Gromozon Rootkit Removal Tool
What is Gromozon and how did it manage to bypass my current security tools?
Unfortunately Gromozon is not a single infection, but a blended attack designed to bypass traditional anti-malware tools. The end result meaning that the machine is not only infected by several well known Trojans but also a highly dangerous Rootkit. Traditional AV vendors are at the moment dealing with the known infections but overlooking the rootkit.
The path of infection is thus:
– A server side script is run to analyse the user agent (web browser) under which the user is visiting. Different attack methods are then launched depending on whether the user is running Opera, Firefox or Internet Explorer.
For Internet Explorer, the victim is presented with the option to install an ActiveX control called FreeAccess.ocx This is actually copied into the Windows system32 folder as a randomly named DLL.
Firefox and Opera undergo a very clever piece of social engineering. What appears to be a link to www.google.com is presented to the victim. This unfortunately is not a hyperlink but in fact a cleverly hidden .com file. Once accepted and run, a randomly named DLL is again installed to the windows system32 folder.
– Once the DLL agent is installed, various pieces of Adware are downloaded and installed onto the machine. Examples are the Bravesentry and LinkOptimizer Trojans. The real payload is then downloaded to the victim’s computer. Both a Rootkit and service component are installed along with a hidden windows user account. The main purpose of this is to enable the Adware which was previously installed to be hidden from any Anti-malware tools installed on the machine
Download: Gromozon Rootkit Removal Tool