Gbot Trojan (Dec 09, 2010)


SonicWALL UTM Research team received reports of a new Trojan that can be used to relay sensitive information to remote hosts and accept remote commands from an attacker. The Trojan will make periodic GET and POST requests to remote servers for pages and files that do not exist. Some parts of the requests contain system information or is encrypted.

The Trojan performs the following activities upon execution:

  • Drops the following three files on the compromised machine:
    • C:Documents and SettingsUserApplication Datadwm.exe [ Detected as GAV: Cycbot.AA_6 (Trojan) ]
    • C:Documents and SettingsUserApplication DataMicrosoftconhost.exe [ Detected as GAV: Cycbot.AA_6 (Trojan) ]
    • C:Documents and SettingsUserApplication DataE6AE.A4A
  • Creates the following registry entries to ensure regular startup:
    • HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWinlogon Shell “explorer.exe,C:Documents and SettingsUserApplication Datadwm.exe”
    • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun svchost “C:Documents and SettingsUserApplication DataMicrosoftconhost.exe”

  • Additional registry keys created:
    • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet Settings ProxyServer “http=”

  • Samples of periodic web requests made by the Trojan:

    GET request to: freeonline{removed}.net

    GET request to: 136{removed}.com

    GET request to: zon{removed}.com

    GET request to: pcdoc{removed}.com

    POST request to: xibu{removed}.cn
    /pics/23.jpg?type=g_v53&system={IE Browser Ver}|{OS Ver}|{Language}&id=B0CA268F7F02CA4AE6AE&status=err088_2_0&n=0&extra=0

SonicWALL Gateway AntiVirus provides protection against this threat via following signature:

GAV: Cycbot.AA_6 (Trojan)

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.