Gumblar... Not Gumby!

Ok, I admit this blog post is not about our childhood TV friend, Gumby... Instead it's about a much more sinister character, Gumblar & its malware henchmen...

Originally making its debut back in March/April of this year (see here , here  and here) and then suddenly it went quiet for a few months, until recently... Yes, Gumblar is back with a vengeance & still causing problems for it's unsuspecting victims.

The primary delivery mechanism is still via Drive-By-Download (notably compromised sites serving malicious Adobe PDF's) which when successful will load the malware onto your system.

We have taken a look at a couple of the Gumblar associated malware samples, you can see some VirusTotal results here & here.

Here is a quick peek at what this bad-guy is doing...
Once loaded on to the victim's system, it silently executes with out any obvious indications to the end-user. (no Fake AV pop-ups, instant reboots, tray icons or ransom notes here.)

The UPX packed executable will proceed to write out a file (disguised as an innocent temp or backup file) 1 subdirectory beneath it's current location.
The dropped file, actually a .dll (18432 bytes in size), uses (3-6 character) randomly generated filename with the extension ".tmp", ".bak", ".dat" or ".old".

Strings_1

filename extensions visible when looking at the binary in a hex editor.

It goes on to delete a couple audio drivers from the "c:\windows\system32\" directory (sysaudio.sys & wdmaud.sys).
Along with deleting these, it adds the following registry key:

"HKLM/Software/Microsoft/Windows NT/Current Version/Drivers32/midi9"

The above registry key value "midi9" actually equates to executing "<dropped_file> 0yAAAAAAAA" when loaded.
The system will now use the evil .dll file anytime the browser is loaded.

Vm_reg_1
(Note the .bak file followed by the "0yAAAAAAAA" string, it's always there).

The malware will also generate an ID string (32 characters long) that gets sent to the C&C.

Crypt_c

Crypt_a

Sample screen shots of the malware's string generation routine.

The malware will also attempt to rename itself with no filename (null) upon reboot, using the MOVEFILE_DELAY_UNTIL_REBOOT function & a flag of 0x4.

A quick peek at the registry shows it created an entry under

HLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

Normally ok except in the value data there is only 1 entry when there should be a pair (the current file name & what to rename it to upon reboot). 

Once the infection process completes, it quietly waits for you to access a website site using your browser.
Here is where this guy really starts to go to work, stealing FTP credentials and potentially skewing search results. Anything your browser sees, IT sees...

A quick look at a running packet capture and we see that along with the normal HTTP traffic it has taken the opportunity to communicate with the C&C.
It has sent the 32 character string (prefixed with "?0E2" & followed by a "0" at the end) in the URI to the C&C & received back a response as displayed here:

Pcap_A

Notice the "SS: " & "Xost: " fields in the HTTP Header.
The "SS:" field contains the URI you were accessing & the "Xost:" field holds the original destination host/site.
Also of note is the response from the server.
The "//fHqq0EDFBNEED" is always present followed by the 32 byte string that was sent to the C&C, and then 2 additional bytes (the "2y" at the end).
(If you see this type of traffic on your network, it's time to be a little concerned...)

The malware attempts to contact one of 3 IP's

1.) 67.215.246.34 - still alive & well.

OrgName: Secured Private Network 
OrgID: SPNW
Address: 1740 East Garry Ave.
Address: Suite 234
City: Santa Ana
StateProv: CA
PostalCode: 92705
Country: US
NetRange: 67.215.224.0 - 67.215.255.255
CIDR: 67.215.224.0/19
OriginAS: AS22298
NetName: SPN3W
NetHandle: NET-67-215-224-0-1
Parent: NET-67-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.SECUREDPRIVATENETWORK.NET
NameServer: NS2.SECUREDPRIVATENETWORK.NET
Comment:
RegDate: 2007-10-18
Updated: 2008-10-08


2.) 67.212.81.67  - known Crimeware friendly ISP as mentioned here.

OrgName: Netelligent Hosting Services Inc.
OrgID: NHS-31
Address: 1396 Franklin Drive
City: Laval
StateProv: QC
PostalCode: H7W-1K6
Country: CA
NetRange: 67.212.64.0 - 67.212.95.255
CIDR: 67.212.64.0/19
NetName: NETEL-ARIN-BLK02
NetHandle: NET-67-212-64-0-1
Parent: NET-67-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.NETELLIGENT.CA
NameServer: NS2.NETELLIGENT.CA
NameServer: NS3.NETELLIGENT.CA
Comment:
RegDate: 2007-08-30
Updated: 2008-06-20

3.) 195.24.76.250 - which appears to host 9 other sites, including some leading to pages serving FakeAV.

inetnum: 195.24.72.0 - 195.24.79.255
netname: ROOT-195-24-72-0-21
descr: root eSolutions
country: LU
admin-c: AB99-RIPE
tech-c: RE655-RIPE
status: ASSIGNED PI
mnt-by: ROOT-MNT
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
source: RIPE # Filtered

So while unsuspecting victims go about there usual web activity, the malware will quietly send data to any one of these 3 IP's (in the above order).

Without careful inspection, this communication can easily snake by perimeter defenses & security software.

More to come...

A special thanks to my colleagues Atif Mushtaq & Julia Wolf.

J.G. @ FireEye Malware Intelligence Lab

Detailed Question/Comments : research SHIFT-2 fireeye DOT COM