A leading malware research firm in the UK warned on Friday that the nearly undetectable Gromozon rootkit has infected a quarter of a million computers.
Also known as the LinkOptimizer rootkit, the malware was initially distributed through Gromozon.com but is now found on an increasing number of websites. The sneaky bit of software is typically downloaded by unsuspecting web users who visit sites that either contain or link to the rootkit.
It attacks computers by downloading a script that checks for running antivirus software and creating a workaround to prevent detection. It then downloads a file entitled "www.google.com" onto the PC, taking advantage of user trust in the Google name in order to entice users to click the link. Once the link is clicked, the infection is triggered.
From there the rootkit will attempt to download additional nasty bits of executables, including ActiveX control malware and Java exploits.
Information security researchers have become increasingly worried over stealthy rootkit attacks in recent months. In Gromozon's case, the malware hides its source code using Alternate Data Streams while encrypting hidden code and data files.
"Gromozon is just one of a growing wave of malicious software which is bypassing most security products with ease," said Mel Morris, CEO of Prevx. "In fact, despite claiming that this infection is ‘easy' to remove, one market leading security vendor is still unable to detect any component of this attack."
In conjunction with the announcement on Friday researchers from Prevx released a free detection and removal tool that gives users the ability to check their PCs for the presence of the Gromozon/LinkOptimizer rootkit.