Archive for the ‘Koobface’ Category

Captcha Cracking Koobface

Wednesday, September 16th, 2009

In a post last December on the ThreatExpert blog, Sergei proposed a method to defeat Koobface — hit ‘em in the pocketbook where it hurts. The CAPTCHA cracking services that the Koobface gang uses could be the weak link in its chain and could be abused to interrupt their scams. Unfortunately, no one seems to be taking up that proposal. Koobface is relentlessly released and spread across multiple distribution groups with its CAPTCHA crackers in action.

The Koobface malware was recently altered slightly in several ways. The binary now carries the functionality to phone back to one of two sites for its CAPTCHA-cracking needs.

Perhaps these are the new weak links to target.

Koobface 0x3e8 Folders and setup.exe Links

Thursday, August 13th, 2009

Koobface continues to tweet its assault on the twittersphere and social networking sites. Here is an abbreviated list of the higher-volume Koobface URLs that the ThreatFire community has been protected from over the past 48 hours. See a pattern here (DO NOT VISIT ANY OF THESE LINKS AND DOWNLOAD THE MALWARE SERVED THERE)?

84.109.178.7 /0x3e8/setup.exe
24.26.210.231 /0x3e8/setup.exe
70.55.53.249 /0x3e8/setup.exe
76.73.251.20 /0x3e8/setup.exe
62.0.89.172 /0x3e8/setup.exe
79.181.64.72 /0x3e8/setup.exe
66.25.232.104 /0x3e8/setup.exe
75.74.67.164 /0x3e8/setup.exe
24.174.63.153 /0x3e8/setup.exe
98.141.34.175 /0x3e8/setup.exe
83.185.64.203 /0x3e8/setup.exe
92.114.157.146 /1/PP.11.EXE
75.119.106.62 /0x3e8/setup.exe
71.76.142.141 /0x3e8/setup.exe
92.33.141.77 /0x3e8/setup.exe
98.197.95.169 /0x3e8/setup.exe
173.66.158.253 /0x3e8/setup.exe
174.96.77.152 /SETUP.EXE
76.73.251.20 /0x3e8/setup.exe
68.144.24.217 /0x3e8/setup.exe
174.42.228.14 /0x3e8/setup.exe
207.199.227.243 /SETUP.EXE
72.174.220.70 /0x3e8/setup.exe
81.245.19.99 /0x3e8/setup.exe
190.20.145.48 /0x3e8/setup.exe
65.71.236.57 /0x3e8/setup.exe
74.67.182.131 /0x3e8/setup.exe
88.74.12.80 /0x3e8/setup.exe
68.45.27.253 /0x3e8/setup.exe
77.210.43.169 /0x3e8/setup.exe
79.181.28.74 /0x3e8/setup.exe
76.126.23.249 /0x3e8/setup.exe
70.53.46.21 /0x3e8/setup.exe
24.113.132.233 /0x3e8/setup.exe
92.114.157.146 /1/FB.58.EXE
67.9.38.140 /0x3e8/setup.exe
75.187.74.2 /0x3e8/setup.exe
24.141.233.195 /0x3e8/setup.exe
75.34.65.250 /0x3e8/setup.exe
69.137.75.168 /0x3e8/setup.exe
84.109.35.166 /0x3e8/setup.exe
65.50.33.145 /0x3e8/setup.exe

Obviously, this is a fairly well automated scheme. The site locations are scattered throughout the globe. All the sites that we have visited serve up the same rather uninspired video presentation with a familiar and phony “Flash Player upgrade required” page. The page serves malicious Koobface binaries under the name of a most likely fictitious Bruno Carlot and his video about Hong Kong:

As always, exercise a high level of caution when reading tweets with links, and add a behavioral layer of protection to your system.

Tertwit? or Twitter Tweet Links Redirect to Koobface

Friday, August 7th, 2009

koob-Face or ter-Twit? The ongoing abuse of twitter feeds by malware distributors continues to net more social networking victims. As always, be wary of any executable you are prompted to download and execute. Currently, evil tweets for “My home video :) ” or “cool video! WOW!” redirect to a set of spoofed social network pages. The malicious pages present visiting users with a prompt for a plugin install, “Flash player upgrade required”. An example here:

The malicious Koobface worm that ThreatFire has been preventing on desktops is served up from this site under the name “setup.exe”. Interestingly, a number of these IP addresses serving up Koobface have been in use by Waledac distributors.

The ThreatFire community has been reporting the Koobface nastiness being served from multiple web servers today, with fairly heavy Koobface volume from web servers hosted on these IP addresses:
24.99.76.139
68.190.49.24
76.127.120.44
81.108.192.83
91.121.135.189
199.0.205.28

Update: Thankfully, as the malware distributors have changed some of their tweet tactics, their web server at kukuruku-290709. com has been pulled out from under them. Here is an example portion of JavaScript (mods mine) hosted on the redirect pages that examines the victim’s search URL and, based on a list of extremely popular social networking sites, redirects them to a variety of spoofed pages:

// KROTEG
// Two base URLs for the attacker's landing pages (defanged here);
// in this sample both point at the same host and path.
var abc1 = 'hxxp://kukuruku-290709. com/go/';
var abc2 = 'hxxp://kukuruku-290709. com/go/';
var ss = '' + location.search;
// Pick a base depending on whether the victim arrived with a query string;
// since abc1 and abc2 are identical, the branch has no effect in this sample.
if ((location.search).length>0) abc = abc1; else abc = abc2;
// Table of spoofed social networking sites and the landing page each one maps to.
var redirects = [
['facebook. com',  abc+'fb.php'],
['tagged. com',    abc+'tg.php'],
['friendster. com',abc+'fr.php'],
['myspace. com',   abc+'ms.php'],
['msplinks. com',  abc+'ms.php'],
['myyearbook. com',abc+'yb.php'],
['fubar. com',     abc+'fu.php'],
['twitter. com',   abc+'tw.php'],
['hi5. com',       abc+'hi5.php'],
['bebo. com',      abc+'be.php']];
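A defender who captures a redirect page like the one above usually wants the spoofed hostnames and the attacker's landing URLs without running the script in a browser. The following is an added example, not code from the post or the Koobface script: it embeds a defanged copy of the snippet as a string, extracts the base-URL variables and the redirects table with regular expressions, and resolves each table entry to the landing URL the script would build. Because abc is chosen from abc1 or abc2 at runtime, every URL-valued string variable is treated as a candidate base, which is an assumption of this extractor rather than a property of the original script.

```javascript
// Added example (not part of the ThreatFire post): statically pull the redirect
// table out of a captured copy of the landing script, so the spoofed-site
// hostnames and the attacker's landing pages can be fed to blocklists without
// executing the script. The input below is the (defanged) snippet from the post.

const CAPTURED_JS = `
// KROTEG
var abc1 = 'hxxp://kukuruku-290709. com/go/';
var abc2 = 'hxxp://kukuruku-290709. com/go/';
var ss = '' + location.search;
if ((location.search).length>0) abc = abc1; else abc = abc2;
var redirects = [
['facebook. com',  abc+'fb.php'],
['tagged. com',    abc+'tg.php'],
['twitter. com',   abc+'tw.php'],
['bebo. com',      abc+'be.php']];
`;

// Collect string variables of the form  var NAME = '...';  (candidate base URLs).
function extractStringVars(src) {
  const vars = {};
  const re = /var\s+(\w+)\s*=\s*'([^']*)'/g;
  let m;
  while ((m = re.exec(src)) !== null) vars[m[1]] = m[2];
  return vars;
}

// Collect ['host', VAR+'page.php'] pairs from the redirects array.
function extractRedirectTable(src) {
  const pairs = [];
  const re = /\[\s*'([^']+)'\s*,\s*(\w+)\s*\+\s*'([^']+)'\s*\]/g;
  let m;
  while ((m = re.exec(src)) !== null) pairs.push({ host: m[1], baseVar: m[2], page: m[3] });
  return pairs;
}

// Refang: "hxxp" -> "http" and remove the defanging space before the TLD.
function refang(s) {
  return s.replace(/^hxxp/i, 'http').replace(/\.\s+/g, '.');
}

// Resolve each table entry to the concrete landing URL the script would use.
// `abc` is assigned from abc1 or abc2 depending on location.search, so every
// URL-valued string variable is taken as a possible base (assumption of this
// extractor); duplicates collapse, and in this sample both bases are identical.
function resolveLandingPages(src) {
  const vars = extractStringVars(src);
  const candidates = Object.values(vars).filter(v => /^(hxxp|http)/i.test(v));
  const bases = [...new Set(candidates.map(refang))];
  const out = [];
  for (const { host, page } of extractRedirectTable(src)) {
    for (const base of bases) out.push({ spoofedHost: refang(host), landingUrl: base + page });
  }
  return out;
}

console.log(resolveLandingPages(CAPTURED_JS));
```

The spoofedHost values tell you which sites the campaign is impersonating on a given page; the landingUrl values are what to add to URL blocklists and to search for in proxy logs.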

Again, if you are a user of these sites and receive a tweet from someone you don’t know that redirects you to a page that serves up an executable download, be very suspicious. And of course, run a behavior-based solution like ThreatFire as a layer on your system.