah: if one could hack the hacker's PC by....
Yup. Can be done, and has been done. Sometimes, with hilarious results.
 
Displayed 50 of 108 comments
