Threat Research

Gumblar... Not Gumby!

Ok, I admit this blog post is not about our childhood TV friend, Gumby... Instead it's about a much more sinister character, Gumblar & its malware henchmen...

Originally making its debut back in March/April of this year (see here and here) and then suddenly it went quiet for a few months, until recently... Yes, Gumblar is back with a vengeance & still causing problems for it's unsuspecting victims.

The primary delivery mechanism is still via Drive-By-Download (notably compromised sites serving malicious Adobe PDF's) which when successful will load the malware onto your system.

We have taken a look at a couple of the Gumblar associated malware samples, you can see some VirusTotal results here & here.

Here is a quick peek at what this bad-guy is doing...
Once loaded on to the victim's system, it silently executes with out any obvious indications to the end-user. (no Fake AV pop-ups, instant reboots, tray icons or ransom notes here.)

The UPX packed executable will proceed to write out a file (disguised as an innocent temp or backup file) 1 subdirectory beneath it's current location.
The dropped file, actually a .dll (18432 bytes in size), uses (3-6 character) randomly generated filename with the extension ".tmp", ".bak", ".dat" or ".old".


filename extensions visible when looking at the binary in a hex editor.

It goes on to delete a couple audio drivers from the "c:\windows\system32\" directory (sysaudio.sys & wdmaud.sys).
Along with deleting these, it adds the following registry key:

"HKLM/Software/Microsoft/Windows NT/Current Version/Drivers32/midi9"

The above registry key value "midi9" actually equates to executing "<dropped_file> 0yAAAAAAAA" when loaded.
The system will now use the evil .dll file anytime the browser is loaded.

(Note the .bak file followed by the "0yAAAAAAAA" string, it's always there).

The malware will also generate an ID string (32 characters long) that gets sent to the C&C.



Sample screen shots of the malware's string generation routine.

The malware will also attempt to rename itself with no filename (null) upon reboot, using the MOVEFILE_DELAY_UNTIL_REBOOT function & a flag of 0x4.

A quick peek at the registry shows it created an entry under

HLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

Normally ok except in the value data there is only 1 entry when there should be a pair (the current file name & what to rename it to upon reboot). 

Once the infection process completes, it quietly waits for you to access a website site using your browser.
Here is where this guy really starts to go to work, stealing FTP credentials and potentially skewing search results. Anything your browser sees, IT sees...

A quick look at a running packet capture and we see that along with the normal HTTP traffic it has taken the opportunity to communicate with the C&C.
It has sent the 32 character string (prefixed with "?0E2" & followed by a "0" at the end) in the URI to the C&C & received back a response as displayed here:


Notice the "SS: " & "Xost: " fields in the HTTP Header.
The "SS:" field contains the URI you were accessing & the "Xost:" field holds the original destination host/site.
Also of note is the response from the server.
The "//fHqq0EDFBNEED" is always present followed by the 32 byte string that was sent to the C&C, and then 2 additional bytes (the "2y" at the end).
(If you see this type of traffic on your network, it's time to be a little concerned...)

The malware attempts to contact one of 3 IP's

1.) - still alive & well.

OrgName: Secured Private Network 
Address: 1740 East Garry Ave.
Address: Suite 234
City: Santa Ana
StateProv: CA
PostalCode: 92705
Country: US
NetRange: -
OriginAS: AS22298
NetName: SPN3W
NetHandle: NET-67-215-224-0-1
Parent: NET-67-0-0-0-0
NetType: Direct Allocation
RegDate: 2007-10-18
Updated: 2008-10-08

2.)  - known Crimeware friendly ISP as mentioned here.

OrgName: Netelligent Hosting Services Inc.
OrgID: NHS-31
Address: 1396 Franklin Drive
City: Laval
StateProv: QC
PostalCode: H7W-1K6
Country: CA
NetRange: -
NetHandle: NET-67-212-64-0-1
Parent: NET-67-0-0-0-0
NetType: Direct Allocation
RegDate: 2007-08-30
Updated: 2008-06-20

3.) - which appears to host 9 other sites, including some leading to pages serving FakeAV.

inetnum: -
netname: ROOT-195-24-72-0-21
descr: root eSolutions
country: LU
admin-c: AB99-RIPE
tech-c: RE655-RIPE
mnt-by: ROOT-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
source: RIPE # Filtered

So while unsuspecting victims go about there usual web activity, the malware will quietly send data to any one of these 3 IP's (in the above order).

Without careful inspection, this communication can easily snake by perimeter defenses & security software.

More to come...

A special thanks to my colleagues Atif Mushtaq & Julia Wolf.

J.G. @ FireEye Malware Intelligence Lab

Detailed Question/Comments : research SHIFT-2 fireeye DOT COM