GBOT


 ALIASES:

Microsoft: Seleya
Eset: Seleya

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Dropped by other malware

GBOT variants usually come in the form of backdoors, all of which can receive commands from a remote malicious user, including instructions to carry out HTTP, ICMP, and TCP flooding (denial-of-service) attacks.

Variants of the GBOT family also have the capability to use certain websites as a fake HTTP referrer. Other variants can harvest FTP credentials, such as the host name, user ID, password, and port number, for various FTP servers.

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Connects to URLs/IPs, Compromises system security

Installation

This backdoor drops the following copies of itself into the affected system:

  • %Windows%\WinUpdaterstd\svchost.exe
  • %User Temp%\WinUpdaterstd\svchost.exe
  • %User Temp%\winsvchost\svchost.exe
  • %Application Data%\nightupdate\svchost.exe
  • %Windows%\nightupdate\svchost.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows on all Windows operating system versions. %User Temp% is the user's temporary folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit), and C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012. %Application Data% is the Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit), and C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012. Note that the dropped files borrow the name svchost.exe, but the legitimate svchost.exe resides only in %Windows%\System32 (and %Windows%\SysWOW64 on 64-bit systems); a copy in any of the folders above is not the Windows binary.)

Other System Modifications

This backdoor adds the following registry entries. The policies\Explorer\Run values are the Group Policy "Run these programs at user logon" list, so the dropped copy is launched at every logon; the FirewallPolicy\AuthorizedApplications\List values register the dropped copy as a Windows Firewall exception (format: path:scope:Enabled:display name) so its network traffic is not blocked:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run
WinUpdaterstd = "%Windows%\WinUpdaterstd\svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run
Update service = "%User Temp%\WinUpdaterstd\svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run
Update service = "%User Temp%\winsvchost\svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run
UpdateSvchost = "%Application Data%\nightupdate\svchost.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\AuthorizedApplications\List
UpdateSvchost = "%Application Data%\nightupdate\svchost.exe:*:Enabled:svchost"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\AuthorizedApplications\List
UpdateSvchost = "%Windows%\nightupdate\svchost.exe:*:Enabled:svchost"
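The persistence and firewall-exception artifacts above are easy to hunt for in a registry export. The following is an added example (not code from the original page or from any vendor) that parses a .reg export and flags svchost.exe entries that sit outside System32 or in one of the three folder names this page lists. The registry text embedded in it is constructed sample data, including the user name "bob" and the benign Firefox exception used as a negative case.

```python
"""Hunt a .reg export for the GBOT persistence and firewall artifacts described above.
Added example; the SAMPLE_REG text below is constructed, not a real capture."""
import re

POLICY_RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run"
FW_LIST = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
           r"\Parameters\FirewallPolicy\AuthorizedApplications\List")

# Folder names used by the dropped copies on this page (compared case-insensitively).
GBOT_DIRS = {"winupdaterstd", "winsvchost", "nightupdate"}
# The only folders where the genuine svchost.exe lives.
SYSTEM_DIRS = {"system32", "syswow64"}

# Data format of an XP SP2/2003 firewall exception: <path>:<scope>:Enabled|Disabled:<name>
FW_VALUE_RE = re.compile(r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$")

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"WinUpdaterstd"="C:\\Windows\\WinUpdaterstd\\svchost.exe"
"Update service"="C:\\Users\\bob\\AppData\\Local\\Temp\\winsvchost\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\AuthorizedApplications\List]
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"UpdateSvchost"="C:\\Users\\bob\\AppData\\Roaming\\nightupdate\\svchost.exe:*:Enabled:svchost"
'''


def parse_reg(text):
    """Return {key_path: {value_name: string_data}} from .reg export text (REG_SZ values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            # .reg files escape backslashes and quotes; undo both.
            unescape = lambda s: s.strip().strip('"').replace("\\\\", "\\").replace('\\"', '"')
            keys[current][unescape(name)] = unescape(data)
    return keys


def svchost_reason(path):
    """Why a path is suspicious, or None. Only svchost.exe outside System32/SysWOW64 qualifies."""
    parts = path.lower().split("\\")
    if parts[-1] != "svchost.exe" or len(parts) < 2:
        return None
    parent = parts[-2]
    if parent in SYSTEM_DIRS:
        return None
    if parent in GBOT_DIRS:
        return "known GBOT directory"
    return "svchost.exe outside System32"


def find_gbot_artifacts(reg_text):
    """Return a list of (where, value_name, path, reason) for suspicious entries."""
    keys = parse_reg(reg_text)
    hits = []
    for name, data in keys.get(POLICY_RUN, {}).items():
        reason = svchost_reason(data)
        if reason:
            hits.append(("policy_run", name, data, reason))
    for name, data in keys.get(FW_LIST, {}).items():
        m = FW_VALUE_RE.match(data)
        exe = m.group("path") if m else data
        reason = svchost_reason(exe)
        if reason:
            hits.append(("firewall_exception", name, exe, reason))
    return hits


if __name__ == "__main__":
    for hit in find_gbot_artifacts(SAMPLE_REG):
        print(hit)
```

On a live host, feed it the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run out.reg` (and the FirewallPolicy key) rather than the constructed sample; anything at all under the policies Run key deserves a look, but the svchost.exe location check is what separates these entries from the real service host.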

Other Details

This backdoor connects to the following possibly malicious URLs to retrieve commands:

  • http://topshell.ru/gbot/getcmd.php?id=-{Malware ID}&traff=0
  • http://vocm.info/Alpha1/getcmd.php?id=-{Malware ID}&traff=0
  • http://vegaszoid.net//./././getcmd.php?id=-{Malware ID}&traff=0
  • http://fifavnn.com/xx/getcmd.php?id=-{Malware ID}&traff=0
  • http://hisoka.mobi/panel/getcmd.php?id=-{Malware ID}&traff=0
  • http://mustrem.in/only/getcmd.php?id=-{Malware ID}&traff=0
  • http://vipcam89.com/d3/getcmd.php?id=-{Malware ID}&traff=0
  • http://hackers-area.com/p/getcmd.php?id=-{Malware ID}&traff=0
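Every URL above shares the same check-in shape, /.../getcmd.php?id=-{Malware ID}&traff=0, while the host varies. The following is an added example (not code from the original page) that scans proxy log lines for that pattern. It goes beyond the page's list by matching on the path and query string regardless of host, so rotated C2 domains are still caught, and only uses the host list to mark which hits are already documented. The log format, client IPs, the update.example.net host and the bot IDs are all constructed.

```python
"""Flag GBOT getcmd.php check-ins in HTTP proxy logs.
Added example; SAMPLE_LOG and its format are constructed, not a real capture."""
from urllib.parse import urlsplit, parse_qs

# C2 hosts listed on this page.
KNOWN_GBOT_HOSTS = {
    "topshell.ru", "vocm.info", "vegaszoid.net", "fifavnn.com",
    "hisoka.mobi", "mustrem.in", "vipcam89.com", "hackers-area.com",
}

# Constructed log lines: "<timestamp> <client_ip> <method> <url> <status>".
SAMPLE_LOG = """\
2011-03-02T10:15:01Z 10.1.4.22 GET http://topshell.ru/gbot/getcmd.php?id=-123456&traff=0 200
2011-03-02T10:15:03Z 10.1.4.22 GET http://www.example.com/index.html 200
2011-03-02T10:16:11Z 10.1.4.37 GET http://update.example.net/getcmd.php?id=-777&traff=0 200
2011-03-02T10:16:12Z 10.1.4.37 GET http://cdn.example.org/lib/getcmd.js 200
2011-03-02T10:17:40Z 10.1.4.51 GET http://vegaszoid.net//./././getcmd.php?id=-98&traff=0 200
2011-03-02T10:18:02Z 10.1.4.51 GET http://www.example.com/getcmd.php?page=1 200
"""


def classify_url(url):
    """Return (host, bot_id, known_host) for a GBOT-style check-in URL, else None.

    The host is deliberately not required to be in KNOWN_GBOT_HOSTS: the path and
    query shape is the stable part of the beacon, the domains rotate."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    # The odd "//./././getcmd.php" form on this page still ends in /getcmd.php,
    # so no path normalisation is needed for the match.
    if not parts.path.lower().endswith("/getcmd.php"):
        return None
    q = parse_qs(parts.query, keep_blank_values=True)
    if "id" not in q or "traff" not in q:
        return None
    host = (parts.hostname or "").lower()
    return host, q["id"][0], host in KNOWN_GBOT_HOSTS


def scan_proxy_log(text):
    """Return one alert dict per matching line, in log order."""
    alerts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, client, _method, url, _status = fields[:5]
        hit = classify_url(url)
        if hit is None:
            continue
        host, bot_id, known = hit
        alerts.append({"time": ts, "client": client, "host": host,
                       "bot_id": bot_id, "known_c2": known})
    return alerts


if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_LOG):
        print(alert)
```

The `known_c2` flag separates confirmed hosts from new ones that only match the beacon shape; the latter are the interesting cases for a SOC, since they are candidate C2 domains not yet on the list. The `bot_id` value is carried through as found, including the leading "-" shown on this page, so analysts can pivot on it across hosts.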