Koobface Worm
Koobface is a worm that propagates through social networking sites such as Facebook, MySpace, hi5, Bebo, Friendster and Twitter.
The worm spreads by sending spam to the victim's contacts containing a catchy message with a link to a "video".
Clicking the link redirects the user to a website designed to mimic YouTube (it is actually named "YuoTube"), which asks the user to install an executable (.EXE) file in order to watch the video. The .EXE file is, however, not the actual KOOBFACE malware but a downloader of KOOBFACE components. A screenshot of the fake page:

Upon execution, the .exe file displays an error message but in fact drops and executes a copy of itself from %WinDir%\

Once infected, users' machines can be used to distribute additional malware, generate "pay per click" advertising revenue, steal sensitive data, break CAPTCHAs, and subvert the affected user's online experience. The name KOOBFACE is an anagram of FACEBOOK.
Aliases:
- W32/Koobfa-Gen (Sophos)
- W32.Koobface.A (Symantec)
- W32/Koobface.worm (McAfee)
- WORM_KOOBFACE.DC (Trend Micro)
- Net-Worm.Win32.Koobface.b (Kaspersky)
- Win32/Koobface (Microsoft)
Upon execution, the worm variants:
- create the following files:
  - %Windir%\ld12.exe
  - %windir%\bolivar19.exe
  - %windir%\bolivar31.exe
  - %windir%\bolivar30.exe
  - %windir%\ld01.exe
  - %windir%\che08.exe
  - %windir%\freddy35.exe
  - a .bat file with a random file name at C:\
  - %ProgramFiles%\webserv\webserv.exe (used as a web server for serving malicious content)
  - %ProgramFiles%\webserv\webserv.exe.new
  - %ProgramFiles%\captcha5.dll (used as the CAPTCHA breaker)
- create the following registry sub keys:
  - HKCR\Mime\Database\Content Type\application/xhtml+xml\"CLSID" = "{25336920-03F9-11cf-8FD0-00AA00686F13}"
  - HKCR\Mime\Database\Content Type\application/xhtml+xml\"Extension" = ".xml"
  - HKCR\Mime\Database\Content Type\application/xhtml+xml\"Encoding" = hex:08,00,00,00
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"sysldtray" = "<path to the exe>"
  - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = dword:00000000
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = dword:00000000
- make connections to the following domains and download further malware:
  - y17[blocked].com
  - aibcvi[blocked].org
  - me[blocked]spl.com
  - iplug[blocked].cn
  - curre[blocked]n.net
The KOOBFACE components may be subdivided into the following:
- KOOBFACE downloader
  - The KOOBFACE downloader is also known as the fake "Adobe Flash component" or video codec that the fake YouTube site claims is needed to view a video which turns out to be nonexistent. The downloader's actual purposes are to determine which social networks the affected user is a member of, connect to the KOOBFACE Command & Control (C&C) server, and download the KOOBFACE components the C&C instructs it to download.
- Social network propagation components
  - The social network component contacts one of many KOOBFACE C&Cs, which then issues commands that the component executes on the affected user's machine. The C&C commands contain messages and URLs that are posted in the affected user's social network shout-outs/status messages or sent to his/her social network friends' inboxes.
- Web server component
  - The KOOBFACE Web server component makes the infected machine a Web server that is part of the KOOBFACE botnet and acts as a proxy or relay server to distribute other KOOBFACE components. It is responsible for sending out the fake YouTube pages.
- Ads pusher and rogue antivirus (AV) installer
  - Downloads rogue antivirus software from a particular URL as directed by the C&C server. It can show fake warning messages or push ads.
- CAPTCHA breaker
  - The CAPTCHA images to be broken are downloaded from a C&C server. The "Time before shutdown" is a countdown clock counting down from the three-minute mark. KOOBFACE does not shut the user's machine down when the countdown timer finishes; it instead waits until the user solves the CAPTCHA test. After the user solves the CAPTCHA image test, KOOBFACE relays the solution to one of its C&C servers. If the given solution is validated as correct (based on some regular expression check), KOOBFACE closes the CAPTCHA dialog box and "allows" the user to continue using his/her Windows machine.
- Data stealer
  - It steals Windows digital product IDs, Internet profiles (Windows Live and Passport.NET profiles, Opera saved profiles, Mozilla saved profiles), email credentials (from Eudora, Mozilla Thunderbird etc.), FTP credentials (from CuteFTP, Total Commander etc.) and IM application (ICQ, Trillian) credentials. The stolen data is then encrypted and sent to the Trojan's C&C server.
- Web search hijackers
  - It intercepts search queries to Google, Yahoo, MSN, Ask or Live, redirects them to dubious search portals and returns unwanted results.
- Rogue Domain Name System (DNS) changer
  - Changes the hosts file of the affected machine, then intercepts the websites a user visits and serves malware or phishing pages; it also blocks certain AV vendors' sites.
- KOOBFACE downloader commands
  - By connecting to the remote server, the worm can receive and act on commands like the following: basedomain, exit, fbshareurl, fbtargetperpost, invite, link_b, link_c, link_m, razlog, rcaptcha, reset, sharelink, simplemode, start, startimg, startonce, text_b, text_c, text_m, title_b, title_m, update, wait
In view of the rapid propagation and emergence of the KOOBFACE worm, users are advised to implement the following countermeasures:
* Delete the files and registry keys added by the worm.
* Exercise caution when opening attachments and accepting file transfers.
* Exercise caution when clicking on links to web pages.
* Install and maintain updated anti-virus software at gateway and desktop level.
* Keep up-to-date patches and fixes on the operating system and application software.
* Install and maintain a desktop firewall and block the ports which are not required.
Reference: www.cert-in.org.in
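As an added example (not part of the CERT-In advisory), a read-only PowerShell triage script that checks a Windows host for the artifacts listed above: the dropped executables, the "sysldtray" Run value and hosts-file tampering by the rogue DNS changer. It only reports and deletes nothing; the AV vendor name list used for the hosts check is an assumption, not from the advisory.

```powershell
# Added example: read-only check for Koobface artifacts named in the advisory.
$hits = @()

# Dropped executables under %windir%
$winFiles = 'ld12.exe','bolivar19.exe','bolivar31.exe','bolivar30.exe',
            'ld01.exe','che08.exe','freddy35.exe'
foreach ($f in $winFiles) {
    $p = Join-Path $env:windir $f
    if (Test-Path -LiteralPath $p) { $hits += "File present: $p" }
}

# Web server component and CAPTCHA breaker under %ProgramFiles%
$pfFiles = 'webserv\webserv.exe','webserv\webserv.exe.new','captcha5.dll'
foreach ($f in $pfFiles) {
    $p = Join-Path $env:ProgramFiles $f
    if (Test-Path -LiteralPath $p) { $hits += "File present: $p" }
}

# Persistence: the "sysldtray" value under the HKLM Run key
$run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$v = Get-ItemProperty -Path $run -Name sysldtray -ErrorAction SilentlyContinue
if ($v) { $hits += "Run key sysldtray -> $($v.sysldtray)" }

# Hosts-file tampering: the rogue DNS changer blocks AV vendor sites, so any
# non-comment hosts entry naming a vendor is suspicious (vendor list assumed).
$hosts = Join-Path $env:windir 'System32\drivers\etc\hosts'
$avNames = 'symantec','mcafee','kaspersky','trendmicro','sophos','avast','microsoft'
foreach ($line in (Get-Content -LiteralPath $hosts -ErrorAction SilentlyContinue)) {
    $t = $line.Trim()
    if ($t -eq '' -or $t.StartsWith('#')) { continue }
    foreach ($n in $avNames) {
        if ($t -match $n) { $hits += "hosts entry: $t"; break }
    }
}

if ($hits.Count -eq 0) { 'No Koobface artifacts found.' } else { $hits }
```

Run from an elevated PowerShell prompt so the %ProgramFiles% and hosts-file paths are readable; any reported hit should be confirmed with up-to-date AV before the files and keys are removed.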