M86 Security Labs

Grum


March 19, 2009

Aliases

  • Tedroo

Comments

Grum is a pesky spam botnet because it tends to infect files referenced by autorun registry entries. Its kernel-mode rootkit hides its component files as well as legitimate Windows system files, which makes it difficult to detect and remove. Grum concentrates mainly on pharmaceutical spam. Its spam templates vary widely and change often, and are served from several different web servers.

Features

  • Kernel-based rootkit
  • Reports to command and control server via HTTP on port 80
  • Downloads plain text spam templates and address lists from a webserver
  • Multiple control servers exist
  • Performs DNS MX lookups to send spam

Spamming Rate

  • 4000 messages per hour per bot

Command and Control

From the samples that we have examined, we have seen Grum connect to the following IP addresses:

  • 66.96.248.21
  • 206.51.229.118 (NOC4HOSTS)
  • 206.51.234.126
  • 206.51.238.243
  • 91.207.4.122
  • 91.207.4.58
  • 91.207.4.106
  • 91.207.5.66
  • 91.207.5.106
  • 91.207.6.194
  • 91.207.7.194
  • 91.207.7.234
  • 91.207.8.242
  • 195.190.13.18
  • 195.190.13.146

Once Grum establishes a connection to a control server, it tries to send a test email message. If this succeeds, it sends the following HTTP request to its control server:

GET /spm/s_alive.php?id=<bot ID>&tick=<Random>&ver=204&smtp=ok HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; VS2)
Accept: */*
Connection: Keep-Alive

If the SMTP test message fails, it sends instead:

GET /spm/s_alive.php?id=<bot ID>&tick=<Random>&ver=204&smtp=bad HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; VS2)
Accept: */*
Connection: Keep-Alive
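The beacon above is a stable network indicator: a fixed path, a fixed query layout (bot ID, tick, version, SMTP test result) and an unusual "VS2" token in the User-Agent. The following detection script is an added example written for this page, not M86 tooling; it runs the three indicators from this profile (C2 addresses, beacon path, User-Agent) over web proxy log lines in a hypothetical, constructed log layout, extracts the bot ID and SMTP result from matching beacons, and lists the clients that are confirmed infected.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the Grum profile: beacon path, User-Agent and C2 addresses.
GRUM_BEACON_PATH = "/spm/s_alive.php"
GRUM_USER_AGENT = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; VS2)"
GRUM_C2_IPS = {
    "66.96.248.21", "206.51.229.118", "206.51.234.126", "206.51.238.243",
    "91.207.4.122", "91.207.4.58", "91.207.4.106", "91.207.5.66",
    "91.207.5.106", "91.207.6.194", "91.207.7.194", "91.207.7.234",
    "91.207.8.242", "195.190.13.18", "195.190.13.146",
}

# Hypothetical proxy log layout (an assumption for this example, not any product's format):
#   <timestamp> <client_ip> <dest_ip> <method> <url> "<user_agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<dest>\S+) (?P<method>[A-Z]+) '
    r'(?P<url>\S+) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: two Grum beacons (SMTP test ok / bad), one benign
# request, and one request that only shares the beacon path.
SAMPLE_LOG = """\
2009-03-19T10:00:01Z 10.0.0.7 206.51.229.118 GET http://206.51.229.118/spm/s_alive.php?id=483920174651&tick=9182&ver=204&smtp=ok "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; VS2)"
2009-03-19T10:00:05Z 10.0.0.9 93.184.216.34 GET http://example.com/index.html "Mozilla/5.0 (Windows NT 5.1)"
2009-03-19T10:01:12Z 10.0.0.12 91.207.4.122 GET http://91.207.4.122/spm/s_alive.php?id=110293847562&tick=31&ver=204&smtp=bad "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; VS2)"
2009-03-19T10:02:00Z 10.0.0.7 93.184.216.34 GET http://example.com/spm/s_alive.php "Mozilla/5.0 (Windows NT 5.1)"
"""


def parse_line(line):
    """Split one log line into its fields, or return None if it does not fit the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Return a finding if the record carries any Grum indicator, else None."""
    url = urlsplit(rec["url"])
    query = parse_qs(url.query)
    reasons = []
    if rec["dest"] in GRUM_C2_IPS:
        reasons.append("c2_ip")
    if url.path == GRUM_BEACON_PATH:
        reasons.append("beacon_path")
    if rec["ua"] == GRUM_USER_AGENT:
        reasons.append("user_agent")
    if not reasons:
        return None
    first = lambda name: query.get(name, [None])[0]
    return {
        "ts": rec["ts"],
        "client": rec["client"],
        "dest": rec["dest"],
        "bot_id": first("id"),      # Grum's per-machine ID
        "ver": first("ver"),        # 204 in the samples described above
        "smtp": first("smtp"),      # "ok" or "bad": result of the bot's SMTP test
        "reasons": reasons,
    }


def detect_grum_beacons(log_text):
    """Scan a block of log text and return all findings in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        finding = classify(rec)
        if finding:
            findings.append(finding)
    return findings


def hosts_with_confirmed_bot(findings):
    """Clients that sent a beacon carrying a bot ID to a known C2: isolate these first."""
    return sorted({f["client"] for f in findings
                   if f["bot_id"] and "c2_ip" in f["reasons"]})


if __name__ == "__main__":
    for f in detect_grum_beacons(SAMPLE_LOG):
        print(f)
    print("confirmed:", hosts_with_confirmed_bot(SAMPLE_LOG and detect_grum_beacons(SAMPLE_LOG)))
```

The three indicators are scored separately so that a request which only shares the path (the last sample line) still surfaces for review, while a full beacon to a listed C2 address is reported as confirmed. The `smtp=bad` case is worth keeping: it shows a bot that is alive but whose outbound SMTP is blocked, which is exactly the state an egress filter on port 25 should leave an infected host in.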


Malware Behavior on Host

Grum drops the following files on the host computer (depending on the variant):

  • %Windows%\services.exe
  • %Temp%\winlogon.exe - spammer module
  • %SystemRoot%\System32\DefLib.sys - rootkit module

DefLib.sys hooks the following kernel-mode system service APIs to hide files and related objects:

  • ZwQuerySystemInformation
  • ZwQueryDirectoryFile
  • ZwOpenProcess
  • ZwEnumerateValueKey
  • ZwCreateThread

DefLib.sys cloaks files whose names start with "D" or "W" in the System32 directory. Grum also drops a batch file with a filename similar to the original (i.e. <malwarename>.bat) that deletes the original file after execution.

Grum adds the following registry entries on the infected system:

Adds the control server IP addresses in the system registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop
    • host =  "206.51.229.118"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security
    • host =  "206.51.229.118"

Unique ID for each infected machine:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop
    • id =  <random 12 digits>
    • host = <control server IP address>

Registers the rootkit module as a service:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysLibrary
    • ImagePath =  "\??\C:\WINDOWS\system32\DefLib.sys"
    • Type = dword:00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysLibrary\Enum
    • 0 =  "Root\LEGACY_SYSLIBRARY\0000"
    • Count = dword:00000001
    • NextInstance = dword:00000001

Adds autorun registry entries to execute the trojan at Windows start-up:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • Firewall auto setup =  %Temp%\winlogon.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    • services = %windows%\services.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\services
    • del = ""

Adds registry entries to override the firewall settings:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
    • EnableFirewall = 0x00000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
    • EnableFirewall = 0x00000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    • FirewallOverride = 0x00000001

Grum also creates a mutex named "Al Start 1" that acts as an infection marker in the system.
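The registry entries listed above make a compact host-side indicator set. The script below is an added example, not M86's tooling: it parses the text of a Windows `reg export` file (the "Windows Registry Editor Version 5.00" format, including `dword:` values, `hex(2):` REG_EXPAND_SZ values and backslash line continuations) and checks it against rules derived from this profile. The sample export is constructed for the example. The mutex "Al Start 1" is not a registry artefact and needs a live-host check, which this script does not perform.

```python
import ipaddress


def _is_ip(v):
    """True for a string holding an IP literal (IE never stores one under Desktop/Security)."""
    if not isinstance(v, str):
        return False
    try:
        ipaddress.ip_address(v)
        return True
    except ValueError:
        return False


def _ends_with(suffix):
    return lambda v: isinstance(v, str) and v.lower().endswith(suffix)


# (key, value name, predicate on decoded data, description); all taken from the profile above.
RULES = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop", "host", _is_ip,
     "control server IP stored under IE Desktop key"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security", "host", _is_ip,
     "control server IP stored under IE Security key"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop", "id",
     lambda v: isinstance(v, str) and len(v) == 12 and v.isdigit(), "12-digit Grum bot ID"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysLibrary", "ImagePath",
     _ends_with("deflib.sys"), "rootkit driver registered as SysLibrary service"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Firewall auto setup",
     _ends_with("winlogon.exe"), "spammer module autorun"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "services",
     _ends_with("services.exe"), "dropped services.exe autorun"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile",
     "EnableFirewall", lambda v: v == 0, "firewall disabled by policy (standard profile)"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile",
     "EnableFirewall", lambda v: v == 0, "firewall disabled by policy (domain profile)"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", "FirewallOverride",
     lambda v: v == 1, "Security Center firewall status overridden"),
]

# Constructed sample export (not from a real host). ImagePath is shown as hex(2)
# with continuation lines, the way reg export writes REG_EXPAND_SZ values.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop]
"host"="206.51.229.118"
"id"="483920174651"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Firewall auto setup"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\winlogon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysLibrary]
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,\
  4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  44,00,65,00,66,00,4c,00,69,00,62,00,2e,00,73,00,79,00,73,00,00,00
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallOverride"=dword:00000001
'''


def _decode_value(v):
    if v.startswith('"') and v.endswith('"'):          # REG_SZ: unescape \" and \\
        return v[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if v.startswith("dword:"):                          # REG_DWORD as hex
        return int(v[6:], 16)
    if v.startswith("hex(2):"):                         # REG_EXPAND_SZ as UTF-16LE bytes
        raw = bytes.fromhex(v[7:].replace(",", ""))
        return raw.decode("utf-16-le").rstrip("\x00")
    return v                                            # other blobs left raw


def parse_reg_export(text):
    """Parse .reg text into {key (lower-cased): {value name: decoded data}}."""
    hives, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):                         # continuation: join with next line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = hives.setdefault(line[1:-1].lower(), {})
        elif current is not None and line.startswith('"'):
            end = line.index('"', 1)
            current[line[1:end]] = _decode_value(line[end + 2:])
        elif current is not None and line.startswith("@="):
            current["(default)"] = _decode_value(line[2:])
    return hives


def scan_for_grum(hives):
    """Apply every rule; return one finding per matching value."""
    findings = []
    for key, name, pred, desc in RULES:
        values = hives.get(key.lower(), {})
        if name in values and pred(values[name]):
            findings.append({"key": key, "value": name, "data": values[name], "desc": desc})
    return findings


if __name__ == "__main__":
    for f in scan_for_grum(parse_reg_export(SAMPLE_EXPORT)):
        print(f["desc"], "->", f["key"], f["value"], repr(f["data"]))
```

To run it against a real machine, export the relevant hives with `reg export` and read the file with `encoding="utf-16"` before passing the text to `parse_reg_export`. Because the rootkit hooks ZwEnumerateValueKey, a scan performed on the infected host itself may not see these values; an export taken from the offline hive files (or from a clean boot environment) is the reliable source.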


Last Reviewed: April 20, 2009 by Rodel Mendrez