Archive for the ‘Koobface’ Category

Koobface on Yuotube

Thursday, November 12th, 2009

The Koobface gang's inability to spell is a giveaway for the latest of their trick pages. If you end up at a page that states “This content requires Adobe Flash Player 10.37. Would you want to install it now?”, and the title of the page is “YuoTube”, your spidey sense should start to tingle.

The latest Koobface trick includes thousands of accounts at Google Reader (many continue to be up). Here is a shot of what today’s Reader pages look like hosting phony YouTube videos:

[Screenshot: GoogleReader]

Of course, these Google Reader pages are not new, and are not particularly notable, as other groups have used the same scam in the past year to drive the same redirections to other sites that host the malware. Here is one that is up today; the giveaway is the title of the page, “YuoTube” instead of “YouTube”:

[Screenshot: YuoTube]

At the same time, the older Koobface-style Flash Player update pages served by the same gang all over the web appear to be more attractive to users, and attract many more hits. They are up and fooling users as this post goes live. Here is a representative page to look out for, which, if you read this blog, you have seen before:

[Screenshot: OldStyle]

The phony “setup.exe” codec installer (which is really the Koobface malware) and the scheme built around it still trick many users. Don’t get fooled.

Captcha Cracking Koobface

Wednesday, September 16th, 2009

In a post last December on the ThreatExpert blog, Sergei proposed a method to defeat Koobface — hit ‘em in the pocketbook where it hurts. The CAPTCHA cracking services that the Koobface gang uses could be the weak link in its chain and could be abused to interrupt their scams. Unfortunately, no one seems to be taking up that proposal. Koobface is relentlessly released and spread across multiple distribution groups with its CAPTCHA crackers in action.

The Koobface malware was recently altered slightly in several ways. The binary carries with it the functionality to phone back to one of two sites for its CAPTCHA cracking needs.

Perhaps these are the new weak links to target.

Koobface 0x3e8 Folders and setup.exe Links

Thursday, August 13th, 2009

Koobface continues to tweet its assault on the twittersphere and social networking sites. Here is an abbreviated list of the higher-volume Koobface URLs that the ThreatFire community has been protected from over the past 48 hours. See a pattern here (DO NOT VISIT ANY OF THESE LINKS AND DOWNLOAD THE MALWARE SERVED THERE)?

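The pattern in that list is easy to turn into a proxy-log check: executables fetched from a "0x3e8" folder (or a bare setup.exe) on a host addressed by raw IP rather than a domain. The following is an added example, not code from the original post or from ThreatFire; the log format and the RFC 5737 addresses in it are constructed for illustration.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Pattern the post describes: executables served from a "0x3e8" folder
# (or a bare setup.exe) on hosts addressed by raw IP rather than a domain.
KOOBFACE_PATH = re.compile(r"^/(0x3e8/)?setup\.exe$", re.IGNORECASE)

def is_bare_ipv4(host: str) -> bool:
    """True when the URL host is a literal IPv4 address, not a hostname."""
    try:
        return ip_address(host).version == 4
    except ValueError:
        return False

def matches_koobface_url(url: str) -> bool:
    """Flag URLs shaped like the Koobface setup.exe downloads in the post."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return is_bare_ipv4(parts.hostname) and bool(KOOBFACE_PATH.match(parts.path))

# Constructed sample proxy log lines (RFC 5737 documentation addresses,
# not indicators from the post): "<client> <method> <url> <status>".
SAMPLE_LOG = """\
10.0.0.5 GET http://192.0.2.10/0x3e8/setup.exe 200
10.0.0.7 GET http://198.51.100.23/SETUP.EXE 200
10.0.0.9 GET http://www.example.com/0x3e8/setup.exe 200
10.0.0.5 GET http://192.0.2.10/video/index.html 200
10.0.0.3 GET http://203.0.113.8/0X3E8/setup.exe 404
"""

def scan_log(text: str) -> list[tuple[str, str]]:
    """Return (client, url) pairs whose URL matches the Koobface pattern.
    A failed fetch (non-200) is still reported: the attempt itself matters."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash
        client, _method, url, _status = fields[:4]
        if matches_koobface_url(url):
            hits.append((client, url))
    return hits

if __name__ == "__main__":
    for client, url in scan_log(SAMPLE_LOG):
        print(f"{client} fetched {url}")
```

The hostname check is what keeps the rule tight: the same path on a real domain is not flagged, while case variants such as SETUP.EXE are.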

Obviously, this is a fairly well-automated scheme. The site locations are scattered throughout the globe. All the sites that we have visited serve up the same rather uninspired video presentation with a familiar and phony “Flash Player upgrade required” page. It serves malicious Koobface binaries under the name of a most likely fictitious Bruno Carlot and his video about Hong Kong:

As always, exercise a high level of caution when reading tweets with links, and add a behavioral layer of protection to your system.