Posts tagged as:

Rootkit

New Gromozon strategy

by certifiedbug on November 15, 2006

in Security

PC al Sicuro

As everyone could have expected, the Gromozon team has started a new attack using a new strategy, showing great programming skills. We're monitoring the situation and I'll write updates as soon as possible. I'm updating Prevx to detect these new files.

After the Gromozonites have infected computers, stolen the owners' identities and caused misery, no doubt the Grinches sleep well counting cash instead of sheep.


Gromozon Server taken down in the USA

by certifiedbug on November 11, 2006

in Security

On November 10, 2006, Corrine at the Security Garden wrote asking people to help bring the latest Gromozon shenanigans to light.

PC al Sicuro

Marco:

Finally some good news. We successfully obtained the shutdown of one of the servers that were spreading Gromozon. The server, hosted in the U.S., was taken offline today and will be placed under investigation.
We at Prevx will continue monitoring the situation for new Gromozon variants, providing the technical side. Now, finally, there is someone who will manage the legal side too.
Our thanks go to those who helped us take down the website.

From acorns big trees grow. ;)

Update from PC al Sicuro

During these hours, it looks like almost all of the domains used to spread Gromozon - except two - are down.


Malware maker tries to smear security researcher

by certifiedbug on November 10, 2006

in Security

The sleaze behind the Gromozon infection have inserted code into the program, making their nasty creation appear to be authored by a legitimate security researcher, Marco Giuliani.

In fact, Marco Giuliani created the Gromozon removal tool for Prevx that I previously blogged about under "Gromozon Rootkit."

SunbeltBLOG
Marco’s site: PC Al Sicuro



Gromozon Rootkit

by certifiedbug on August 24, 2006

in Security

Wilders Security Forum topic:
Marco Giuliani has written about this malware, which emerged from a domain called Gromozon, from which the rootkit received its name.

Most people need guidance as to whether or not to attempt to remove such infections or reformat, so consider going to a security site and receiving assistance from volunteer malware fighters if you believe your PC has been compromised.

There are too many to name here, but a short list can be found in the right side panel here under Security Forums.

On a related note, Sophos has released a free anti-rootkit tool which joins others already offered by F-Secure, Grisoft, BitDefender, and Sysinternals among others.
List of available products at AntiRootkit.com

Update, 09-01-06:

Prevx has released a standalone Removal Tool.


Poker Rootkit

by certifiedbug on May 17, 2006

in Security

F-Secure
Wednesday, May 17, 2006
Posted by Kimmo @ 13:34 GMT
How’s your poker face?

Last Wednesday evening, the 10th of May, we received an interesting sample from a user. It was a normal PE executable named RBCalc.exe and the submitter described it as a rootkit. We proceeded with the sample as usual, beginning analysis on it. It wasn’t long at all before we noticed it contained a nasty surprise. RBCalc.exe, also known as Rakeback calculator, was actually a Trojan. When RBCalc.exe is run, it silently drops four executable files into the user’s %SystemRoot%\system32 folder and executes them.

The purpose of the dropped executables is to collect login information for various online poker websites from the user's computer and send it back to the malware author. In addition, the main malware component was protected by a rootkit driver that hid its process and its launch point in the registry.

The serious thing here was that RBCalc.exe was distributed by checkraised.com - a website that provides tools, articles and other various applications to all poker players. As a result, many online poker players could have been affected by this targeted attack.
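The F-Secure write-up above says the rootkit driver hid the main component's process and its registry launch point, and the earlier "Gromozon Rootkit" post lists the anti-rootkit tools of the time (Sophos, F-Secure, Sysinternals and others). What most of those tools have in common is cross-view detection: enumerate the same objects once through the high-level, hookable API and once through a lower-level path the rootkit is less likely to filter, then report anything that appears in only one view. The following is an added example of that comparison logic, not code from F-Secure, Prevx or any of the tools named on this page; the process and Run-key snapshots in it are constructed sample data, and `hidden_collector.exe` is a made-up name standing in for the hidden component, whose real file names the page does not give.

```python
"""Cross-view rootkit detection: diff a hookable-API enumeration against a
low-level enumeration of the same objects (processes, autostart entries).

The snapshots at the bottom are constructed sample data, not real captures.
On a live Windows box the two collectors would be, for example, Toolhelp32
versus an OpenProcess() sweep over all PIDs for processes, or RegEnumValue
versus a raw hive parse for Run-key entries. Those collectors are assumed,
not implemented here; only the comparison is shown.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Discrepancy:
    kind: str      # "process" or "autostart"
    name: str      # normalized object name
    verdict: str   # "hidden": low-level view only; "phantom": API view only


def _normalize(names):
    # Windows object names are case-insensitive; compare on a canonical form
    # and drop empty entries that a collector might emit for unreadable slots.
    return {n.strip().lower() for n in names if n and n.strip()}


def cross_view(kind, api_view, raw_view, transient=()):
    """Return the discrepancies between two enumerations of the same objects.

    Names in raw_view but not in api_view are the rootkit signature: the
    hookable API is lying about what exists. Names only in api_view are
    normally processes that exited between the two passes; the caller lists
    those in `transient` so they are not reported as phantoms.
    """
    api, raw = _normalize(api_view), _normalize(raw_view)
    skip = _normalize(transient)
    found = [Discrepancy(kind, name, "hidden") for name in sorted(raw - api)]
    found += [Discrepancy(kind, name, "phantom") for name in sorted(api - raw - skip)]
    return found


def scan(process_views, autostart_views, transient=()):
    """Run cross-view over processes and autostart (Run-key) entries.

    Each *_views argument is a pair (api_view, raw_view). Processes are
    checked first because a hidden process is the strongest indicator; a
    hidden autostart entry with the same name then explains its persistence.
    """
    api_procs, raw_procs = process_views
    api_runs, raw_runs = autostart_views
    return (cross_view("process", api_procs, raw_procs, transient)
            + cross_view("autostart", api_runs, raw_runs))


# Constructed sample snapshots (hypothetical, not from a real machine).
# notepad.exe exited between the two passes; hidden_collector.exe is the
# stand-in for a component the rootkit driver filters out of the API view.
API_PROCESSES = ["System", "smss.exe", "csrss.exe", "explorer.exe",
                 "svchost.exe", "pokerstars.exe", "notepad.exe"]
RAW_PROCESSES = ["System", "smss.exe", "csrss.exe", "explorer.exe",
                 "svchost.exe", "pokerstars.exe", "hidden_collector.exe"]
API_AUTOSTART = ["ctfmon.exe", "SoundMan.exe"]
RAW_AUTOSTART = ["ctfmon.exe", "SoundMan.exe", "hidden_collector.exe"]


if __name__ == "__main__":
    findings = scan((API_PROCESSES, RAW_PROCESSES),
                    (API_AUTOSTART, RAW_AUTOSTART),
                    transient=["notepad.exe"])
    for d in findings:
        print(f"{d.kind:9} {d.verdict:8} {d.name}")
```

The value of the technique is entirely in the independence of the two views: if the low-level collector goes through the same hooked code path as the high-level one, the diff is empty and the scan proves nothing. That is also why a rootkit author who knows a given scanner exists can defeat it by hiding consistently from both of that scanner's paths, which is the cat-and-mouse game the 2006 tools were playing.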

Monday, May 15, 2006
Posted by Mikko @ 04:07 GMT

Relating to our earlier post on the RBCalc rootkit, we’ve received some questions on what the malicious RBCALC.EXE application looked like.
Here are some screenshots:

We’ve also updated our technical description of this backdoor, complete with a list of poker applications that are targeted:

PartyGaming.exe
mppoker.exe
poker.exe
gameclient.exe
ultimatebet.exe
absolutepoker.exe
mainclient.exe
pokerstars.exe
pokerstarsupdate.exe
partypoker.exe
fulltiltpoker.exe
pokernow.exe
multipoker.exe
empirepoker.exe
eurobetpoker.exe

CheckRaised:

NOTICE: POSSIBLE VIRUS IN RBCALC. PLEASE READ

In December 2005 we contracted a programmer to create a rake calculator for us. The rake calculator (known as rbcalc, rbcalc.exe) was an executable file that a player would run on his machine to calculate rake from hands he previously played (stored in hand history files or a poker tracker database).

It has recently come to our attention that early versions of this program that we received contained a virus that installs itself every time the user runs rbcalc.

The virus goes undetected by Norton AntiVirus and Microsoft Defender, even to this day. This is why we never noticed it until a 3rd party contacted us about the malicious software.

If you have ever used rbcalc please read the following to check if the malicious software is on your machine and how to remove it. This virus could also come bundled with other poker applications, so please read the following even if you have never heard of rbcalc.