With Koobface continuing to spread across Facebook by using hundreds of compromised sites as infection vectors, and by using the same sites as distributed hosting infrastructure in an attempt to undermine potential takedown activities, a common misconception about the gang's activities shifts attention away from its true participation within the underground ecosystem.
The intensive multitasking on behalf of the Koobface gang, next to the fact that the Koobface botnet is the tip of the iceberg for their malicious operations, prompts the publishing of this top 10 things you didn't know about the Koobface gang list.
Some are funny, others are disturbing, and the majority indicate a cybercrime ecosystem that actively keeps itself up to date with the very latest research profiling it, by reading the blogs of security vendors and researchers.
01. The gang is connected to, and probably maintaining, the click-fraud-facilitating Bahama botnet
The result? A "Created with HyperSnap 6. To avoid this stamp, buy a license" watermark at the bottom of the screenshot, shown to everyone visiting a Koobface-infected host serving it. The entire YouTube spoof was basically a screenshot taken from a legitimate video page, with the spoofed Adobe error message being the only part of it that was clickable.
03. The Koobface gang was behind the malvertising attack that hit the web site of the New York Times in September
Data and real-time OSINT (open source intelligence) analysis speak for themselves. With ClickForensics establishing a connection between my "Ukrainian fan club", the Bahama botnet, and the malvertising attacks, the assessment of the incident further confirmed this connection, based on historical OSINT gathered from their previous blackhat SEO campaigns.
Sampled exploits included VBS/Psyme.BM, Exploit.Pidief.EX and Exploit.Win32.IMG-WMF. Moreover, despite the Koobface gang's claim that it has never stolen financial data (more on that claim, and their bold sense of humor, in an upcoming point), on the very same IP hosting the exploit-serving domain there was an active Zeus crimeware campaign.
By embedding these particular domains, the gang also exposed an affiliation with an author of a popular web malware exploitation kit. Whether the experiment was meant to test its exploitation capabilities before the gang would start serving exploits permanently remains unknown. A few hours after their experiment was exposed, they suspended it.
05. The Koobface gang was behind the massive (1+ million affected web sites) scareware serving campaign in November, 2009
Over the past two weeks, the gang has changed the monetization and is now redirecting Mac OS X visitors to an online movie marketplace. Its registration details clearly show that the email used to register the site in question has also been used to register dozens of scareware/fake security sites. You judge the legitimacy of the service.
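The two pivots used above (a registrant email reused across the movie marketplace and the scareware sites, and a shared hosting IP tying the exploit-serving domain to a Zeus campaign) are the same operation: cluster domains that share an infrastructure attribute. The following is an added example, not code from the original post; the records, domains, emails and IP addresses in it are constructed placeholders from reserved documentation ranges, not the real Koobface infrastructure.

```python
"""Cluster domains that share a registrant e-mail or a hosting IP.

Added example (not from the original post). The WHOIS/DNS-style
records below are constructed: hypothetical domains, registrant
e-mails and RFC 5737 documentation IPs, used only to show the pivot.
"""
from collections import defaultdict
from itertools import combinations

# Constructed records (hypothetical names and addresses, not real data).
RECORDS = [
    {"domain": "movie-market.example",  "email": "reg1@example.net", "ip": "203.0.113.10"},
    {"domain": "pc-scan-alert.example", "email": "reg1@example.net", "ip": "203.0.113.11"},
    {"domain": "antivir-pro.example",   "email": "reg2@example.net", "ip": "203.0.113.11"},
    {"domain": "exploit-host.example",  "email": "reg3@example.net", "ip": "198.51.100.5"},
    {"domain": "zeus-c2.example",       "email": "reg4@example.net", "ip": "198.51.100.5"},
    {"domain": "unrelated.example",     "email": "reg5@example.net", "ip": "192.0.2.77"},
]


def cluster_by_shared_attributes(records, keys=("email", "ip")):
    """Union-find over domains: two domains join one cluster when they share
    the value of any attribute in `keys`. Returns a list of sorted clusters,
    ordered by each cluster's first domain."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    # Index every attribute value -> the domains that carry it.
    index = defaultdict(set)
    for r in records:
        for k in keys:
            if r.get(k):
                index[(k, r[k])].add(r["domain"])

    # Every pair of domains sharing a value is linked.
    for domains in index.values():
        for a, b in combinations(sorted(domains), 2):
            union(a, b)

    groups = defaultdict(list)
    for d in parent:
        groups[find(d)].append(d)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


def shared_pivots(records, domain_a, domain_b, keys=("email", "ip")):
    """Explain one link: the attribute values two domains have in common."""
    by_domain = {r["domain"]: r for r in records}
    ra, rb = by_domain[domain_a], by_domain[domain_b]
    return {k: ra[k] for k in keys if ra.get(k) and ra.get(k) == rb.get(k)}


if __name__ == "__main__":
    for cluster in cluster_by_shared_attributes(RECORDS):
        print(cluster)
    print(shared_pivots(RECORDS, "movie-market.example", "pc-scan-alert.example"))
```

Note that the clustering is transitive: the marketplace domain and antivir-pro.example never share an attribute directly, but the registrant email links the first to pc-scan-alert.example and the hosting IP links that one to the third, so all three land in one cluster. That is exactly why a single reused email or IP is enough to pull an otherwise "clean" looking site into a known-bad group, and also why a practitioner should confirm each edge (shared hosting at a large provider is a much weaker pivot than a shared registrant email) before treating the cluster as one actor.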
07. Ali Baba and 40 LLC a.k.a. the Koobface gang greeted the security community on Christmas
Throughout 2009, the Koobface gang, which now officially describes itself as Ali Baba following my discovery of their pseudonym on a compromised web site -- Ali Baba is a fictional character from medieval Arabic literature, with "Ali Baba and 40" as the film adaptation of "Ali Baba and the Forty Thieves" -- proved that it keeps itself up to date with the latest research done against it.
Around the time the Koobface-friendly Riccom LTD - AS29550 was taken offline, the gang deliberately embedded a bold greeting on Koobface-infected hosts in an attempt to legitimize its activities, stating that it is not a virus and that they have never stolen financial data. Ironically, the gang also included a "Wish Koobface Marry Christmas" script, which over 10,000 people have surprisingly clicked. I wonder how many of these people inquired about a PC repair service, or filed a (scareware) fraud report once they checked their bank statements at the end of the month?
The message they included on the Koobface-infected hosts is as follows:
"Our team, so often called "Koobface Gang", expresses high gratitude for the help in bug fixing, researches and documentation for our software to:
Dancho Danchev (http://ddanchev.blogspot.com) who worked hard every day especially on our First Software & Architecture version, writing lots of e-mails to different hosting companies and structures to take down our Command-and-Control (C&C) servers, and of course analyzing software under VM Ware;
Trend Micro (http://trendmicro.com), especially personal thanks to Jonell Baltazar, Joey Costoya, and Ryan Flores who had released a very cool document (with three parts!) describing all our mistakes we've ever made;
Hundreds of users who send us logs, crash reports, and wish-lists.
In fact, it was a really hard year. We've made many efforts to improve our software. Thanks to Facebook's security team - the guys made us move ahead. And we've moved. And will move. Improving their security system.
By the way, we did not have a cent using Twitter's traffic. But many security issues tell the world we did.
They are wrong. As many people know, "virus" is something awful, which crashes computers, steals credential information as good as all passwords and credit cards.
Our software did not ever steal credit card or online bank information, passwords or any other confidential data. And WILL NOT EVER. As for the crashes... We are really sorry. We work on it :) Wish you a good luck in new year and... Merry Christmas to you!
On my blog you will find a reference to a disclaimer page in the navigation bar. The disclaimer is written in German and was generated with an impressum generator provided by e-recht24.de. So the Koobface gang just came across this name on my disclaimer and thought that this is my name.
08. The Koobface gang once redirected Facebook's IP space to my personal blog
In 2009, the Koobface gang had a fixation on me, which didn't come as a surprise given the comprehensive connections I was able to establish. That's of course next to the takedown of the majority of the command and control servers used in Koobface 1.0 over a period of 24/32 hours, which prompted the gang to implement their contingency plan, one they appear to have been developing for a while.
"We express our high gratitude to Dancho Danchev (http://ddanchev.blogspot.com) for the help in bug fixing, researches and documentation for our software."
A pretty diplomatic way of thanking me for having them kicked out of their ISPs, and for systematically suspending the domains the botnet used as the foundation for propagating and communicating with already-infected hosts? Depends.
In the following months, the gang experimented with various ways to show me they were aware of my research/takedown activities, by typosquatting domains using my name, such as pancho-2807 .com (registered to Pancho Panchev; email@example.com), followed by rdr20090924 .info (registered to Vancho Vanchev, firstname.lastname@example.org). Then they decided to set a new benchmark.
Upon contacting Facebook's Security Incident Response Team, they implemented a filter and confirmed this was happening:
Thanks for bringing this to our attention. I'm on the Security Incident Response team at Facebook and we just finished looking into this issue. We visit all links posted to Facebook as part of our link preview feature. We also take the opportunity to do some additional security screening to filter out bad content. Koobface in particular is fond of redirecting our requests to legitimate websites, and you seem to have done something to piss Koobface off. All visits to Koobface URLs from our IP space are currently being redirected to your blog.
Pretty dynamic "relationship", isn't it?
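The Facebook response above describes a cloaking technique rather than a prank: the Koobface landing pages recognised requests coming from Facebook's link-preview scanner by source IP and sent that scanner somewhere harmless, so the content Facebook screened was never the content its users received. The following is an added example, not code from the original post or from Koobface, showing the attacker-side decision and the defender-side check that catches it (fetching the same URL from more than one vantage point). The CIDR blocks, URLs and `fetch` callable are constructed for illustration; the address blocks are documentation ranges and are not Facebook's real address space.

```python
"""IP-space cloaking and a multi-vantage-point check for it.

Added example (not from the original post or from Koobface). The
address blocks, URLs and decision logic are constructed placeholders.
"""
import ipaddress

# Constructed: address blocks the cloaking page treats as "security scanners"
# (RFC 5737 documentation ranges, standing in for a real scanner's IP space).
SCANNER_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

BENIGN_REDIRECT = "http://blog.example/"         # where scanners are sent
MALICIOUS_PAYLOAD = "http://scareware.example/"  # where everyone else is sent


def is_scanner(client_ip):
    """True when the requesting address falls inside any listed scanner block."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in SCANNER_NETS)


def cloaked_redirect(client_ip):
    """Attacker's view: the server-side decision a cloaking landing page makes
    for each request, keyed only on the source address."""
    return BENIGN_REDIRECT if is_scanner(client_ip) else MALICIOUS_PAYLOAD


def detect_cloaking(fetch, vantage_ips):
    """Defender's view: request the same URL from several source addresses and
    report whether the final destination depends on who is asking.

    `fetch` is any callable mapping a source IP to the observed destination;
    here it is the simulated server above, in practice it would be a real
    fetch routed through each vantage point (constructed interface)."""
    seen = {ip: fetch(ip) for ip in vantage_ips}
    distinct = set(seen.values())
    return {"cloaked": len(distinct) > 1, "by_vantage": seen}


if __name__ == "__main__":
    # Simulated vantage points: one inside a scanner block, two outside it
    # (198.51.100.200 is outside 198.51.100.0/25, which ends at .127).
    result = detect_cloaking(cloaked_redirect, ["203.0.113.7", "192.0.2.20", "198.51.100.200"])
    print(result)
```

The practical consequence for anyone running a URL scanner is that a fixed, publicly known egress range is a fingerprint: once the attacker has it, the scanner only ever sees the benign branch. Screening from a single vantage point therefore proves nothing about what a user will get, and a scanner that only ever uses one range should be treated as cloakable until its results are cross-checked from an address the attacker has no reason to special-case.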
09. The gang is experimenting with alternative propagation strategies, such as Skype
With the Koobface botnet under the microscope of the security community, the gang is naturally interested in switching its social engineering tactics, or looking for alternative propagation methods.
In November 2009, security vendors detected a new Koobface variant indicating the gang's long-term strategy of diversifying its propagation vectors by using Skype. The sample analyzed back then was also collecting personally identifiable information from affected users, a practice often used when a malicious attacker is laying the foundations for a successful social engineering campaign.
Why would the gang bother propagating through Skype with such a well developed Web 2.0 propagation strategy already in place? Greed is the first thing that comes to my mind.
10. The gang is monetizing traffic through the Crusade Affiliates scareware network
Originally exposed in September 2009's "Koobface Botnet's Scareware Business Model" post (see Part Two as well), when the gang officially started serving scareware every time a user visits a Koobface-infected page, the Crusade Affiliates network appears to be the primary choice for the Koobface gang in terms of scareware monetization.
Once its key domain got suspended, the network went undercover, although it appears that the entire network may be an exclusive operation maintained by, and used only by, the Koobface gang, in an attempt not to attract too much attention to its activities. This operational security (OPSEC) practice on behalf of Koobface and the network has been evident ever since: the network carries no branding, while the gang still collects the revenue from it, revenue that is naturally generated thanks to the Koobface botnet.