10 things you didn't know about the Koobface gang

Summary: The intensive multitasking on behalf of the Koobface gang, next to the fact that the Koobface botnet is the tip of the iceberg for their malicious operations, prompts the publishing of this top 10 things you didn't know about the Koobface gang list.

With Koobface continuing to spread across Facebook by using hundreds of compromised sites as infection vectors, and by using those same sites as distributed hosting infrastructure in an attempt to undermine potential take down activities, a common misconception regarding the gang's activities shifts attention away from their true participation within the underground ecosystem.

The intensive multitasking on behalf of the Koobface gang, next to the fact that the Koobface botnet is the tip of the iceberg for their malicious operations, prompts the publishing of this top 10 things you didn't know about the Koobface gang list.

Some are funny, others are disturbing, and the majority indicate a cybercrime ecosystem that actively keeps itself up-to-date with the very latest research profiling it, by reading the blogs of security vendors and researchers.

01. The gang is connected to, probably maintaining the click-fraud facilitating Bahama botnet

In September, 2009, researchers from ClickForensics established an interesting connection between the Bahama botnet -- the name comes from the 200,000 parked domain sites located in the Bahamas to which they were redirecting the traffic -- and what I refer to as my "Ukrainian fan club", due to the offensive messages they included in the redirectors every time I exposed and shut down one of their campaigns.

Malware samples pushed by the Koobface botnet were modifying the HOSTS file on infected hosts in an attempt to redirect users to a bogus Google featuring pharmaceutical ads, as well as to related cybercrime-friendly search engines, in order to monetize the hijacked traffic. The "Ukrainian fan club" itself appears to be the blackhat SEO department of the Koobface gang, whose connections to the following campaigns, as well as the multiple connections linking it to the then centralized Koobface infrastructure, resulted in the take down of the Koobface-friendly Riccom LTD - AS29550 in December, 2009.

How did the gang respond? With a bold sense of humor.
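The HOSTS-file hijack described in point 01 is easy to check for on an endpoint. The following is an added example, not code from the original post or from any Koobface sample: it parses a HOSTS file and reports every watched domain (search engines and social networks are an assumed watch-list) that has been pinned to an address. The sample HOSTS content is constructed and uses RFC 5737 documentation addresses, since the real entries are not reproduced on the page.

```python
import ipaddress

# Constructed sample of a tampered Windows HOSTS file. The addresses are RFC 5737
# documentation ranges; the real entries pushed by Koobface are not on the page.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    google.com www.google.com   # search traffic sent to a look-alike
203.0.113.45    bing.com
192.0.2.10      www.facebook.com
"""

# Names a legitimate HOSTS file has no reason to carry (assumed watch-list).
WATCHED_DOMAINS = {
    "google.com", "www.google.com", "bing.com", "www.bing.com",
    "yahoo.com", "www.yahoo.com", "facebook.com", "www.facebook.com",
}


def parse_hosts(text):
    """Return (address, hostname) pairs, ignoring comments, blanks and junk lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:                        # first field is not an address
            continue
        for name in fields[1:]:
            entries.append((addr, name.lower().rstrip(".")))
    return entries


def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Return (hostname, address, kind) for every watched name present in HOSTS.

    kind is "blocked" when the name is pinned to loopback/unspecified (the site
    becomes unreachable) and "redirected" when it points anywhere else (the user
    is silently sent to a host under someone else's control).
    """
    findings = []
    for addr, name in parse_hosts(text):
        if name not in watched:
            continue
        kind = "blocked" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        findings.append((name, str(addr), kind))
    return findings


if __name__ == "__main__":
    for name, addr, kind in find_hijacks(SAMPLE_HOSTS):
        print(f"{kind:10s} {name:20s} -> {addr}")
```

On a live Windows machine the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; on Unix-like systems `/etc/hosts`. Any "redirected" finding for a search engine is a strong indicator of the traffic-hijacking behaviour described above, and the offending address is a useful pivot for further investigation.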

02. Despite their steady revenue flow from sales of scareware, the gang once used trial software to take a screenshot of a YouTube video

Just when you start thinking that quality assurance is daily routine for these botnet masters, imagine my surprise when an October, 2009 spoof of a YouTube page turned out to be a screenshot taken with a trial version of HyperSnap.

The result? A "Created with HyperSnap 6. To avoid this stamp, buy a license" stamp at the bottom of the screenshot, shown to everyone visiting a Koobface infected host serving it. The entire YouTube spoof was basically a screenshot taken from a legitimate video page, with the spoofed Adobe error message being the only clickable part of it.

03. The Koobface gang was behind the malvertising attack that hit the web site of the New York Times in September

Data and real-time OSINT (open source intelligence) analysis speak for themselves. With ClickForensics establishing a connection between my "Ukrainian fan club", the Bahama botnet, and the malvertising attacks, the assessment of the incident further confirmed this connection based on historical OSINT gathered from their previous blackhat SEO campaigns.

The Koobface/Ukrainian fan club connection? The same redirector used in the NYTimes malvertising attack was not only simultaneously found on Koobface infected hosts, but was also profiled a month earlier in "Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign", a blackhat SEO campaign maintained by them.

04. The gang conducted a several-hour experiment in November, 2009, when for the first time ever client-side exploits were embedded on Koobface-serving compromised hosts

With Koobface representing a case study in successful propagation across social networking sites relying on social engineering only, in November, for the first time ever, the gang conducted an experiment lasting several hours in which client-side exploit serving iFrames were embedded on Koobface infected hosts.

Sampled exploits included VBS/Psyme.BM, Exploit.Pidief.EX and Exploit.Win32.IMG-WMF. Moreover, despite the Koobface gang's claim -- more on that claim and their bold sense of humor in an upcoming point -- on the very same IP hosting the exploit serving domain there was an active Zeus crimeware campaign.

By embedding these particular domains, the gang also exposed an affiliation with an author of a popular web malware exploitation kit. Whether the experiment was meant to test its exploitation capabilities before the gang would start serving exploits permanently remains unknown. A few hours after their experiment was exposed, they suspended it.

05. The Koobface gang was behind the massive (1+ million affected web sites) scareware serving campaign in November, 2009

Remember the massive blackhat SEO campaign from November, 2009, where 1+ million web sites were found compromised and serving scareware?

Real-time monitoring of the campaign, cross-checked against real-time monitoring of Koobface activity, revealed an interesting observation: the redirectors embedded on the compromised web sites are the same redirectors found on Koobface infected hosts, both pushing scareware.

06. The Koobface Gang Monetizes Mac OS X Traffic through adult dating/Russian online movie marketplaces

Earlier this month, upon analyzing the techniques the gang uses to efficiently compromise web sites and backdoor them, I stumbled upon an early stage experiment attempting to monetize Mac OS X traffic through legitimate and fraudulent dating agencies.

Over the past two weeks, the gang has changed the monetization and is currently redirecting Mac OS X visitors to an online movie marketplace. Based on the site's registration details we can clearly see that the email used to register it has also been used to register dozens of scareware/fake security sites. You judge the legitimacy of the service.

This very same Mac OS X monetization attempt was also seen in a blackhat SEO campaign (News Items Themed Blackhat SEO Campaign Still Active) managed by the gang in September, 2009.

07. Ali Baba and 40 LLC a.k.a. the Koobface gang greeted the security community on Christmas

Throughout the entire 2009, the Koobface gang, which now officially describes itself as Ali Baba following my discovery of their pseudonym on a compromised web site -- Ali Baba is a fictional character from medieval Arabic literature, with Ali Baba and 40 as the film adaptation of "Ali Baba and the Forty Thieves" -- proved that it keeps itself up-to-date with the latest research done against it.

Around the time when the Koobface-friendly Riccom LTD - AS29550 was taken offline, the gang purposely embedded a bold greeting on Koobface infected hosts in an attempt to legitimize its activities by stating that it is not a virus, and that they have never stolen financial data. Ironically, the gang also included a "Wish Koobface Marry Christmas" script, which over 10,000 people surprisingly clicked. I wonder how many of these people inquired about a PC repair service, or filed a (scareware) fraud report once they checked their bank statements at the end of the month?

The message they included on the Koobface infected hosts is as follows:

"Our team, so often called "Koobface Gang", expresses high gratitude for the help in bug fixing, researches and documentation for our software to:

  • Kaspersky Lab for the name of Koobface and 25 millionth malicious program award;
  • Dancho Danchev (http://ddanchev.blogspot.com) who worked hard every day especially on our First Software & Architecture version, writing lots of e-mails to different hosting companies and structures to take down our Command-and-Control (C&C) servers, and of course analyzing software under VM Ware;
  • Trend Micro (http://trendmicro.com), especially personal thanks to Jonell Baltazar, Joey Costoya, and Ryan Flores who had released a very cool document (with three parts!) describing all our mistakes we've ever made;
  • Cisco for their 3rd place to our software in their annual "working groups awards";
  • Soren Siebert with his great article;
  • Hundreds of users who send us logs, crash reports, and wish-lists.

In fact, it was a really hard year. We've made many efforts to improve our software. Thanks to Facebook's security team - the guys made us move ahead. And we've moved. And will move. Improving their security system. By the way, we did not have a cent using Twitter's traffic. But many security issues tell the world we did. They are wrong. As many people know, "virus" is something awful, which crashes computers, steals credential information as good as all passwords and credit cards.

Our software did not ever steal credit card or online bank information, passwords or any other confidential data. And WILL NOT EVER. As for the crashes... We are really sorry. We work on it :) Wish you a good luck in new year and... Merry Christmas to you!

Always yours, "Koobface Gang "

Who is Soren Siebert? According to the folks at Abuse.ch, who also maintain the ZeusTracker (Crimeware tracking service hit by a DDoS attack):

  • On my blog you will find a reference to a disclaimer page in the navigation bar. The disclaimer is written in German and was generated with an impressum generator provided by e-recht24.de. So the Koobface gang just came across this name on my disclaimer and thought that this is my name.

08. The Koobface gang once redirected Facebook's IP space to my personal blog

In 2009, the Koobface gang had a fixation on me, which didn't come as a surprise given the comprehensive connections that I was able to establish. That's of course next to the take down of the majority of command and control servers used in Koobface 1.0, over a period of 24/32 hours, which prompted the gang to implement their contingency plan, one they appear to have been developing for a while.

In July, 2009, I was the only individual ever singled out, with the gang leaving the following message within their command and control infrastructure for nine days:

  • "We express our high gratitude to Dancho Danchev (http://ddanchev.blogspot.com) for the help in bug fixing, researches and documentation for our software."

A pretty diplomatic way of thanking me for having them kicked out of their ISPs, and for systematically suspending the domains the botnet used as the foundation for propagating and communicating with already infected hosts? Depends.

In the following months, the gang experimented with various ways to show me that they're aware of my research/take down activities, by typosquatting domains using my name such as pancho-2807 .com (registered to Pancho Panchev; pancho.panchev@gmail.com), followed by rdr20090924 .info (registered to Vancho Vanchev, vanchovanchev@mail.ru). Then they decided to set a new benchmark.

In September, 2009, while checking my daily stats I noticed a sudden peak of visitors. Digging a little deeper, I was surprised to see that all of them were coming from within Facebook Inc's network. What the Koobface gang did was basically redirect Facebook's IP space to my personal blog every time a Facebook crawler visited their automatically registered Blogspot accounts.

Upon contacting Facebook's Security Incident Response Team, the folks implemented a filter and responded by confirming this was happening:

  • Thanks for bringing this to our attention. I'm on the Security Incident Response team at Facebook and we just finished looking into this issue. We visit all links posted to Facebook as part of our link preview feature. We also take the opportunity to do some additional security screening to filter out bad content. Koobface in particular is fond of redirecting our requests to legitimate websites, and you seem to have done something to piss Koobface off. All visits to Koobface URLs from our IP space are currently being redirected to your blog.

Pretty dynamic "relationship", isn't it?
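The "sudden peak of visitors" in point 08 was spotted by eye in the daily stats. The following is an added example, not code from the original post: it runs the same check over web-server access-log lines, grouping hits per hour by source network and flagging any hour in which one named network supplies most of the traffic. The log lines are constructed, the crawler prefix is an RFC 5737 documentation range standing in for the real address space (which the page does not give), and the thresholds are assumed defaults.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed access-log lines in combined-log style. 203.0.113.0/24 stands in for
# a link-preview crawler's address space (the real prefix is not on the page);
# 198.51.100.0/24 stands in for ordinary readers.
SAMPLE_LOG = """\
198.51.100.7 - - [24/Sep/2009:10:01:03 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.11 - - [24/Sep/2009:10:05:41 +0000] "GET /2009/09/post.html HTTP/1.1" 200 8192
198.51.100.9 - - [24/Sep/2009:10:30:12 +0000] "GET /2009/09/post.html HTTP/1.1" 200 8192
203.0.113.11 - - [24/Sep/2009:11:00:02 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.12 - - [24/Sep/2009:11:00:09 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.13 - - [24/Sep/2009:11:01:15 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.14 - - [24/Sep/2009:11:01:48 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.15 - - [24/Sep/2009:11:02:03 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.16 - - [24/Sep/2009:11:02:40 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.7 - - [24/Sep/2009:11:03:11 +0000] "GET /about.html HTTP/1.1" 200 2048
203.0.113.17 - - [24/Sep/2009:11:03:52 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.18 - - [24/Sep/2009:11:04:27 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.22 - - [24/Sep/2009:11:05:30 +0000] "GET / HTTP/1.1" 200 5120
"""

# Networks worth naming in the report (assumed; replace with the real crawler prefixes).
NAMED_NETWORKS = {
    "social-network crawler (assumed prefix)": ipaddress.ip_network("203.0.113.0/24"),
}

# Captures the source address and the timestamp truncated to the hour.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}:\d{2}):\d{2}:\d{2} [^\]]*\]')


def label_for(ip, networks=NAMED_NETWORKS):
    """Map a source address to a named network, or "other"."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "other"
    for label, net in networks.items():
        if addr in net:
            return label
    return "other"


def hits_by_hour(text, networks=NAMED_NETWORKS):
    """Return {hour: {label: hits}} over every parseable log line."""
    table = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, hour = m.group(1), m.group(2)
        table[hour][label_for(ip, networks)] += 1
    return table


def spike_sources(text, networks=NAMED_NETWORKS, min_share=0.5, min_hits=5):
    """Hours in which one named network accounts for most of the traffic.

    Returns (hour, label, hits, total) tuples. min_share and min_hits are
    assumed defaults; tune them to the site's normal traffic. Hours sort
    lexically, which is fine within a single day as in the sample.
    """
    table = hits_by_hour(text, networks)
    out = []
    for hour in sorted(table):
        total = sum(table[hour].values())
        for label, hits in table[hour].items():
            if label != "other" and hits >= min_hits and hits / total >= min_share:
                out.append((hour, label, hits, total))
    return out


if __name__ == "__main__":
    for hour, label, hits, total in spike_sources(SAMPLE_LOG):
        print(f"{hour}: {hits}/{total} hits from {label}")
```

A burst like the one flagged in the second hour, made up almost entirely of a crawler's address space fetching the front page, is the signature of being used as a redirect target: the crawler is following links it found elsewhere, not readers arriving on their own. Checking the Referer field (absent from the sample for brevity) narrows down which links are responsible.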

09. The gang is experimenting with alternative propagation strategies, such as Skype

With the Koobface botnet under the microscope of the security community, the gang is naturally interested in switching its social engineering tactics, or looking for alternative propagation methods.

In November, 2009, security vendors detected a new Koobface variant indicating the gang's long-term strategy of diversifying propagation vectors by using Skype. The sample analyzed back then was also collecting personally identifiable information from affected users, a practice often used when a malicious attacker is building the foundations for a successful social engineering campaign.

Why would the gang bother propagating through Skype with such a well developed Web 2.0 propagation strategy already in place? Greed is the first thing that comes to my mind.

10. The gang is monetizing traffic through the Crusade Affiliates scareware network

Originally exposed in September, 2009's "Koobface Botnet's Scareware Business Model" post (see Part Two as well), when they officially started serving scareware each and every time a user visits a Koobface infected page, the Crusade Affiliates network appears to be the primary choice for the Koobface gang in terms of scareware monetization.

Once its key domain got suspended, the network went undercover, although it appears that the entire network may be an exclusive operation maintained by, and used only by, the Koobface gang in an attempt not to attract so much attention to its activities. This operational security (OPSEC) practice on behalf of Koobface and the network has been evident ever since: the branding is gone, yet the gang still collects the revenue from the network, which naturally earns its profit thanks to the Koobface botnet.

Scareware continues being the single most profitable monetization strategy used by the gang. The success of this business model is pretty evident with PC repair shops noticing an increasing demand for their services thanks to scareware/fake security software (See a gallery of different scareware releases) infections.

Your most pragmatic strategy when fighting scareware in general remains secure browsing, awareness (The ultimate guide to scareware protection), or plain simple sandboxing.

Topics: Software Development, Browser, Security, Social Enterprise

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

82 comments
  • Set your firewalls to stun.. block executable downloads

    Doesn't matter how they attack your PC, if they cannot download the executable, they are dead in their tracks.
    Been_Done_Before
    • Cheaper solution; unplug the Cat5.

      Or switch to Linux.
      AzuMao
      • Damn right!!

        Linux CAN'T EVER be infected because Linux users are smarter then Windoze users.

        We don't click on nefarious links that install executables!!
        Ron Bergundy
        • ????

          There can't even [i]be[/i] any "links that executables" to click on; the default for a newly created file is to be non-executable. So I'm not sure what your post is trying to
          get across, sorry. o_O
          AzuMao
          • Maybe you're new?

            Even the other Linux die hards ignore that guy.

            This guy even has multiple accounts on here and he'll post something then have his other account compliment himself for something then agree with what he's saying.

            Pretty much read what he says for a laugh then move on.
            Cobra7fac
          • Linux in the screen name

            It's probably best to just ignore posters with Linux as part of their screen name. Mostly they just post drivel.
            Bill4
          • you know what he's trying to say

            yet...you're being a little extreme

            fail.

            a redirect is a redirect.
            pcguy777
        • i think you meant "smarter [b]than[/b]" - great irony

          <nt>
          *Gman*
        • LOL - thank you I was afraid I would not have your

          comedy relief today Donnie.
          ItsTheBottomLine
      • to be fair, give windows users a better net-security conscience

        After two dozen XP rebuilds for 2009 and total 4 so far in 2010, I can say with 100% certainty that most of the general population of windows users are determined to bypass any security mechanisms to install socially-engineered malware disguised as friendly email "click-me's".

        It is akin to the big, red button that states "do not push!". I ask "Why did you push it?" - response usually equates to "because it was there".

        Most low-end desktops are dual-core overkill for the typical net user, so much power they can seamlessly run whatever linux distro under virtualbox as an internet appliance, but it's an inconvenience for them.
        ~doolittle~
        • good idea thanks.

          running linux for web surfing, on vmware, or virtual sunbox etc.
          pcguy777
        • That is the general culture among Windows users, yes, but not by..

          ..mere coincidence.

          I'm not sure if you've really used Windows before, because if you had, you'd know that in Windows, if you want to install something, you search around all over the place, download some file from some website you've never heard of, and run it. So of course Windows users will be used to downloading random crap from random places and running it.

          Whereas most Linux distros have these things called "repositories" where everything you could ever want and then some is located all in one, verified place, and cryptographically signed to prevent someone in between you and the server modifying stuff while you're downloading it. You don't go to some website and click on a file and run it. Files aren't even executable by default. The culture is completely different, it isn't just a matter of coincidence.
          AzuMao
          • comparing grandmas and frogs ...

            There's very little threat of somebody "modifying stuff while you're downloading it" ... that's actually quite an absurd notion. Hackers and spreaders of malware don't need to bother intercepting anything enroute, cause it's so easy to trick ignorant users into downloading malware or other foolishness in direct and simple manners such as phishing. Actual redirection is very very rare ... mostly the fools are going directly to malware sites out of their own ignorance.

            The vast majority (probably around 5-nines) of internet-based repositories of Windows executable programs are completely legit and wholly uninfected while serving up cheap goodness. Why are you down on that?

            Are you telling me you really do the whole MD5 hash checking for every damn file you download? Absurd. Nobody does that except for the most anal-retentive nerdniks with nothing better to do with their time.

            I've run various flavors of linux on various pc's from time to time just to explore & experience the "other side" and I have never found any repositories of "everything you could ever want" ... the number and variety of user-oriented (i.e., non-IT) software for linux utterly pales in comparison to what's available for Windoze users.

            General PC users will never switch to linux until the vast majority of distros & apps are regularly delivered as 'one click install' packages like windows-based stuff, with all necessary configuration issues (especially drivers) included and set. Mom & pop don't want to be bothered with trying to understand hash sums, make files, and especially don't want to have to troubleshoot driver problems. They want shyte to work right outa the box without any effort, and linux still can't do that.
            Gravyboat McGee
          • "it's so easy to trick ignorant users into downloading malware or other foo

            [i]lishness in direct and simple manners such as phishing[/i]"

            In the Windows world, yes.


            In the Linux world, people aren't used to downloading files off of random websites, making them executable (you can't run them by default), and running them.


            Meaning that in-transit would be an easier window to target. But that too is impervious.


            [i]The vast majority (probably around 5-nines) of internet-based repositories of Windows executable programs are completely legit and wholly uninfected while serving up cheap goodness. Why are you down on that?[/i]

            Because the vast majority of Windows software is downloaded on a per program, per site basis. Not from Windows.com or some other trusted authority.

            [i]Are you telling me you really do the whole MD5 hash checking for every damn file you download? Absurd. Nobody does that except for the most anal-retentive nerdniks with nothing better to do with their time.[/i]

            That question demonstrates a complete misunderstanding of basic security procedures.

            For one thing, MD5 has been broken for a long time.
            For another, where would you get the MD5 hash from.. the very connection that isn't trustworthy?
            For a third, putting the above two aside.. why would the check be manual (done by the user)?

            True repositories, used by Linux like OSs, are encrypted end-to-end from the beginning. Any modification of in-transit data would result in random, useless data. Think HTTPS, but implemented in the OS directly, not the browser.

            [i]I've run various flavors of linux on various pc's from time to time just to explore & experience the "other side" and I have never found any repositories of "everything you could ever want" ... the number and variety of user-oriented (i.e., non-IT) software for linux utterly pales in comparison to what's available for Windoze users. [/i]

            That exists, I mean. Obviously you won't find a repository with DiRT 2, since a Linux version of it wasn't made. This is the fault of whoever develops the program, not Linux. Just like it isn't the fault of Windows that it can't run AppArmor.


            [i]General PC users will never switch to linux until the vast majority of distros & apps are regularly delivered as 'one click install' packages like windows-based stuff, with all necessary configuration issues (especially drivers) included and set. Mom & pop don't want to be bothered with trying to understand hash sums, make files, and especially don't want to have to troubleshoot driver problems. They want shyte to work right outa the box without any effort, and linux still can't do that.[/i]

            It's called the Synaptic Package Manager.

            Have you used a Linux distro
            [b]in this millennium[/b] (relevant part bolded)?
            AzuMao
          • Have I used linux this millennium?

            Yes, several. I've been trying it out about once every other year for the past decade. My latest experiment was Ubuntu. Very pretty, but couldn't get online coz it didn't have the right drivers for my wireless network card, and I'm just not inclined to figure it out. Reboot to windoze, delete Ubuntu.

            I've run linux in a VM thereby avoiding the hardware compatibility and driver issues, but like others have pointed out that just adds overhead slowing things down while not eliminating the risks of the host os, so there's really no benefit to doing that.

            I'm not against linux, and I will continue to play with it coz I think it's neat. I can easily see it being used as a standard office platform, since in that environment you should have some professional IT support anyways, and linux would be easier to manage than windows in that environment.

            I'm just saying I don't believe it will be most folks first choice for their home pc's until it becomes as easy to use & manage (from a casual user standpoint) as Windows.

            But just to keep this posting somewhat on-topic, my main point was that the vast majority of risks within the Windows world are due to user ignorance, not to any inherent flaw in Windows. If Linux had as wide a user base as Windows, then hackers would be working overtime to compromise it. Browser-based attacks can be developed for any OS, and I seriously doubt that linux can't be hacked.

            Cheers :-)
            Gravyboat McGee
  • Switching to Linux is not even close

    Switching to Linux is not even close to an option, it doesn't run my programs and I have spent far too much money to waste it by going to Linux.
    And pleaseeeeeeeeeeeeeeeeeeeeeeeeeee don't even mention
    Wine.
    Hell it doesn't even support my wireless adapter, lousy dual monitor support, even worse Nvidia support. Every time I installed the "More better graphics option" Linux crashed hard. It's just not worth the effort, take it from someone who has given Linux more than enough tries and not just Ubuntu; name one, I've more than likely tried it.

    What's even more funny is how very close to functionality they all are, as if they copied ideas from each other. hmmm i wonderrrrrrrrrr.
    Stan57
    • ????

      "Copied"? A distro is just a collection of packages pre-installed. That's like saying Windows 7 Ultimate "copied" some stuff from Windows 7 Enterprise. Well okay that's not a
      perfectly accurate analogy, but it's kind of hard to make one with such fundamental differences. =/

      Have either of you even used a Linux-based OS before?

      Also, you didn't even say what it is that you're having problems running, nor what the adapter is that you can't get to recognize. And it's up to NVIDIA to make drivers for NVIDIA's hardware, not the Linux community. How can you expect them to make NVIDIA's drivers for them when the specs aren't even available? That makes no sense!
      AzuMao
      • Obviously nVidia sees no future in Linux, if they won't write drivers. (nt)

        ...
        ths40
        • Ummmm...

          Have you even tried a modern distro? I'm running Mint on this machine with Nvidia's latest graphics drivers. Couldn't run World of Warcraft on it if their drivers weren't available.
          Dave32265
          • Still, linux really shines as a server platform...

            Let microsoft have games. Linux and Unix are where it's at for servers, and there is no shame in that. Sans the socialist element in the 'community' (most of whom contribute nothing, I might add), pretty much everyone realizes that trying to make Linux into a consumer operating system that performs consumer tasks is utterly pointless for any number of reasons.
            Tea.Rollins