A glimpse in the past: Taking a look at a Gimmiv component timeline

I decided to take a look at the timeline of Gimmiv trojan component sysmgr.dll. Some of the results were a bit surprising.

First of all, I had 18 samples to work on. Here’s the compiled TimeDateStamps and MD5 hashes of them:

00:06:46 19.09.2008 0d1164549a480eb61d778f79fda71a62
00:07:12 19.09.2008 13bd22b626549f3c42dc764abdc6658f
00:07:43 19.09.2008 a04bd2cca69397db1afd03175f411f29
00:08:09 19.09.2008 7d33d6bf346ff022f005d30267a6154c
00:08:37 19.09.2008 4f808508d267465d54fe81a359dfa8c9
00:09:06 19.09.2008 f5ab96c2acaff50218e5dfe77ef2659a
00:09:33 19.09.2008 ec921a477b52a978050781dce09337c0
04:47:52 19.09.2008 f166333c55f061bb331c7c95e0dafbc7
06:50:40 29.09.2008 0de79e7dc89c6834f721a9c201177f35
06:51:10 29.09.2008 d14f812fa974818121eaa043d9e33c99
06:51:38 29.09.2008 c2c271b34dbaf91e4f54a17bbb352178
06:52:06 29.09.2008 06fbcf231d6db6e97d4dba5251252658
06:52:37 29.09.2008 768b0f2a83075b77889fe3732f504ac0
06:53:03 29.09.2008 c7e02aa2ea29392641a6d800aa3aba03
06:53:31 29.09.2008 d37f21cfea4717e73b58292c541c850f
02:06:42 13.10.2008 70f1114f1bc77d860fc1d37489c5f599
02:07:08 13.10.2008 969b4c98a4570bbdc4299de353806459
02:30:40 13.10.2008 1cdc67b1d55e9a2d30c0dba193375c11

Based on the sample set I have, the attackers had an at least somewhat working version of the trojan as early as September 19th, which is well over a month ago. Do bear in mind that this most likely isn’t a full list of versions of sysmgr.dll. If you are in possession of samples other than the ones already on the list, I’d be interested in receiving them to fill in the timeline. The samples can be sent to samples_at_teamfurry_dot_com in a password-protected archive.

I decided to take a look at how the code changed during this time period. First of all, all the samples compiled on 19.9.2008 are identical _codewise_, meaning that the code is the same but the carried data has been changed. I’ll get to these changes at the end of this post.

The first codebase change was between 19.9.2008 and 29.9.2008. The difference was mostly in one function that’s basically acting as the _main. Here’s a pic of the _main on 19.9.2008:

Gimmiv 19.09.2008 variant _main

And here’s a pic of the _main from the first sample on 29.9.2008:

Gimmiv 29.09.2008 variant _main

So basically all that changed was that they added a check in the _main for a BitDefender registry key. The earlier variant already had the code to do the check, but the result was only used when reporting back to the C&C. The 29.09.2008 variant terminates itself if it sees that BitDefender is present in the registry.

Judging by the timestamps of the 19.09.2008 binaries, they’re all about 30 seconds apart, except for one. This could indicate either automation or someone manually changing a minor detail like the C&C server location and recompiling. We can see the same behaviour in the other timestamps as well.
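To rebuild a timeline like the one above from raw samples, here is an added example (not code from the original post) that reads the COFF TimeDateStamp straight out of the PE header, hashes each file, sorts the builds and groups those compiled within a minute of each other into batches, which makes the 30-second recompile runs stand out. It assumes the stamps are plain seconds since the epoch and prints them in UTC; the samples below are constructed header-only PE stubs, not Gimmiv binaries.

```python
import hashlib
import struct
from datetime import datetime, timezone

def pe_timedatestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since 1970-01-01 UTC) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]

def timeline(samples, gap=60):
    """samples: iterable of (name, bytes). Returns rows sorted by build time as
    (timestamp_text, md5, name, batch). Builds within `gap` seconds of the
    previous one share a batch number, which surfaces the ~30 s recompile runs."""
    rows = sorted((pe_timedatestamp(d), hashlib.md5(d).hexdigest(), n) for n, d in samples)
    out, batch, prev = [], 0, None
    for ts, md5, name in rows:
        if prev is not None and ts - prev > gap:
            batch += 1
        prev = ts
        stamp = datetime.fromtimestamp(ts, timezone.utc).strftime("%H:%M:%S %d.%m.%Y")
        out.append((stamp, md5, name, batch))
    return out

def make_fake_pe(timestamp: int, payload: bytes) -> bytes:
    """Constructed header-only PE (not a real Gimmiv sample) for the demo below."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0)
    return dos + coff + payload

# Constructed inputs: two builds 26 s apart on 19.09.2008, one ten days later.
DEMO_SAMPLES = [
    ("a.dll", make_fake_pe(1221782806, b"c2.example\0")),   # 00:06:46 19.09.2008
    ("b.dll", make_fake_pe(1221782832, b"c2.invalid\0")),   # 00:07:12 19.09.2008
    ("c.dll", make_fake_pe(1222671040, b"c2.example\0")),   # 06:50:40 29.09.2008
]

def demo():
    return timeline(DEMO_SAMPLES)

if __name__ == "__main__":
    for stamp, md5, name, batch in demo():
        print(stamp, md5, name, "batch", batch)
```

On real samples, replace DEMO_SAMPLES with (filename, open(path, "rb").read()) pairs; a stamp can of course be forged by the compiler or a packer, so treat it as a hint, not proof of build time.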

As with the 19.09.2008 samples, all the samples compiled on 29.9.2008 are codewise identical, with only data being changed.

The variants introduced on 13.10.2008 are codewise identical to the 29.9.2008 variants, so only data changed there, even though they have bugs in the code.

I’m starting to do a similar analysis of the other components as well. If you have any of the DLL samples belonging to Gimmiv, please send them to samples_at_teamfurry_dot_com in a password-protected archive. It would be nice to establish a proper timeline of the code changes, as well as to see whether they’ve possibly done “in production” testing of features.
