Archive for the ‘Koobface’ Category

« Older Entries

Koobface Continued…

Friday, March 5th, 2010

The Koobface gang’s changing tricks and longevity are noted at a recent USAToday article. They’ve recently upped their activity on a major social networking site and user infections appear to have a quick jump. The current theme has been effective for the past month. A message will arrive in a user’s box from a friend (names purposely removed from image). Note that the gang is no longer using the bit.ly service in their attack links:

Koobface_friendmessage

The link will lead the user to the familiar phony Yuotube “Broadcast Yourself” page with video frame and flash installer prompt “This content requires Adobe Flash Player 10.37. Would you like to install it now?”. The “setup.exe” file from “SquarePants”. When setup.exe is run, this file in turn drops and runs “bill103.exe” or “bill104.exe” and begins its badness. ThreatFire prevents it effectively.

Koobface_spongebob

Past posts on Koobface here.

If you are prompted to install the Flash Player, you can skip the install and go to the vendor’s site directly to download the player’s installer and install it in your web browser. Then browse the page you want to view. For legitimate sites, the content should play.

Posted in Bot, Downloader, Dropper, Koobface, Social Engineering, Uncategorized | 1 Comment »

Past the Second Half of 2009

Thursday, December 31st, 2009

Just before we pop corks at the arrival of 2010 and the passing of 2009, let’s take a quick look at the second half of 2009.

Across the U.S. the ThreatFire community saw huge numbers of FakeAv variants disappointingly being run on systems, the Vundo ad-popping trojan appearing all over desktops, and Koobface worming its way across social networks. In India, the Sality virus/downloader and varieties of bots attempted to infect systems — when ThreatFire’s community’s statistics are extrapolated out to the 40 million likely computers in that country, we can estimate that  millions of Indian systems were attacked by this virus. In China, we saw gaming password stealing worms continue to spread out across the country, most likely distributed through usb sticks and other removable drives. Hot topics consistently led to blackhat SEO and phony codecs. Socially engineered bulk email schemes delivered attachments that dropped password stealing Zbot and Bredolab downloaders, users were easily convinced that they received invoices from delivery services or social networks were updating their systems. The Conficker hype grew exponentially and is all too slowly whimpering away, while the Waledac threat mutated and began to dry up altogether.

Our PC Tools ThreatFire team finished the year with a bang. The award winning PC Tools’ Internet Security Suite and its ThreatFire Behavioral Intelligence component topped all other suites as champion in the lengthiest, most comprehensive, real-world dynamic-testing malware blocking competition to date. It’s exciting to see AMTSO dynamic testing best practices being adopted and used to better drive testing and scenarios that best evaluate malware attacks that most computer users really can encounter on a daily basis. Nice testing effort and results indeed.

As 2010 arrives, we hope that existing and new ThreatFire/Behavior Guard users around the world look forward to fewer of these threats being realized on their own systems and another year of confidence in their information driven world.

Posted in AMTSO, Bot, Bredolab, Crimeware, FakeAlert, Koobface, Malware Estimates, Password stealing, Rogueware, Sality, Social Engineering, Vundo, Waledac, ZBot | No Comments »

Black Coal for Koobface this Season

Tuesday, December 29th, 2009

Malware often just isn’t pleased to be running on ThreatFire protected systems. To gather data for the intelligence built into ThreatFire and BehaviorGuard for evaluating system events (which proves to be the best at blocking malware), ThreatFire blends into the Windows system itself. Some of the changes it makes may be unappealing to malware, although legitimate applications won’t notice. This difference is because of the complicated manner in which malware continues to be written, in order to evade various types of security products.

Sometimes, it’s easy to misunderstand the cause and effect of this sort of error. Since it is difficult for customers and even testing groups to quickly understand crashes that they may see on their system, this variant deserves some space: Koobface crashes on the most recent ThreatFire protected systems. It’s much better than the alternative.

As posted previously and discussed in major publications, Koobface is an extremely active family of malware. Victims consistently fall for web pages that appear to be serving up codecs from links that are posted on their friends’ social networking pages. So the links and phony codecs seem all the more trustworthy, and victims are left with the Black Spot. Let’s dive into some of the technical details.

The latest version of Koobface maintains an unpacking stub using code that legitimate software does not contain. Instead of calling the documented and well known GetProcAddress function to dynamically resolve needed addresses of functions exported by kernel32 and other dll system modules (one of the most common, documented functions at process-load on Win32 systems), the phony Koobface unpacking stub implements a custom and somewhat bizarre address resolution routine. First, it searches for the start of the kernel32 module in its process’ virtual memory space and then performs an unusual comparison to find the beginning of the function that it is interested in, in this case VirtualProtectEx. The comparison works like this:

Locate and verify Kernel32 within the process memory space

Loop through Kernel32 one byte at a time, gathering four bytes of data for comparison

Bitwise “AND” the current four bytes of data with the next four bytes in memory

Compare the results to the hardcoded value “5181045″

Once “5181045″ is found (which is first found in VirtualProtectEx within the kernel32 address space), perform another comparison, looking for the function prologue. If it’s a match, FOUND IT!, and call into this VirtualProtectEx memory location.

The related disassembly implementing the “logic” above constains these instructions…

mov ecx, dword ptr ds:[eax] (where EAX = Kernel32.7C800002, now ECX = 00030090)

and ecx, dword ptr ds: [eax + 4]

cmp ecx, 5181045

mov ecx, dword ptr ds:[eax] (EAX = Kernel32.7C801A6F)

and ecx, dword ptr ds: [eax + 4] (ECX = 1875FF57, EAX = 7C801A6E, [EAX+4] = 75FF1045)

cmp word ptr ds: [eax], 8B55 (8B55 is little endian 0×558B..x86 is push ebp..mov ebp)

call near dword ptr ds: [eax] <– call the expected function, in this case VirtualProtectEx

Now, ThreatFire makes some slight modifications to blend into the system at runtime. These modifications may cause one of Koobface’s odd GetProcAddress custom replacement routine’s checksums to fail (again, legitimate applications using “GetProcAddress” succeed at resolving their imports on ThreatFire-protected systems just fine). With this change, the Koobface unpacking stub cannot find 0×55 (push ebp), 0×8B (mov ebp) until it reaches GetSystemTimeAsFileTime, which is the incorrect function (just using the documented GetProcAddress function would work fine here). GetSystemTimeAsFileTime receives unexpected data passed in as a parameter and exception occurs.

Unfortunately, the Koobface binary may be left on the desktop because it has not performed anything malicious and ThreatFire won’t see any further behavior from the executable in question. It’s for this reason that defense in depth is always recommended — with the PC Tools Internet Security Suite, the system scanners kick in and can identify the file itself, and the Site Guard can protect your browsers from visiting malicious Koobface sites in the first place. Its layers of protection raise system protection to levels that users can be confident in.

Posted in Koobface | No Comments »

« Older Entries