SecureWorks 'Trojans' Category

Tracking Gimmiv

Monday, November 3rd, 2008

On October 23, 2008, Microsoft released an out-of-cycle emergency patch (MS08-067) for a flaw in the Windows RPC code, specifically in the Server service's RPC interface. The reason for this unusual occurrence was the discovery of a “zero-day” exploit being used in the wild by a worm (or trojan, depending on how you look at it). The announcement of a new remote exploit for unpatched Windows systems always raises tension levels among network administrators. The fact that this one was already being used by a worm evoked flashbacks of Blaster and Sasser and other previous threats that severely impacted the networked world.

But, unlike these past worms, Gimmiv turned out to have infected scarcely any networks at all. One reason is that Gimmiv's scanning for vulnerable hosts is limited to the local subnet, so it can only jump networks when an infected computer is physically moved from one network to another. Even if this were not the case, the Windows Firewall, enabled by default since Windows XP SP2, scopes the file-sharing exception that exposes the vulnerable RPC ports to the local subnet only. So although future trojans and worms might use the same exploit, the window of opportunity for a globally impacting worm using this vector has, for the most part, passed.

Because of some mistakes made by the author(s) of Gimmiv, third parties were able to download the logfiles of the Gimmiv control server. Although most of the data in the logs is AES-encrypted, we were able to find the key hardcoded in the Gimmiv binary and decrypt the data.

Although it has been reported that Gimmiv is a credential-stealing trojan, this functionality is actually not used - the gathered data is never sent. What is sent is simply basic system information, such as the Windows version, IP and MAC address, Windows install date/time and the default system locale. Using this data we were able to track exactly how many computers had been infected prior to October 23rd (after this time infection counts are somewhat skewed due to malware researchers all over the world investigating Gimmiv). As it turns out, only around 200 computers were infected since the time Gimmiv was actively deployed on September 29, 2008.

By converting the decrypted log data into KML format, we were able to use Google Maps and Google Earth to take a look at the global impact and spread of Gimmiv. Only 23 countries had infected users, and Southeast Asia appeared to have the greatest number of infections:

Gimmiv world map

Each computer on the maps above represents a Gimmiv-infected location - due to NAT, this may include dozens of computers. For example, two networks in Malaysia had the most infections:

Gimmiv in Malaysia

While Malaysia was the hardest hit, it appears that the “in-the-wild” spread of Gimmiv may have started in Vietnam on September 29:

Gimmiv patient zero?

Looking further back in the logs, Gimmiv actually appears first on August 20, 2008, but we don’t count this as in-the-wild activity: the entries came from only two IP addresses, and only briefly. One of them, located in Korea, we can tell was running Gimmiv inside a VMware virtual machine (the logs record each host's MAC address, and VMware virtual NICs carry a VMware-assigned OUI), which is exactly what you would expect from someone testing a piece of malicious mobile code:

Gimmiv test from VMware machine in South Korea

Additionally, a zip file left behind on one of the control servers contained Korean characters in the compressed folder name. For these two reasons, we believe Gimmiv’s author is probably from South Korea.
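The triage described above (discarding post-patch check-ins, collapsing NATed hosts behind one public address, spotting the VMware test box and emitting KML for Google Earth) is straightforward to script. The following is an added example and not SecureWorks' own tooling: the log format, the RFC 5737 documentation addresses, the countries and the coordinates are constructed stand-ins, the AES decryption step (the real logs were encrypted with a key recovered from the binary) is assumed to have already happened, and the MAC-OUI test is one standard way to recognise a VMware guest rather than a method the post states.

```python
"""Triage of already-decrypted Gimmiv-style check-in logs: dedupe NATed hosts,
find patient zero, flag VMware test boxes and emit KML for Google Earth."""
from collections import Counter, defaultdict
from datetime import datetime
import xml.etree.ElementTree as ET

# Constructed sample (hypothetical format; addresses from the RFC 5737
# documentation ranges; NOT the real Gimmiv data).
# Fields: check-in time | source IP | Windows version | MAC | install time | locale
SAMPLE_LOG = """\
2008-08-20 09:12:03|192.0.2.10|Windows XP SP2|00:0C:29:4A:1B:77|2008-08-19 22:01:00|ko-KR
2008-08-20 09:15:41|192.0.2.10|Windows XP SP2|00:0C:29:4A:1B:77|2008-08-19 22:01:00|ko-KR
2008-09-29 14:02:17|198.51.100.7|Windows XP SP2|00:1A:92:33:CC:01|2007-03-11 08:00:00|vi-VN
2008-10-01 03:44:09|203.0.113.5|Windows XP SP3|00:16:D3:AA:BB:01|2008-01-05 10:10:10|ms-MY
2008-10-01 03:44:30|203.0.113.5|Windows XP SP3|00:16:D3:AA:BB:02|2008-01-05 10:10:10|ms-MY
2008-10-01 03:45:12|203.0.113.5|Windows 2000 SP4|00:16:D3:AA:BB:03|2006-11-30 09:00:00|ms-MY
2008-10-24 11:00:00|192.0.2.99|Windows XP SP2|00:50:56:12:34:56|2008-10-24 10:00:00|en-US
"""

# Constructed stand-in for a GeoIP database: IP -> (country, lat, lon).
GEO = {
    "192.0.2.10": ("Korea", 37.5665, 126.9780),
    "198.51.100.7": ("Vietnam", 21.0278, 105.8342),
    "203.0.113.5": ("Malaysia", 3.1390, 101.6869),
    "192.0.2.99": ("United States", 38.8977, -77.0365),
}

# OUIs assigned to VMware; a guest's virtual NIC reports one of these.
VMWARE_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}
PATCH_DAY = datetime(2008, 10, 23)  # MS08-067 release; later check-ins are skewed by researchers


def parse_log(text):
    records = []
    for line in text.strip().splitlines():
        ts, ip, winver, mac, installed, locale = line.split("|")
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "ip": ip, "winver": winver, "mac": mac.lower(),
                        "installed": installed, "locale": locale})
    return records


def is_vmware_mac(mac):
    return mac.lower()[:8] in VMWARE_OUIS


def pre_patch(records):
    """Keep only check-ins before the out-of-band patch."""
    return [r for r in records if r["ts"] < PATCH_DAY]


def hosts_by_ip(records):
    """Distinct MACs per public IP: one address behind NAT can hide many machines."""
    macs = defaultdict(set)
    for r in records:
        macs[r["ip"]].add(r["mac"])
    return {ip: len(m) for ip, m in macs.items()}


def country_totals(records, geo):
    totals = Counter()
    for ip, n in hosts_by_ip(records).items():
        totals[geo[ip][0]] += n
    return totals


def first_seen(records, ignore_vmware=True):
    """Earliest check-in, optionally skipping VMware guests (likely author test runs)."""
    cands = [r for r in records if not (ignore_vmware and is_vmware_mac(r["mac"]))]
    return min(cands, key=lambda r: r["ts"])


def to_kml(records, geo):
    """One Placemark per infected location, labelled with the host count behind it."""
    kml = ET.Element("kml", xmlns="http://www.opengis.net/kml/2.2")
    doc = ET.SubElement(kml, "Document")
    for ip, n in sorted(hosts_by_ip(records).items()):
        country, lat, lon = geo[ip]
        pm = ET.SubElement(doc, "Placemark")
        ET.SubElement(pm, "name").text = f"{ip} ({country})"
        ET.SubElement(pm, "description").text = f"{n} infected host(s) behind this address"
        # KML orders coordinates as lon,lat,alt
        ET.SubElement(ET.SubElement(pm, "Point"), "coordinates").text = f"{lon},{lat},0"
    return ET.tostring(kml, encoding="unicode")


if __name__ == "__main__":
    wild = pre_patch(parse_log(SAMPLE_LOG))
    print(len(wild), "pre-patch check-ins;", sum(hosts_by_ip(wild).values()), "distinct hosts")
    print("per country:", dict(country_totals(wild, GEO)))
    p0 = first_seen(wild)
    print("patient zero:", p0["ip"], p0["ts"], p0["locale"])
    print(to_kml(wild, GEO))
```

Counting distinct MACs rather than log lines is what keeps a single chatty host (or a NAT gateway fronting a whole office) from inflating the numbers; on the sample data the Korean VMware box checks in twice but counts once, while the three machines behind the Malaysian address count as three. Save the KML output to a file and open it in Google Earth to get the placemark view used for the maps above.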

The KML file used to generate the maps above can be downloaded into Google Earth and is available here.


Are You Infected With Storm?

Tuesday, November 13th, 2007

If you saw the following browser window pop up on your desktop today for no apparent reason, you are:

Storm pop up window  



Avast, Ye Trojan Scallywags!

Friday, August 24th, 2007

For several years now, there has been a steady, increasing effort by computer criminals to utilize malware in order to steal data from victim computers. Often the criminals don’t actually write the malware, they simply download a trojan kit, configure it for their purposes and then spread it using various methods. We talk about these schemes all the time, yet there’s no good term to describe these miscreants.

They’re not exactly phishers, although they have the same goals.

They’re not VXers, and “trojan-fraudsters” doesn’t quite have a ring to it. But, if we think about what it is these criminals do for a living, it is quite analogous to piracy on the high seas. Hijacking (boarding) your computer and stealing your money, all done over the Internet, where no single jurisdiction applies.

Thus, I propose we redefine the term “computer piracy” to mean “the hijacking/unauthorized entry of another person’s computer for the purpose of stealing resources, data or money”. What most people think of as computer piracy these days isn’t really piracy anyway, it’s copyright infringement. It’s time to take back the definition of piracy and apply it to something it actually fits. The trojan-using fraudsters and thieves are nothing more than modern pirates.

Having this redefinition also suggests alternate ways of dealing with the problem - in days of old, private parties were commissioned with capturing and seizing the assets of pirates by letters of marque and reprisal. Although it sounds like an archaic concept, letters of marque are still authorized by the U.S. Constitution, and in fact have been suggested as a possible means for capturing Osama bin Laden, in the Marque and Reprisal Act of 2001 introduced into Congress by Rep. Ron Paul of Texas.

You may be thinking “yes, but privateers were often indistinguishable from pirates in previous centuries.” Yes, that’s true - it was difficult for a country issuing a letter of marque to monitor the activities of its privateers on the high seas. This kind of unchecked power plus the amount of wealth that travelled on merchant ships often led to greed and corruption.

These days we have computer security researchers already tracking down the pirates in their spare time, for free. They’re not looking for a payoff for their efforts other than seeing the miscreants go to jail and/or pay restitution. Seizing an asset these days might simply mean forcing a registrar to remove a domain name or an ISP to identify and/or disconnect a customer (given proof of fraudulent activity) - something the private crimefighter currently doesn’t have the authority to do. Most already work with law enforcement at home and abroad, however it is becoming increasingly clear that the current level of law enforcement effort is not making a noticeable impact in the amount of trojan activity.



Prg Trojan-Injected Ads on Job Sites - 46,000 Victims Infected Thus Far

Friday, August 17th, 2007

In late June, SecureWorks Senior Researcher Joe Stewart and I discovered new, previously undetected variants of the Prg Trojan (see Prg Trojan). This week, I uncovered the largest single cache of stolen data from the Prg Trojan yet. The Trojan, also called wnspoem, was originally discovered by Secure Science and analyzed by Michael Ligh in November 2006.

The data, which includes bank and credit card account information, SSNs, online payment account usernames and passwords and other personal information, is from 46,000 victims who were all individually infected. The infection began in early May. The victims are being infected and reinfected by ads on various online job sites. The hackers behind this scam are running ads on job sites and are injecting those ads with the Trojan.

Thus, when a user views or clicks one of the malicious ads, their PC is infected, and everything they enter into their browser is captured (including financial information, which the Trojan grabs inside the browser before the SSL session encrypts it) and sent off to the hackers’ server in the Asia Pacific region. This server is still collecting stolen data, and at any one time we see 9,000 to 10,000 victims sending information to it.

When I first discovered this large cache of data, I couldn’t figure out how the hackers were compromising so many websites, and as a result, infecting so many victims. However, when I uncovered the Trojan-injected advertisements, it made total sense. These job sites get quite a bit of traffic, so it is no wonder that the hackers are having such success. Not only is SecureWorks seeing a large infection rate among victims, but we have also found that many of the victims are being reinfected, leaving them with chronic Prg Trojan infections.

PC users are visiting these job sites and viewing these ads. They are then getting infected and two to three weeks later (after the hacker has captured their information) their anti-virus is catching the Trojan and wiping it off their PC. However, they are then going back to these online job sites, clicking or viewing another malicious ad and getting reinfected by the latest variant.

The hackers behind this scam are releasing a new variant every five days to a week on average, and sometimes even quicker. Anti-virus is having a hard time keeping up with so many variants, so infections are going undetected for several weeks, and although it might eventually get cleaned off the user’s machine, many of them are getting reinfected by a totally new, undetectable variant, and the infection cycle starts all over again.

How to Detect if Your Computer is Infected

Computers infected with the Prg Trojan will have a backdoor proxy server listening for connections on TCP port 6081. This port is not assigned to any legitimate service, and the listener is not hidden by the Trojan’s rootkit functionality, so it shows up in an ordinary port listing. If port 6081 is listening on your computer, you are likely infected with the Prg Trojan. If anti-virus is not detecting the infection, boot the computer into Safe Mode and run another scan. If that fails, manual removal or reinstalling the operating system may be necessary.
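The port check above can be automated across a fleet. The script below is an added example, not SecureWorks' own detection code: it parses `netstat -an` output for a TCP listener on 6081 and, as a cross-check, attempts a local TCP connect to the port. The two netstat excerpts embedded in it are constructed samples, not captures from a real infection.

```python
"""Check a host for the Prg Trojan's backdoor proxy on TCP 6081: parse
`netstat -an` output for a listener, then confirm with a local connect."""
import socket
import subprocess

PRG_PROXY_PORT = 6081

# Constructed `netstat -an` excerpt of an infected Windows host (sample data,
# not a real capture). Note the outbound connection whose REMOTE end is 6081:
# that is ordinary traffic and must not trigger the check.
INFECTED_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6081           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1045       203.0.113.9:80         ESTABLISHED
  TCP    192.168.1.5:1046       203.0.113.9:6081       TIME_WAIT
  UDP    0.0.0.0:445            *:*
"""

# Constructed excerpt of a clean host.
CLEAN_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1045       203.0.113.9:80         ESTABLISHED
"""


def parse_listeners(netstat_text):
    """Return {(local_ip, port)} for TCP sockets in a listening state.
    Accepts Windows ('LISTENING') and Unix netstat ('LISTEN') wording,
    tcp6 rows, and bracketed IPv6 locals such as [::]:6081."""
    listeners = set()
    for line in netstat_text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].lower().startswith("tcp"):
            continue
        if not any(t.upper() in ("LISTEN", "LISTENING") for t in tokens):
            continue
        local = next(t for t in tokens[1:] if ":" in t)  # first address column is the local side
        host, _, port = local.rpartition(":")
        listeners.add((host, int(port)))
    return listeners


def prg_indicators(netstat_text, port=PRG_PROXY_PORT):
    """Listening sockets bound to the Prg proxy port, sorted for stable output."""
    return sorted(l for l in parse_listeners(netstat_text) if l[1] == port)


def port_accepts_connections(port=PRG_PROXY_PORT, host="127.0.0.1", timeout=1.0):
    """Cross-check independent of netstat: a bound backdoor completes a TCP
    handshake on the port even if a tool's output were tampered with."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def check_this_host(port=PRG_PROXY_PORT):
    """Run netstat on the local machine and combine both indicators."""
    out = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    return {"listening": prg_indicators(out, port),
            "accepts_connect": port_accepts_connections(port)}


if __name__ == "__main__":
    print("sample infected host:", prg_indicators(INFECTED_NETSTAT))
    print("sample clean host:", prg_indicators(CLEAN_NETSTAT))
    print("this host:", check_this_host())
```

A positive result means something is bound to 6081, not necessarily Prg; before rebuilding a machine, run `netstat -ano` to get the owning PID and confirm which process holds the socket. The connect probe is only meaningful against the local host or a host whose firewall lets you reach the port; the page's point that the rootkit does not hide this listener is what makes the plain netstat check reliable.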
