
Koobface Worm

Koobface is a worm that propagates through social networking sites such as Facebook, MySpace, hi5, Bebo, Friendster and Twitter.

The worm spreads by sending spam to contacts containing a catchy message with a link to a "video".

Clicking the link redirects the user to a website designed to mimic YouTube (but actually named "YuoTube"), which asks the user to install an executable (.EXE) file in order to watch the video. The .EXE file is, however, not the actual KOOBFACE malware but a downloader of KOOBFACE components. A screenshot of the fake page:

[Screenshot: Koobface1-15-7.JPG, the fake YouTube page]

Upon execution, the .exe file displays an error message but in fact drops and executes a copy of itself from %WinDir%\

[Screenshot: Koobface2-15-7.JPG, the error message shown on execution]

Once infected, users' machines can be used to distribute additional malware, generate 'pay per click' advertising revenue, steal sensitive data, break CAPTCHAs, and subvert the affected user's online experience. The name KOOBFACE is an anagram of FACEBOOK.

Aliases:

  • W32/Koobfa-Gen (Sophos)
  • W32.Koobface.A (Symantec)
  • W32/Koobface.worm (McAfee)
  • WORM_KOOBFACE.DC (Trend Micro)
  • Net-Worm.Win32.Koobface.b (Kaspersky)
  • Win32/Koobface (Microsoft)

Upon execution, the worm variants:

  • create the following files:

    %Windir%\ld12.exe
    %windir%\bolivar19.exe
    %windir%\bolivar31.exe
    %windir%\bolivar30.exe
    %windir%\ld01.exe
    %windir%\che08.exe
    %windir%\freddy35.exe
    a .bat file with a random file name at C:\%ProgramFiles%\webserv\webserv.exe (used as a web server for serving malicious content)
    %ProgramFiles%\webserv\webserv.exe.new
    %ProgramFiles%\captcha5.dll (used as CAPTCHA breaker)

  • create the following registry sub keys:

    o HKCR\Mime\Database\Content Type\application/xhtml+xml\"CLSID" = "{25336920-03F9-11cf-8FD0-00AA00686F13}"

    o HKCR\Mime\Database\Content Type\application/xhtml+xml\"Extension" = ".xml"

    o HKCR\Mime\Database\Content Type\application/xhtml+xml\"Encoding" = hex:08,00,00,00

    o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"sysldtray" = "<path to the exe>"

    o HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = dword:00000000

    o HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = dword:00000000

  • make connections to the following domains and download further malware:

  • y17[blocked].com
  • aibcvi[blocked].org
  • me[blocked]spl.com
  • iplug[blocked].cn
  • curre[blocked]n.net

The KOOBFACE components may be subdivided into the following:

KOOBFACE downloader

o The KOOBFACE downloader is also known as the fake "Adobe Flash component" or video codec that the fake YouTube site claims is needed to view a video that turns out to be nonexistent. The downloader's actual purposes are to determine which social networks the affected user is a member of, to connect to the KOOBFACE Command & Control (C&C) server, and to download the KOOBFACE components the C&C instructs it to download.

Social network propagation components

o The social network component contacts one of many KOOBFACE C&Cs, which then issues commands that the component executes on the affected user's machine. The C&C commands contain messages and URLs that are posted in the affected user's social network shout-outs/status messages or sent to his/her social network friends' inboxes.

Web server component

The KOOBFACE Web server component makes the infected machine a Web server that is part of the KOOBFACE botnet and acts as a proxy or relay server to distribute other KOOBFACE components. This component is responsible for sending out the fake YouTube pages.

Ads pusher and rogue antivirus (AV) installer

Downloads rogue antivirus software from a particular URL as directed by the C&C server. It can show fake warning messages or push ads.

CAPTCHA breaker

The CAPTCHA images to be broken are downloaded from a C&C server. The "Time before shutdown" is a countdown clock, counting down from the three-minute mark. KOOBFACE does not shut the user's machine down when the countdown timer finishes; it instead waits until the user solves the CAPTCHA test. After the user solves the CAPTCHA image test, KOOBFACE relays the solution to one of its C&C servers. If the given solution is validated as correct (based on a regular expression check), KOOBFACE closes the CAPTCHA dialog box and "allows" the user to continue using his/her Windows machine.

Data stealer

It steals Windows digital product IDs, Internet profiles (Windows Live and Passport.NET profiles, Opera saved profiles, Mozilla saved profiles), email credentials (from Eudora, Mozilla Thunderbird etc.), FTP credentials (from CuteFTP, Total Commander etc.), and IM application credentials (ICQ, Trillian). The stolen data is then encrypted and sent to the Trojan's C&C server.

Web search hijackers

It intercepts search queries to Google, Yahoo, MSN, Ask, or Live and redirects them to dubious search portals, which return unwanted results.

Rogue Domain Name System (DNS) changer

Changes the hosts file of the affected machine, then intercepts the websites a user visits, serves malware or phishing pages, and also blocks certain AV vendors' sites.
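A read-only triage sweep for the indicators this page lists (the dropped files, the sysldtray Run value, the MIME CLSID entry and the hosts-file changes described under the rogue DNS changer), as an added PowerShell example that is not part of the CERT-IN advisory. The security vendor domain list is a placeholder, since the advisory does not name which AV sites are blocked.

```powershell
# Added example (not from the CERT-IN advisory): read-only triage sweep for the
# Koobface indicators listed on this page. It reports findings; it removes nothing.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped executables in %windir%, plus the web server and CAPTCHA components
#    under %ProgramFiles%, using the file names given in the advisory.
$winDirFiles = 'ld12.exe','bolivar19.exe','bolivar31.exe','bolivar30.exe','ld01.exe','che08.exe','freddy35.exe'
$progFiles   = 'webserv\webserv.exe','webserv\webserv.exe.new','captcha5.dll'
foreach ($n in $winDirFiles) { $p = Join-Path $env:windir $n;       if (Test-Path -LiteralPath $p) { $findings.Add("file: $p") } }
foreach ($n in $progFiles)   { $p = Join-Path $env:ProgramFiles $n; if (Test-Path -LiteralPath $p) { $findings.Add("file: $p") } }

# 2. Run-key persistence under the value name the advisory gives (sysldtray).
$run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$rv  = Get-ItemProperty -Path $run -Name 'sysldtray' -ErrorAction SilentlyContinue
if ($rv) { $findings.Add("run key: sysldtray = $($rv.sysldtray)") }

# 3. MIME database entry for application/xhtml+xml carrying the CLSID named above.
#    The .NET API is used because the key name contains a '/', which the PowerShell
#    registry provider treats as a path separator. ProxyEnable=0 is also listed on the
#    page, but it is the Windows default, so it is not checked here.
$mimeKey = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey('Mime\Database\Content Type\application/xhtml+xml')
if ($mimeKey) {
    $clsid = $mimeKey.GetValue('CLSID'); $mimeKey.Close()
    if ($clsid -eq '{25336920-03F9-11cf-8FD0-00AA00686F13}') { $findings.Add("mime: application/xhtml+xml CLSID = $clsid") }
}

# 4. hosts file tampering (rogue DNS changer): report every entry that maps a name to an
#    address other than loopback/0.0.0.0, and loopback entries that sinkhole security
#    vendor sites. The vendor list is an assumed placeholder (the advisory names none).
$securityDomains = @('av-vendor.example', 'www.av-vendor.example')
$hostsPath = Join-Path $env:windir 'System32\drivers\etc\hosts'
foreach ($line in (Get-Content -LiteralPath $hostsPath -ErrorAction SilentlyContinue)) {
    $entry = ($line -split '#', 2)[0].Trim()          # strip trailing comments
    if (-not $entry) { continue }
    $parts = $entry -split '\s+'
    if ($parts.Count -lt 2) { continue }
    $ip = $parts[0]
    foreach ($name in $parts[1..($parts.Count - 1)]) {
        if ($ip -notmatch '^(127\.|::1$|0\.0\.0\.0$)') { $findings.Add("hosts: $name -> $ip") }
        elseif ($securityDomains -contains $name.ToLower()) { $findings.Add("hosts: $name sinkholed to $ip") }
    }
}

if ($findings.Count -eq 0) { 'No indicators from this advisory found on this host.' } else { $findings }
```

Run it in an elevated PowerShell session so HKLM and the hosts file are readable; review each finding before acting on it, since a legitimate hosts entry or unrelated software can also appear in the output.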

  • By connecting to the remote server, the worm can receive and act on commands like the following:

    basedomain, exit, fbshareurl, fbtargetperpost, invite, link_b, link_c, link_m, razlog, rcaptcha, reset, sharelink, simplemode, start, startimg, startonce, text_b, text_c, text_m, title_b, title_m, update, wait

In view of the rapid propagation and emergence of the KOOBFACE worm, users are advised to implement the following countermeasures:

  • Delete the files and registry keys added by the worm.
  • Exercise caution when opening attachments and accepting file transfers.
  • Exercise caution when clicking on links to web pages.
  • Install and maintain updated anti-virus software at gateway and desktop level.
  • Keep up-to-date patches and fixes on the operating system and application software.
  • Install and maintain a desktop firewall and block the ports which are not required.

Reference: CERT-IN