The Koobface botnet, one of the most efficient social-engineering-driven botnets, is entering the Xmas season with a newly introduced template that spoofs a YouTube video page while enticing the visitor into installing a bogus Adobe Flash Player update (see "New Koobface campaign spoofs Adobe's Flash updater"), which remains one of the most popular social engineering tactics used by the botnet masters.
What is the Koobface gang up to? Would they continue sticking to their true nature and rely on social engineering tactics, or would they start using active exploitation tactics such as client-side exploits?
Let's discuss some of the new developments introduced on the Koobface front over the past week, and try to answer these questions.
- Experimenting with client-side exploits - last week, for the first time ever, the Koobface botnet started serving client-side exploits by embedding two iFrames on the hundreds of thousands of Koobface-infected hosts, for a period of several hours. The web malware exploitation kit in question relies on outdated exploits, but that does not automatically mean the gang's "infection optimization" strategy was in vain, given that a huge percentage of users and enterprises continue failing to properly manage their "software inventory". Whether the gang will re-introduce client-side exploits (drive-by downloads) remains to be seen. The move does, however, directly contradict the infection model of the botnet, which so far has relied exclusively on social engineering tactics.
- Constant diversification of legitimate services to abuse - in order to add additional layers of legitimacy and increase its chances of bypassing reputation-based scanning mechanisms, the Koobface botnet continues to put effort into creating a self-sufficient botnet platform that relies on the abuse of legitimate services only. Case in point - a user clicking on a bit.ly link generated by the Koobface botnet gets forwarded to an automatically generated Blogspot account, registered with the help of a victim already infected with Koobface, which then uses a legitimate compromised site to finally load the Xmas-season-themed template from a Koobface-infected host. A similar redirection takes place if the user clicks on the spamvertised Google News redirector or a Google Reader link pushed by the Koobface botnet.
- Intensifying abuse of Bit.ly, the service strikes back - yesterday, Bit.ly, one of the most popular URL shortening services and, as of recently, the service of choice for the Koobface botnet, announced its intention to add additional layers of security by cooperating with Verisign, Sophos and WebSense in detecting malicious content using the service. The move will successfully position bit.ly as the URL shortening service with security in mind, taking into consideration the lack of such publicly acknowledged features in competing services. However, the sooner they implement it, the better, since the Koobface botnet masters found a pragmatic way to trick users relying on bit.ly's preview feature months ago - in order to return a legitimate and recent news item, the automatically generated Blogspot accounts syndicate the title of a recent news item from Google News. The click-through rate on a sampled Koobface-generated bit.ly link speaks for itself - over 500 clicks within a 24-hour period.
- Skype propagation module in the works - two weeks ago, security vendors intercepted a new Koobface variant (W32/Koobfa-O), which revealed more details about the gang's intention of abusing the Skype accounts of already infected victims by spamvertising Koobface-serving links to their Skype contacts. Interestingly, the sample was also collecting personal Skype data (HOMEPAGE, ABOUT, PHONE_MOBILE, PHONE_OFFICE, PHONE_HOME, CITY, COUNTRY, BIRTHDAY, FULLNAME, PSTN_BALANCE etc.) and sending it back to the botnet masters, in what appears to be the foundation for a targeted marketing campaign tailored to the market segments they're able to identify based on the collected data. Skype, with its millions of users, is naturally a target for separate scareware campaigns, which have recently been detected using the application.
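The redirection chain described in the list above (bit.ly link, auto-generated Blogspot page, compromised site, Koobface-infected host) passes a reputation check on its first hops, so a defender has to evaluate the chain as a whole. The sketch below is an added example, not part of the original article: it rebuilds chains from proxy records via the Referer field and flags the shortener-to-blog-to-onward pattern, assuming time-ordered records of top-level navigations; the record layout, all hostnames and the two-onward-hosts threshold are constructed for illustration.

```python
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly"}
BLOG_SUFFIXES = (".blogspot.com",)

# Constructed proxy-log records: (client, url, referer). Hostnames are
# placeholders, not indicators taken from the article.
SAMPLE_LOG = [
    ("10.0.0.5", "http://bit.ly/aaa111", None),
    ("10.0.0.5", "http://news-item-1.blogspot.com/", "http://bit.ly/aaa111"),
    ("10.0.0.5", "http://compromised-site.example/r.js",
     "http://news-item-1.blogspot.com/"),
    ("10.0.0.5", "http://infected-host.example/youtube/",
     "http://compromised-site.example/r.js"),
    ("10.0.0.7", "http://bit.ly/bbb222", None),
    ("10.0.0.7", "http://family-recipes.blogspot.com/", "http://bit.ly/bbb222"),
]

def host(url):
    return (urlsplit(url).hostname or "").lower()

def build_chains(records):
    """Link each request to the request named in its Referer, per client."""
    chains, parents = {}, set()
    for client, url, referer in records:
        chains[(client, url)] = chains.get((client, referer), []) + [url]
        if referer:
            parents.add((client, referer))
    # Keep only complete chains, i.e. URLs that nothing else was referred from.
    return [c for key, c in chains.items() if key not in parents]

def is_suspicious(chain):
    """Shortener first, then a free blog page that hands off to 2+ other hosts."""
    hosts = [host(u) for u in chain]
    if hosts[0] not in SHORTENERS:
        return False
    blog_hops = [i for i, h in enumerate(hosts) if h.endswith(BLOG_SUFFIXES)]
    if not blog_hops:
        return False
    # A normal shortened link to a blog ends on the blog; the chain in the
    # article continues through a compromised site to the infected host.
    onward = {h for h in hosts[blog_hops[0] + 1:] if not h.endswith(BLOG_SUFFIXES)}
    return len(onward) >= 2

def flag_chains(records):
    return [c for c in build_chains(records) if is_suspicious(c)]

if __name__ == "__main__":
    for chain in flag_chains(SAMPLE_LOG):
        print(" -> ".join(host(u) for u in chain))
```
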
All of these recent developments clearly indicate the gang's intention to remain in business, as well as to continue maintaining its leading position in the scareware business model by pushing new scareware variants on each and every visit to a Koobface-infected host.
Have you ever experienced a Koobface infection? Were some of your friends unknowingly spamming you with Koobface links, and did you tip them off to the fact that they're infected? Do you think that the social networks most affected by Koobface should take a more radical approach when dealing with Koobface-infected users for the sake of providing a better service to the entire user base? Or is it the ISP's role to tackle the problem at its roots?