I’m writing down this post to let you know about targeted attacks we’re facing in Europe, especially in Italy.
The “Italian Job”, (a.k.a. Linkoptimizer, a.k.a. Gromozon) appears to be orchestrated by a well-organized gang, using several aliases to avoid recognition but in the end, still refers to the same malware chain.
An infection by Linkoptimizer could triggered by
- A downloaded malware. It uses attractive filenames, like “www.google.com” or “www.sport.com”
- A Trojanised WMF File (Downloader)
- ActiveX/OCX File (dropper)
- ByteVerify (Java exploit)
The downloaded malware, when executed, installs
- A rootkit
- Various files hidden through ADS (Alternate Data Streams)
- Random files encrypted using EFS
- Linkoptimizer (hidden by a rootkit)
Once you got infected, Linkoptimizer downloads other Trojans, adware and installs other spyware applications, pop-ups several IE pages which redirect users to other malicious websites as well. With all of these installed, the machine is nearly unusable and really tough to clean up. You can easily find a machine infected by Linkoptimizer hosting more than 10 or 20 different malware.
The websites hosting these malicious files are constantly updated and adding new content very fast. Because of this, we’re seeing many different version of the same malware.
Here are some malware families involved here
- TROJ_LINKOPTI
- TROJ_AGENT
- TROJ_SMALL.Y
- TROJ_CLICKER
- TROJ_DROPPER
- TROJ_DLOADER
- TROJ_SPABOT
- TROJ_SPYWAD
- DIAL_DIAMIN
- DIAL_ADDIAL
- ADW_SMALL
- ADW_SYSTEMDOCT
You may ask why this threat is typically localized in Italy. The primary reason is that most of the malicious websites are using Italian keywords. A simple search on Google using Italian words can easily bring you to a malicious website.
Cleaning this malware infestation is a difficult, if not impossible, task, no thanks to the installed rootkit, which hides all the other malware files. But once the rootkit is disabled, you can start cleaning up the malware files. But with the malware constantly updated or modified, this makes the cleanup a bit tougher. An additional solution is to have a URL filtering solution to filter out the known malicious websites and avoid further infection through the known malicious websites.
Italian .bizness
While struggling with Linktoptimizer, Italy is getting harassed yet again by another menace, dubbed as the “Italian .Bizness”, a.k.a TROJ_AGENT.HDX.
It arrives by email, in Italian, asking you to download a removal tool to clean up your machine. It contains an HTTP link inside the body – the link uses a .biz domain, hence, the nickname.
Below is the English translation of the email text:
I am not an expert in this matter, anyway our technician states that those “e-mails” from you Are not made on purpose but can be caused by a virus. Moreover he say that it is possible to remove this worm with the AV program that you can download from the following address: http://www.spyware<BLOCKED>smasher.biz
I don’t have the knowledge nor the time to verify if this hypothesis is correct but I must “legally warn” you from keeping on sending undesired e-mails to my working e-mail. If I will receive again JUST A SINGLE MESSAGE of this kind, I will proceed with a legal action without any notice.
Stop sending or if it is a virus worm remove it immediately since probably I am not the only one receiving this trash from you.
I remind you that the police have the instruments to trace the real identity of the owner of an e-mail address even if registered with a fantasy name or international registration. So donâ??t think you can continue to infect my mail box with this kind of things.
Waiting for your kind reply,
This is a clever use of social engineer, using the “scare tactic” quite well.
Clicking on the link directs you to a webpage asking the user to download a removal tool. The download link is quite hard to miss; it is advertised by a green button:
The so-called “removal tool” (filename removal_tool.exe) uses the following icon, making it all the more attractive. 
Once the malware (the ‘removal tool’) is executed it drops a dll file, webdesk.dll in windows system32 folder, and it installs this as a BHO (Browser Helper Object).
The files removal_tool.exe and webdesk.dll are detected as TROJ_AGENT.HDX and can be cleaned up using our latest DCT.
The emails being spammed also advertise other URLs, such as
- http://www.privacy<BLOCKED>wall.biz
- http://www.notmore<BLOCKED>spyware.biz
- http://www.spyware<BLOCKED>executioner.biz
- http://www.kill<BLOCKED>malaware.biz
- http://www.pc-<BLOCKED>protector.biz
- http://www.spyware<BLOCKED>smasher.biz
- http://www.safe<BLOCKED>master.biz
- http://www.watchware<BLOCKED>murderer.biz
- http://www.adware<BLOCKED>zap.biz
- http://www.nowim<BLOCKED>protected.biz
- http://www.SpyStuff<BLOCKED>Killer.biz
- http://www.adware<BLOCKED>wipe.biz
- http://www.safe<BLOCKED>master.biz
- http://www.myclean<BLOCKED>pc.biz
- http://www.TenKiller<BLOCKED>Direct.biz
- http://www.watchare<BLOCKED>assassin.biz
- http://www.free-spyware-<BLOCKED>killer-software.biz
- http://www.spyware<BLOCKED>murderer.biz
There are probably many other websites hosting these malicious files. Most of these websites are pointing to the same IP address, hosted in Russia.
A peculiar characteristic of these websites is that they could only be accessed from Italy, not from an Italian Windows system but geographically from Italy. Even using an Italian DNS or Proxy you won’t be able to connect to these sites from another country.
Both of these local outbreaks are specifically targeted to Italy. I guess several groups working in concert are involved here – one sub-group created the websites as fast as we can send an SMS, another created the malware, another spams the emails and another hosting the bot network for sending spam.