We are analyzing the binaries and koobface processes and will provide detailed technical information later — this one performs lots of process, system admin, file create/delete activity, and each one has a tricky anti-emulation trick that we’ll describe here. Also of note, the server that was allegedly compromised to serve up koobface-downloaded adware/clickfraud executables in early November continues to serve up malware:
hxxp:// www.aibcvienna.o rg/ youtube/fb.28.exe
The unfortunate piece is that this binary continues to see only 15/38 AV scan detections at virustotal.

In the meantime, here is a map of only some of the attacking servers hosting the Koobface worm since the very end of November. As you can see, there are some concentrated pockets of the worm’s distribution servers throughout Europe, but it is a global problem:

This entry was posted on Friday, December 5th, 2008 at 6:46 pm and is filed under Dropper, Koobface, Social Engineering, Worm. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.