NEWS FROM THE LAB - Thursday, November 9, 2006

Gromozon vs. Marco Giuliani Posted by Paolo @ 14:28 GMT

Sadly well known among Italian computer users, "Gromozon" is a complex collection of malware that features rootkit techniques, anti-debugging tricks, and more in order to perform its vicious activities. We detect this collection under many names, such as Trojan.Win32.Obfuscated.a or Trojan.Win32.Agent.rk.

At this point you're probably thinking: so, this is rather typical when it comes to really nasty malware, what's the reason behind this particular blog entry?

Well, it seems that the war between Gromozon's authors and the security researchers at Prevx has reached a new level: it's personal now.

Marco Giuliani

After being utterly frustrated by their inability to bypass Prevx's dedicated disinfection tool, Gromozon's authors decided to attack on another front. In the latest variants of Gromozon, whenever an analysis tool such as our F-Secure BlackLight, or more generically a "banned" application, is detected, the malware itself presents the user with a lovely message that leads them to believe that the source behind the malware is the guys from Prevx, and especially Marco Giuliani, one of the first security researchers to study Gromozon in depth and to provide a disinfection tool.

Of course, Prevx and Marco Giuliani have nothing to do with the malware. On the contrary, they are active members of the community that struggles every day for computer users' safety.

It will be really interesting to see what Gromozon's next move will be...