Gbot Trojan (Dec 09, 2010)

SonicWALL UTM Research team received reports of a new Trojan that can be used to relay sensitive information to remote hosts and to accept remote commands from an attacker. The Trojan makes periodic GET and POST requests to remote servers for pages and files that do not exist. Some parts of the requests contain system information or are encrypted.

The Trojan performs the following activities upon execution:

  • Drops the following three files on the compromised machine:
    • C:\Documents and Settings\User\Application Data\dwm.exe [ Detected as GAV: Cycbot.AA_6 (Trojan) ]
    • C:\Documents and Settings\User\Application Data\Microsoft\conhost.exe [ Detected as GAV: Cycbot.AA_6 (Trojan) ]
    • C:\Documents and Settings\User\Application Data\E6AE.A4A
  • Creates the following registry entries to ensure regular startup:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Shell "explorer.exe,C:\Documents and Settings\User\Application Data\dwm.exe"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost "C:\Documents and Settings\User\Application Data\Microsoft\conhost.exe"

  • Additional registry keys created:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings ProxyServer "http=127.0.0.1:61333"

  • Samples of periodic web requests made by the Trojan:

    GET request to: freeonline{removed}.net
    /images/dating1.jpg?tq=gP4aKydUJoD%2BbLSpPM48HXAm%2BIp7RbMA%2Fj%2FBt%2F4rtL2W%2FTcjYNfHjHjmGehkmxM4tV0CLKqe6ul5HxkjOJVmFn2W7p6qiRuKM2cpy5wV67ZN5NyS3oiAzfBfnR82Oj6fiu%2Fhq0R50Za6gQOYeTN%2F3XLpS%2FuvwQ3f6llQ8jWyxwwpBg%2FcIwgI

    GET request to: 136{removed}.com
    /LB5000/CGI-BIN/s.cgi?tq=gHZutDyMv5rJej%2Fia9nrmsl6giWz%2BJZbVyA%3D

    GET request to: zon{removed}.com
    /images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvAp1ujbwvgS917W65rJqlLfgPiWW1cg

    GET request to: pcdoc{removed}.com
    /images/logo-1.jpg?tq=gP4aKydMI5oGWaj6So61fGRfYz7KV8jMqwqKxVRWKZa7fLqVtLymA%2FOn9Itcm1zra2bubThHUef0bm2jztvHVcirw2XGuLsR5u3V%2BorIwuAZQROKs16%2BmEVT3jBx0lWjP%2FEmg95AmzFTI18yhLbz8fvGc5zFAt5MlTLKL4RY8T1KL7GEaXaQeV4tnf0paKcyB

    POST request to: xibu{removed}.cn
    /pics/23.jpg?type=g_v53&system={IE Browser Ver}|{OS Ver}|{Language}&id=B0CA268F7F02CA4AE6AE&status=err088_2_0&n=0&extra=0
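As an added example (not part of the original SonicWALL write-up), the following Python script applies the two request shapes quoted above to constructed proxy log lines: a GET for an image or CGI path carrying a long base64-looking `tq=` value, and a POST to an image path carrying the `type=g_v53&system=...&id=...&status=...&n=...&extra=...` check-in fields. The log line format, the hostnames and the 20-character length threshold are assumptions; the short `tq=` value and the `id=` value are copied from the samples above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request shapes from the samples quoted above: GET <image/cgi path>?tq=<base64-looking blob>
# and POST <image path>?type=g_v53&system=..&id=..&status=..&n=..&extra=..
BEACON_PATH = re.compile(r"\.(?:jpg|cgi)$", re.IGNORECASE)
BASE64_CHARS = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
POST_KEYS = {"type", "system", "id", "status", "n", "extra"}
MIN_TQ_LEN = 20  # assumed threshold; the shortest tq= sample above decodes to 36 chars


def classify_request(method, url):
    """Return 'gbot-get-beacon', 'gbot-post-checkin', or None for one request."""
    parts = urlsplit(url)
    if not BEACON_PATH.search(parts.path):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if method == "GET" and "tq" in qs:
        blob = qs["tq"][0]  # parse_qs has already decoded %2F, %2B and %3D
        if len(blob) >= MIN_TQ_LEN and BASE64_CHARS.match(blob):
            return "gbot-get-beacon"
    if method == "POST" and POST_KEYS <= set(qs) and qs["type"][0].startswith("g_v"):
        return "gbot-post-checkin"
    return None


def scan_proxy_log(lines):
    """Scan 'timestamp client method url' lines (assumed format); return (client, label, host)."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines rather than abort the scan
        _ts, client, method, url = fields[:4]
        label = classify_request(method.upper(), url)
        if label:
            hits.append((client, label, urlsplit(url).hostname))
    return hits


# Constructed sample log: hostnames are placeholders; tq= (line 2) and id= (line 4) come from the samples above.
SAMPLE_LOG = [
    "2010-12-09T10:00:01 10.0.0.5 GET http://www.example.com/images/logo.jpg",
    "2010-12-09T10:00:07 10.0.0.5 GET http://beacon1.example.com/LB5000/CGI-BIN/s.cgi?tq=gHZutDyMv5rJej%2Fia9nrmsl6giWz%2BJZbVyA%3D",
    "2010-12-09T10:00:09 10.0.0.7 GET http://cdn.example.com/images/a.jpg?tq=hello%20world",
    "2010-12-09T10:00:12 10.0.0.5 POST http://checkin.example.cn/pics/23.jpg?type=g_v53&system=IE8|WinXP|en-us&id=B0CA268F7F02CA4AE6AE&status=err088_2_0&n=0&extra=0",
    "2010-12-09T10:00:15 10.0.0.9 GET http://www.example.org/search?tq=gHZutDyMv5rJej%2Fia9nrmsl6giWz%2BJZbVyA%3D",
]
```

`scan_proxy_log(SAMPLE_LOG)` flags only the two requests from 10.0.0.5; the ordinary image fetch, the short `tq=` value and the non-image path are left alone.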

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

GAV: Cycbot.AA_6 (Trojan)
