Koobface, an excuse to talk about botnets and cyber crime

Pierluigi Paganini January 19, 2012

Koobface virus is undoubtedly considered as the malware of social network because it uses them as spread channel. We have repeatedly mentioned the incredible power of social networking media, platforms that reach a global audience with a simple click, obvious that such a capability could be attractive to criminal organizations for the spread of malware.

Koobface unlike other malware propagated through social networking using an “active approach to its spread,” infecting each host and then propagate into the network, regardless of user awareness that in some cases deliberately share content with your friends.

The most common infection method is through via fake content on compromised web site. It is sufficient to click on one of the links which Koobface has posted on this web site. Usually this links attrac user proposing the download of cool video or applications. Unfortunately behind this link is hidden an installer for the Koobface virus.

The good news is that usually this type of malware are identified with little difficulty by leading antivirus on the market.

Koobface is a bot agent that once has infected the host connect back to so-called command and control servers (C&C) or receive directives on actions to perform or to upload stolen information. In this way the agent is able in a short time to build its on botnet, a huge number of Internet computers that, although their owners are unaware of it, have been set up to forward spam or viruses to other hosts on the Internet.

In this way a botmasters that control the botnet can instruct the infected computer to download and run any other application. Bot, or also called Zombie, computers can be invisibly controlled by criminal hackers to launch distributed denial-of-service attacks, spread spam messages or to steal confidential information. In this way, in fact users cannot manage their PCs.

The Koobface botnet has been built by a self proclaimed “Ali Baba & 4” or “Koobface Gang” group that is delinquent internet users since 2008. Do not make the mistake of thinking that botnets are a problem unique to careless users. They represent actual cyber threats at every level from which to defend themselves, they are a danger to society.  Cyber criminals are becoming more aggressive, collaborating with virus writers to create armies of bot computers, consider for example also that entire legitimate organisations with compromised computers are being identified as a source of spam.

Countless damage, from the possibility of attack sites and institutional organizations to the opportunity to realize fraud hardly to intercept on time. The threat from cyber space, as always argue, becomes concrete, and inflicts damage to the real world, even to those who are away from computer. Each service which every day we benefit is controlled by computers that are exposed to these threats.

But which is the monetization method used for Koobface? There are several evidences that the Koobface gang is involved in criminal activities such as clickfraud, FakeAV installation, information stealing and online dating.

Koobface and similar malware runs in stealth mode on infected hosts stealing informations and monitoring web activities of the victims. That is why it is suggested to change passwords on all on-line accounts once the malware has been found and removed.

This mode is considered cutting edge if compared to another possibility, absurd and imaginative, they are just human to solve the captcha.  The captured image is sent to operations centers in which the slaves of this criminal market provide the correct interpretation of the captcha. Unbelievable but true, that men hired for a few dollars a day by the crime meet the captcha, this happens in many parts of Eastern Europe and Asia, the alienation of the individual.

The best cure is prevention and awareness of the problem, in a time when cyber threats are growing at a dizzying rate. So lets share info on the malware and the on the channel used to its diffusion, keep our host updated on a security point of view installing latest patchs released by the main software vedors and be carefull during our web navigation, expecially on social networking sites.

The cyber criminals are moving into a territory not controlled, the cyber space, and it is often impossible to locate them in a specific are of the planet, and when this happens we encounter many problems related to territorial jurisdiction and local cyber laws often frustrate efforts in investigations.

Let’s give a look to the investigations conducted for this case by Sophos experts.

Interesting research has been conducted by independent researcher Jan Drömer and Dirk Kollberg of SophosLabs from early October 2009 until February 2010 and has since been made available to various international law enforcement agencies.  The Koobface investigation has been concentrated efforts to locate the Koobface Command & Control (C&C) servers used to steer the attacks.

But no crime is perfect, not even cyber crime. This “Koobface Mothership” was identified in an host with IP address, located within a network of UPL Telecom in Prague (Czech Republic) and used to store statistics, monitor C&C and used within the restore process in case C&C servers become unavailable. On that machine were found domain names (babkiup.com and service.incall.ru) were also hosted on the Koobface Mothership server. babkiup.com was the main Koobface Botnet service provider.

Analizing the traffic exchanged in the botnet the most interesting information was found within a PHP script used to submit daily revenue statistics via short text messages to five mobile phones. The international prefix +7 identifies these numbers to be Russian telephone numbers. Let me suck you read the document on the sophos investigation. An exceptional example of how the coarse errors have been used as starting point to discover the identity of criminals. From these mobile phone numbers, thanks to search engines and improper use of social networks has risen to the identity of the members of the dreaded group.

Propose the investigation as a case study.

It is important to emphasize the ability of these criminals that have brought trouble for several years the police and experts all around the world. As pointed out by the experts of Trend Micro the gang has shown the effort and diligence to keep Koobface hidden constantly changing and improving the C & C architecture, modifying the malware binaries to avoid signature interception, and Improving the backend services in order to become more resilient to Takedowns and escapes simplistic blocking / detection solutions.

This shows that the industry of crime knows no crisis and it uses evolutive methods for its products like any other successful company.

Pierluigi Paganini





you might also like

leave a comment