Nov 5, 2008

Tracking Gimmiv

There is an interesting post from researcher Joe Stewart.

It tracks a 0-day exploit that targeted the flaw addressed by an out-of-band Microsoft patch (MS08-067), a patch against a flaw in the Windows RPC code.

Because of some mistakes made by the author(s) of the Gimmiv worm, third parties were able to download the log files of the Gimmiv control server. Although most of the data in the logs is AES-encrypted, the key hardcoded in the Gimmiv binary was recovered and used to decrypt the data.

After converting the decrypted log file into KML format, the results show that:
  • Only around 200 computers were infected since Gimmiv was actively deployed on September 29, 2008.
  • Only 23 countries had infected users, and Southeast Asia appeared to have the greatest number of infections. Two networks in Malaysia had the most infections.
  • While Malaysia was the hardest hit, it appears that the “in-the-wild” spread of Gimmiv may have started in Vietnam on September 29.
  • The log shows that Gimmiv first appeared on August 20, 2008.

Gimmiv's author is probably from South Korea, because:
  • A zip file left behind on one of the control servers contained Korean characters in the compressed folder name.
  • One of the IP addresses, located in Korea, was running Gimmiv in a VMware virtual machine (possibly someone testing the malicious code).