Prevx has lead the fight against Gromozon since it began popping up on Italian users' systems in May. This complicated and nasty package of software relies on a rootkit to remain on infected systems and at the time was difficult to remove through traditional means, said Jacques Erasmus, director of malware research for Prevx.
"At that time there wasn't any tool to remove it, there was a long manual procedure that didn't work very well most of the time," he said. "So we decided to spend some time to make a tool to remove it."
Prevx set to work over the summer studying Gromozon and the moves that its creators were making with the malware. In early September the company released a tool specifically designed to remove it from systems. That month users flocked to the site and Prevx logged between 1,500 to 2,000 downloads of the tool each day.
The tool worked so well that it forced the Gromozon creators' hands—by late September the hackers released a new version that blocked users from accessing the Prevx site to download the tool and blocked the system from opening the tool from alternative means such as a memory stick.
"At that point our tool was pretty much useless because people that were infected couldn't run it," Erasmus said. "We used the approach of using random file names and packing with a very sophisticated packer to encrypt the file. It seems to have worked."
The methods worked, as evidenced by the malware creators' latest last-ditch efforts to foil Prevx. "They decided they couldn't' really block our tool any more, so they accused us of writing the rootkit. Erasmus said.
"When a user attempts to use any kind of tool to disable Gromozon, a pop-up appears that seems to be signed by "Marco Guiliani & Prevx.com Team.
"Also inside the code of the rootkit there's a lot of references saying like, for instance, ‘Written by Marco Guiliani,' who is one of our researchers. And ‘Internal, do not distribute, Copyright Prevx.'" Erasmus said.
"They're really into targeting us at the moment, which is good in some ways and bad in other ways because you never know what is coming next."
He said that Prevx first heard about the problem when Guiliani began getting ICQ messages from irate users who "found" his contact code in the malware and were writing to berate him. Now the company is just fighting to get the word out to users that this is a malevolent hoax, he said.
"In general most people can see that it is a hoax, but definitely we are trying to make as many people aware as possible that it is not us doing this," he said.
"In fact, even other antivirus companies are coming to Prevx's defense to get the word out. Today the researchers at F-Secure posted a blog about the latest tack from Gromozon's writers. F-Secure warned readers about the pop-up and credited Guiliani as being "one of the first researchers to study Gromozon in depth and to provide a disinfection tool."
"Of course, Prevx and Marco Giuliani have nothing to do with the malware. On the contrary, they are active members of the community that struggles everyday for computer users' safety," wrote Paolo Monti on the blog. "It will be really interesting to see what Gromozon's next move will be."
Rootkit leaves false trail to 'accuse' Prevx of infections
By Ericka Chickowski on Nov 10, 2006 11:23PM
In their latest move in a game of cat and mouse with security companies, the hackers that created Gromozon redesigned the malware over the last week to include pop-ups and other fake clues to trick the infected user into thinking UK-based Prevx is the source of infection.
Got a news tip for our journalists? Share it with us anonymously here.