By: ThreatLabz

A Brief Gumblar Infrastructure Analysis

Malware

Earlier this week, I had a request to analyze and describe why we were blocking customer access to:

hxxp://www.fdotfirstcoastouterbeltway.com/index.asp
(note: this page has since been cleaned)

Analysis of the page showed obfuscated JS after the closing HTML tag on the page. The obfuscated JS decoding report is available at JSunpack here. The injected JS decodes and creates an object on the page to pull content from:

hxxp://westcountry.ru:8080/google.com/deviantart.com/google.gr.php

A dig on the domain shows that it round-robins across IPs at a number of providers with a short time-to-live (TTL); in other words, it is fast-fluxed:

westcountry.ru. 432 IN A 213.186.47.177 (OVH)
westcountry.ru. 432 IN A 88.198.49.197 (Hetzner)
westcountry.ru. 432 IN A 94.23.220.163 (OVH)
westcountry.ru. 432 IN A 174.137.179.244 (WebAir)
westcountry.ru. 432 IN A 188.72.212.104 (ImajHost)
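The fast-flux indicators used above (short TTL, several A records, addresses spread across providers) can be checked mechanically. The following is an added example, not part of the original write-up: it parses dig-style answer lines, ignoring the provider annotations in parentheses, and scores each name. The TTL threshold of 3600 seconds and the use of distinct /16 prefixes as a stand-in for "different providers" are assumptions chosen for illustration; a real ASN lookup would be the stronger signal.

```python
import re
import ipaddress

# Constructed sample input: the dig answers quoted in the write-up, plus a
# hypothetical single-homed name (example-static.test) for comparison.
DIG_ANSWERS = """\
westcountry.ru. 432 IN A 213.186.47.177 (OVH)
westcountry.ru. 432 IN A 88.198.49.197 (Hetzner)
westcountry.ru. 432 IN A 94.23.220.163 (OVH)
westcountry.ru. 432 IN A 174.137.179.244 (WebAir)
westcountry.ru. 432 IN A 188.72.212.104 (ImajHost)
example-static.test. 86400 IN A 192.0.2.10
"""

# Owner name, TTL, class IN, type A, dotted-quad; trailing annotation ignored.
A_RECORD = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>\d+\.\d+\.\d+\.\d+)")

def parse_a_records(text):
    """Group (ttl, ip) pairs by owner name from dig-style answer lines."""
    records = {}
    for line in text.splitlines():
        m = A_RECORD.match(line.strip())
        if not m:
            continue  # blank lines, comments, NS/SOA records, etc.
        name = m.group("name").rstrip(".")
        records.setdefault(name, []).append((int(m.group("ttl")), ipaddress.ip_address(m.group("ip"))))
    return records

def flux_score(records, max_ttl=3600, min_ips=3, min_prefixes=2):
    """Return the three fast-flux signals for one name's A records.

    Assumed thresholds: TTL at or under an hour, at least three distinct
    addresses, and those addresses spread over at least two /16 networks.
    """
    ttls = {ttl for ttl, _ in records}
    ips = {ip for _, ip in records}
    prefixes = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
    short_ttl = max(ttls) <= max_ttl
    return {
        "short_ttl": short_ttl,
        "ip_count": len(ips),
        "prefix_count": len(prefixes),
        "suspicious": short_ttl and len(ips) >= min_ips and len(prefixes) >= min_prefixes,
    }

def analyze(text):
    """Score every owner name found in the dig output."""
    return {name: flux_score(recs) for name, recs in parse_a_records(text).items()}
```

Running analyze(DIG_ANSWERS) flags westcountry.ru (five addresses in five /16s at a 432-second TTL) and leaves the single-address, day-long-TTL name alone.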

Likewise, westcountry.ru is resolved from multiple name servers across a number of providers:

nserver: ns1.hostdnssite.com. (67.23.25.78)
nserver: ns2.hostdnssite.com. (67.223.233.101)
nserver: ns3.hostdnssite.com. (93.103.5.146)
nserver: ns4.hostdnssite.com. (86.49.83.234)

The domain for the name server (hostdnssite.com) was recently registered through OnlineNIC, and is used to provide domain resolution for numerous other domains involved in this malware campaign. A DomainTools preview shows that there are 49 other domains resolved by these name servers:

Reviewing our logs for other blocked "ru:8080/" transactions showed the URL: furryentry.ru:8080/google.com/thesun.co.uk/iciba.com.php

Analyzing the page revealed these related pages:

furryentry.ru:8080/index.php?pid=1&home=1
furryentry.ru:8080/jquery.jxx?ver=2.1.5
furryentry.ru:8080/Notes1.pdf <-- Malicious

Uploading the malicious PDF to VirusTotal showed very poor A/V detection results (only 1 of 41 vendors detected it): VT report. Using Wepawet for a quick analysis of the malicious PDF shows that it has routines to exploit CVE-2008-2992 and CVE-2009-0927, and drops shellcode that calls out to:

hxxp://waxytooth.ru:8080/welcome.php?id=6&pid=1&hello=503

All of the domains involved used the hostdnssite.com name server. Also many of the WHOIS records had similarities, such as the email address, telephone number, name, or location (usually Russia). For example, hostdnssite.com WHOIS:
A registrant search for 'Ekaterina Gilmanova' for example shows 558 domains (and a Google search shows the related malicious domain results). Additional open source analysis shows a large number of involved domains (reference: 1, 2, 3) within this campaign. The name server previously used to resolve some of the related domains was FREEHOSTINTERNET.COM - which now has a Hold on it from OnlineNIC. The majority of the domains that I've analyzed relate to the Gumblar botnet and there were a few one-off domains that related to fake pharmacy and money-mule campaigns. What is interesting is that the freehostinginternet.com name servers were also allegedly used in another malware campaign: Koobface (reference: 1). In other words, this identified infrastructure is likely supporting multiple campaigns (and possibly criminal groups).

Building out the list of domains and related IPs involved shows the tip of the iceberg as it relates to this underground infrastructure.

Sample of domains extracted:
Sample of IPs extracted:
The above analysis provides a peek inside some of Gumblar's supporting infrastructure. Also, while it is still a bit unclear, there appears to be some evidence that portions of the underground infrastructure that have supported Gumblar have also been used to support other campaigns.
