With Koobface continuing to spreading across Facebook by utilizing hundreds of compromised sites as infection vectors, next to using them as distributed hosting infrastructure in an attempt to undermine potential take down activities, a common misconception regarding the gang's activities shifts the attention from their true participating within the underground ecosystem.
The intensive multitasking on behalf of the Koobface gang, next to the fact that the Koobface botnet is the tip of the iceberg for their malicious operations, prompts the publishing of this top 10 things you didn't know about the Koobface gang list.
Some are funny, others are disturbing, the majority indicate a cybercrime ecosystem that actively keeps itself up-to-date with the very latest research profiling it, by reading the blogs of security vendors and researchers.
01. The gang is connected to, probably maintaining the click-fraud facilitating Bahama botnetBahama botnet -- the name comes from the 200,000 parked domain sites located in the Bahamas where they were redirecting the traffic to -- between what I refer to as my "Ukrainian fan club" due to the offensive messages they were including in the redirectors every time I exposed and shut down one of their campaigns.
Malware samples pushed by the Koobface botnet, were modifying HOSTS file on the infected hosts, in an attempt to redirect the user into a bogus Google featuring pharmaceutical ads, as well as related cybercrime-friendly search engines in order to monetize the hijacked traffic. The "Ukrainian fan club" itself, appears to be the blackhat SEO department for the Koobface gang, whose connections to the following campaigns, as well as the multiple connections linking it to the then centralized Koobface infrastructure, resulted in the take down of the Koobface-friendly Riccom LTD - AS29550 in December, 2009.
How did the gang respond? With a bold sense of humor.
02. Despite their steady revenue flow from sales of scareware, the gang once used trial software to take a screenshot of a YouTube videoOctober, 2009 spoof of YouTube page, was actually a screenshot taken by using a trial version of the HyperSnap.
The result? A "Created with HyperSnap 6. To avoid this stamp, buy a license" at the bottom of the screenshot, shown to everyone visiting a Koobface infected hosting serving it. The entire YouTube spoof was basically a screenshot taken from a legitimate video page, with the spoofed Adobe error message, being the only part of it that was clickable.
03. The Koobface gang was behind the malvertising attack the hit the web site of the New York Times in Septemberestablishing a connection between my "Ukrainian fan club" the Bahama botnet, and the malvertising attacks, the assessment of the incident further confirmed this connection based on historical OSINT gathered from their previous blackhat SEO campaigns.
The Koobface/Ukrainian fan club connection? The same redirector used in the NYTimes malvertising attack, was not only simultaneously found on Koobface infected hosts, but was also profiled a month earlier in the "Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign", a blackhat SEO campaign maintained by them.
04. The gang conducted a several hours experiment in November, 2009 when for the first time ever client-side exploits were embedded on Koobface-serving compromised hostsconducted an experiment lasting several hours, where client-side exploit serving iFrames were embedded on Koobface infected hosts.
Sampled exploits included VBS/Psyme.BM; Exploit.Pidief.EX; Exploit.Win32.IMG-WMF, moreover, despite the Koobface gang's claim -- more on that claim and their bold sense of humor in an upcoming poing -- on the very same IP hosting the exploit serving domain, there was an active Zeus crimeware campaign.
By embedding these particular domains, the gang also exposed an affiliation with an author of a popular web malware exploitation kit. Whether the experiment was meant to test its exploitation capabilities before the gang would start serving exploits permanently remains unknown. A few hours after their experiment was exposed, they suspended it.
05. The Koobface gang was behind the massive (1+ million affected web sites) scareware serving campaign in November, 2009massive blackhat SEO campaign from November, 2009, where 1+ million web sites were found compromised and serving scareware?
Real-time monitoring of the campaign, and cross checking the data with real-time monitoring of Koobface activity revealed an interesting observation. The redirectors embedded on the compromised web sites, are also the same redirectors found on Koobface infected hosts, both pushing scareware.
Are Mac OS X users left behind? -->
06. The Koobface Gang Monetizes Mac OS X Traffic through adult dating/Russian online movie marketplacesan early stage experiment attempting to monetize Mac OS X traffic through legitimate and fraudulent dating agencies.
Over the past two weeks, the gang has changed the monetization, and is now currently redirecting Mac OS X visitors to an online movie marketplace, based on whose registration details we can clearly seen that the email used to register the site in question, has also been used to register dozens of scareware/fake security sites. You judge the legitimacy of the service.
This very same Mac OS X monetization attempt was also seen in a blackhat SEO campaign (News Items Themed Blackhat SEO Campaign Still Active) managed by the gang in September, 2009.
07. Ali Baba and 40 LLC a.k.a the Koobface gang greeted the security community on ChristmasAli Baba following my discovery of their pseudonym on a compromised web site -- Ali baba is a fictional character from medieval Arabic literature, with Aliba Baba and 40 as the film adaptation of the "Ali Baba and the Forty Thieves" -- proved that it keeps itself up-to-date with the latest research done against it.
Around the time when the Koobface-friendly Riccom LTD - AS29550 was taken offline, the gang on purposely embedded a bold greeting on Koobface infected hosts in an attempt to legitimize its activities by stating that it is not a virus, and that they have never stolen financial data. Ironically, the gang also included a "Wish Koobface Marry Christmas" script, where over 10,000 people have surprisingly clicked. I wonder how many of these people inquired about a PC repair service, or filed a (scareware) fraud report once they checked their bank statements at the end of the month?
The message they included on the Koobface infected hosts is as follows:
"Our team, so often called "Koobface Gang", expresses high gratitude for the help in bug fixing, researches and documentation for our software to:
In fact, it was a really hard year. We've made many efforts to improve our software. Thanks to Facebook'ssecurity team - the guys made us move ahead. And we've moved. And will move. Improving their security system. By the way, we did not have a cent using Twitter's traffic. But many security issues tell the world we did.They are wrong. As many people know, "virus" is something awful, which crashes computers, steals credential information as good as all passwords and credit cards.
Our software did not ever steal credit card or online bank information, passwords or any other confidential data. And WILL NOT EVER. As for the crashes... We are really sorry. We work on it :) Wish you a good luck in new year and... Merry Christmas to you!
Always yours, "Koobface Gang "
Who is is Soren Siebert?According to the folks at Abuse.ch, who also maintain the ZeusTracker (Crimeware tracking service hit by a DDoS attack):
08. The Koobface gang once redirected Facebook's IP space to my personal blog
In July, 2009, I was the only individual ever singled out, with the gang leaving the following message within their command and control infrastructure for nine days:
Pretty diplomatic way of thanking me for having them kicked out of their ISPs, and systematically suspending the domains that botnet used as foundation for propagating and communicating with the already infected hosts? Depends.
In the next few months, the gang was experimenting with various ways to show me that they're aware of my research/take down activities by typosquatting domains using my name such as pancho-2807 .com (registered to Pancho Panchev; firstname.lastname@example.org), followed by rdr20090924 .info (registered to Vancho Vanchev, email@example.com). Then they decided to set a new benchmark.What the Koobface gang did, was to basically redirect Facebook's IP space to personal blog, every time a Facebook crawler was visiting their automatically registered Blogspot accounts.
Upon contacting Facebook's Security Incident Response Team, the folks implemented a filter and responded by confirming this was happening:
Pretty dynamic "relationship", isn't it?
09. The gang is experimenting with alternative propagation strategies, such as for instance SkypeKoobface botnet under the microscope of the security community, the gang is naturally interested in switching its social engineering tactics, or looking for alternative propagation methods.
In November, 2009, security vendors detected a new Koobface variant indicating their long-term strategy of diversifying the propagation vectors - by using Skype. The sample analyzed back then, was also collecting personally identifiable information from the affected users, a practice that is often used when a malicious attacker is building the foundations for a successful social engineering campaign.
Why would the gang bother propagating through Skype with such a well developed Web 2.0 propagation strategy already in place? Greed is the first thing that comes to my mind.
10. The gang is monetizing traffic through the Crusade Affiliates scareware networkKoobface Botnet's Scareware Business Model" post (See Part Two as well), when they officially started serving scareware each and every time a user visits a Koobface infected page, the Crusade Affiliates network appears to be primary choice for the Koobface gang in terms of scareware monetization.
Once its key domain got suspended, the network went undercover, although it appears that the entire network may be an exclusive operation maintained by, and used only by the Koobface gang in an attempt not to attract so much attention to its activities. This operational security (OPSEC) practice on behalf of Koobface and the network has been evident ever since, with the lack of branding whereas the gang still collects the revenue from the network, which is naturally earning profit thanks to the Koobface botnet.
Scareware continues being the single most profitable monetization strategy used by the gang. The success of this business model is pretty evident with PC repair shops noticing an increasing demand for their services thanks to scareware/fake security software (See a gallery of different scareware releases) infections.
Your most pragmatic strategy when fighting scareware n general, remains secure browsing, awareness (The ultimate guide to scareware protection), or plain simple sandboxing.