On October 23, 2008, Microsoft released an out-of-cycle emergency patch for a flaw in the Windows RPC code. The reason for this unusual occurrence was the discovery of a "zero-day" exploit being used in the wild by a worm (or trojan, depending on how you look at it). The announcement of a new remote exploit for unpatched Windows systems always raises tension levels among network administrators. The fact that this one was already being used by a worm evoked flashbacks of Blaster and Sasser and other previous threats that severely impacted the networked world.
But, unlike these past worms, Gimmiv turned out to have infected scarcely any networks at all. One reason for this is that the scanning done by Gimmiv looking for vulnerable hosts is limited to the local subnet, meaning it can only jump networks if an infected computer is moved from one network to another. Even if this were not the case, by default Windows XP SP2 (and above) restricts connections to the RPC ports to the local subnet only. So although future trojans and worms might utilize the same exploit, the window of opportunity for a globally impacting worm using this vector has passed for the most part.
Because of some mistakes made by the author(s) of Gimmiv, third parties were able to download the logfiles of the Gimmiv control server. Although most of the data in the logs is AES-encrypted, we were able to find the key hardcoded in the Gimmiv binary and decrypt the data.
Although it has been reported that Gimmiv is a credential-stealing trojan, this functionality is actually not used; the gathered data is never sent. What is sent is simply basic system information, such as the Windows version, IP and MAC address, Windows install date/time and the default system locale. Using this data we were able to track exactly how many computers had been infected prior to October 23rd (after this time infection counts are somewhat skewed due to malware researchers all over the world investigating Gimmiv). As it turns out, only around 200 computers were infected since the time Gimmiv was actively deployed on September 29, 2008.
By converting the decrypted log data into KML format, we were able to use Google Maps and Google Earth to take a look at the global impact and spread of Gimmiv. Only 23 countries had infected users, and Southeast Asia appeared to have the greatest number of infections:
Each computer on the maps above represents a Gimmiv-infected location; due to NAT, a single location may include dozens of computers. For example, two networks in Malaysia had the most infections:
While Malaysia was the hardest hit, it appears that the "in-the-wild" spread of Gimmiv may have started in Vietnam on September 29:
Looking in the logs, we actually see that Gimmiv first appeared on August 20, 2008, but we don't count this as being in the wild, because logs were seen from only two IP addresses, and only briefly. One of these IP addresses, located in Korea, we can tell was running Gimmiv in a VMware virtual machine, exactly the kind of thing you might expect someone testing a piece of malicious mobile code to do:
Additionally, a zip file left behind on one of the control servers contained Korean characters in the compressed folder name. For these two reasons, we believe Gimmiv's author is probably from South Korea.
The KML file used to generate the maps above can be downloaded into Google Earth and is available here.
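As an added illustration (not the CTU's own tooling), here is how decrypted check-in records of the kind described above can be deduplicated by source IP, cut off at the October 23 patch date, and written out as KML for Google Earth. The record layout, field names and coordinates are assumptions, and the sample records are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample check-ins in the shape of the decrypted Gimmiv log data
# discussed above: (timestamp, source IP, Windows version, locale, lat, lon).
# IPs are documentation ranges; coordinates are assumed, not real log values.
SAMPLE_LOG = [
    ("2008-09-29 04:12:00", "203.0.113.5", "5.1.2600 SP2", "vi-VN", 21.03, 105.85),
    ("2008-10-02 11:40:00", "198.51.100.7", "5.1.2600 SP2", "ms-MY", 3.14, 101.69),
    ("2008-10-02 13:05:00", "198.51.100.7", "5.1.2600 SP2", "ms-MY", 3.14, 101.69),
    ("2008-10-24 09:00:00", "192.0.2.9", "6.0.6001 SP1", "en-US", 37.77, -122.42),
]

# Check-ins from the patch release date onward are dominated by researchers.
PATCH_DATE = datetime(2008, 10, 23)


def infected_hosts(records, cutoff=PATCH_DATE):
    """Map each source IP to its earliest check-in strictly before the cutoff.

    Deduplicating on IP gives a lower bound: behind NAT one address may
    represent many infected machines, as the Malaysian networks showed.
    """
    first_seen = {}
    for ts, ip, winver, locale, lat, lon in records:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if when >= cutoff:
            continue
        if ip not in first_seen or when < first_seen[ip][0]:
            first_seen[ip] = (when, winver, locale, lat, lon)
    return first_seen


def to_kml(hosts):
    """Emit a KML document with one time-stamped Placemark per infected IP."""
    kml = ET.Element("kml", xmlns="http://www.opengis.net/kml/2.2")
    doc = ET.SubElement(kml, "Document")
    for ip, (when, winver, locale, lat, lon) in sorted(hosts.items()):
        pm = ET.SubElement(doc, "Placemark")
        ET.SubElement(pm, "name").text = ip
        ET.SubElement(pm, "description").text = f"first seen {when:%Y-%m-%d %H:%M}; Windows {winver}; locale {locale}"
        # TimeStamp lets Google Earth's time slider replay the spread.
        ts = ET.SubElement(pm, "TimeStamp")
        ET.SubElement(ts, "when").text = when.strftime("%Y-%m-%dT%H:%M:%SZ")
        point = ET.SubElement(pm, "Point")
        # KML orders coordinates as lon,lat,alt (not lat,lon).
        ET.SubElement(point, "coordinates").text = f"{lon},{lat},0"
    return ET.tostring(kml, encoding="unicode")
```

Writing `to_kml(infected_hosts(SAMPLE_LOG))` to a `.kml` file gives two placemarks that can be opened directly in Google Earth; the post-patch check-in is excluded.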