Archive for October, 2009

Gumblar Botnet Returns

On October 15th ScanSafe wrote about the return of the Gumblar botnet, which can be found here. The botnet was dubbed Gumblar back in May 2009 when it was first discovered, because the site that served the malware after a series of redirects was gumblar.cn. Since then the Gumblar botnet has decentralized its malware distribution by using thousands of compromised legitimate websites. Once installed on the victim's machine, the malware looks for FTP credentials from applications such as FileZilla. The stolen credentials are then used to download files from the compromised account, which are modified before being uploaded back to it. In the example from the ScanSafe blog, the malware currently being delivered (Trojan.Win32.Delf.phk) has a low detection rate.

More information can be found at the following links:

http://en.wikipedia.org/wiki/Gumblar
blog.scansafe.com
wepawet
anubis

Past 30 Days of SSH Brute Force Activity

During the past 30 days the honeypot I maintain has been attacked 423 times. Interestingly, the United States was the top offender, with China (no surprise) coming in a close second. All the attacking IP addresses can be found here.

Count – Country

94 – UNITED
82 – CHINA
23 – KOREA
19 – BRAZIL
13 – TAIWAN
11 – POLAND
10 – UNITED
10 – RUSSIAN
10 – ITALY
8 – GERMANY
8 – COLOMBIA
8 – ARGENTINA
7 – MEXICO
7 – INDIA
7 – CZECH
7 – CANADA
5 – SPAIN
5 – HUNGARY
5 – HONG
5 – FRANCE
4 – UKRAINE
4 – TURKEY
4 – ROMANIA
4 – PANAMA
4 – JAPAN
4 – CHILE
4 – AUSTRALIA
3 – BULGARIA
2 – VENEZUELA
2 – SOUTH
2 – SAUDI
2 – PHILIPPINES
2 – PERU
2 – PAKISTAN
2 – NETHERLANDS
2 – MOLDOVA
2 – MALAYSIA
2 – IRAN
2 – HONDURAS
2 – FINLAND
2 – EGYPT
2 – BELGIUM
2 – AUSTRIA
1 – VIET
1 – UNITED
1 – SYRIAN
1 – SRI
1 – SLOVAKIA
1 – SINGAPORE
1 – NICARAGUA
1 – LITHUANIA
1 – KAZAKHSTAN
1 – ISRAEL
1 – IRAQ
1 – GUATEMALA
1 – GREECE
1 – GHANA
1 – COSTA
1 – AZERBAIJAN

The root account was the most targeted username across all the attacks. It's always a good idea to disable this account when setting up your SSH server; this slightly decreases the chances of an automated brute-force attack succeeding. Listed below are a few more options you should consider if you wish to protect your server:

- Use host-based tools such as DenyHosts, fail2ban or BlockHosts
- Make sure usernames are not easily guessable
- Use multiple factors of authentication or public keys where possible
- Reduce the number of public-facing servers where possible
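To show the kind of counting behind the username and country tallies above, and the per-source threshold that tools like DenyHosts and fail2ban act on, here is an added Python example (not code from this post or from any of those tools). It assumes the standard OpenSSH sshd "Failed password" log format; the auth.log lines it parses are constructed samples, not the honeypot's data.

```python
import re
from collections import Counter

# Matches OpenSSH sshd failure lines, both the plain and "invalid user" forms.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample auth.log lines (documentation-range IPs, not real attackers).
SAMPLE_LOG = """\
Oct 14 03:12:01 honeypot sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Oct 14 03:12:03 honeypot sshd[2201]: Failed password for root from 203.0.113.7 port 51236 ssh2
Oct 14 03:12:05 honeypot sshd[2201]: Failed password for root from 203.0.113.7 port 51238 ssh2
Oct 14 03:12:08 honeypot sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Oct 14 03:12:09 honeypot sshd[2205]: Failed password for invalid user oracle from 203.0.113.7 port 51242 ssh2
Oct 14 03:15:11 honeypot sshd[2210]: Failed password for root from 198.51.100.22 port 40012 ssh2
Oct 14 03:15:30 honeypot sshd[2212]: Accepted publickey for deploy from 192.0.2.10 port 52000 ssh2
Oct 14 03:16:02 honeypot sshd[2214]: Failed password for invalid user test from 198.51.100.22 port 40014 ssh2
"""


def parse_failures(log_text):
    """Yield (username, source_ip) for every failed-password line; other lines are ignored."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def summarize(log_text, threshold=5):
    """Count failures per username and per source IP, and list the IPs that reached
    `threshold` failures (the block condition a host-based blocker would apply)."""
    by_user, by_ip = Counter(), Counter()
    for user, ip in parse_failures(log_text):
        by_user[user] += 1
        by_ip[ip] += 1
    offenders = sorted(ip for ip, n in by_ip.items() if n >= threshold)
    return by_user, by_ip, offenders


if __name__ == "__main__":
    users, ips, offenders = summarize(SAMPLE_LOG)
    print("Top usernames:", users.most_common(3))   # root leads, as on the honeypot
    print("Top sources:", ips.most_common(3))
    print("Block candidates:", offenders)
```

Pointing the same parser at a real /var/log/auth.log gives the per-username and per-IP breakdown directly; mapping the IPs to countries needs a GeoIP lookup that is outside this snippet.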

Fake IRS sites distribute Zbot Variants

The distribution of Zbot continues, this time via a file called tax-statement.exe and domains named irs.gov.fedas1ao.com, irs.gov.y11derd.com and irs.gov.juhh1wo.com. It's unclear what the initial vector is; however, given the way the domains and file name have been crafted, it is likely related to spam. All the domains used so far, and the dates they were first seen, can be found here.

Upon execution of tax-statement.exe the following changes are made to the registry:

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
UID = "%ComputerName%_0002DE7F"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}]

{3039636B-5F3D-6C64-6675-696870667265} = F7 09 F2 0D
{33373039-3132-3864-6B30-303233343434} = 47 09 F2 0D

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
ProxyEnable = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Userinit =

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Cookies =
History =

From a network perspective the following GET requests are generated:

http://195.93.208.18/lcc/ip.gif

http://195.93.208.18/ip.php

Threat characteristics of Zbot: a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screen snapshots, downloads additional components, and provides the attacker with remote access to the compromised system.
