Koobface botnet enters the Xmas season


Summary: The Koobface botnet enters the Xmas season with a new holiday-themed YouTube page. In between, the botnet masters are clearly experimenting with new features. Let's review some of them.


The Koobface botnet, one of the most efficient social-engineering-driven botnets, is entering the Xmas season with a newly introduced template spoofing a YouTube video page, which in turn entices the visitor into installing a bogus Adobe Flash Player update (New Koobface campaign spoofs Adobe's Flash updater). The fake updater remains one of the most popular social engineering tactics used by the botnet masters.

What is the Koobface gang up to? Would they continue sticking to their true nature and rely on social engineering tactics, or would they start using active exploitation tactics such as client-side exploits?

Let's discuss some of the new developments introduced on the Koobface front over the past week, and try to answer these questions.

  • Experimenting with client-side exploits - last week, for the first time ever, the Koobface botnet started serving client-side exploits by embedding two iFrames on the hundreds of thousands of Koobface-infected hosts, for a period of several hours. The web malware exploitation kit in question relies on outdated exploits, but that does not automatically mean the "infection optimization" strategy would be in vain, given that a huge percentage of users and enterprises continue failing to properly manage their software inventory. Whether the gang will re-introduce client-side exploits (drive-by downloads) remains to be seen; however, this move directly contradicts the infection model of the botnet, which so far has relied exclusively on social engineering tactics.

  • Constant diversification of legitimate services to abuse - in order to add additional layers of legitimacy, and increase its chances of bypassing reputation-based scanning mechanisms, the Koobface botnet continues to put effort into building a self-sufficient botnet platform that relies on the abuse of legitimate services only. Case in point - a user clicking on a bit.ly link generated by the Koobface botnet will be forwarded to an automatically generated Blogspot account, registered with the help of an already Koobface-infected victim, which then uses a legitimate compromised site to finally load the Xmas-themed template from a Koobface-infected host. A similar redirection takes place if the user clicks on the spamvertised Google News redirector or the Google Reader link pushed by the Koobface botnet.
  • Intensifying abuse of Bit.ly, the service strikes back - yesterday, Bit.ly, one of the most popular URL shortening services and, as of recently, the service of choice for the Koobface botnet, announced its intention to add additional layers of security by cooperating with Verisign, Sophos and WebSense in detecting malicious content using the service. The move will position bit.ly as the URL shortening service with security in mind, given the lack of such publicly acknowledged features in competing services. The sooner they implement it, the better: months ago the Koobface botnet masters found a pragmatic way to trick users relying on bit.ly's preview feature - in order to return a legitimate and recent news item, the automatically generated Blogspot accounts syndicate the title of a recent news item from Google News. The click-through rate on a sampled Koobface-generated bit.ly link speaks for itself - over 500 clicks within a 24-hour period.

  • Skype propagation module in the works - two weeks ago, security vendors intercepted a new Koobface variant (W32/Koobfa-O), which revealed more details about the gang's intention of abusing the Skype accounts of already infected victims by spamvertising Koobface-serving links to their Skype contacts. Interestingly, the sample was also collecting personal Skype profile data (HOMEPAGE, ABOUT, PHONE_MOBILE, PHONE_OFFICE, PHONE_HOME, CITY, COUNTRY, BIRTHDAY, FULLNAME, PSTN_BALANCE etc.) and sending it back to the botnet masters, in what appears to be the foundation for a targeted marketing campaign tailored to the market segments they are able to identify from the collected data.
  • Skype, with its millions of users, is naturally also a target for separate scareware campaigns, which have recently been detected while the application was in use.
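The redirection chain described above (shortener, then a free blog, then a compromised site, then the spoofed YouTube page on an infected host pushing a fake Flash Player update) leaves a recognisable trace in web proxy logs. The following is an added example, not code from the article or from any vendor, that stitches each client's requests into redirect chains and flags the ones matching that pattern. The log format (tab-separated timestamp, client, method, URL, status, Location header), the hostnames and the sample log lines are all constructed for the example; the only point taken from the page is the shape of the chain and the "is the address bar really youtube.com?" check raised in the comments.

```python
"""Flag proxy-log redirect chains that look like a Koobface-style lure.

Added example (not from the article). Assumed log format, one request per line:
    ts<TAB>client<TAB>method<TAB>url<TAB>status<TAB>location-or-"-"
"""
import re
from urllib.parse import urlparse

# Constructed sample log. Hosts are placeholders (example.net, TEST-NET-2 address).
SAMPLE_LOG = """\
1259712001\t10.0.0.5\tGET\thttp://bit.ly/5xmpl1\t301\thttp://seasonal-headlines.blogspot.com/2009/12/story.html
1259712002\t10.0.0.5\tGET\thttp://seasonal-headlines.blogspot.com/2009/12/story.html\t302\thttp://compromised.example.net/go.php?id=7
1259712003\t10.0.0.5\tGET\thttp://compromised.example.net/go.php?id=7\t302\thttp://198.51.100.23/youtube/watch.php?v=xmas
1259712004\t10.0.0.5\tGET\thttp://198.51.100.23/youtube/watch.php?v=xmas\t200\t-
1259712009\t10.0.0.5\tGET\thttp://198.51.100.23/flash_player_update.exe\t200\t-
1259712020\t10.0.0.9\tGET\thttp://bit.ly/b3n1gn\t301\thttp://www.youtube.com/watch?v=abc123
1259712021\t10.0.0.9\tGET\thttp://www.youtube.com/watch?v=abc123\t200\t-
"""

SHORTENERS = {"bit.ly"}                      # assumed list; extend as needed
FREE_HOSTING_SUFFIXES = (".blogspot.com",)   # assumed list of free blog hosts
IP_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Executable names typical of a fake player/update lure (assumed pattern).
LURE_EXE = re.compile(r"(flash|player|update|setup|codec)[^/]*\.exe$", re.I)


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_real_youtube(host):
    """True only for youtube.com itself or a subdomain of it, never a lookalike."""
    return host == "youtube.com" or host.endswith(".youtube.com")


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, location = line.split("\t")
        records.append({"ts": int(ts), "client": client, "method": method,
                        "url": url, "status": int(status),
                        "location": None if location == "-" else location})
    return records


def build_chains(records):
    """Stitch each client's requests into chains: a request whose URL equals the
    previous request's Location is the next hop; a later request to the landing
    host (e.g. the download) is kept as a follow-up of that chain."""
    by_client = {}
    for r in sorted(records, key=lambda r: (r["client"], r["ts"])):
        by_client.setdefault(r["client"], []).append(r)
    chains = []
    for client, reqs in by_client.items():
        current = None
        for r in reqs:
            if current and current["hops"][-1]["location"] == r["url"]:
                current["hops"].append(r)
            elif current and host_of(current["hops"][-1]["url"]) == host_of(r["url"]):
                current["followups"].append(r)
            else:
                current = {"client": client, "hops": [r], "followups": []}
                chains.append(current)
    return chains


def assess_chain(chain):
    """Return the indicators found in one chain and an overall verdict."""
    hops = chain["hops"]
    landing = hops[-1]["url"]
    landing_host = host_of(landing)
    flags = []
    if host_of(hops[0]["url"]) in SHORTENERS:
        flags.append("starts_at_shortener")
    if any(host_of(h["url"]).endswith(FREE_HOSTING_SUFFIXES) for h in hops):
        flags.append("via_free_hosting")
    if IP_LITERAL.match(landing_host):
        flags.append("lands_on_ip_literal")
    if "youtube" in landing.lower() and not is_real_youtube(landing_host):
        flags.append("youtube_lookalike")
    if any(LURE_EXE.search(urlparse(f["url"]).path) for f in chain["followups"]):
        flags.append("executable_lure_download")
    # Three or more hops plus a spoofed video page or a lure download is the
    # combination the article describes; a shortener alone is not suspicious.
    suspicious = len(hops) >= 3 and (
        "youtube_lookalike" in flags or "executable_lure_download" in flags)
    return {"client": chain["client"], "hops": len(hops), "landing": landing,
            "flags": flags, "suspicious": suspicious}


def analyze(log_text):
    return [assess_chain(c) for c in build_chains(parse_log(log_text))]


if __name__ == "__main__":
    for result in analyze(SAMPLE_LOG):
        print(result)
```

The benign chain (bit.ly straight to www.youtube.com) only earns the "starts_at_shortener" indicator and is not reported; the four-hop chain that lands on a bare IP address serving a /youtube/ path and is followed by a flash_player_update.exe download collects every indicator. The verdict deliberately requires the lookalike page or the executable download in addition to chain length, so ordinary shortener-to-blog redirects do not trip it.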

All of these recent developments clearly indicate the gang's intention to remain in business, as well as to maintain its leading position in the scareware business model by pushing new scareware variants on each and every visit to a Koobface-infected host.

Have you ever experienced a Koobface infection? Were some of your friends unknowingly spamming you with Koobface links, and did you tip them on the fact that they're infected? Do you think that the social networks most affected by Koobface should take a more radical approach when dealing with Koobface-infected users for the sake of providing a better service to the entire user base? Or is it the ISP's role to tackle the problem at its roots?



Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.



  • X This

    Thanks for the info Dancho and Happy X Year everyone! Did everyone have a good Xgiving day?
    Not enough space for 'Christmas'?
    • Wow.

      Seriously, who cares?
      • It seems

        you don't.

        Good luck when watching YouTube videos, if you ever do.

        • YouTube videos are safe. The problem is other websites

          [i]pretending[/i] to have YouTube videos. If the
          URL in your browser address bar starts with
          "http://www.youtube.com/" then it is not serving
          up this exploit.
      • The guy you just asked.

    • Xmas has like, been used forever...

      as an accepted shortening of the term. Get over it!

      History excerpt from following source:


      "Abbreviations used as Christian symbols have a long history in the church. The letters of the word "Christ" in Greek, the language in which the New Testament was written, or various titles for Jesus early became symbols of Christ and Christianity. For example, the first two letters of the word Christ (cristoV, or as it would be written in older manuscripts, CRISTOS) are the Greek letters chi ([u]x[/u] or X) and rho (r or R). These letters were used in the early church to create the chi-rho monogram (see Chrismons), a symbol that by the fourth century became part of the official battle standard of the emperor Constantine."
      (Original greek lettering truncated because of HTML)

      I have studied original documents from the early church that confirm this information. The 'P' symbol over the X was an indication of victory over death, by the understanding of the ancients.

      Please don't make matters worse for us Christians; get educated and be tolerant like Jesus teaches.

      Don't be another ignorant 'Religio-fanatic American Taliban'
      • Jesus also...

        teaches us to not call other people names just because we don't agree with them, or don't like what they say.
        TTGIT Guy
        • I stand corrected...

          however it is getting so bad, I wouldn't blame folks for calling us terrorists next.

          Dragging his name through so much politics and controversy is certainly not helping us either.
        • Amen.

          • OK

            God and his kid have left the building
      • Not Quite Right

        While your history may be accurate, your application of history is not. The majority of people today who use Xmas do not use it because of its original intent but because they want to eliminate the mention of Christ.

        So we don't always look at original intent to determine whether something is "ok", we also need to look at current usage. The other word for donkey and the holiday of Halloween would also fall into this category.
        • Speak for Yourself

          My very unscientific survey found that a majority of people use Xmas because it is shorter. The Atheist I interviewed said he didn't care which form people used as long as they sent presents.
        • What mention?

          The majority of people today say it as "crissmis"
          so there's not much mention of Christ either way.
          In fact, I can't even remember the last time I
          actually heard somebody say it as Christ-mass.
    • I've seen longer titles on ZDNet before, so definitely enough space.

      It was probably shortened for convenience.
  • Back to the original subject...

    no matter what time of the year it is, these idiots are trying new ways to get our personal information so they can ultimately steal our money.
    In short, beware of anyone that asks your personal information for no good reason.
    • Exactly.

      Letting down your guard just because it's a
      holiday is a very bad idea indeed.
    • "social engineering" has an ally

      The idiots who, despite being told, or even having been infected in the past themselves, fail to ever learn that the bulk of this stuff requires they do something in order to become infected.

      So this week it's Tiger Woods. One day it'll be "blue movies" starring a 19 year old "Hannah Montana."

      People are predictably and reliably stupid. There will never be an end to malware because human nature will never change.
      • Unless..

        ..someday they make an OS capable of recognizing
        malware and deleting it.

        Although that's going to be tricky since DRM
        technologies like StarForce have so much in
        common.. hmm..
  • Please clarify..

    ..which platforms can Koobface infect?

    No point scaring people who aren't affected by this.
    Please post a list.
    • Why would anyone be scared by this?

      Don't give root permissions to applications just because some site that kind of looks like YouTube asks you to. That is good common sense that applies to [b]all[/b] platforms, wouldn't you say?

      Also, keep your machine up to date:
      [i]Despite its reliance on outdated exploits[/i]
      Since you are on record as saying that vulnerabilities don't count if they've been patched (though we've yet to determine if that standard only holds for FreeBSD), there is no reason for anyone to be scared of this, no matter what platform they've chosen to use.