Rootkit leaves false trail to 'accuse' Prevx of infections

In hackers' latest move in the cat and mouse game with security companies, the hackers that created Gromozon redesigned the malware last week to include pop-ups and other fake clues to trick the infected user into thinking United Kingdom-based Prevx is the source of infection.

Prevx has lead the fight against Gromozon since it began popping up on Italian users' systems in May. This complicated and nasty package of software relies on a rootkit to remain on infected systems and at the time was difficult to remove through traditional means, said Jacques Erasmus, director of malware research for Prevx.

"At that time there wasn't any tool to remove it, there was a long manual procedure that didn't work very well most of the time," he said. "So we decided to spend some time to make a tool to remove it."

Prevx worked this summer studying Gromozon and the moves its creators were making with the malware. In early September, the company released a tool specifically designed to remove it from systems. That month, users flocked to the site and Prevx logged between 1,500 to 2,000 downloads of the tool each day.

The tool worked so well that it forced the Gromozon creators' hands - by late September the hackers released a new version that blocked users from accessing the Prevx site and blocked an infected system from opening the tool from alternative means such as a memory stick.

"At that point, our tool was pretty much useless because people that were infected couldn't run it," Erasmus said. "We used the approach of using random file names and packing with a very sophisticated packer to encrypt the file. It seems to have worked."

The methods did work, as evidenced by the malware creators' latest last-ditch efforts to foil Prevx.

"They decided they couldn't really block our tool any more, so they accused us of writing the rootkit," Erasmus said.

When a user attempts to use any kind of tool to disable Gromozon, a pop-up appears that seems to be signed by "Marco Guiliani & Prevx.com Team."

"Also inside the code of the rootkit there's a lot of references saying like, for instance, ‘Written by Marco Guiliani,' who is one of our researchers. And ‘Internal, do not distribute, Copyright Prevx,'" Erasmus said. "They're really into targeting us at the moment, which is good in some ways and bad in other ways because you never know what is coming next."

He said Prevx first heard about the problem when Guiliani began getting ICQ messages from irate users who "found" his contact code in the malware. Now the company is fighting to get the word out that this is a malevolent hoax, he said.

"In general, most people can see that it is a hoax, but definitely we are trying to make as many people aware as possible that it is not us doing this," he said.

Even other antivirus companies are coming to Prevx's defense to get the word out. Today the researchers at F-Secure posted a blog about the latest tack from Gromozon's writers. F-Secure warned readers about the pop-up and credited Guiliani as being "one of the first researchers to study Gromozon in depth and to provide a disinfection tool."

"Of course, Prevx and Marco Giuliani have nothing to do with the malware. On the contrary, they are active members of the community that struggles everyday for computer users' safety," wrote Paolo Monti on the F-Secure blog. "It will be really interesting to see what Gromozon's next move will be."

Click here to email Ericka Chickowski.

Sign up to our newsletters