Blog05: BFTP — Koobface: The rise and fall of the zombie army

INSEC ENSIAS Club
8 min read · Dec 4, 2022

The day is the 31st of July 2008. “I Kissed A Girl” by Katy Perry is at the top of the Billboard Hot 100, but things are starting to get hot elsewhere. Kaspersky Lab detected two variants of a new worm, Net-Worm.Win32.Koobface.a and Net-Worm.Win32.Koobface.b, which attack MySpace and Facebook respectively.

This report was a warning for people using social networks, but the people behind Koobface were smart enough to change Koobface’s methods of working over time, building one of the most notorious botnets in the world, one made of “zombie computers” as Kaspersky put it at the time.

How did it all start?

Things started quietly and there is no exact information on how the malware began its journey, but Kaspersky reported that it was being spread primarily through Facebook messages and MySpace comments from friends whose machines had been infected.

The messages or comments included enticing texts such as “LOL. My friend catched you on hidden cam” or “Paris Hilton Tosses Dwarf On The Street” with links redirecting to a website that looked identical to YouTube. The website displayed a pop-up prompting the user to install a Flash Player update in order to view the video. However, the download was not a Flash Player update but rather a file called codecsetup.exe, which installed Koobface on the victim’s machine. A basic phishing attack, but an effective one. And those who wanted to see Paris Hilton tossing a dwarf were had.

The result of this attack scheme was that users who were redirected via Facebook would have the MySpace worm downloaded to their machines, and vice versa.

Some of the links were very hard for the less technical public to spot. This was achieved by prefixing the hostname of the website with a familiar name like Google or YouTube to obtain a link that could look something like “www.google.com.id.4irlkkz6.28gejt.2b99df1a.cn”. Note that the actual domain here is a .cn domain and not google.com. And at the time, it was extremely difficult to shut down .cn domains, especially with some non-cooperative registrars.
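A small check for this kind of lookalike hostname, added here as an example and not part of the original post: it splits the hostname into labels, approximates the registrable domain as the last two labels (an assumption; a real deployment should use the Public Suffix List so that domains like example.co.uk are handled correctly), and flags any link in which a watched brand appears as a run of labels left of that registrable domain. The brand list, the sample links other than the hostname quoted above, and the function names are all constructed for the example.

```python
# Added example, not from the original post: flag links whose hostname leads
# with a familiar brand but is actually registered under another domain, as in
# the Koobface link quoted above. The registrable domain is approximated by
# the last two labels (assumption; use the Public Suffix List in production).
from urllib.parse import urlparse

WATCHED_BRANDS = ("google.com", "youtube.com", "facebook.com", "myspace.com")


def registrable_domain(hostname):
    """Last two labels of the hostname (approximation, see lead-in)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_brand(hostname):
    """Return the brand a hostname impersonates, or None if it is genuine or neutral."""
    labels = hostname.lower().rstrip(".").split(".")
    if registrable_domain(hostname) in WATCHED_BRANDS:
        return None                      # really hosted under the brand's own domain
    prefix = labels[:-2]                 # everything left of the registrable domain
    for brand in WATCHED_BRANDS:
        parts = brand.split(".")
        for i in range(len(prefix) - len(parts) + 1):
            if prefix[i:i + len(parts)] == parts:
                return brand             # brand labels appear as a subdomain of something else
    return None


def flag_links(urls):
    """Return (url, impersonated brand) for every link that looks like a lookalike."""
    flagged = []
    for url in urls:
        host = urlparse(url).hostname
        if host:
            brand = lookalike_brand(host)
            if brand:
                flagged.append((url, brand))
    return flagged


# Constructed sample links: the first hostname is the one quoted in the post;
# its path and the other hosts are made up for the example.
SAMPLE_LINKS = [
    "http://www.google.com.id.4irlkkz6.28gejt.2b99df1a.cn/video/",
    "http://www.youtube.com/watch?v=abc123",
    "http://youtube.com.video-update.example/flash.html",
    "https://mail.google.com/",
]

if __name__ == "__main__":
    for url, brand in flag_links(SAMPLE_LINKS):
        print(f"lookalike of {brand}: {url}")
```

Run as a script it reports the first and third sample links; the two genuine Google and YouTube hosts pass because their registrable domain is the brand itself. The same `lookalike_brand` check can be applied to hostnames pulled from proxy or mail-gateway logs.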

Now the technically aware among the readers might be thinking: since we found a domain used by Koobface, why not capture the IP address of the web server and shut it all down from there? And to that I say: great idea, but the attackers were not that simple-minded.

Introducing: “Fast Flux” networks

In a fast flux network, a hostname does not resolve to a single IP address as it normally would, but rather to a set of proxy addresses that keep changing over and over, making it harder to locate the actual web server hosting the malicious content. It is basically as if the web server were constantly changing its location.

Koobface used this very tactic to complicate the investigation efforts deployed against it. Fast flux networks existed before the first discovery of Koobface, but this aspect gave the malware a huge advantage in continuing its propagation during the first months after its appearance.
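One way a defender notices fast flux from the resolver side, added here as an example that is not part of the original post: repeat the lookup of a hostname over time and count how many distinct addresses, spread over how many distinct /24 networks, come back with how short a TTL. The hostnames, addresses, TTLs and the three thresholds are all constructed for the example; the thresholds in particular are assumptions to be tuned against real resolver logs.

```python
# Added example, not from the original post: spot fast-flux behaviour from
# repeated DNS lookups of the same hostname. All data and thresholds below are
# constructed for the example.
from collections import defaultdict
from ipaddress import ip_network

FLUX_MIN_UNIQUE_IPS = 8    # assumption: this many distinct A records in the window
FLUX_MIN_UNIQUE_NETS = 4   # assumption: spread over this many distinct /24s
FLUX_MAX_TTL = 300         # assumption: TTL at or below five minutes

# Constructed observations: (epoch seconds, hostname, TTL, answered A records).
# The 10.x addresses stand in for the residential proxy IPs a flux network
# would really return; the .invalid TLD is reserved and never resolves.
SAMPLE_LOOKUPS = [
    (1000, "video-update.koobface-sample.invalid", 60, ["10.8.14.21", "10.33.2.7", "10.91.60.140"]),
    (1300, "video-update.koobface-sample.invalid", 60, ["10.12.77.3", "10.33.2.7", "10.150.4.99"]),
    (1600, "video-update.koobface-sample.invalid", 60, ["10.8.14.21", "10.200.17.5", "10.64.3.210"]),
    (1900, "video-update.koobface-sample.invalid", 60, ["10.5.118.16", "10.33.9.42", "10.77.1.1"]),
    (1000, "www.example.com", 3600, ["198.51.100.5"]),
    (1300, "www.example.com", 3600, ["198.51.100.6"]),
    (1600, "www.example.com", 3600, ["198.51.100.5"]),
    (1900, "www.example.com", 3600, ["198.51.100.6"]),
]


def summarize_lookups(lookups):
    """Per hostname: set of answered IPs, set of their /24s, and the lowest TTL seen."""
    per_host = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None})
    for _ts, host, ttl, answers in lookups:
        s = per_host[host]
        for ip in answers:
            s["ips"].add(ip)
            s["nets"].add(str(ip_network(ip + "/24", strict=False)))
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
    return per_host


def fast_flux_hosts(lookups):
    """Hostnames whose answers exceed all three thresholds, sorted for stable output."""
    flagged = []
    for host, s in summarize_lookups(lookups).items():
        if (len(s["ips"]) >= FLUX_MIN_UNIQUE_IPS
                and len(s["nets"]) >= FLUX_MIN_UNIQUE_NETS
                and s["min_ttl"] <= FLUX_MAX_TTL):
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    for host, s in summarize_lookups(SAMPLE_LOOKUPS).items():
        print(f"{host}: {len(s['ips'])} IPs across {len(s['nets'])} /24s, min TTL {s['min_ttl']}s")
    print("fast-flux candidates:", fast_flux_hosts(SAMPLE_LOOKUPS))
```

The constructed flux hostname returns ten different addresses in ten different /24s with a 60-second TTL and is flagged; www.example.com alternates between two neighbouring addresses with a one-hour TTL and is not. The distinct-network criterion matters: a CDN also rotates addresses with short TTLs, but usually within a few of its own prefixes rather than across unrelated residential ranges.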

By the end of August 2008 infected hosts started showing signs of what seemed like an “Adware” infection. Koobface had apparently found a paying customer and was starting to make money.

The botnet grew larger and started targeting social networks other than Facebook and MySpace, such as Bebo, Hi5 and Friendster. Koobface also ran email spam campaigns, but this was not enough. Whoever was behind Koobface needed it to grow bigger.

Getting bigger and bigger

Around June 2009, Koobface started using a delivery mechanism based on “drive-by website infections”.

Unlike links shared on social media or through email, this mechanism had Koobface inserting HTML iframes into ordinary websites. The iframes directed users to open a PDF file crafted to download the Koobface malware. The installed malware would then try to identify whether the host used an FTP server and capture the FTP user ID and password, which the botnet used to create more content on the web server accounts controlled by the infected users.

In July 2009, Twitter became a target of Koobface. Twitter offered a very viable environment for the malware to propagate, because by default Twitter recommended that users post shortened links in order to stay within the 140-character limit in force at the time, which made it easier to hide a malicious link when sharing it on the social network.

Around the same time, Koobface added a new feature that altered Windows registry keys on infected machines so that the DNS server assigned by the ISP or a network admin was circumvented and a static IP address was used instead. This address pointed to what’s called a rogue DNS server.

Instead of resolving the website the user requested, a rogue DNS server can send the user to a look-alike of that website: one that is controlled by the attackers, or one carrying affiliate links that paid the people behind Koobface per click received.
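Windows stores per-interface resolver settings under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}, where a non-empty NameServer value overrides the DhcpNameServer value the network handed out. The following audit, added here as an example and not part of the original post, parses a registry export (.reg text) of those keys and reports any static resolver that is not on an approved list, which is what the override described above would look like on a host. The interface GUIDs, the 203.0.113.66 resolver address and the approved-resolver list are constructed sample values, not real Koobface indicators.

```python
# Added example, not from the original post: audit a Windows registry export
# for the per-interface static DNS override described above. The GUIDs, the
# 203.0.113.66 address and APPROVED_RESOLVERS are constructed sample values.
import re

INTERFACES_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
                  r"\Tcpip\Parameters\Interfaces" + "\\")

# Resolvers the organisation considers legitimate (assumption for the example).
APPROVED_RESOLVERS = {"192.168.1.1", "192.168.1.2"}

# Constructed .reg export: the first interface has a static override, the
# second is left on its DHCP-assigned resolver.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0A1B2C3D-0000-1111-2222-333344445555}]
"EnableDHCP"=dword:00000001
"DhcpNameServer"="192.168.1.1"
"NameServer"="203.0.113.66"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9F8E7D6C-0000-1111-2222-333344445555}]
"EnableDHCP"=dword:00000001
"DhcpNameServer"="192.168.1.1"
"NameServer"=""
'''


def parse_reg(text):
    """Return {key_path: {value_name: value}} for the REG_SZ and DWORD values of a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            name = name.strip('"')
            if raw.startswith('"') and raw.endswith('"'):
                keys[current][name] = raw[1:-1]          # REG_SZ
            elif raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)   # REG_DWORD, hex in .reg files
    return keys


def rogue_dns_findings(reg_text):
    """(interface GUID, static resolver, DHCP resolver, reason) for each unapproved override."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if not key.startswith(INTERFACES_KEY):
            continue
        iface = key[len(INTERFACES_KEY):]
        # NameServer is a space- or comma-separated list; empty means no override.
        static = [s for s in re.split(r"[ ,]+", values.get("NameServer", "")) if s]
        dhcp = values.get("DhcpNameServer", "")
        for server in static:
            if server in APPROVED_RESOLVERS:
                continue
            if values.get("EnableDHCP") == 1:
                reason = "static NameServer overrides the DHCP-assigned resolver"
            else:
                reason = "static NameServer is not on the approved list"
            findings.append((iface, server, dhcp, reason))
    return findings


if __name__ == "__main__":
    for iface, server, dhcp, reason in rogue_dns_findings(SAMPLE_REG):
        print(f"{iface}: NameServer={server} (DHCP gave {dhcp}): {reason}")
```

On a live machine the same keys can be exported with `reg export` or inspected with `reg query`, and the parser above then runs over the exported text; an interface that is DHCP-enabled yet carries a static NameServer outside your own resolvers is the signal to investigate.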

Imaginary Friends

Relying on methods stated above for propagation was not enough for people benefiting from Koobface, so they started spreading the malware by “inventing” new people. This was basically done by creating many accounts through the army of zombie computers that belonged to the botnet at the time.

But the social networking companies were not just sitting there watching things unravel before them; they were fighting to keep criminals off their networks. One common solution to prevent malware from making posts on social networks was to display a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), which would usually halt any stupid malware in its tracks. But Koobface was special.

Koobface implemented a unique system to deal with CAPTCHAs. Whenever Facebook or any other website asked Koobface to solve a CAPTCHA, Koobface would send the same CAPTCHA to other infected computers in the botnet and wait for a person at one of those hosts to solve it.

The CAPTCHA was presented to the human as something they had to enter in order to stop Windows from shutting down. A timer counted down to 00:00, warning them that if they did not enter the CAPTCHA before it ran out, their system would shut down. Through this method Koobface was able to create its own accounts, and even post “suspicious” links to Facebook, by “proving” that it was human.

We have just scratched the surface of what Koobface was able to do and take advantage of. So far, Koobface seems impenetrable and able to clear any hurdle placed in front of it, boasting a huge number of hosts within its botnet, exploiting them to the fullest and racking up thousands of dollars in every week of activity.

But Koobface did stop its activity, and that was due to relentless work by cybercrime investigators and a series of mistakes made by the alleged gang behind the botnet.

The fall of the Koob

In 2010, cyber investigators managed to narrow down the location of the botnet’s command and control (C&C) centers to a handful of servers hosted by Coreix in the United Kingdom. The servers were wiped, leaving the bots with no new instructions. But in 2011, plenty of new C&C centers appeared, and the total number of hosts in the Koobface botnet peaked at around 600,000 machines.

Investigators and researchers found that the Apache web server on one of the active C&C servers had the mod_status module enabled. With this module enabled, any visitor gets public access to a live view of the requests made to the web server, which reveals file and directory names. Further digging let investigators find a picture which, according to its EXIF metadata, was taken with an Apple iPhone on September 15, 2009 at latitude N 59° 55.66′ and longitude E 30° 22.11′. These coordinates point directly to the center of St. Petersburg, Russia.
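The mod_status exposure is a configuration mistake that is easy to audit for. The check below, added here as an example and not part of the original post or of any Apache tooling, scans an httpd configuration text for a loaded status_module, for ExtendedStatus On (which adds the per-request client and URL detail described above), and for any Location block that maps the server-status handler without restricting who may reach it. The two configuration snippets are constructed for the example: the weak one is what the investigators’ view would have required, the hardened one limits the page to the local host and one constructed admin address (192.0.2.10).

```python
# Added example, not from the original post: audit an Apache httpd config for
# an openly reachable mod_status page. WEAK_CONF and HARDENED_CONF are
# constructed snippets; the 192.0.2.10 admin address is a placeholder.
import re

WEAK_CONF = """\
LoadModule status_module modules/mod_status.so
ExtendedStatus On
<Location "/server-status">
    SetHandler server-status
    Require all granted
</Location>
"""

HARDENED_CONF = """\
LoadModule status_module modules/mod_status.so
<Location "/server-status">
    SetHandler server-status
    Require local
    Require ip 192.0.2.10
</Location>
"""

FLAGS = re.MULTILINE | re.IGNORECASE


def status_findings(conf):
    """Human-readable findings about mod_status exposure; empty list means nothing found."""
    findings = []
    if not re.search(r"^\s*LoadModule\s+status_module\b", conf, FLAGS):
        return findings                       # module not loaded: nothing to expose
    if re.search(r"^\s*ExtendedStatus\s+On\b", conf, FLAGS):
        findings.append("ExtendedStatus On exposes per-request detail (client IP, URL)")
    # Walk every <Location ...> block and inspect the ones serving server-status.
    for block in re.finditer(r"<Location\s+\"?([^\s\">]+)\"?>(.*?)</Location>",
                             conf, FLAGS | re.DOTALL):
        path, body = block.group(1), block.group(2)
        if not re.search(r"^\s*SetHandler\s+server-status\b", body, FLAGS):
            continue
        # Apache 2.4 'Require all granted' and 2.2-style 'Allow from all' both open it up.
        if (re.search(r"^\s*Require\s+all\s+granted\b", body, FLAGS)
                or re.search(r"^\s*Allow\s+from\s+all\b", body, FLAGS)):
            findings.append(f"{path}: server-status reachable by anyone")
        elif not re.search(r"^\s*(Require|Allow|Deny)\b", body, FLAGS):
            findings.append(f"{path}: server-status has no access restriction at all")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", status_findings(conf) or "no findings")
```

In Apache 2.4 several Require lines in one block are combined with OR by default, so the hardened block admits the local host or the single admin address and nobody else. The audit only reads configuration text; the complementary runtime check is simply to request /server-status from an outside address and expect a 403.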

Within the backups, a PHP script was found that submitted daily revenue statistics via short text messages to five mobile phones. The international prefix +7 identifies these as Russian telephone numbers.

One of the phone numbers matched posts on a platform used to sell cars, and a forum post selling cats.

The person who made the posts was then identified by an email address, which pointed to a corporate email of a company named MobSoft. This led to multiple suspects, all of whom had publicly shared pictures of their vacations on social media. Facebook proceeded to doxx all of the suspects, publishing their full names and pictures. The C&C centers were all shut down, and none of the suspects was found.

To this day, none of the C&C centers has been reactivated, and some argue that Koobface is gone forever. But what we can be sure of is that the zombie army is still there, just waiting for a command to wreak havoc as it did before.

Further reading

Kaspersky Lab Detects New Worms Attacking MySpace and Facebook, 2021. URL https://www.kaspersky.com/about/press-releases/2008_kaspersky-lab-detects-new-worms-attacking-myspace-and-facebook.

Tanner, B.K., Warner, G., Stern, H., Olechowski, S., 2010. Koobface: The evolution of the social botnet, in: 2010 ECrime Researchers Summit. Presented at the 2010 eCrime Researchers Summit, pp. 1–10. https://doi.org/10.1109/ecrime.2010.5706694

Trend Micro. Show me the Money — The Monetization of KOOBFACE.

The Koobface malware gang — exposed!, 2012. Naked Security. URL https://nakedsecurity.sophos.com/koobface/.

Links

Facebook: INSEC Ensias

Instagram: INSEC Ensias

Linkedin: INSEC Ensias

Youtube: INSEC Club

Don’t forget to drop us a follow on social media to stay up to date with everything the club is doing. We look forward to sharing more knowledge with all our readers, and we welcome your feedback at insecblog@gmail.com.

Writer: berradAtay

Editors: akna, F3nn3C


INSEC ENSIAS Club

INSEC is the resident computer security club at ENSIAS.