Spaghetti Threatens Italian Computers



David Utter
Staff Writer
2006-08-31

A convoluted puzzle of malicious code lies at the end of URLs being spammed into Italian blogs and forums, as attackers deploy a lengthy chain of code that leads to malware.

For people who followed links from an assortment of postings on those Italian sites, the path may have led them to gromozon.com (do not visit that site!). That final destination delivers a nasty piece of malware called LinkOptimizer.

Symantec's Eric Chien posted to the company's Security Response Weblog about the malware's effects. Once in place on a PC, it will dial "a high-cost phone number and then displays advertisements when browsing the Internet."

Visitors who end up at the malicious site can be victimized whether they are running Internet Explorer or Firefox. It appears to be a little more dangerous on the IE side: Chien explained that the site tries to detect the visiting browser and will "attempt to exploit" an IE vulnerability. The flaw targeted has changed several times; Chien noted that it currently tries to attack the one described in Microsoft Security Bulletin MS06-006, a bulletin Microsoft issued in February 2006, so a system kept current on patches was not exposed to that particular exploit.

That exploit is just the start of the victim's problems. Once it has been triggered, it loads an object into IE. That object downloads a GIF image with an encrypted string appended to it, decrypts the string, and drops a new executable bundle onto the system.
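To make the "GIF with an encrypted string attached" step concrete, here is an added example (not Symantec's analysis code, and not the malware's own) that walks the GIF block structure to the 0x3B trailer and carves whatever follows it. The sample image and the appended bytes are constructed here for illustration; the cipher the real dropper used is not described on this page, so the blob is only carved, not decrypted.

```python
"""Carve data appended after the end of a GIF image.

Added example for this article, not code from Symantec or the malware.
A well-formed GIF ends with a 0x3B trailer byte; anything after it is
ignored by image viewers, which makes the tail a convenient place to hide
a payload. This walker finds where the image really ends and returns the
remainder for analysis.
"""
import struct

GIF_TRAILER = 0x3B
IMAGE_SEPARATOR = 0x2C
EXTENSION_INTRODUCER = 0x21


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Skip a chain of GIF data sub-blocks (length byte + bytes) starting
    at pos; return the offset just past the zero-length terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def _color_table_size(flags: int) -> int:
    """Bit 7 of a screen/image flags byte says a color table follows;
    bits 0-2 give its size: 3 * 2^(n+1) bytes."""
    if flags & 0x80:
        return 3 * (2 ** ((flags & 0x07) + 1))
    return 0


def find_gif_end(data: bytes) -> int:
    """Return the offset just past the 0x3B trailer, i.e. where a
    well-formed GIF ends. Raises ValueError on malformed input."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    # Logical Screen Descriptor: width(2) height(2) flags(1) bg(1) aspect(1)
    pos = 13 + _color_table_size(data[10])
    while True:
        if pos >= len(data):
            raise ValueError("no trailer found")
        block = data[pos]
        pos += 1
        if block == GIF_TRAILER:
            return pos
        if block == EXTENSION_INTRODUCER:
            pos += 1  # extension label byte
            pos = _skip_sub_blocks(data, pos)
        elif block == IMAGE_SEPARATOR:
            # Image Descriptor: left(2) top(2) width(2) height(2) flags(1)
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            pos += 9 + _color_table_size(data[pos + 8])
            pos += 1  # LZW minimum code size
            pos = _skip_sub_blocks(data, pos)  # pixel data, not decoded
        else:
            raise ValueError(f"unknown block 0x{block:02x} at {pos - 1}")


def carve_appended(data: bytes) -> bytes:
    """Return whatever follows the GIF trailer (empty for a clean file)."""
    return data[find_gif_end(data):]


def triage(data: bytes) -> dict:
    """Summary a triage script would log: real image length and tail size."""
    end = find_gif_end(data)
    tail = data[end:]
    return {"gif_bytes": end, "appended_bytes": len(tail), "tail": tail}


def build_minimal_gif() -> bytes:
    """Constructed 1x1 GIF89a for the demo (not a sample from the campaign)."""
    header = b"GIF89a"
    lsd = struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)  # 2-entry global color table
    gct = bytes([0, 0, 0, 255, 255, 255])
    gce = b"\x21\xF9\x04\x00\x00\x00\x00\x00"       # graphic control extension
    img = b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
    lzw = b"\x02" + b"\x02\x44\x01" + b"\x00"        # min code size + sub-blocks
    return header + lsd + gct + gce + img + lzw + bytes([GIF_TRAILER])


# Constructed stand-in for the "encrypted string" the page describes.
APPENDED = bytes(range(0x90, 0xA0)) * 2
SAMPLE = build_minimal_gif() + APPENDED

if __name__ == "__main__":
    info = triage(SAMPLE)
    print(f"image ends at {info['gif_bytes']}, "
          f"{info['appended_bytes']} bytes appended: {info['tail'][:8].hex()}...")
```

Run on a suspect image, a non-zero `appended_bytes` is the tell; a normal encoder writes nothing after the trailer. The walker deliberately does not decode the LZW pixel data, it only follows the sub-block length bytes, so it copes with corrupt pixel content as long as the block lengths are sane.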

Chien recounted what would happen from that point:

The bundle then has two executables inside of itself. We'll call one the EFS executable; the second is a variant of LinkOptimizer. LinkOptimizer dials a high-cost phone number and displays pop-up advertisements as you browse the Internet and the EFS executable is used to check for updates to itself from another domain. The EFS executable uses the Windows Encrypted File System (EFS) to hide itself and prevent people from finding and deleting the file.

Since the chain of executables has varied over time, including one iteration that functioned as a rootkit, Chien and his colleagues have dubbed these "spaghetti threats," which he explained:

This isn't because it has been targeting Italian computer users, but because the code in every executable is like a plate of spaghetti. The code has many nonsensical code paths full of jumps and calls, interspersed in an attempt to make it difficult to analyze. Clearly, the authors aren't your average malware writers.

More threats from those behind Gromozon could be forthcoming, as Symantec is still investigating the group. They have other domains registered that none of the malicious code seen in these attacks has used yet.

About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.
