Content

Gromozon rootkit has infected 250,000 PCs

Share

A leading malware research firm in the UK warned on Friday that the nearly undetectable Gromozon rootkit has infected a quarter of a million computers.

Also known as the LinkOptimizer rootkit, the malware was initially distributed through Gromozon.com but is now found on an increasing number of websites. The sneaky bit of software is typically downloaded by unsuspecting web users who visit sites that either contain or link to the rootkit.

It attacks computers by downloading a script that checks for running antivirus software and creating a workaround to prevent detection. It then downloads a file entitled "www.google.com" onto the PC, taking advantage of user trust in the Google name in order to entice users to click the link. Once the link is clicked, the infection is triggered.

From there the rootkit will attempt to download additional nasty bits of executables, including ActiveX control malware and Java exploits.

Information security researchers have become increasingly worried over stealthy rootkit attacks in recent months. In Gromozon's case, the malware hides its source code using Alternate Data Streams while encrypting hidden code and data files.

"Gromozon is just one of a growing wave of malicious software which is bypassing most security products with ease," said Mel Morris, CEO of Prevx. "In fact, despite claiming that this infection is ‘easy' to remove, one market leading security vendor is still unable to detect any component of this attack."

In conjunction with the announcement on Friday researchers from Prevx released a free detection and removal tool that gives users the ability to check their PCs for the presence of the Gromozon/LinkOptimizer rootkit.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.